
update the deps to latest levels #6

Closed
mkumatag opened this issue Oct 25, 2021 · 15 comments · Fixed by #23
@mkumatag
Member

mkumatag commented Oct 25, 2021

Update the below dependencies to expected versions to avoid security issues:

  • k8s.io/kubernetes v1.22.3
  • Golang-jwt v3.2.1
@Madhan-SWE

Upgrading k8s.io/kubernetes to v1.22.3 creates the below issue.

go: downloading k8s.io/kubernetes v1.22.3
go get: k8s.io/kubernetes@v1.22.3 requires
	k8s.io/component-helpers@v0.0.0: reading k8s.io/component-helpers/go.mod at revision v0.0.0: unknown revision

@Madhan-SWE

No patch is available to solve the vulnerabilities in the Golang-jwt package.
Dependabot is suggesting to use version 3.2.1.

But I am unable to upgrade to version 3.2.1:

[root@madhan-multinode-kube-master powervs-csi-driver]# go get github.com/dgrijalva/jwt-go@v3.2.1
go get github.com/dgrijalva/jwt-go@v3.2.1: github.com/dgrijalva/jwt-go@v3.2.1: invalid version: unknown revision v3.2.1

Even updating the Golang-jwt package to the latest version shows the current version and the updated version as the same vulnerable version:

[root@madhan-multinode-kube-master powervs-csi-driver]# go get github.com/dgrijalva/jwt-go
[root@madhan-multinode-kube-master powervs-csi-driver]# go list -m all | grep jwt
github.com/auth0/go-jwt-middleware v0.0.0-20170425171159-5493cabe49f7
github.com/dgrijalva/jwt-go v3.2.0+incompatible
[root@madhan-multinode-kube-master powervs-csi-driver]#

@Madhan-SWE

/assign

@Madhan-SWE

@Karthik-K-N any thoughts on this?

@Karthik-K-N

Did you try this: go mod edit -require=k8s.io/kubernetes@v1.22.3, then go mod tidy?

@mkumatag
Member Author

mkumatag commented Nov 2, 2021

No patch is available to solve the vulnerabilities in the Golang-jwt package.
Dependabot is suggesting to use version 3.2.1.

But I am unable to upgrade to version 3.2.1:

[root@madhan-multinode-kube-master powervs-csi-driver]# go get github.com/dgrijalva/jwt-go@v3.2.1
go get github.com/dgrijalva/jwt-go@v3.2.1: github.com/dgrijalva/jwt-go@v3.2.1: invalid version: unknown revision v3.2.1

Even updating the Golang-jwt package to the latest version shows the current version and the updated version as the same vulnerable version:

[root@madhan-multinode-kube-master powervs-csi-driver]# go get github.com/dgrijalva/jwt-go
[root@madhan-multinode-kube-master powervs-csi-driver]# go list -m all | grep jwt
github.com/auth0/go-jwt-middleware v0.0.0-20170425171159-5493cabe49f7
github.com/dgrijalva/jwt-go v3.2.0+incompatible
[root@madhan-multinode-kube-master powervs-csi-driver]#

Can you try using github.com/golang-jwt/jwt instead?

@Madhan-SWE

Did you try this: go mod edit -require=k8s.io/kubernetes@v1.22.3, then go mod tidy?

It fails with the same error:

[root@madhan-multinode-kube-master powervs-csi-driver]# go mod edit -require=k8s.io/kubernetes@v1.22.3
[root@madhan-multinode-kube-master powervs-csi-driver]# go mod tidy
go: k8s.io/kubernetes@v1.22.3 requires
	k8s.io/component-helpers@v0.0.0: reading k8s.io/component-helpers/go.mod at revision v0.0.0: unknown revision v0.0.0

@Karthik-K-N

Karthik-K-N commented Nov 2, 2021

Then give it a shot with an earlier version, like k8s.io/kubernetes

@Madhan-SWE

No patch is available to solve the vulnerabilities in the Golang-jwt package.
Dependabot is suggesting to use version 3.2.1.
But I am unable to upgrade to version 3.2.1:

[root@madhan-multinode-kube-master powervs-csi-driver]# go get github.com/dgrijalva/jwt-go@v3.2.1
go get github.com/dgrijalva/jwt-go@v3.2.1: github.com/dgrijalva/jwt-go@v3.2.1: invalid version: unknown revision v3.2.1

Even updating the Golang-jwt package to the latest version shows the current version and the updated version as the same vulnerable version:

[root@madhan-multinode-kube-master powervs-csi-driver]# go get github.com/dgrijalva/jwt-go
[root@madhan-multinode-kube-master powervs-csi-driver]# go list -m all | grep jwt
github.com/auth0/go-jwt-middleware v0.0.0-20170425171159-5493cabe49f7
github.com/dgrijalva/jwt-go v3.2.0+incompatible
[root@madhan-multinode-kube-master powervs-csi-driver]#

Can you try using github.com/golang-jwt/jwt instead?

Changing from github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt solves the issue.

@Madhan-SWE

Madhan-SWE commented Nov 2, 2021

Then give it a shot with an earlier version, like k8s.io/kubernetes

The current version is 1.19.14. I can upgrade to any of the 1.19.x versions, but I can't upgrade to 1.20.0 or higher.
The latest version, however, is 1.22.3.

As per the security alert, upgrading to 1.19.5 will solve the issue. But that's far away from the latest version.

@Madhan-SWE

I am using Kubernetes cluster version 1.19.2. I think that's why I cannot install a client beyond 1.19.x.
I will create a single-node cluster with the latest Kubernetes version and test there.

@Madhan-SWE

Deployed a new Kubernetes cluster, version 1.22.2.
Tried to upgrade the kubernetes package to v1.22.3.
Still getting the same error:

[root@madhan-1-kube-1-22-2 powervs-csi-driver]# go get k8s.io/kubernetes@v1.22.3 requires
go: k8s.io/kubernetes@v1.22.3 requires
	k8s.io/component-helpers@v0.0.0: reading k8s.io/component-helpers/go.mod at revision v0.0.0: unknown revision v0.0.0

@mkumatag
Member Author

mkumatag commented Nov 8, 2021

The best way to fix them is via a replace directive in the go.mod file, e.g.: https://github.com/kubernetes-csi/csi-driver-nfs/blob/96d13a56e5974310618f0064e5026211a23dd340/go.mod#L25:L52

@Madhan-SWE

The best way to fix them is via a replace directive in the go.mod file, e.g.: https://github.com/kubernetes-csi/csi-driver-nfs/blob/96d13a56e5974310618f0064e5026211a23dd340/go.mod#L25:L52

This fixes the issue. Thanks.

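As an added example, not code from this thread or from the project: a go.mod fragment that applies both fixes discussed above, the replace block that pins the k8s.io/kubernetes v1.22.3 staging modules (which it requires at the placeholder v0.0.0) to their v0.22.3 tags, and the switch from github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt. The module path example.com/powervs-csi-driver, the jwt replace line and the exact staging-module list are assumptions; check the list against the replace block in the go.mod of the kubernetes v1.22.3 tag before using it.

```gomod
module example.com/powervs-csi-driver // assumed module path

go 1.16

require (
	github.com/golang-jwt/jwt v3.2.1+incompatible // maintained fork, patched line
	k8s.io/kubernetes v1.22.3
)

// k8s.io/kubernetes lists its staging modules at v0.0.0 and resolves them
// only through its own replace block, which does not apply to consumers.
// Pin each one to the tag that matches the kubernetes minor (v1.22.3 -> v0.22.3).
// Assumed list for v1.22.3; verify against that tag's go.mod.
replace (
	k8s.io/api => k8s.io/api v0.22.3
	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.22.3
	k8s.io/apimachinery => k8s.io/apimachinery v0.22.3
	k8s.io/apiserver => k8s.io/apiserver v0.22.3
	k8s.io/cli-runtime => k8s.io/cli-runtime v0.22.3
	k8s.io/client-go => k8s.io/client-go v0.22.3
	k8s.io/cloud-provider => k8s.io/cloud-provider v0.22.3
	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.22.3
	k8s.io/code-generator => k8s.io/code-generator v0.22.3
	k8s.io/component-base => k8s.io/component-base v0.22.3
	k8s.io/component-helpers => k8s.io/component-helpers v0.22.3
	k8s.io/controller-manager => k8s.io/controller-manager v0.22.3
	k8s.io/cri-api => k8s.io/cri-api v0.22.3
	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.22.3
	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.22.3
	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.22.3
	k8s.io/kube-proxy => k8s.io/kube-proxy v0.22.3
	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.22.3
	k8s.io/kubectl => k8s.io/kubectl v0.22.3
	k8s.io/kubelet => k8s.io/kubelet v0.22.3
	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.22.3
	k8s.io/metrics => k8s.io/metrics v0.22.3
	k8s.io/mount-utils => k8s.io/mount-utils v0.22.3
	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.22.3
	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.22.3
	k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.22.3
	k8s.io/sample-controller => k8s.io/sample-controller v0.22.3
)

// Assumed transitional pin: any dependency still importing the archived
// dgrijalva/jwt-go path is served the maintained fork. Drop it once
// `go mod why github.com/dgrijalva/jwt-go` reports no importer.
replace github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt v3.2.1+incompatible
```

After editing, `go mod tidy` followed by `go list -m all | grep -E 'jwt|k8s.io/kubernetes'` confirms that the vulnerable module no longer appears in the build list and that k8s.io/kubernetes resolved at v1.22.3.
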
@Madhan-SWE

Updating the dependencies to the latest versions requires Go version 1.16 to build and test.
Working on the Go installation.

@Madhan-SWE Madhan-SWE linked a pull request Nov 16, 2021 that will close this issue
@Madhan-SWE Madhan-SWE removed a link to a pull request Nov 29, 2021