Upgrade go version to 1.19 to mitigate rapid reset CVE #1345
Conversation
Signed-off-by: thepetk <[email protected]>
I've put WIP as I'm trying to think of any potential impact this change might have.
Codecov Report
All modified and coverable lines are covered by tests ✅

Additional details and impacted files

@@ Coverage Diff @@
##           main    #1345   +/-   ##
=======================================
  Coverage   35.75%   35.75%
=======================================
  Files          52       52
  Lines        6696     6696
=======================================
  Hits         2394     2394
  Misses       4158     4158
  Partials      144      144
Generally looks fine to me, at the level of the devfile/api, as long as the generator still works and outputs the same schemas, we should be safe to make this change.
/retest
/lgtm
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: amisevsk, johnmcollier, michael-valdron, thepetk
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
What does this PR do?
As mentioned inside the EPIC #1303, a part of the actions needed to mitigate the Rapid Reset CVE inside the devfiles org would be to update the k8s.io/apimachinery to a version using golang.org/x/net newer than v0.8.0. As a result, this PR upgrades the k8s.io/apimachinery to v0.26.10, which is also used in the other devfile repos.

Another action to mitigate the Rapid Reset CVE would be to upgrade the golang version of generator and api. The generator is using go version 1.13 and the api the go version 1.18, which are not supported anymore. There is already an EPIC to upgrade the projects inside the devfiles org to version 1.19. As a result, this PR upgrades the generator and the api to use go version 1.19.

Which issue(s) does this PR fix
fixes #1305

PR acceptance criteria
Testing and documentation do not need to be complete in order for this PR to be approved. We just need to ensure tracking issues are opened.
Unit/Functional tests
QE Integration test
Documentation
Client Impact

How to test changes / Special notes to the reviewer
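The description sets out two conditions a module must meet after this change: a go directive of at least 1.19, and golang.org/x/net pinned to a version newer than v0.8.0. Both can be checked mechanically against a go.mod. The program below is an added example written for this page, not code from the PR or from the devfile/api or generator repositories; the go.mod it reads is constructed inline, and the minimum versions are the ones stated in the description. It parses only the go directive and the require directives (single-line and block form) and deliberately ignores replace, so a module that swaps golang.org/x/net for a fork via replace would not be seen. It also fails closed when golang.org/x/net is absent, because a go.mod written by an older toolchain (such as the go 1.13 generator) may not list indirect dependencies at all; in that case the authoritative answer is "go list -m golang.org/x/net" run in the module directory, which this offline check does not replace.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod for this example (not the devfile/api
// file), shaped like a module after the upgrade: go 1.19 and apimachinery
// v0.26.10, with golang.org/x/net pulled in as an indirect dependency.
const sampleGoMod = `module example.invalid/devfile-check

go 1.19

require (
	github.com/stretchr/testify v1.8.4
	k8s.io/apimachinery v0.26.10
)

require golang.org/x/net v0.17.0 // indirect
`

// parseSemver turns "v0.26.10" or a go directive such as "1.19" into numeric
// parts; missing components are zero, pre-release/build suffixes are dropped.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) > 3 {
		return out, fmt.Errorf("bad version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1 like strings.Compare, comparing numeric
// parts so that v0.26.10 sorts after v0.26.9 (a plain string compare would not).
func compareVersions(a, b string) (int, error) {
	pa, err := parseSemver(a)
	if err != nil {
		return 0, err
	}
	pb, err := parseSemver(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			if pa[i] < pb[i] {
				return -1, nil
			}
			return 1, nil
		}
	}
	return 0, nil
}

// ModInfo holds what the check needs: the go directive and the version each
// required module (direct or indirect) is pinned to.
type ModInfo struct {
	GoVersion string
	Require   map[string]string
}

// parseGoMod reads the go directive and both require forms. Comments such as
// "// indirect" are stripped; replace, exclude and retract are ignored.
func parseGoMod(src string) ModInfo {
	info := ModInfo{Require: map[string]string{}}
	inRequire := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		switch {
		case inRequire && f[0] == ")":
			inRequire = false
		case inRequire && len(f) == 2:
			info.Require[f[0]] = f[1]
		case f[0] == "go" && len(f) == 2:
			info.GoVersion = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inRequire = true
		case f[0] == "require" && len(f) == 3:
			info.Require[f[1]] = f[2]
		}
	}
	return info
}

// Check reports whether src satisfies go >= minGo and golang.org/x/net > minXNet.
// A go.mod that does not list golang.org/x/net fails closed rather than passing.
func Check(src, minGo, minXNet string) (bool, string) {
	info := parseGoMod(src)
	if info.GoVersion == "" {
		return false, "no go directive"
	}
	if c, err := compareVersions(info.GoVersion, minGo); err != nil || c < 0 {
		return false, "go " + info.GoVersion + " is older than " + minGo
	}
	xnet, ok := info.Require["golang.org/x/net"]
	if !ok {
		return false, "golang.org/x/net not listed; run `go list -m golang.org/x/net` to see the selected version"
	}
	if c, err := compareVersions(xnet, minXNet); err != nil || c <= 0 {
		return false, "golang.org/x/net " + xnet + " is not newer than " + minXNet
	}
	return true, "ok: go " + info.GoVersion + ", golang.org/x/net " + xnet
}

func main() {
	ok, msg := Check(sampleGoMod, "1.19", "v0.8.0")
	fmt.Println(ok, msg)
}
```

Run against a real checkout by replacing sampleGoMod with the contents of the module's go.mod; a passing result here only says the stated minimums are met, while the version the build actually selects still comes from go list -m.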