Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade go version to 1.19 to mitigate rapid reset CVE #1345

Merged
merged 9 commits into from
Nov 22, 2023

Conversation

thepetk
Copy link
Contributor

@thepetk thepetk commented Nov 14, 2023

What does this PR do?

As mentioned inside the EPIC#1303 a part of the actions needed to mitigate the Rapid Reset CVE inside the devfiles org would be to update the k8s.io/apimachinery to a version using golang.org/x/net newer than v0.8.0. As a result the this PR upgrades the k8s.io/apimachinery to v0.26.10 which is also used in the other devfile repos.

Another action to mitigate the Rapid Reset CVE would be to upgrade the golang version of generator and api. The generator is using go version 1.13 and the api the go version 1.18 which are not supported anymore. There is already an EPIC to upgrade the projects inside the devfiles org to version 1.19. As a result, this PR upgrades the generator and the api to use go version 1.19.

Which issue(s) does this PR fix

fixes #1305

PR acceptance criteria

Testing and documentation do not need to be complete in order for this PR to be approved. We just need to ensure tracking issues are opened.

  • Open new test/doc issues under the devfile/api repo
  • Check each criteria if:
  • There is a separate tracking issue. Add the issue link under the criteria
    or
  • test/doc updates are made as part of this PR
  • If unchecked, explain why it's not needed

How to test changes / Special notes to the reviewer

@thepetk
Copy link
Contributor Author

thepetk commented Nov 14, 2023

I've put WIP as I'm trying to think of any potential impact this change might have.

@thepetk thepetk changed the title Upgrade go version to 1.19 to mitigate rapid reset CVE WIP: Upgrade go version to 1.19 to mitigate rapid reset CVE Nov 14, 2023
@thepetk thepetk mentioned this pull request Nov 14, 2023
2 tasks
Copy link

codecov bot commented Nov 14, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (447aa00) 35.75% compared to head (ddadf05) 35.75%.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1345   +/-   ##
=======================================
  Coverage   35.75%   35.75%           
=======================================
  Files          52       52           
  Lines        6696     6696           
=======================================
  Hits         2394     2394           
  Misses       4158     4158           
  Partials      144      144           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Copy link
Contributor

@amisevsk amisevsk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally looks fine to me, at the level of the devfile/api, as long as the generator still works and outputs the same schemas, we should be safe to make this change.

build-generator.sh Outdated Show resolved Hide resolved
Signed-off-by: thepetk <[email protected]>
@openshift-ci openshift-ci bot removed the lgtm label Nov 15, 2023
@thepetk thepetk changed the title WIP: Upgrade go version to 1.19 to mitigate rapid reset CVE Upgrade go version to 1.19 to mitigate rapid reset CVE Nov 15, 2023
@thepetk thepetk requested a review from amisevsk November 15, 2023 19:39
@thepetk
Copy link
Contributor Author

thepetk commented Nov 21, 2023

/retest

Copy link
Member

@michael-valdron michael-valdron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

Copy link

openshift-ci bot commented Nov 21, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: amisevsk, johnmcollier, michael-valdron, thepetk

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@thepetk
Copy link
Contributor Author

thepetk commented Nov 22, 2023

I've created issue #1359 to investigate any potential workaround regarding the usage of vendor dir during go generate. cc @amisevsk

@thepetk thepetk merged commit adb72c3 into devfile:main Nov 22, 2023
6 checks passed
@thepetk thepetk mentioned this pull request Nov 22, 2023
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Update API's k8s dependencies
4 participants