Bump go to 1.22.9 - Githubissues

k8snetworkplumbingwg / ovs-cni

Open vSwitch CNI plugin

Apache License 2.0

224 stars 71 forks source link

Bump go to 1.22.9 #332

Closed phoracek closed 2 weeks ago

phoracek commented 2 weeks ago

What this PR does / why we need it:

This is to address a CVE, reported in #331.

Special notes for your reviewer:

Release note:

NONE

smoshiur1237 commented 2 weeks ago

Thanks @phoracek for this uplift. would you please update the docker file go version in the following line to 1.22.7? https://github.com/k8snetworkplumbingwg/ovs-cni/blob/9f9bb719fd2bd9e51aa05408eaf9781bd59d3c0e/hack/docker-builder/Dockerfile#L9

smoshiur1237 commented 2 weeks ago

I have the understanding that go mod file change should have minimum go version that it supports. As earlier version of 1.22.7 has the vulnerability, isn't it better to update the go version to 1.22.7 in go mod file and same in docker file ( ovs-cni/hack/docker-builder/Dockerfile ).

phoracek commented 2 weeks ago

@smoshiur1237 the Go version in the docker-builder should be only relevant to the Go used in test runs. But it's a good catch - I should update it too.

The version that matters for our containerized distribution is set here https://github.com/k8snetworkplumbingwg/ovs-cni/blob/main/cmd/Dockerfile#L10, and it is based on the one listed in Go.mod. Binary builds attached to releases are currently built by me manually (no CI), but they should follow the Go.mod directive.

smoshiur1237 commented 2 weeks ago

@phoracek I can understand the go version is taken from go mod file. Is there any issue to use 1.22.7 ? I think the fix for that CVE landed in 1.22.7. So if you uplift it to 1.22.9, does it fix the CVE?

phoracek commented 2 weeks ago

@smoshiur1237 yes, following semver, if the fix is available in 1.22.7, it should be a part of all the newer z-stream releases.

smoshiur1237 commented 2 weeks ago

/lgtm

kubevirt-bot commented 2 weeks ago

@smoshiur1237: changing LGTM is restricted to collaborators

In response to [this](https://github.com/k8snetworkplumbingwg/ovs-cni/pull/332#issuecomment-2472658543): >/lgtm Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

SchSeba commented 2 weeks ago

/lgtm /approve

kubevirt-bot commented 2 weeks ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: phoracek, SchSeba

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/k8snetworkplumbingwg/ovs-cni/blob/main/OWNERS)~~ [SchSeba,phoracek] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment