openshift / assisted-installer-agent

Apache License 2.0

OCPBUGS-42157: Switch to github.com/docker/distribution/reference to Mitigate CVE-2024-3727 #782

Closed paul-maidment closed 2 months ago

paul-maidment commented 2 months ago

The library github.com/containers/image/v5 has a vulnerability that has as of yet been unresolved.

Thankfully, it is possible to change the part of the library that we use.

We can change github.com/containers/image/v5/docker/reference for github.com/docker/distribution/reference.

In the case of assisted-installer, we achieve this by changing the dependency to the latest assisted-installer.
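The swap described above is an import-path change, so the practical check is whether any source file still imports the package being replaced and whether go.mod already requires the module that provides the replacement. The following POSIX shell script is an added example, not code from this PR or from the assisted-installer-agent project; every path and file in its fixture is constructed for the demonstration, and the module versions in the fixture go.mod are placeholders.

```shell
#!/bin/sh
# Added example (not code from the PR or the assisted-installer-agent project):
# a small audit for the dependency swap. It lists Go files that still import the
# package being replaced and checks that go.mod requires the module that provides
# the replacement. All paths and fixture contents below are constructed.

OLD_PKG='github.com/containers/image/v5/docker/reference'
NEW_MOD='github.com/docker/distribution'

# Print every non-vendored Go file under $1 that imports OLD_PKG.
# Exit status 1 if at least one such file exists, 0 if the tree is clean.
find_old_imports() {
    tree=$1
    status=0
    # Paths with whitespace are not expected in a Go module tree; the
    # word-splitting for loop is deliberate so that $status survives the loop.
    for f in $(find "$tree" -name '*.go' ! -path '*/vendor/*' | sort); do
        if grep -q "\"$OLD_PKG\"" "$f"; then
            echo "$f"
            status=1
        fi
    done
    return $status
}

# Exit status 0 if go.mod in tree $1 has a require line for NEW_MOD
# (either a single-line "require ..." or an entry inside a require block).
gomod_requires_new() {
    grep -Eq "^[[:space:]]*(require[[:space:]]+)?${NEW_MOD}[[:space:]]+v" "$1/go.mod"
}

# Build a constructed source tree so the checks above can be exercised offline.
# Prints the directory path.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/pkg" "$d/vendor/x"
    # Still on the old import path: this file would need the swap.
    cat > "$d/pkg/old.go" <<'EOF'
package pkg

import "github.com/containers/image/v5/docker/reference"

var _ reference.Named
EOF
    # Already switched to the replacement.
    cat > "$d/pkg/new.go" <<'EOF'
package pkg

import "github.com/docker/distribution/reference"

var _ reference.Named
EOF
    # Vendored copies are skipped by find_old_imports.
    cat > "$d/vendor/x/x.go" <<'EOF'
package x

import "github.com/containers/image/v5/docker/reference"

var _ reference.Named
EOF
    # Placeholder versions; constructed for the demonstration only.
    cat > "$d/go.mod" <<'EOF'
module example.com/demo

go 1.21

require (
	github.com/containers/image/v5 v5.0.0
	github.com/docker/distribution v2.8.3+incompatible
)
EOF
    echo "$d"
}

# Stand-alone run: audit the fixture and report.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_fixture)
    echo "Files still importing $OLD_PKG:"
    find_old_imports "$tree" || echo "(swap needed in the files above)"
    gomod_requires_new "$tree" && echo "go.mod requires $NEW_MOD"
    rm -rf "$tree"
fi
```

Run it with `--demo` to see the fixture audited; point `find_old_imports` and `gomod_requires_new` at a real checkout to audit it. Once no file imports the old path, `go mod why -m github.com/containers/image/v5` shows whether anything else in the build still pulls the module in, which decides whether the swap alone removes it from the binary.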

openshift-ci-robot commented 2 months ago

@paul-maidment: This pull request references Jira Issue OCPBUGS-42157, which is invalid:

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to [this](https://github.com/openshift/assisted-installer-agent/pull/782):

> The library github.com/containers/image/v5 has a vulnerability that has as of yet been unresolved.
>
> Thankfully, it is possible to change the part of the library that we use
>
> We can change github.com/containers/image/v5/docker/reference for github.com/docker/distribution/reference
>
> In the case of assisted-installer, we achieve this by changing the dependency to the latest assisted-installer

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fassisted-installer-agent). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

openshift-ci[bot] commented 2 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adriengentil, paul-maidment

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/openshift/assisted-installer-agent/blob/master/OWNERS)~~ [adriengentil,paul-maidment]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.

codecov[bot] commented 2 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 59.60%. Comparing base (9bebe91) to head (5043fa1).

Additional details and impacted files

[![Impacted file tree graph](https://app.codecov.io/gh/openshift/assisted-installer-agent/pull/782/graphs/tree.svg?width=650&height=150&src=pr&token=ZYXZPU4167&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=openshift)](https://app.codecov.io/gh/openshift/assisted-installer-agent/pull/782?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=openshift)

```diff
@@           Coverage Diff           @@
##           master     #782   +/-   ##
=======================================
  Coverage   59.60%   59.60%
=======================================
  Files          74       74
  Lines        3755     3755
=======================================
  Hits         2238     2238
  Misses       1356     1356
  Partials      161      161
```

paul-maidment commented 2 months ago

Opened against wrong branch in error, closing

openshift-ci-robot commented 2 months ago

@paul-maidment: This pull request references Jira Issue OCPBUGS-42157. The bug has been updated to no longer refer to the pull request using the external bug tracker.

In response to [this](https://github.com/openshift/assisted-installer-agent/pull/782):

> The library github.com/containers/image/v5 has a vulnerability that has as of yet been unresolved.
>
> Thankfully, it is possible to change the part of the library that we use
>
> We can change github.com/containers/image/v5/docker/reference for github.com/docker/distribution/reference
>
> In the case of assisted-installer, we achieve this by changing the dependency to the latest assisted-installer

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fassisted-installer-agent). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.