openshift / oc

The OpenShift Command Line, part of OKD
https://www.openshift.org
Apache License 2.0

OCPBUGS-36379: bump(k8s)=1.29.6 #1810

Closed ingvagabund closed 3 months ago

ingvagabund commented 3 months ago

SSIA

openshift-ci-robot commented 3 months ago

@ingvagabund: This pull request references Jira Issue OCPBUGS-36379, which is invalid:

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to [this](https://github.com/openshift/oc/pull/1810):

> SSIA

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Foc). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
ingvagabund commented 3 months ago

/jira refresh

openshift-ci-robot commented 3 months ago

@ingvagabund: This pull request references Jira Issue OCPBUGS-36379, which is invalid:

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to [this](https://github.com/openshift/oc/pull/1810#issuecomment-2203165497):

> /jira refresh

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Foc). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
jiridanek commented 3 months ago

Scanning master with govulncheck gives me this

```
jdanek@fedora:~/repos/openshift/oc$ ~/go/bin/govulncheck -mode=source -show=color ./...
=== Symbol Results ===

Vulnerability #1: GO-2024-2659
    Data exfiltration from internal networks in github.com/docker/docker
  More info: https://pkg.go.dev/vuln/GO-2024-2659
  Module: github.com/docker/docker
    Found in: github.com/docker/docker@v25.0.3+incompatible
    Fixed in: github.com/docker/docker@v25.0.5+incompatible
    Example traces found:
      #1: pkg/cli/image/archive/archive.go:86:39: archive.ApplyLayer calls archive.DecompressStream
      #2: pkg/cli/image/extract/extract.go:582:2: extract.layerByEntry calls ioutils.ReadCloserWrapper.Close, which calls archive.cmdStream
      #3: pkg/cli/image/extract/extract.go:20:2: extract.init calls archive.init
      #4: pkg/cli/image/extract/extract.go:582:2: extract.layerByEntry calls ioutils.ReadCloserWrapper.Close, which calls archive.wrapReadCloser
      #5: pkg/helpers/newapp/portutils/common.go:8:2: portutils.init calls dockerclient.init, which eventually calls blkiodev.init
      #6: pkg/helpers/newapp/portutils/common.go:8:2: portutils.init calls dockerclient.init, which eventually calls container.init
      #7: pkg/helpers/newapp/portutils/common.go:8:2: portutils.init calls dockerclient.init, which eventually calls filters.init
      #8: pkg/helpers/newapp/docker/docker.go:30:39: docker.Helper.GetClient calls dockerclient.NewClientFromEnv, which eventually calls homedir.Get
      #9: pkg/helpers/newapp/portutils/common.go:8:2: portutils.init calls dockerclient.init, which calls homedir.init
      #10: pkg/cli/image/archive/archive.go:77:31: archive.RemapIDs.Alter calls idtools.IdentityMapping.ToHost
      #11: pkg/cli/image/archive/archive.go:15:2: archive.init calls idtools.init
      #12: pkg/cli/image/archive/archive.go:86:39: archive.ApplyLayer calls archive.DecompressStream, which eventually calls ioutils.NewReadCloserWrapper
      #13: pkg/cli/image/extract/extract.go:582:2: extract.layerByEntry calls ioutils.ReadCloserWrapper.Close
      #14: pkg/cli/image/archive/archive.go:16:2: archive.init calls pools.init, which calls ioutils.init
      #15: pkg/helpers/newapp/portutils/common.go:8:2: portutils.init calls dockerclient.init, which calls jsonmessage.init
      #16: pkg/helpers/newapp/portutils/common.go:8:2: portutils.init calls dockerclient.init, which eventually calls mount.init
      #17: pkg/helpers/newapp/portutils/common.go:8:2: portutils.init calls dockerclient.init, which eventually calls multierror.init
      #18: pkg/helpers/newapp/portutils/common.go:8:2: portutils.init calls dockerclient.init, which eventually calls network.init
      #19: pkg/cli/image/archive/archive.go:86:39: archive.ApplyLayer calls archive.DecompressStream, which calls pools.BufioReaderPool.Get
      #20: pkg/cli/image/archive/archive.go:86:39: archive.ApplyLayer calls archive.DecompressStream, which calls pools.BufioReaderPool.NewReadCloserWrapper
      #21: pkg/cli/image/archive/archive.go:100:2: archive.unpackLayer calls pools.BufioReaderPool.Put
      #22: pkg/cli/image/extract/extract.go:582:2: extract.layerByEntry calls ioutils.ReadCloserWrapper.Close, which calls pools.NewReadCloserWrapper
      #23: pkg/cli/image/archive/archive.go:16:2: archive.init calls pools.init
      #24: pkg/helpers/image/dockerlayer/add/add.go:69:24: add.DigestCopy calls io.discard.ReadFrom, which eventually calls pools.newBufferPoolWithSize
      #25: pkg/helpers/image/dockerlayer/add/add.go:69:24: add.DigestCopy calls io.discard.ReadFrom, which eventually calls pools.newBufioReaderPoolWithSize
      #26: pkg/helpers/image/dockerlayer/add/add.go:69:24: add.DigestCopy calls io.discard.ReadFrom, which eventually calls pools.newBufioWriterPoolWithSize
      #27: pkg/cli/image/manifest/dockercredentials/credential_store_factory.go:9:2: dockercredentials.init calls registry.init
      #28: pkg/helpers/newapp/portutils/common.go:8:2: portutils.init calls dockerclient.init, which eventually calls runtime.init
      #29: pkg/helpers/newapp/portutils/common.go:8:2: portutils.init calls dockerclient.init, which eventually calls specs.init
      #30: pkg/helpers/image/dockerlayer/add/add.go:69:24: add.DigestCopy calls io.discard.ReadFrom, which eventually calls stdcopy.init
      #31: pkg/helpers/newapp/portutils/common.go:8:2: portutils.init calls dockerclient.init, which calls stdcopy.init
      #32: pkg/helpers/newapp/portutils/common.go:8:2: portutils.init calls dockerclient.init, which eventually calls strslice.init
      #33: pkg/helpers/newapp/portutils/common.go:8:2: portutils.init calls dockerclient.init, which calls swarm.init
      #34: pkg/cli/image/archive/archive.go:301:27: archive.unpackLayer calls system.Chtimes
      #35: pkg/cli/image/archive/archive.go:444:31: archive.createTarFile calls system.LUtimesNano
      #36: pkg/cli/image/archive/archive_linux.go:36:34: archive.overlayWhiteoutConverter.ConvertWrite calls system.Lgetxattr
      #37: pkg/cli/image/archive/archive.go:401:29: archive.createTarFile calls system.Lsetxattr
      #38: pkg/cli/image/archive/archive_unix.go:63:50: archive.handleTarTypeBlockCharFifo calls system.Mkdev
      #39: pkg/cli/image/archive/archive.go:173:26: archive.unpackLayer calls system.MkdirAll
      #40: pkg/cli/image/archive/archive_unix.go:63:21: archive.handleTarTypeBlockCharFifo calls system.Mknod
      #41: pkg/cli/admin/release/info.go:867:56: release.InfoOptions.LoadReleaseInfo calls system.XattrError.Error
      #42: pkg/cli/startbuild/startbuild.go:974:24: startbuild.StartBuildOptions.RunStartBuildWebHook calls io.ReadAll, which eventually calls system.XattrError.Timeout
      #43: pkg/helpers/cmd/errors.go:63:15: cmd.CheckOAuthDisabledErr calls errors.As, which eventually calls system.XattrError.Unwrap
      #44: pkg/cli/image/archive/archive.go:17:2: archive.init calls system.init
      #45: pkg/cli/image/imagesource/file.go:17:2: imagesource.init calls manifest.init, which calls versions.init
  Module: github.com/docker/docker-credential-helpers
    Found in: github.com/docker/docker-credential-helpers@v0.8.1
    Fixed in: N/A
    Example traces found:
      #1: pkg/cli/image/manifest/dockercredentials/auth_resolver.go:34:52: dockercredentials.NewAuthResolver calls config.GetAllCredentials, which eventually calls client.Get
      #2: pkg/cli/image/manifest/dockercredentials/auth_resolver.go:34:52: dockercredentials.NewAuthResolver calls config.GetAllCredentials, which eventually calls client.List
      #3: pkg/cli/registry/login/login.go:300:56: login.LoginOptions.Run calls config.SetCredentials, which eventually calls client.NewShellProgramFunc
      #4: pkg/cli/registry/login/login.go:300:56: login.LoginOptions.Run calls config.SetCredentials, which eventually calls client.Store
      #5: pkg/cli/registry/login/login.go:12:2: login.init calls config.init, which calls client.init
      #6: pkg/cli/image/manifest/dockercredentials/auth_resolver.go:34:52: dockercredentials.NewAuthResolver calls config.GetAllCredentials, which eventually calls credentials.IsCredentialsMissingServerURLMessage
      #7: pkg/cli/image/manifest/dockercredentials/auth_resolver.go:34:52: dockercredentials.NewAuthResolver calls config.GetAllCredentials, which eventually calls credentials.IsCredentialsMissingUsernameMessage
      #8: pkg/cli/image/manifest/dockercredentials/auth_resolver.go:34:52: dockercredentials.NewAuthResolver calls config.GetAllCredentials, which eventually calls credentials.IsErrCredentialsNotFoundMessage
      #9: pkg/cli/image/manifest/dockercredentials/auth_resolver.go:34:52: dockercredentials.NewAuthResolver calls config.GetAllCredentials, which eventually calls credentials.NewErrCredentialsMissingServerURL
      #10: pkg/cli/image/manifest/dockercredentials/auth_resolver.go:34:52: dockercredentials.NewAuthResolver calls config.GetAllCredentials, which eventually calls credentials.NewErrCredentialsMissingUsername
      #11: pkg/cli/image/manifest/dockercredentials/auth_resolver.go:34:52: dockercredentials.NewAuthResolver calls config.GetAllCredentials, which eventually calls credentials.NewErrCredentialsNotFound
      #12: pkg/cli/admin/release/info.go:867:56: release.InfoOptions.LoadReleaseInfo calls credentials.errCredentialsMissingServerURL.Error
      #13: pkg/cli/admin/release/info.go:867:56: release.InfoOptions.LoadReleaseInfo calls credentials.errCredentialsMissingUsername.Error
      #14: pkg/cli/admin/release/info.go:867:56: release.InfoOptions.LoadReleaseInfo calls credentials.errCredentialsNotFound.Error
      #15: pkg/cli/registry/login/login.go:12:2: login.init calls config.init, which calls credentials.init

Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 6
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
```

Scanning the PR shows a much better result

```
jdanek@fedora:~/repos/openshift/oc$ ~/go/bin/govulncheck -mode=source -show=color ./...
=== Symbol Results ===

No vulnerabilities found.

Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
```

The verbose scan running on the pr branch, out of curiosity, looks like this

```
jdanek@fedora:~/repos/openshift/oc$ ~/go/bin/govulncheck -mode=source -show=verbose ./...
Scanning your code and 1495 packages across 184 dependent modules for known vulnerabilities...
Fetching vulnerabilities from the database...
Checking the code against the vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

=== Package Results ===

No other vulnerabilities found.

=== Module Results ===

Vulnerability #1: GO-2024-2842
    Unexpected authenticated registry accesses in github.com/containers/image/v5
  More info: https://pkg.go.dev/vuln/GO-2024-2842
  Module: github.com/containers/image/v5
    Found in: github.com/containers/image/v5@v5.29.3
    Fixed in: github.com/containers/image/v5@v5.30.1

Vulnerability #2: GO-2022-0646
    Use of risky cryptographic algorithm in github.com/aws/aws-sdk-go
  More info: https://pkg.go.dev/vuln/GO-2022-0646
  Module: github.com/aws/aws-sdk-go
    Found in: github.com/aws/aws-sdk-go@v1.45.20
    Fixed in: N/A

Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
```

Looks good. I only wonder why https://issues.redhat.com/browse/OCPBUGS-36379 had many more things reported compared to main. Is it just that the latest-4.16 version of the binary is a bit old? Or could it be that the build done inside Red Hat uses an older version of Go that's available in RHEL 8 and its own go.mod file?

ingvagabund commented 3 months ago

> Is it just that the latest-4.16 version of the binary is a bit old? Or could it be that the build done inside Red Hat uses an older version of Go that's available in RHEL 8 and its own go.mod file?

@jiridanek the oc RPM was built 202406282106, one of the most recent ones. We hardly get any information about how the actual scanning is performed. I'd welcome any detailed analysis describing the decision logic, e.g. this version from this place (possibly coming from this source) is affected by this; this affected version is imported in this place (e.g. go.mod, library, ...) and that's why we assumed this library/image/rpm is affected as well; etc. Given we don't get this information, we always guess.

ingvagabund commented 3 months ago

/label backport-risk-assessed

ardaguclu commented 3 months ago

/lgtm

openshift-ci[bot] commented 3 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ardaguclu, ingvagabund

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/openshift/oc/blob/release-4.16/OWNERS)~~ [ardaguclu]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.
jiridanek commented 3 months ago

@ingvagabund The most important aspect now is going to be the version of Go that will be used to do the "Red Hat build of oc". If that's go1.21.9, which is the latest go-toolset we now have, then there are stdlib vulnerabilities that trivy will report. And I guess with the Go stdlib vulns showing in the scan, the customer still won't be happy.

edit: this thing is going to be a bummer for them, https://avd.aquasec.com/nvd/cve-2024-24790, assuming ^^^; and there is no way to talk through this (affected/vulnerable, this sort of thing), because the security scan they have (which is probably not necessarily trivy, no idea what it is, but trivy should be a good approximation) is gating for them and they either can't get an exception from their own security team, or won't do it for us.

Would you know whether I found the right distgit for oc, the one I linked in https://issues.redhat.com/browse/OCPBUGS-36379?focusedId=25033208&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-25033208 (private comment)?

Here are some download links for oc, https://issues.redhat.com/browse/CLOUDDST-23491. Where are the builds producing the binaries there?

So far we used the https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/latest/openshift-client-linux.tar.gz link. Maybe it's not the best source of the latest oc.
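The two scan results in this thread differ because govulncheck classifies each advisory by reachability (symbol, package or module level), while the customer's scanner matches the toolchain and module versions recorded in the shipped binary, which is why the Go version of the "Red Hat build of oc" matters as much as go.mod. The following program makes that distinction concrete. It is an added example, not code from the oc repository or from anyone in this thread; it assumes the record layout of `govulncheck -json` (`osv`, `fixed_version`, `trace` with `module`/`version`/`package`/`function` frames, the first frame being the vulnerable symbol) and feeds itself a constructed sample stream modelled on the scans quoted above.

```go
package main

import (
	"debug/buildinfo"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// Frame and Finding mirror the "finding" records of a govulncheck -json stream
// (field names assumed from golang.org/x/vuln's schema); the first trace frame is
// the vulnerable symbol, the last the caller in the scanned code.
type Frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

type Finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []Frame `json:"trace"`
}

// Level classifies a finding. "symbol" means a call path to the vulnerable
// function exists (govulncheck's "your code is affected"); "package" means imported
// but never called; "module" means only required in go.mod, all trivy ever sees.
func Level(f Finding) string {
	if len(f.Trace) == 0 {
		return "module"
	}
	top := f.Trace[0]
	switch {
	case top.Function != "":
		return "symbol"
	case top.Package != "":
		return "package"
	}
	return "module"
}

// Summarize returns, per OSV id, the strongest level found; config/progress/osv
// records decode to a nil Finding and are skipped.
func Summarize(r io.Reader) (map[string]string, error) {
	rank := map[string]int{"module": 1, "package": 2, "symbol": 3}
	dec, out := json.NewDecoder(r), map[string]string{}
	for {
		var m struct {
			Finding *Finding `json:"finding"`
		}
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.Finding == nil {
			continue
		}
		if lvl := Level(*m.Finding); rank[lvl] > rank[out[m.Finding.OSV]] {
			out[m.Finding.OSV] = lvl
		}
	}
	return out, nil
}

// ToolchainOf reads the Go version embedded in a built binary (the data that
// `go version -m` and trivy read): that, not go.mod in the source tree, decides
// whether stdlib advisories apply to a shipped oc.
func ToolchainOf(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

// sampleJSON is a constructed stream modelled on the scans quoted in this thread.
const sampleJSON = `{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck","scan_level":"symbol"}}
{"finding":{"osv":"GO-2024-2659","fixed_version":"v25.0.5+incompatible","trace":[{"module":"github.com/docker/docker","version":"v25.0.3+incompatible"}]}}
{"finding":{"osv":"GO-2024-2659","fixed_version":"v25.0.5+incompatible","trace":[{"module":"github.com/docker/docker","version":"v25.0.3+incompatible","package":"github.com/docker/docker/pkg/archive"}]}}
{"finding":{"osv":"GO-2024-2659","fixed_version":"v25.0.5+incompatible","trace":[{"module":"github.com/docker/docker","version":"v25.0.3+incompatible","package":"github.com/docker/docker/pkg/archive","function":"DecompressStream"},{"module":"github.com/openshift/oc","package":"github.com/openshift/oc/pkg/cli/image/archive","function":"ApplyLayer"}]}}
{"finding":{"osv":"GO-2024-2842","fixed_version":"v5.30.1","trace":[{"module":"github.com/containers/image/v5","version":"v5.29.3"}]}}
{"finding":{"osv":"GO-2022-0646","trace":[{"module":"github.com/aws/aws-sdk-go","version":"v1.45.20"}]}}
`

func main() {
	sum, err := Summarize(strings.NewReader(sampleJSON))
	if err != nil {
		panic(err)
	}
	fmt.Println("levels by advisory:", sum)
	if v, err := ToolchainOf(os.Args[0]); err == nil {
		fmt.Println("this binary was built with", v)
	}
}
```

For a real tree, pipe `govulncheck -json ./...` into `Summarize` (swap `strings.NewReader(sampleJSON)` for `os.Stdin`); on the sample it reports GO-2024-2659 as symbol-level and the other two as module-level, which is the same split the `-show verbose` output above draws in prose. Pointing `ToolchainOf` at a downloaded oc binary answers the go-toolset question directly instead of guessing from the distgit.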

openshift-ci[bot] commented 3 months ago

@ingvagabund: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).
ingvagabund commented 3 months ago

/jira refresh

openshift-ci-robot commented 3 months ago

@ingvagabund: This pull request references Jira Issue OCPBUGS-36379, which is invalid:

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to [this](https://github.com/openshift/oc/pull/1810#issuecomment-2208599347):

> /jira refresh

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Foc). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
ingvagabund commented 3 months ago

/jira refresh

openshift-ci-robot commented 3 months ago

@ingvagabund: This pull request references Jira Issue OCPBUGS-36379, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug

* bug is open, matching expected state (open)
* bug target version (4.16.z) matches configured target version for branch (4.16.z)
* bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
* release note type set to "Release Note Not Required"
* dependent bug [Jira Issue OCPBUGS-36525](https://issues.redhat.com//browse/OCPBUGS-36525) is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
* dependent [Jira Issue OCPBUGS-36525](https://issues.redhat.com//browse/OCPBUGS-36525) targets the "4.17.0" version, which is one of the valid target versions: 4.17.0
* bug has dependents

Requesting review from QA contact: /cc @zhouying7780

In response to [this](https://github.com/openshift/oc/pull/1810#issuecomment-2208600824):

> /jira refresh

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Foc). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
kasturinarra commented 3 months ago

/label cherry-pick-approved

openshift-ci-robot commented 3 months ago

@ingvagabund: Jira Issue OCPBUGS-36379: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-36379 has been moved to the MODIFIED state.

In response to [this](https://github.com/openshift/oc/pull/1810):

> SSIA

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Foc). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-bot commented 3 months ago

[ART PR BUILD NOTIFIER]

This PR has been included in build openshift-enterprise-cli-container-v4.16.0-202407041237.p0.g8c491ba.assembly.stream.el9 for distgit openshift-enterprise-cli. All builds following this will include this PR.

openshift-merge-robot commented 3 months ago

Fix included in accepted release 4.16.0-0.nightly-2024-07-05-012344