Closed ingvagabund closed 3 months ago
@ingvagabund: This pull request references Jira Issue OCPBUGS-36379, which is invalid:
Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
The bug has been updated to refer to the pull request using the external bug tracker.
/jira refresh
@ingvagabund: This pull request references Jira Issue OCPBUGS-36379, which is invalid:
Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
jdanek@fedora:~/repos/openshift/oc$ ~/go/bin/govulncheck -mode=source -show=color ./...
=== Symbol Results ===
No vulnerabilities found.
Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
Looks good. I only wonder why https://issues.redhat.com/browse/OCPBUGS-36379 had many more things reported compared to main. Is it just that latest-4.16 version of the binary is a bit old? Or could it be that the build done inside Red Hat maybe uses older version of go that's available in rhel 8 and its own go.mod file?
Is it just that latest-4.16 version of the binary is a bit old? Or could it be that the build done inside Red Hat maybe uses older version of go that's available in rhel 8 and its own go.mod file?
@jiridanek the oc rpm was built 202406282106. One of the most recent ones. We hardly get any information about how the actual scanning is performed. I'd welcome any detailed analysis describing the decision logic. E.g. this version from this place (possibly coming from this source) is affected by this. This affected version is imported in this place (e.g. go.mod, library, ...) and that's why we assumed this library/image/rpm is affected as well. Etc. Given we don't get this information we always guess.
/label backport-risk-assessed
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: ardaguclu, ingvagabund
@ingvagabund The most important aspect now is going to be the version of go that will be used to do the "Red Hat build of oc". If that's go1.21.9, which is the latest go-toolset we now have, then there are stdlib vulnerabilities that trivy will report. And I guess with the go stdlib vulns showing in the scan, customer still won't be happy.
edit: this thing is going to be a bummer for them, https://avd.aquasec.com/nvd/cve-2024-24790, assuming ^^^; and there is no way to talk through this (affected/vulnerable, this sort of thing), because the security scan they have (which is probably not necessarily trivy, no idea what it is, but trivy should be a good approximation) is gating for them and they either can't get an exception from their own security team, or won't do it for us.
Would you know if I found the right distgit for oc, the one I linked in https://issues.redhat.com/browse/OCPBUGS-36379?focusedId=25033208&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-25033208 (private comment)?
Here are some download links for oc, https://issues.redhat.com/browse/CLOUDDST-23491. Where are the builds producing the binaries there?
So far we used the https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/latest/openshift-client-linux.tar.gz link. Maybe it's not the best source of latest oc.
@ingvagabund: all tests passed!
/jira refresh
@ingvagabund: This pull request references Jira Issue OCPBUGS-36379, which is invalid:
Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
/jira refresh
@ingvagabund: This pull request references Jira Issue OCPBUGS-36379, which is valid. The bug has been moved to the POST state.
Requesting review from QA contact: /cc @zhouying7780
/label cherry-pick-approved
@ingvagabund: Jira Issue OCPBUGS-36379: All pull requests linked via external trackers have merged:
Jira Issue OCPBUGS-36379 has been moved to the MODIFIED state.
[ART PR BUILD NOTIFIER]
This PR has been included in build openshift-enterprise-cli-container-v4.16.0-202407041237.p0.g8c491ba.assembly.stream.el9 for distgit openshift-enterprise-cli. All builds following this will include this PR.
Fix included in accepted release 4.16.0-0.nightly-2024-07-05-012344
SSIA