openshift / openshift-controller-manager

Coming soon. Do not import.
Apache License 2.0

OCPBUGS-32873: Replace deprecated gopkg.in/square/go-jose.v2 #315

Closed sayan-biswas closed 5 months ago

sayan-biswas commented 5 months ago

Replace deprecated gopkg.in/square/go-jose.v2 with github.com/go-jose/go-jose/v3

Fixes the following CVE(s):

* CVE-2024-28180

openshift-ci-robot commented 5 months ago

@sayan-biswas: This pull request references Jira Issue OCPBUGS-32873, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
* bug is open, matching expected state (open)
* bug target version (4.17.0) matches configured target version for branch (4.17.0)
* bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact: /cc @jitendar-singh

The bug has been updated to refer to the pull request using the external bug tracker.

In response to [this](https://github.com/openshift/openshift-controller-manager/pull/315):

> Replace deprecated gopkg.in/square/go-jose.v2 with github.com/go-jose/go-jose/v3
>
> Fixes the following CVE(s):
> * CVE-2024-28180

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fopenshift-controller-manager). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

sayan-biswas commented 5 months ago

/test e2e-hypershift-conformance

avinal commented 5 months ago

If you have to cherry-pick, then I suggest you command the bot before PR merges, it seems the bot doesn't work on closed PR.

sayan-biswas commented 5 months ago

> If you have to cherry-pick, then I suggest you command the bot before PR merges, it seems the bot doesn't work on closed PR.

But I guess cherry-pick bot is configured to work with minimum "merged" status. Isn't it?

avinal commented 5 months ago

> But I guess cherry-pick bot is configured to work with minimum "merged" status. Isn't it?

Yes, it will only open cherrypick PR once merged, but the bot ignores command after merging it seems.

sayan-biswas commented 5 months ago

/test e2e-aws-ovn

openshift-ci[bot] commented 5 months ago

@sayan-biswas: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/security | 6bbfd9a43f96cb0f90c279363133c3e46ee3559f | link | false | `/test security` |


Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).
sayan-biswas commented 5 months ago

/lgtm

openshift-ci[bot] commented 5 months ago

@sayan-biswas: you cannot LGTM your own PR.

In response to [this](https://github.com/openshift/openshift-controller-manager/pull/315#issuecomment-2162424930):

> /lgtm

sayan-biswas commented 5 months ago

/label backport-risk-assessed
/label cherry-pick-approved
/label px-approved
/label docs-approved
/label qe-approved

openshift-ci-robot commented 5 months ago

@sayan-biswas: This pull request references Jira Issue OCPBUGS-32873, which is valid.

3 validation(s) were run on this bug
* bug is open, matching expected state (open)
* bug target version (4.17.0) matches configured target version for branch (4.17.0)
* bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact: /cc @jitendar-singh

ayushsatyam146 commented 5 months ago

/lgtm

openshift-ci[bot] commented 5 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: avinal, ayushsatyam146, sayan-biswas


Needs approval from an approver in each of these files:
- ~~[OWNERS](https://github.com/openshift/openshift-controller-manager/blob/master/OWNERS)~~ [sayan-biswas]

Approvers can indicate their approval by writing `/approve` in a comment
Approvers can cancel approval by writing `/approve cancel` in a comment

openshift-ci-robot commented 5 months ago

@sayan-biswas: Jira Issue OCPBUGS-32873: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-32873 has been moved to the MODIFIED state.

sayan-biswas commented 5 months ago

/cherrypick release-4.16 release-4.15 release-4.14 release-4.13 release-4.12

openshift-cherrypick-robot commented 5 months ago

@sayan-biswas: #315 failed to apply on top of branch "release-4.16":

```
Applying: OCPBUGS-32873: Replace deprecated gopkg.in/square/go-jose.v2
Using index info to reconstruct a base tree...
M   go.mod
M   go.sum
M   vendor/golang.org/x/sys/unix/mkerrors.sh
M   vendor/golang.org/x/sys/unix/zerrors_linux.go
M   vendor/golang.org/x/sys/unix/zerrors_linux_386.go
M   vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
M   vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
M   vendor/golang.org/x/sys/unix/zsysnum_linux_386.go
M   vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go
M   vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go
M   vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go
M   vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go
M   vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go
M   vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go
M   vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go
M   vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go
M   vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go
M   vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go
M   vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go
M   vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go
M   vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go.git/rebase-apply/patch:3173: trailing whitespace.

.git/rebase-apply/patch:3173: new blank line at EOF.
+
warning: 2 lines add whitespace errors.

M   vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go
M   vendor/golang.org/x/sys/unix/ztypes_linux.go
M   vendor/golang.org/x/sys/windows/syscall_windows.go
M   vendor/golang.org/x/sys/windows/zsyscall_windows.go
M   vendor/modules.txt
Falling back to patching base and 3-way merge...
Auto-merging vendor/modules.txt
CONFLICT (content): Merge conflict in vendor/modules.txt
Auto-merging vendor/golang.org/x/sys/windows/zsyscall_windows.go
Auto-merging vendor/golang.org/x/sys/windows/syscall_windows.go
Removing vendor/golang.org/x/sys/windows/empty.s
Auto-merging vendor/golang.org/x/sys/unix/ztypes_linux.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/ztypes_linux.go
Auto-merging vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go
Auto-merging vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go
Auto-merging vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go
Auto-merging vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go
Auto-merging vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go
Auto-merging vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go
Auto-merging vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go
Auto-merging vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go
Auto-merging vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go
Auto-merging vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go
Auto-merging vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go
Auto-merging vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go
Auto-merging vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go
Auto-merging vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go
Auto-merging vendor/golang.org/x/sys/unix/zsysnum_linux_386.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsysnum_linux_386.go
Auto-merging vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
Auto-merging vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
Auto-merging vendor/golang.org/x/sys/unix/zerrors_linux_386.go
Auto-merging vendor/golang.org/x/sys/unix/zerrors_linux.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zerrors_linux.go
Auto-merging vendor/golang.org/x/sys/unix/mkerrors.sh
Removing vendor/golang.org/x/sys/unix/fstatfs_zos.go
Removing vendor/golang.org/x/sys/unix/epoll_zos.go
Removing vendor/golang.org/x/crypto/sha3/xor_unaligned.go
Removing vendor/golang.org/x/crypto/sha3/xor_generic.go
Removing vendor/golang.org/x/crypto/sha3/shake_generic.go
Removing vendor/golang.org/x/crypto/sha3/hashes_generic.go
Auto-merging go.sum
CONFLICT (content): Merge conflict in go.sum
Auto-merging go.mod
CONFLICT (content): Merge conflict in go.mod
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 OCPBUGS-32873: Replace deprecated gopkg.in/square/go-jose.v2
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".
```

In response to [this](https://github.com/openshift/openshift-controller-manager/pull/315#issuecomment-2162518052):

> /cherrypick release-4.16 release-4.15 release-4.14 release-4.13 release-4.12

sayan-biswas commented 5 months ago

/remove-label cherry-pick-approved

sayan-biswas commented 5 months ago

/remove-label backport-risk-assessed

sayan-biswas commented 5 months ago

/cherrypick release-4.17

openshift-cherrypick-robot commented 5 months ago

@sayan-biswas: new pull request created: #316

In response to [this](https://github.com/openshift/openshift-controller-manager/pull/315#issuecomment-2162561650):

> /cherrypick release-4.17

sayan-biswas commented 5 months ago

/cherrypick release-4.18

openshift-cherrypick-robot commented 5 months ago

@sayan-biswas: new pull request created: #317

In response to [this](https://github.com/openshift/openshift-controller-manager/pull/315#issuecomment-2162579050):

> /cherrypick release-4.18

openshift-bot commented 5 months ago

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-openshift-controller-manager-container-v4.17.0-202406121116.p0.gdc54a28.assembly.stream.el9 for distgit ose-openshift-controller-manager. All builds following this will include this PR.

sayan-biswas commented 4 months ago

/cherrypick release-4.16 release-4.15

openshift-cherrypick-robot commented 4 months ago

@sayan-biswas: #315 failed to apply on top of branch "release-4.16":

In response to [this](https://github.com/openshift/openshift-controller-manager/pull/315#issuecomment-2185999768):

> /cherrypick release-4.16 release-4.15