puppetlabs / puppet-runtime

runtime dependencies for Vanagon projects
Apache License 2.0

(PA-6881) Adding rexml gem to agent-runtime-main for CVE-2024-41123 and CVE-2024-41946 #901

Closed imaqsood closed 3 months ago

imaqsood commented 3 months ago

Testing Done for el7 and ubuntu

Agent-runtime-main build

vanagon-generic-builder (generic) Generic Builder Step 03 -- Vanagon Project Packaging #3181 Console [Jenkins]

Agent-runtime-main artifacts

Index of /puppet-runtime/63d6a583a1e69661d6795bd48f92074d119ef7e1/artifacts/

Puppet-Agent Build

vanagon-generic-builder (generic) Generic Builder Step 03 -- Vanagon Project Packaging #3182 Console [Jenkins]

Puppet-Artifacts

Index of /puppet-agent/eb37c609e51f1b8c94d7634d71ac206867eedbd7/artifacts/deb/bionic/puppet8/

Index of /puppet-agent/eb37c609e51f1b8c94d7634d71ac206867eedbd7/artifacts/el/7/puppet8/x86_64/

cthorn42 commented 3 months ago

Is it expected that we are leaving the older version of Rexml installed? From using the EL-7 artifact you built

/opt/puppetlabs/puppet/bin/gem list | grep rexml
rexml (3.3.4, 3.3.2)
mhashizume commented 3 months ago

We're already including REXML in agent-runtime-7.x as well: https://github.com/puppetlabs/puppet-runtime/blob/38fc20bfbe8025e06645db2eab087b48a052b9ec/configs/projects/agent-runtime-7.x.rb#L64-L67

Would it make more sense to include REXML in _shared-agent-components than each agent runtime separately?

imaqsood commented 3 months ago

Is it expected that we are leaving the older version of Rexml installed? From using the EL-7 artifact you built

/opt/puppetlabs/puppet/bin/gem list | grep rexml
rexml (3.3.4, 3.3.2)

I didn't notice any changes in 7.x to remove the older REXML version that comes as the default, so I believe it should be fine with the main version as well.

mhashizume commented 3 months ago

I didn't notice any changes in 7.x to remove the older REXML version that comes as the default, so I believe it should be fine with the main version as well.

I believe that we do not do anything in 7.x to clean up older REXML gems because REXML is packaged differently in different Ruby versions; it's a default gem in Ruby 2.7, but became a bundled gem in Ruby >= 3.1.

Having multiple versions of REXML available has caused issues in CI in the past, see this thread in our private Slack channel: https://perforce.slack.com/archives/G047N5B7KK5/p1721074588851319.

It looks like @shubhamshinde360 worked on this last time and may have guidance on how to proceed.

shubhamshinde360 commented 3 months ago

@imaqsood, I think we could do something like this: https://github.com/puppetlabs/puppet-runtime/pull/878/files#diff-73a9ffb9a7e1fd33926c952ab5c2592afcff624d71bb8b2f4a99dfac80ac6076R51-R57 but also address Cas' comment. This will run the gem clean rexml command and remove the older rexml version.
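As an added example, not code from the puppet-runtime repo: a POSIX shell check that parses gem list output (a constructed sample below, modelled on the "rexml (3.3.4, 3.3.2)" line reported above) and flags every gem with more than one installed version, so a build step can catch a leftover older copy before the multiple-version CI problems mentioned in the thread recur. The remediation command is only printed, never executed, and gem clean in the thread is the abbreviated form of gem cleanup.

```shell
#!/bin/sh
# Added example (not part of puppet-runtime): detect gems with more than
# one installed version in `gem list` output and print the cleanup command.

# Constructed sample of `gem list` output; not captured from a real build.
# The rexml line mirrors the EL-7 artifact discussed in the thread.
SAMPLE_GEM_LIST='*** LOCAL GEMS ***

json (2.7.2, default: 2.6.3)
rake (13.0.6)
rexml (3.3.4, 3.3.2)'

# Reads `gem list` text on stdin; prints "name versions" for each gem whose
# version list (the part in parentheses) holds more than one entry.
find_duplicate_gems() {
    awk '
        /^[A-Za-z0-9_.-]+ \(.*\)$/ {
            name = $1
            vers = $0
            sub(/^[^(]*\(/, "", vers)      # drop "name ("
            sub(/\)$/, "", vers)           # drop the trailing ")"
            n = split(vers, parts, /, */)  # "3.3.4, 3.3.2" -> 2 entries
            if (n > 1) print name, vers
        }'
}

# Returns 0 when the gem named in $1 has exactly one version in the
# `gem list` text on stdin, 1 when an older copy is still installed.
gem_has_single_version() {
    ! find_duplicate_gems | grep -q "^$1 "
}

# Remediation used in the thread: let RubyGems remove older versions of a
# gem. Printed rather than run so the example has no side effects.
cleanup_command_for() {
    printf 'gem cleanup %s\n' "$1"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_GEM_LIST" | find_duplicate_gems | while read -r name _; do
    echo "duplicate versions of $name; fix with: $(cleanup_command_for "$name")"
done
```

To check a real runtime, pipe /opt/puppetlabs/puppet/bin/gem list into find_duplicate_gems instead of the sample.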

mhashizume commented 3 months ago

I see that you've updated your PR, could you generate updated artifacts? I looked at the Vanagon generic builder and didn't see anything.

imaqsood commented 3 months ago

I see that you've updated your PR, could you generate updated artifacts? I looked at the Vanagon generic builder and didn't see anything.

I have this passing vanagon runtime build https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3207/console

donoghuc commented 2 months ago

This appears to have resulted in a new "required" configuration for all projects. I don't believe we should make requirements like that as it encourages even more copy paste here. I propose we add a default as I believe it should be a pretty stable command. https://github.com/puppetlabs/puppet-runtime/pull/910

In the future @imaqsood can you please check this view https://jenkins-platform.delivery.puppetlabs.net/view/puppet-runtime/ when you are making changes that affect everybody's runtimes to make sure there are not widespread failures?