redhat-developer / kam

GitOps Application Manager: An opinionated CLI that generates the Kubernetes resources for managing your Tekton-based CI manifests, ArgoCD-based CD manifests and Application manifests in Git.
Apache License 2.0

Fix CVE-2021-4238 #333

Closed drpaneas closed 10 months ago

drpaneas commented 1 year ago

Signed-off-by: Panagiotis Georgiadis pgeorgia@redhat.com

What type of PR is this? /kind enhancement

What does this PR do / why we need it:

```
./goguard cve https://github.com/redhat-developer/kam CVE-2021-4238
Direct dependency check: [SAFE] Vulnerable Package github.com/Masterminds/goutils is NOT found in go.mod file
Indirect Dependency check: [VULNERABLE] List of vulnerable packages:
 * Version:v1.1.0
   * Indirect Dependency: [VULNERABLE] package 'helm.sh/helm/v3@v3.1.0-rc.1.0.20201215141456-e71d38b414eb' imports 'github.com/Masterminds/goutils' with version 'v1.1.0' (is less than v1.1.1)
   * Indirect Dependency: [VULNERABLE] package 'github.com/Masterminds/sprig/v3@v3.2.0' imports 'github.com/Masterminds/goutils' with version 'v1.1.0' (is less than v1.1.1)
   * Indirect Dependency: [VULNERABLE] package 'github.com/google/trillian@v1.3.11' imports 'github.com/Masterminds/goutils' with version 'v1.1.0' (is less than v1.1.1)
```

Have you updated the necessary documentation?

Which issue(s) this PR fixes:

Fixes #?

How to test changes / Special notes to the reviewer:
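The goguard report above separates a direct requirement (the package named in go.mod) from modules that pull the vulnerable version in transitively. As an added illustration, not code from this PR or from goguard, the following Go program performs that same classification over a constructed `go mod graph` excerpt; the names `Check`, `lessThan` and `parts` are chosen here, and the edges in `sampleGraph` are constructed to mirror the report, not real output from the kam repository.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleGraph is a constructed excerpt in `go mod graph` format ("parent@ver child@ver");
// a parent without "@" is the main module, so that edge is a direct go.mod requirement.
const sampleGraph = `github.com/redhat-developer/kam helm.sh/helm/v3@v3.1.0-rc.1.0.20201215141456-e71d38b414eb
github.com/redhat-developer/kam github.com/Masterminds/sprig/v3@v3.2.0
github.com/redhat-developer/kam github.com/google/trillian@v1.3.11
helm.sh/helm/v3@v3.1.0-rc.1.0.20201215141456-e71d38b414eb github.com/Masterminds/goutils@v1.1.0
github.com/Masterminds/sprig/v3@v3.2.0 github.com/Masterminds/goutils@v1.1.0
github.com/google/trillian@v1.3.11 github.com/Masterminds/goutils@v1.1.0`

// parts extracts numeric MAJOR.MINOR.PATCH from "vX.Y.Z[-pre]"; trailing pre-release text is ignored.
func parts(v string) (out [3]int) {
	fmt.Sscanf(v, "v%d.%d.%d", &out[0], &out[1], &out[2])
	return out
}

// lessThan reports whether version a is strictly below b, comparing numeric components only.
func lessThan(a, b string) bool {
	pa, pb := parts(a), parts(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// Check walks every edge that points at pkg below the fixed version: direct is set when the
// main module requires it itself; importers lists the modules that pull it in indirectly.
func Check(graph, pkg, fixed string) (direct bool, importers []string) {
	for _, line := range strings.Split(strings.TrimSpace(graph), "\n") {
		parent, child, ok := strings.Cut(line, " ")
		path, ver, found := strings.Cut(child, "@")
		if !ok || !found || path != pkg || !lessThan(ver, fixed) {
			continue
		}
		if strings.Contains(parent, "@") {
			importers = append(importers, parent)
		} else {
			direct = true
		}
	}
	return direct, importers
}
```

Feeding it real `go mod graph` output from a checkout reproduces the direct/indirect split the report shows; a remediation then either bumps the intermediate modules or adds a `replace`/`require` for the fixed goutils version.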

openshift-ci[bot] commented 1 year ago

Hi @drpaneas. Thanks for your PR.

I'm waiting for a redhat-developer member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
openshift-ci[bot] commented 1 year ago

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Once this PR has been reviewed and has the lgtm label, please assign jannfis for approval by writing /assign @jannfis in a comment. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

- **[OWNERS](https://github.com/redhat-developer/kam/blob/master/OWNERS)**

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.
varshab1210 commented 1 year ago

/ok-to-test

drpaneas commented 1 year ago

/ok-to-test

drpaneas commented 1 year ago

/test unit

openshift-ci[bot] commented 1 year ago

@drpaneas: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/unit | 85149c4c81617ae2163f68dc46d0b8638f450f57 | link | true | /test unit |
| ci/prow/v4.10-integration-e2e | 85149c4c81617ae2163f68dc46d0b8638f450f57 | link | true | /test v4.10-integration-e2e |
| ci/prow/v4.9-integration-e2e | 85149c4c81617ae2163f68dc46d0b8638f450f57 | link | true | /test v4.9-integration-e2e |
| ci/prow/v4.8-integration-e2e | 85149c4c81617ae2163f68dc46d0b8638f450f57 | link | true | /test v4.8-integration-e2e |
| ci/prow/v4.12-integration-e2e | 85149c4c81617ae2163f68dc46d0b8638f450f57 | link | true | /test v4.12-integration-e2e |
| ci/prow/v4.13-integration-e2e | 85149c4c81617ae2163f68dc46d0b8638f450f57 | link | true | /test v4.13-integration-e2e |
| ci/prow/v4.11-integration-e2e | 85149c4c81617ae2163f68dc46d0b8638f450f57 | link | true | /test v4.11-integration-e2e |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).
openshift-merge-robot commented 1 year ago

PR needs rebase.

varshab1210 commented 10 months ago

Closing this, please feel free to reopen if required