tigera / operator

Kubernetes operator for installing Calico and Calico Enterprise
Apache License 2.0

Request to upgrade Go packages to fix a vulnerability #3446

Open kirthiprakash opened 1 month ago

kirthiprakash commented 1 month ago

We appreciate the value this tool brings to our production environment. However, our vulnerability scans have identified a vulnerability in the package github.com/emicklei/go-restful, an indirect dependency of this project. Could this be addressed?

Vulnerability details

+------------------+----------+------+-----------------------------------+---------+------------------+-----------+------------+------------+----------------------------------------------------+-------------------+
|       CVE        | SEVERITY | CVSS |              PACKAGE              | VERSION |      STATUS      | PUBLISHED | DISCOVERED | GRACE DAYS |                    DESCRIPTION                     | TRIGGERED FAILURE |
+------------------+----------+------+-----------------------------------+---------+------------------+-----------+------------+------------+----------------------------------------------------+-------------------+
| PRISMA-2022-0227 | high     | 7.50 | github.com/emicklei/go-restful/v3 | v3.9.0  | fixed in v3.10.0 | > 2 years | < 1 hour   | -629       | github.com/emicklei/go-restful/v3 module prior     | Yes               |
|                  |          |      |                                   |         | > 1 years ago    |           |            |            | to v3.10.0 is vulnerable to Authentication Bypass  |                   |
|                  |          |      |                                   |         |                  |           |            |            | by Primary Weakness. There is an inconsistency in  |                   |
|                  |          |      |                                   |         |                  |           |            |            | how...                                             |                   |
+------------------+----------+------+-----------------------------------+---------+------------------+-----------+------------+------------+----------------------------------------------------+-------------------+

Possible Solution

go mod why shows that multiple packages depend on the go-restful package. In my local experiments, upgrading the github.com/elastic/cloud-on-k8s package bumps go-restful to >v3.10.0, which includes the fix for the vulnerability.

tmjd commented 1 month ago

Since you've already locally done the needed package update, would you want to submit a PR with the updates?

kirthiprakash commented 1 month ago

I'd be happy to submit a PR, but it looks like my experiment was incomplete. I had only checked the package versions without validating if it would work. Today, I tried running it locally and encountered compatibility issues:

go test controllers/*.go
# github.com/tigera/operator/pkg/render
pkg/render/logstorage.go:318:15: cannot use corev1.ResourceRequirements{…} (value of type "k8s.io/api/core/v1".ResourceRequirements) as "k8s.io/api/core/v1".VolumeResourceRequirements value in struct literal
pkg/render/logstorage.go:330:32: cannot use overridePvcRequirements(pvcTemplate.Spec.Resources, userOverrides) (value of type "k8s.io/api/core/v1".ResourceRequirements) as "k8s.io/api/core/v1".VolumeResourceRequirements value in assignment
pkg/render/logstorage.go:330:56: cannot use pvcTemplate.Spec.Resources (variable of type "k8s.io/api/core/v1".VolumeResourceRequirements) as "k8s.io/api/core/v1".ResourceRequirements value in argument to overridePvcRequirements
FAIL    command-line-arguments [build failed]
FAIL

I will look into this and see if I can make the version changes without affecting compatibility.
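The scan above reports go-restful v3.9.0 against a fix in v3.10.0; the Go program below is an added example (not code from the tigera/operator project) that performs that "resolved version older than fixed-in version" check over `go list -m all` output, so the result can be re-verified after a dependency bump instead of trusting the scanner alone. The module list and the `fixedIn` map are constructed sample input; `parse`, `VersionLess` and `VulnerableModules` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go list -m all` output (not the project's real list);
// the go-restful line carries the version the scan in this issue reported.
const sampleModList = `github.com/tigera/operator
github.com/elastic/cloud-on-k8s/v2 v2.6.0
github.com/emicklei/go-restful/v3 v3.9.0
k8s.io/api v0.26.3
`

// parse reads the numeric major.minor.patch of a Go module version; trailing
// pre-release or build suffixes ("-rc1", "+incompatible") are ignored.
func parse(v string) (out [3]int, ok bool) {
	n, _ := fmt.Sscanf(v, "v%d.%d.%d", &out[0], &out[1], &out[2])
	return out, n == 3
}

// VersionLess reports whether version a sorts before b; anything unparseable
// is treated as not-less so the check never produces a false hit.
func VersionLess(a, b string) bool {
	x, okA := parse(a)
	y, okB := parse(b)
	for i := 0; okA && okB && i < 3; i++ {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// VulnerableModules returns every module from fixedIn whose resolved version in
// the `go list -m all` output is older than the version the fix landed in.
func VulnerableModules(modList string, fixedIn map[string]string) map[string]string {
	found := map[string]string{}
	for _, line := range strings.Split(modList, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 {
			continue // main module (or blank line) has no version column
		}
		if fix, ok := fixedIn[f[0]]; ok && VersionLess(f[1], fix) {
			found[f[0]] = f[1]
		}
	}
	return found
}
```

Feed it the real output of `go list -m all` from the module root; an empty result for the go-restful entry means the resolved version is at or above v3.10.0.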