bump go to 1.22.6 - Githubissues

vmware / terraform-provider-avi

Terraform AVI Networks provider

https://registry.terraform.io/providers/vmware/avi/latest/docs

Mozilla Public License 2.0

31 stars 32 forks source link

bump go to 1.22.6 #610

Closed BergCyrill closed 1 month ago

BergCyrill commented 2 months ago

Due to unfixed CVEs in go <1.22.4 bump the used go version to build the provider to 1.22.6

The CVE (CVE-2024-24790) scores a 9.8 in the national vulnerability database.

vmwclabot commented 2 months ago

@BergCyrill, you must sign every commit in this pull request acknowledging our Developer Certificate of Origin before your changes are merged. This can be done by adding Signed-off-by: John Doe <john.doe@email.org> to the last line of each Git commit message. The e-mail address used to sign must match the e-mail address of the Git author. Click here to view the Developer Certificate of Origin agreement.

Commit d226ff01f6a340d4111d9eba0c4e423559278955 must be signed by Cyrill.Berg@bwi.de

BergCyrill commented 2 months ago

All commits are signed & signoff was made according to the dco. I don't unterstand why the vmwclabot doesn't recognize this, I think it is a false behaviour.

vmwclabot commented 2 months ago

@BergCyrill, you must sign every commit in this pull request acknowledging our Developer Certificate of Origin before your changes are merged. This can be done by adding Signed-off-by: John Doe <john.doe@email.org> to the last line of each Git commit message. The e-mail address used to sign must match the e-mail address of the Git author. Click here to view the Developer Certificate of Origin agreement.

Commit afe29cdf292fe29465980f677608e63f8784c02a must be signed by Cyrill.Berg@bwi.de

vmwclabot commented 2 months ago

@BergCyrill, you must sign every commit in this pull request acknowledging our Developer Certificate of Origin before your changes are merged. This can be done by adding Signed-off-by: John Doe <john.doe@email.org> to the last line of each Git commit message. The e-mail address used to sign must match the e-mail address of the Git author. Click here to view the Developer Certificate of Origin agreement.

Commit b83c418e76d0d9ba0748097ce58970f93bb3b124 must be signed by Cyrill.Berg@bwi.de

BergCyrill commented 2 months ago

Ok tried to fix the dco-required label-issue. Worked for me on the terraform-provider-nsxt github project but not here.

vmwclabot commented 2 months ago

@BergCyrill, you must sign every commit in this pull request acknowledging our Developer Certificate of Origin before your changes are merged. This can be done by adding Signed-off-by: John Doe <john.doe@email.org> to the last line of each Git commit message. The e-mail address used to sign must match the e-mail address of the Git author. Click here to view the Developer Certificate of Origin agreement.

Commit b83c418e76d0d9ba0748097ce58970f93bb3b124 must be signed by Cyrill.Berg@bwi.de

vmwclabot commented 2 months ago

@BergCyrill, you must sign every commit in this pull request acknowledging our Developer Certificate of Origin before your changes are merged. This can be done by adding Signed-off-by: John Doe <john.doe@email.org> to the last line of each Git commit message. The e-mail address used to sign must match the e-mail address of the Git author. Click here to view the Developer Certificate of Origin agreement.

Commit f9305564d2cc69d041add802de4a23bb55c69daf must be signed by Cyrill.Berg@bwi.de

BergCyrill commented 2 months ago

Linting should now work with selected go toolchain version. The clabot still behaves weird.

BergCyrill commented 1 month ago

Is there anything that prevents this PR from being merged? The provider is currently unusable for me since it will not pass vulnerability checks.

tenthirtyam commented 1 month ago

The DCO issue is related to the author mismatch in f9305564d2cc69d041add802de4a23bb55c69daf where Cyrill.Berg@bwi.de is using instead of cyrill.berg@bwi.de.

commit dc48680d554cde221465f7baab18c728697947f7 (HEAD -> bump-go-1.22.6, origin/bump-go-1.22.6)
Author: Cyrill Berg <cyrill.berg@bwi.de>
Date:   Tue Aug 27 20:44:16 2024 +0200

    build: seperate toolchain version definition

    Signed-off-by: Cyrill Berg <cyrill.berg@bwi.de>

commit 819aea41da34d5709f5f0aa5dc1d8675f44306ac
Author: Cyrill Berg <cyrill.berg@bwi.de>
Date:   Tue Aug 27 20:40:43 2024 +0200

    ci: bump used golangci lint to supported version

    Signed-off-by: Cyrill Berg <cyrill.berg@bwi.de>

commit f9305564d2cc69d041add802de4a23bb55c69daf
Author: Cyrill Berg <Cyrill.Berg@bwi.de>
Date:   Tue Aug 20 08:56:59 2024 +0200

    bump go to 1.22.6

    Signed-off-by: Cyrill Berg <cyrill.berg@bwi.de>

Try:

git checkout f9305564d2cc69d041add802de4a23bb55c69daf

git commit --amend --author="Cyrill Berg <cyrill.berg@bwi.de>"

git push --force

BergCyrill commented 1 month ago

Thank you, I have totally overlooked this little detail in the commit author field. Should be better now.

tenthirtyam commented 1 month ago

Thank you, I have totally overlooked this little detail in the commit author field. Should be better now.

Looks good!

BergCyrill commented 1 month ago

@tenthirtyam is there anything I could do to get this PR merged and released?

BergCyrill commented 1 month ago

Anyone who can give an update on this? It gives a bad feeling if high severity CVE are not fixed for such a long time even when someone tries to contribute. I'm willing to help just give me a hint what is missing?!

tenthirtyam commented 1 month ago

I'll ping the PM tomorrow.

tenthirtyam commented 1 month ago

PMs have been informed.

parimanur commented 1 month ago

@BergCyrill We are looking into the PR, We will review and proceed with fixing the CVE.