Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

extend go.mod replace rules to workaround present CVEs #2211

Closed
wants to merge 1 commit into from
Closed

extend go.mod replace rules to workaround present CVEs #2211

wants to merge 1 commit into from

Conversation

RafalSkolasinski
Copy link
Contributor

Addressed CVEs

Introduced change have effect on go.sum:

  • removing it and creating again render offended deps not present

Note: this does not seem to affect output of "go mod graph" command

@RafalSkolasinski
extend go.mod replace rules to workaround present CVEs
31fb780 
Addressed CVEs
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0210
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8559
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14040

Introduced change have effect on go.sum:
- removing it and creating again render offended deps not present

Note: this does not seem to affect output of "go mod graph" command
@RafalSkolasinski
Copy link
Contributor Author

/test integration
/test notebooks

@seldondev
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign rafalskolasinski
You can assign the PR to them by writing /assign @rafalskolasinski in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@seldondev
Copy link
Collaborator

Wed Jul 29 09:44:54 UTC 2020
The logs for [lint] [2] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2211/2.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2211 --build=2

@seldondev
Copy link
Collaborator

Wed Jul 29 09:45:00 UTC 2020
The logs for [pr-build] [1] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2211/1.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2211 --build=1

@seldondev
Copy link
Collaborator

Wed Jul 29 09:45:10 UTC 2020
The logs for [integration] [4] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2211/4.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2211 --build=4

@seldondev
Copy link
Collaborator

Wed Jul 29 09:45:13 UTC 2020
The logs for [notebooks] [3] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2211/3.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2211 --build=3

@axsaucedo
Copy link
Contributor

Seems the only one to fail was one of the flaky tests, namely test-label-update-1-0-2
/test integration

@seldondev
Copy link
Collaborator

Wed Jul 29 11:44:34 UTC 2020
The logs for [integration] [5] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2211/5.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2211 --build=5

@RafalSkolasinski
Copy link
Contributor Author

Now it failed on test_label_update[1.1.0] so same test but different entry.

@RafalSkolasinski
Copy link
Contributor Author

/test integration

@seldondev
Copy link
Collaborator

Wed Jul 29 13:37:58 UTC 2020
The logs for [integration] [6] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2211/6.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2211 --build=6

@RafalSkolasinski
Copy link
Contributor Author

@axsaucedo It seems it was just flakiness

@RafalSkolasinski
Copy link
Contributor Author

/hold

@axsaucedo
Copy link
Contributor

/hold

@mrowebot
Copy link

Does this PR also update the licenses as the dependency tree is now different? Or is that out-of-scope, and we can assume that the licenses cover what we need here?

@RafalSkolasinski RafalSkolasinski mentioned this pull request Jul 31, 2020
Closed
@axsaucedo
Copy link
Contributor

Closing as discussed, this will be addressed by updating to kubernetes 1.18 and by reaching out to each respective project. For the meantime this is a viable workaround to override these current libraries

@axsaucedo axsaucedo closed this Aug 4, 2020
@axsaucedo axsaucedo mentioned this pull request Aug 14, 2020
Closed
This was referenced Aug 17, 2020
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@glindsell glindsell Awaiting requested review from glindsell

@axsaucedo axsaucedo Awaiting requested review from axsaucedo

Assignees
No one assigned
Labels
do-not-merge/hold size/M
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@RafalSkolasinski @seldondev @axsaucedo @mrowebot