Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update go version to 1.20.4 #2056

Merged
merged 1 commit into from
May 5, 2023

Conversation

RamakrishnanArun
Copy link
Contributor

What this PR does / why we need it:
This PR upgrades the Go version to 1.20.3 and go-restful to 3.10.2 which resolves a number of security vulnerabilities.

How does this change affect the cardinality of KSM: (increases, decreases or does not change cardinality) Does not change

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #2054

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels May 1, 2023
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label May 1, 2023
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If kube-state-metrics contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label May 1, 2023
@RamakrishnanArun
Copy link
Contributor Author

I've run the Twistlock tool against this and the report shows no vulnerabilities.

@RamakrishnanArun RamakrishnanArun marked this pull request as ready for review May 1, 2023 17:05
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 1, 2023
@mrueg
Copy link
Member

mrueg commented May 1, 2023

I'm fine with the go 1.20.3 bump, I would like to see go-restful merged in kubernetes/kubernetes#115067 (in particular because of kubernetes/kubernetes#115067 (comment) ) before we include this here.

go.mod Outdated Show resolved Hide resolved
go.sum Outdated Show resolved Hide resolved
@liam-verta
Copy link

@RamakrishnanArun
Perhaps you could update the PR to remove (per the suggestions) to only update Go version?

It would be better to get this merged and a new release out.

@RamakrishnanArun
Copy link
Contributor Author

@liam-verta Thanks for your input. I think I misunderstood @mrueg 's comment. I understood it as a required change but only merged after the linked change in kubernetes/kubernetes#115067 merged first.

So the reason for adding the change in both was that I got security vulnerabilities in both the go version and the version of go-restful that I am indirectly using with this project. That's why I wanted to add both updates.

Should I split them into 2 different PRs? One for the Go version and then one for the Go-Restful version?

Copy link
Member

@mrueg mrueg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For go-restful, I would suggest to reach out on kubernetes/kubernetes#115067
I doubt this is actually exploitable here though.
We use https://go.dev/security/vuln/ govulncheck here, which checks the affected codepaths.
Most of the other scanners use a noisy approach of simply checking go.mod files, which is unreliable.

Makefile Outdated Show resolved Hide resolved
go.mod Outdated Show resolved Hide resolved
@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels May 4, 2023
@RamakrishnanArun
Copy link
Contributor Author

Thank you @liam-verta @mrueg for your review and inputs!

@mrueg
Copy link
Member

mrueg commented May 4, 2023

One last request, since this change has become a single line now. Can you rebase everything into a single commit?

@RamakrishnanArun RamakrishnanArun changed the title Update go and go-restful versions Update go version to 1.20.4 May 5, 2023
@RamakrishnanArun
Copy link
Contributor Author

@mrueg done! Single commit now.

@mrueg
Copy link
Member

mrueg commented May 5, 2023

/lgtm

Thanks!

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 5, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mrueg, RamakrishnanArun

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 5, 2023
@RamakrishnanArun
Copy link
Contributor Author

When do you think the next release would be done?

@k8s-ci-robot k8s-ci-robot merged commit eb45f33 into kubernetes:main May 5, 2023
@RamakrishnanArun RamakrishnanArun deleted the cvefix/1.20.3 branch May 5, 2023 15:34
@liam-verta
Copy link

@mrueg
When do you think the next release would be done? This addresses reported CVE in dependencies so it would be good to cut a new image.

@rexagod rexagod mentioned this pull request May 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

publicly reported security vulnerabilities
4 participants