Fix GO-2024-2659

[skonto]

Fixes #

Proposed Changes

• CVE Fix for GO-2024-2659
• See output here
• Maybe we should fail builds when the Golang vulnerability scanner reports a failure?

[skonto]

/cherry-pick release-1.15
/cherry-pick release-1.14

[knative-prow-robot]

@skonto: once the present PR merges, I will cherry-pick it on top of release-1.15 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.15
/cherry-pick release-1.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 84.49%. Comparing base (1a1eb10) to head (3fe51d4).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #15547      +/-   ##
==========================================
+ Coverage   84.44%   84.49%   +0.05%     
==========================================
  Files         219      219              
  Lines       13608    13608              
==========================================
+ Hits        11491    11498       +7     
+ Misses       1744     1740       -4     
+ Partials      373      370       -3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[skonto]

@dprotaso hi, could you take a look at the License Compliance failure (I have no access)? I guess false alarm?

[ReToCode]

/lgtm
/approve

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ReToCode, skonto

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ReToCode,skonto]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[skonto]

/test ?

[knative-prow]

@skonto: The following commands are available to trigger required jobs:

• /test build-tests
• /test contour-latest
• /test contour-tls
• /test gateway-api-latest
• /test istio-latest-no-mesh
• /test istio-latest-no-mesh-tls
• /test kourier-stable
• /test kourier-stable-tls
• /test unit-tests
• /test upgrade-tests

The following commands are available to trigger optional jobs:

• /test gateway-api-latest-and-contour
• /test https
• /test istio-latest-mesh
• /test istio-latest-mesh-short
• /test istio-latest-mesh-tls
• /test performance-tests

Use /test all to run the following jobs that were automatically triggered:

• build-tests_serving_main
• istio-latest-no-mesh-tls_serving_main
• istio-latest-no-mesh_serving_main
• unit-tests_serving_main
• upgrade-tests_serving_main

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[knative-prow-robot]

@skonto: new pull request created: #15548

In response to this:

/cherry-pick release-1.15
/cherry-pick release-1.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[skonto]

/cherry-pick release-1.14

[knative-prow-robot]

@skonto: new pull request created: #15549

In response to this:

/cherry-pick release-1.15
/cherry-pick release-1.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[knative-prow-robot]

@skonto: new pull request could not be created: failed to create pull request against knative/serving#release-1.14 from head knative-prow-robot:cherry-pick-15547-to-release-1.14: status code 422 not one of [201], body: {"message":"Validation Failed","errors":[{"resource":"PullRequest","code":"custom","message":"A pull request already exists for knative-prow-robot:cherry-pick-15547-to-release-1.14."}],"documentation_url":"https://docs.github.com/rest/pulls/pulls#create-a-pull-request","status":"422"}

In response to this:

/cherry-pick release-1.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[dsimansk]

Closing the loop here: FOSSA license scanner was complaining about GPL license being present. It was transitively recognized in github.com/docker/docker pointing to spdx/tools-golang library. The issue is that the repository declares 2 licenses in the same file, being Apache 2.0 and GPL. By the comment on the specific file, it's usable by any of those two. Hence for our need Aparche 2.0 it's. I've added explanation to FOSSA Dashboard for this spefic library and case, it's going to be ignored in the future.

https://github.com/spdx/tools-golang/blob/v0.5.3/LICENSE.code

[dprotaso]

FWIW - I don't think this CVE affects us.

https://pkg.go.dev/vuln/GO-2024-2659

dockerd forwards DNS requests to the host loopback device

We only use the docker/docker dependency indirectly for container tag to digest resolution