
PWX-30765: Updating golang, aws and gcloud sdk to fix vulnerabilities. #1458

Merged
merged 5 commits into master from PWX-30765-Vul-scan-fix-23-7 on Jul 26, 2023

Conversation

pp511
Contributor

@pp511 pp511 commented Jul 24, 2023

What type of PR is this?

Improvement

What this PR does / why we need it:
Update golang, aws-iam-authenticator and google-cloud-sdk versions to address golang vulnerabilities.

Does this PR change a user-facing CRD or CLI?:
no

Is a release note needed?:
Fixed several vulnerabilities resulting from

Does this change need to be cherry-picked to a release branch?:
yes 23.7

Notes:

  • Changes will be tested as part of 23.7.0 System tests
  • There is some issue in our GitHub repo due to which the following error is observed when updating to any golang version > 1.19.1. To bypass this error, -buildvcs=false has been added.
    error obtaining VCS status: exit status 128
    Use -buildvcs=false to disable VCS stamping.

This is probably being caused by some issue with our GitHub repo, but I have not been able to figure this out yet.
Consequence of doing this change is that vcs information will not be embedded in the container image.

go version -m bin/stork
	build	-ldflags="-s -w -X github.com/libopenstorage/stork/pkg/version.Version=23.7.0-eb657dcdc"
	build	vcs=git
	build	vcs.revision=eb657dcdc5d17934b4f048b94d0080d1c7e5e266
	build	vcs.time=2023-07-20T08:48:30Z
	build	vcs.modified=true

However we are already passing the version info using ldflag so we should be good.

  • Another issue observed after updating to 1.19.10 was the following error during the Travis build:
    runtime/cgo: pthread_create failed: Operation not permitted
    SIGABRT: abort

It appears that the default seccomp rules are not allowing us to build, resulting in a crash. As a workaround, I have updated it to unconfined.
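The `go version -m` output in the description shows the two sources of provenance a Go binary carries: the Version string injected with `-ldflags -X`, and the toolchain's own vcs.* stamps, which `-buildvcs=false` drops. The following program is an added example, not code from stork or from this PR: it reads its own build info with runtime/debug and applies the checks a release gate would, namely a minimum toolchain version (the reason for the Go bump), a clean tree, and the short hash at the end of Version matching vcs.revision. The Version variable lives in main here rather than in pkg/version, the `<semver>-<short hash>` layout and the go1.19.10 floor are assumptions taken from the output shown, and the FromSettings/Check names are this example's own.

```go
package main

import (
	"fmt"
	"runtime/debug"
	"strconv"
	"strings"
)

// Version is injected at link time, as the page's build does with -ldflags
// "-X github.com/libopenstorage/stork/pkg/version.Version=...". Kept in main here (assumption).
var Version = "dev"

// Provenance is what a binary can say about its own origin.
type Provenance struct {
	GoVersion string // toolchain recorded by the linker, e.g. "go1.19.10"
	Version   string // -X value, "dev" when the flag was omitted
	Revision  string // vcs.revision; empty when built with -buildvcs=false
	Modified  bool   // vcs.modified; true for a tree with uncommitted changes
}

// FromSettings is kept apart from debug.ReadBuildInfo so it can run over constructed settings.
func FromSettings(goVersion, version string, settings []debug.BuildSetting) Provenance {
	p := Provenance{GoVersion: goVersion, Version: version}
	for _, s := range settings {
		switch s.Key {
		case "vcs.revision":
			p.Revision = s.Value
		case "vcs.modified":
			p.Modified = s.Value == "true"
		}
	}
	return p
}

// parseGo turns "go1.19.10" into [1 19 10] (missing patch level = 0);
// a non-release string such as "devel +abc123" yields ok=false.
func parseGo(v string) (parts [3]int, ok bool) {
	fields := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(fields) > 3 {
		return parts, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil {
			return parts, false
		}
		parts[i] = n
	}
	return parts, true
}

// olderThan reports whether release a is strictly older than release b.
func olderThan(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Check returns the findings a release gate would raise; minGo is the oldest
// toolchain whose standard library is considered patched.
func (p Provenance) Check(minGo string) []string {
	var findings []string
	have, okHave := parseGo(p.GoVersion)
	want, okWant := parseGo(minGo)
	switch {
	case !okHave || !okWant:
		findings = append(findings, fmt.Sprintf("cannot compare toolchain %q with %q", p.GoVersion, minGo))
	case olderThan(have, want):
		findings = append(findings, fmt.Sprintf("built with %s, older than required %s", p.GoVersion, minGo))
	}
	switch {
	case p.Revision == "":
		findings = append(findings, "no vcs.* stamps (-buildvcs=false): Version cannot be cross-checked against a commit")
	case p.Modified:
		findings = append(findings, "vcs.modified=true: built from a tree with uncommitted changes")
	}
	// The short hash after the last '-' in Version must prefix the recorded revision.
	if p.Revision != "" {
		short := p.Version[strings.LastIndex(p.Version, "-")+1:]
		if short == "" || !strings.HasPrefix(p.Revision, short) {
			findings = append(findings, fmt.Sprintf("Version %q does not match vcs.revision %s", p.Version, p.Revision))
		}
	}
	return findings
}

func main() {
	bi, ok := debug.ReadBuildInfo()
	if !ok {
		fmt.Println("no build info embedded in this binary")
		return
	}
	p := FromSettings(bi.GoVersion, Version, bi.Settings)
	fmt.Printf("%+v\n", p)
	for _, f := range p.Check("go1.19.10") { // toolchain the PR moves to
		fmt.Println("FINDING:", f)
	}
}
```

Build it twice, once as `go build -ldflags "-X main.Version=23.7.0-eb657dcdc"` and once with `-buildvcs=false` added, and compare the findings: without the stamps the Version-to-commit cross-check is impossible, which is exactly the information the workaround gives up, and a Version that was not injected at all shows up as a mismatch against the recorded revision.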
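The workaround for the pthread_create EPERM crash is `--security-opt seccomp=unconfined`, which removes the syscall filter from the build container altogether. The narrower fix is to find out which syscall the default profile rejects and allow that one in a custom profile. The program below is an added example, not stork's or Docker's code: it parses the Docker seccomp profile JSON format, reports for a syscall name whether it is allowed and, if not, which errno the caller sees (EPERM when a profile sets no defaultErrnoRet, which matches the "Operation not permitted" in the Travis log), and appends an allow rule. The embedded profile is constructed for the example and is not Docker's default; clone3 stands in for the rejected syscall because the PR does not identify it, and the type and function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"syscall"
)

// Profile is the subset of Docker's seccomp profile JSON (the file passed to
// docker run --security-opt seccomp=<file>) this checker needs; other fields are ignored.
type Profile struct {
	DefaultAction   string `json:"defaultAction"`
	DefaultErrnoRet *uint  `json:"defaultErrnoRet,omitempty"`
	Syscalls        []Rule `json:"syscalls"`
}

// Rule is one entry of the "syscalls" array.
type Rule struct {
	Names    []string `json:"names"`
	Action   string   `json:"action"`
	ErrnoRet *uint    `json:"errnoRet,omitempty"`
	Comment  string   `json:"comment,omitempty"`
}

// Verdict is what a thread inside the container observes for one syscall.
type Verdict struct {
	Action string        // e.g. SCMP_ACT_ALLOW or SCMP_ACT_ERRNO
	Errno  syscall.Errno // set only for SCMP_ACT_ERRNO
	Rule   int           // index of the matching rule, -1 for the default action
}

// Allowed is true when the syscall is passed through to the kernel.
func (v Verdict) Allowed() bool { return v.Action == "SCMP_ACT_ALLOW" }

// errnoFor applies the libseccomp convention that SCMP_ACT_ERRNO with no errnoRet returns EPERM.
func errnoFor(action string, ret *uint) syscall.Errno {
	if action != "SCMP_ACT_ERRNO" {
		return 0
	}
	if ret == nil {
		return syscall.EPERM
	}
	return syscall.Errno(*ret)
}

// Lookup resolves name against the profile. A syscall belongs in one unconditional rule;
// if it is listed in several, the first one wins here (libseccomp's merge rules are not modelled).
func (p *Profile) Lookup(name string) Verdict {
	for i, r := range p.Syscalls {
		for _, n := range r.Names {
			if n == name {
				return Verdict{Action: r.Action, Errno: errnoFor(r.Action, r.ErrnoRet), Rule: i}
			}
		}
	}
	return Verdict{Action: p.DefaultAction, Errno: errnoFor(p.DefaultAction, p.DefaultErrnoRet), Rule: -1}
}

// Allow appends an unconditional allow rule: the narrow fix to prefer over seccomp=unconfined.
func (p *Profile) Allow(comment string, names ...string) {
	p.Syscalls = append(p.Syscalls, Rule{Names: names, Action: "SCMP_ACT_ALLOW", Comment: comment})
}

// Load parses a profile from JSON.
func Load(data []byte) (*Profile, error) {
	var p Profile
	if err := json.Unmarshal(data, &p); err != nil {
		return nil, err
	}
	return &p, nil
}

// sampleProfile is a constructed, deliberately incomplete profile in Docker's format: it allows
// clone but not clone3 and sets no defaultErrnoRet, so unlisted syscalls fail with EPERM. Not Docker's real default.
const sampleProfile = `{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["clone", "futex", "mmap", "mprotect", "rt_sigprocmask", "set_robust_list"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO", "errnoRet": 38, "comment": "ENOSYS rather than EPERM"}
  ]
}`

func main() {
	p, err := Load([]byte(sampleProfile))
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"clone", "clone3", "ptrace"} {
		v := p.Lookup(name)
		fmt.Printf("%-7s %-14s errno=%d rule=%d\n", name, v.Action, int(v.Errno), v.Rule)
	}
	// clone3 stands in for whatever syscall the real profile rejected; the PR does not name it.
	if !p.Lookup("clone3").Allowed() {
		p.Allow("thread creation in newer libc (assumption)", "clone3")
		out, _ := json.MarshalIndent(p, "", "  ")
		fmt.Printf("patched profile for --security-opt seccomp=<file>:\n%s\n", out)
	}
}
```

To check a real profile, pass the file's bytes to Load instead of sampleProfile; fields this checker does not model (archMap, args, includes/excludes) are ignored by encoding/json, so a rule that Docker conditions on a capability is treated as unconditional here. The written-out profile goes to `docker run --security-opt seccomp=profile.json`, which keeps the filter in place for everything except the syscall the build actually needs.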

@cnbu-jenkins
Collaborator

Can one of the admins verify this patch?

Signed-off-by: Priyanshu Pandey <[email protected]>
Signed-off-by: Priyanshu Pandey <[email protected]>
@pp511 pp511 force-pushed the PWX-30765-Vul-scan-fix-23-7 branch from 61e1395 to bbe6a32 Compare July 25, 2023 21:47
@@ -15,7 +15,7 @@ RUN microdnf clean all && microdnf install -y python3.9 ca-certificates tar gzip
RUN python3 -m pip install awscli && python3 -m pip install oci-cli && python3 -m pip install rsa --upgrade


RUN curl -q -o /usr/local/bin/aws-iam-authenticator https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-07-26/bin/linux/amd64/aws-iam-authenticator && \
RUN curl -q -o /usr/local/bin/aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.5.9/aws-iam-authenticator_0.5.9_linux_amd64 && \
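Review bot: the replacement curl line installs a binary into /usr/local/bin with no integrity check and with flags that hide failures. `-q` only tells curl to skip .curlrc; it is not "quiet" and does not make HTTP errors fatal, so a 404 on the new github.com/kubernetes-sigs/aws-iam-authenticator release URL leaves an HTML error page at /usr/local/bin/aws-iam-authenticator while the RUN step succeeds. GitHub release assets are also served through a redirect, unlike the old S3 URL, so without `-L` the saved file should be checked to be the ELF binary rather than the redirect response. Suggested shape: `curl -fsSL -o /usr/local/bin/aws-iam-authenticator <url>` followed by `echo "<sha256>  /usr/local/bin/aws-iam-authenticator" | sha256sum -c -`, with the digest taken from a checksum published with the release and pinned in the Dockerfile, and the version held in one ARG instead of being repeated twice in the URL. A pinned digest also answers the 0.5.9 versus 0.6.10 question in this thread in a verifiable way: it documents which build the image ships, independent of what the scanner happened to flag.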
Contributor

Any particular reason we have taken 0.5.9 version when 0.6.10 is the latest release?

Contributor Author

This version was showing up as the default on the AWS website (https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html), and all vulnerability scans were getting addressed with it too.

@pp511 pp511 merged commit 3ea3d82 into master Jul 26, 2023
@pp511 pp511 deleted the PWX-30765-Vul-scan-fix-23-7 branch July 26, 2023 16:53
pp511 added a commit that referenced this pull request Jul 26, 2023
#1458)

* PWX-30765: Updating golang, aws and gcloud sdk to fix vulnerabilities.

Signed-off-by: Priyanshu Pandey <[email protected]>

* Updating travis golang version

Signed-off-by: Priyanshu Pandey <[email protected]>

* Using seccomp=unconfined during docker run

Signed-off-by: Priyanshu Pandey <[email protected]>

* Adding CGO_ENABLED=0 in test binary

Signed-off-by: Priyanshu Pandey <[email protected]>

---------

Signed-off-by: Priyanshu Pandey <[email protected]>
pp511 added a commit that referenced this pull request Jul 27, 2023
#1458) (#1465)

* PWX-30765: Updating golang, aws and gcloud sdk to fix vulnerabilities.

* Updating travis golang version

* Using seccomp=unconfined during docker run

* Adding CGO_ENABLED=0 in test binary

---------

Signed-off-by: Priyanshu Pandey <[email protected]>
lalat-das pushed a commit that referenced this pull request Aug 14, 2023
#1458)

* PWX-30765: Updating golang, aws and gcloud sdk to fix vulnerabilities.

Signed-off-by: Priyanshu Pandey <[email protected]>

* Updating travis golang version

Signed-off-by: Priyanshu Pandey <[email protected]>

* Using seccomp=unconfined during docker run

Signed-off-by: Priyanshu Pandey <[email protected]>

* Adding CGO_ENABLED=0 in test binary

Signed-off-by: Priyanshu Pandey <[email protected]>

---------

Signed-off-by: Priyanshu Pandey <[email protected]>
Labels: None yet
Projects: None yet
3 participants