Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updating logrus and net packages in go.mod #1495

Merged
merged 2 commits into from
Oct 18, 2023

Conversation

jbusche
Copy link
Contributor

@jbusche jbusche commented Oct 14, 2023

@anishasthana @tedhtchang @kevin85421 @z103cb

Note: I'm going to leave this in draft mode for now until I have been able to deploy it with CodeFlare and make sure that all works. A quick test, it looked good, but I'd like to do additional tests.

Why are these changes needed?

There are three CVE vulnerabilities that I think can be easily fixed with this PR

        severityCHML    cvss    riskFactors     cve     link    hasFix  status  packageType     packageName
        M       6.2     DoS - Low,Has fix,Medium severity       PRISMA-2023-0056        https://github.com/sirupsen/logrus/issues/1370  Y       fixed in v1.9.3 go      github.com/sirupsen/logrus
        M       0       Has fix,Medium severity,Recent vulnerability    CVE-2023-39325  https://nvd.nist.gov/vuln/detail/CVE-2023-39325 Y       fixed in 0.17.0 go      golang.org/x/net
        M       6.1     Attack complexity: low,Attack vector: network,Has fix,Medium severity,Recent vulnerability      CVE-2023-3978   https://nvd.nist.gov/vuln/detail/CVE-2023-3978  Y       fixed in 0.13.0 go      golang.org/x/net

I'm updating the logurs and net packages in go.mod so that Twistlock no longer flags them as a vulnerability.

Related issue number

Closes #1494

Checks

Well, I'm not certain this is the tests you mean, but I've done this

  1. make docker-build
    and it reports
Ran 57 of 57 Specs in 154.079 seconds
SUCCESS! -- 57 Passed | 0 Failed | 0 Pending | 0 Skipped

and later

Ran 4 of 4 Specs in 0.000 seconds
SUCCESS! -- 4 Passed | 0 Failed | 0 Pending | 0 Skipped
  1. I ran Twistlock against it, and the 3 vulnerabilities are gone
    Before: There were 8 total vulnerabilities: C:0|H:1|M:7|L:0|T:8
    After the PR: There are 5 total vulnerabilities left: C:0|H:1|M:4|L:0|T:5
  • I've made sure the tests are passing. (IN-PROGRESS....!)
  • Testing Strategy
    • Unit tests
    • Manual tests
    • This PR is not tested :(

@z103cb
Copy link
Contributor

z103cb commented Oct 16, 2023

This is looking good to me. It would be great if you could extend your scanning to the apiserver. I believe that there are some other vulnerabilities in that executable

@z103cb
Copy link
Contributor

z103cb commented Oct 16, 2023

@jbusche I think you need to do a go mod tidy after the update of the dependency in go.mod. The resulting go.sum file will need to be checked in.

@tedhtchang
Copy link
Contributor

tedhtchang commented Oct 17, 2023

@jbusche Can you also do go mod tidy under the apiserver/ folder ? And then also run make lint. It seems because apiserver/go.mod requires github.com/ray-project/kuberay/ray-operator

Signed-off-by: James Busche <[email protected]>
@jbusche
Copy link
Contributor Author

jbusche commented Oct 17, 2023

Hi @z103cb, I had done the go mod tidy on the ray-operator, but I didn't change anything in ../apiserver and didn't realize I also needed to run it there as well... thanks for the tip @tedhtchang! Let's see if it passes this time...

@kevin85421
Copy link
Member

Is this PR ready for review?

Copy link
Contributor

@z103cb z103cb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jbusche, this is looking good. I would flip this PR to ready for review.
LGTM

@kevin85421 kevin85421 marked this pull request as ready for review October 18, 2023 17:45
Copy link
Member

@kevin85421 kevin85421 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@kevin85421 kevin85421 merged commit 2793492 into ray-project:master Oct 18, 2023
20 checks passed
kevin85421 pushed a commit to kevin85421/kuberay that referenced this pull request Nov 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Bug] Update go.mod to address Fixable CVEs in KubeRay Operator
4 participants