@kycheng kycheng commented Apr 8, 2024

lifubang (Member) commented Apr 8, 2024

Thanks for your contribution! The first CVE issue seems unrelated, the second one is about HTML, and the third one is about http2; none of these are used by runc. We only use "golang.org/x/net/bpf" in runc.
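
One way to make the triage above mechanical, as an added example that is not runc's code or part of this PR: read vendor/modules.txt to see which golang.org/x/net packages are actually vendored, and compare against the package each finding concerns. The sample modules.txt and the CVE-to-package mapping are constructed assumptions (the mapping follows the thread: html, http2, and an unrelated first finding).

```python
"""Package-level reachability triage for scanner findings on golang.org/x/net.
Added example, not code from runc or this PR: vendor/modules.txt records which
packages of each module are actually vendored, so a CVE in a package that is
absent from it is never compiled into the binary (the false-positive case here).
"""
import re
from typing import Dict, Optional, Set

# Constructed sample of vendor/modules.txt (not runc's real file).
SAMPLE_MODULES_TXT = """\
# github.com/cilium/ebpf v0.7.0
## explicit; go 1.16
github.com/cilium/ebpf
# golang.org/x/net v0.22.0
## explicit; go 1.18
golang.org/x/net/bpf
"""

# Assumed CVE -> package mapping, following the thread: the second finding
# concerns x/net/html, the third x/net/http2, the first no x/net package.
CVE_PACKAGE: Dict[str, Optional[str]] = {
    "CVE-2023-4448": None,
    "CVE-2023-3978": "golang.org/x/net/html",
    "CVE-2023-39325": "golang.org/x/net/http2",
}

MODULE_HEADER = re.compile(r"^# (\S+) v\S+")  # "# module vX.Y.Z" section line


def vendored_packages(modules_txt: str) -> Dict[str, Set[str]]:
    """Map each module in vendor/modules.txt to the packages vendored from it."""
    out: Dict[str, Set[str]] = {}
    current = None
    for line in modules_txt.splitlines():
        m = MODULE_HEADER.match(line)
        if m:  # a new module section begins
            current = m.group(1)
            out.setdefault(current, set())
        elif current and line and not line.startswith("#"):
            out[current].add(line.strip())  # a vendored package import path
    return out


def triage(modules_txt: str, findings: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Return 'reachable', 'not-vendored' or 'not-x-net' for each finding."""
    xnet = vendored_packages(modules_txt).get("golang.org/x/net", set())
    return {cve: "not-x-net" if pkg is None
            else "reachable" if pkg in xnet else "not-vendored"
            for cve, pkg in findings.items()}
```

Absence from modules.txt rules a package out; presence only makes the finding a candidate, since a vendored package may still never call the vulnerable function.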

kycheng (Author) commented Apr 8, 2024

> Thanks for your contribution! The first CVE issue seems unrelated, the second one is about HTML, and the third one is about http2; none of these are used by runc. We only use "golang.org/x/net/bpf" in runc.

@lifubang It seems true. This report was output by me using trivy and may not be accurate.
At the same time, I saw that the net on main has been updated to v0.22.0. Does the release branch also need the same update?

AkihiroSuda (Member) left a comment

The change looks good, but please reword "fix" to something like "silence false positives" to avoid confusion

@kolyshkin kolyshkin changed the title chore: fix golang.org/x/net security vulnerability [1.1] chore: fix golang.org/x/net security vulnerability Apr 9, 2024
@kolyshkin kolyshkin added this to the 1.1.13 milestone Apr 9, 2024
@kycheng kycheng changed the title [1.1] chore: fix golang.org/x/net security vulnerability [1.1] chore: silencing security false positives caused by golang.org/x/net Apr 9, 2024
rata (Member) left a comment

I see runc main is using the versions you are updating to here, but I think we should update them to the latest, especially if we want to silence CVEs, as 0.22 is vulnerable to some CVEs.

I'd update to the latest here and do the same in runc main too.

Also @kycheng, can you comment on how you see a warning? Which tool are you using that throws a warning for this?

With the recent supply chain attacks, I've verified locally that running "make vendor" with the changes on go.mod produces the exact same things as this PR. It's not a matter of not trusting you, but just to be on the safe side of things :)

golang.org/x/net:v0.8.0 will introduce some security false positives:

- https://avd.aquasec.com/nvd/cve-2023-4448
- https://avd.aquasec.com/nvd/cve-2023-3978
- https://avd.aquasec.com/nvd/cve-2023-39325

Signed-off-by: kychen <kychen@alauda.io>
kycheng (Author) commented Apr 10, 2024

> I see runc main is using the versions you are updating to here, but I think we should update them to the latest, especially if we want to silence CVEs, as 0.22 is vulnerable to some CVEs.
>
> I'd update to the latest here and do the same in runc main too.
>
> Also @kycheng, can you comment on how you see a warning? Which tool are you using that throws a warning for this?

I'm using buildkit (the latest version of runc referenced by buildkit), and this issue was exposed when we scanned buildkit (using `trivy image ...`).


> With the recent supply chain attacks, I've verified locally that running "make vendor" with the changes on go.mod produces the exact same things as this PR. It's not a matter of not trusting you, but just to be on the safe side of things :)

In addition, the content of the vendor of this PR is indeed the same as that of make vendor. Sorry, I don't know what the process is. Do I need to remove the vendor changes and just update go.mod?

@rata

rata (Member) commented Apr 10, 2024

@kycheng Thanks!

> In addition, the content of the vendor of this PR is indeed the same as that of make vendor. Sorry, I don't know what the process is. Do I need to remove the vendor changes and just update go.mod?

No, it is perfect as it is. I was just letting maintainers know that there were indeed no hidden changes, as verifying that is needed to prevent some supply chain attacks. Nothing for you to change, just a sanity check :-)

kycheng (Author) commented Apr 11, 2024

The failure in the unit test seems to have nothing to do with my update. I spent some time understanding criu. Is the failure of the test related to the functions supported by the kernel?


I'm not quite sure how I can fix this unit test. @rata

rata (Member) commented Apr 11, 2024

You can just do `git commit --amend` without changing anything, then push again. That will change the commit hash, so tests will run again; hopefully the flaky test passes now :)

kycheng (Author) commented Apr 16, 2024

@rata @AkihiroSuda Are there any other issues with this PR that need to be fixed? Can you help me review it?

kolyshkin (Contributor) left a comment

lgtm

@kolyshkin kolyshkin merged commit b0691ca into opencontainers:release-1.1 Apr 17, 2024
@kolyshkin kolyshkin added backport/1.1-pr A backport PR to release-1.1 and removed backport/1.1-pr A backport PR to release-1.1 labels Apr 29, 2024
@kycheng kycheng deleted the chore/net-cve branch May 21, 2024 07:42
@lifubang lifubang mentioned this pull request Jun 10, 2024