
Moby CVEs trivyignore #10438

Merged: 15 commits, Dec 23, 2024

Conversation

bewebi

@bewebi bewebi commented Dec 4, 2024

Description

  • Add two CVEs for vulnerabilities in moby/moby

Context

See justification here

Notes for reviewers

This is marked as "work in progress" until consensus is reached on this path forward.

Checklist:


github-actions bot commented Dec 4, 2024

Visit the preview URL for this PR (updated for commit 1c7f3aa):

https://gloo-edge--pr10438-bewebi-moby-trivyign-etuaq3gs.web.app

(expires Thu, 19 Dec 2024 16:34:41 GMT)


@danehans

danehans commented Dec 5, 2024

The Kubernetes Tests / End-to-End (cluster-six) (pull_request) job is failing due to #10397. I'll rekick the job. If the failure persists, please rebase.

.trivyignore Outdated
# removed from all LTS branches
CVE-2024-36621
CVE-2024-36623
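Review bot: the two entries CVE-2024-36621 and CVE-2024-36623 carry only the comment `# removed from all LTS branches`, which does not record why the findings are judged not to affect this project or when the suppression should be revisited; since the PR description points to a separate justification, suggest putting that link (or a one-line summary of it) beside the entries so the ignore stays auditable, e.g. `# CVE-2024-36621: not reachable here, see <justification link>` with `<justification link>` replaced by the reference the description cites.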

nit: should this file end with a new line?

issueLink: https://github.com/solo-io/solo-projects/issues/7358
- type: NON_USER_FACING
description: This also resolves the issue for 1.14
issueLink: https://github.com/solo-io/solo-projects/issues/7359

nit: should this file end with a new line?

@bewebi
Author

bewebi commented Dec 5, 2024

I'm investigating the alternative solution proposed by @sam-heilbron here which may eliminate the need for this PR

@sam-heilbron

@bewebi are we safe to close this?

@bewebi
Author

bewebi commented Dec 10, 2024

We ran into complications backporting the EE CVE fix to 1.16 and, while that PR (solo-io/solo-projects#7396) is now passing CI, it required some dep bumps which may cause issues in 1.15 and 1.14 (e.g. bumping Go to 1.22).

Therefore I'd advocate to leave this open until those backports are done and we know there is no need for this.
On the other hand, if we close this PR and later discover a need, we can always reopen it.

.trivyignore Outdated
# These are not expected to impact us and are difficult to resolve due to breaking API changes that impact our
# code
# While this has been resolved on v1.16+, backporting it to lower versions is complicated and we opted to skip it

should it be resolved in 1.17+ since we are reverting the fix in EE 1.16?

Author


yup

@bewebi bewebi enabled auto-merge (squash) December 23, 2024 20:18
@bewebi
Author

bewebi commented Dec 23, 2024

/kick

@bewebi bewebi merged commit f82e330 into main Dec 23, 2024
19 checks passed
@bewebi bewebi deleted the bewebi/moby-trivyignore branch December 23, 2024 21:08