Nothing Special   »   [go: up one dir, main page]

Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[1.1] chore: silencing security false positives caused by golang.org/x/net #4244

Merged
merged 1 commit into from
Apr 17, 2024

Conversation

kycheng
Copy link
@kycheng kycheng commented Apr 8, 2024

@lifubang
Copy link
Member
lifubang commented Apr 8, 2024

Thanks for your contribution! The first cve issue seems not related, the second one is about HTML, and the third one is about http2, all of this are not used by runc. We only use "golang.org/x/net/bpf" in runc.

@kycheng
Copy link
Author
kycheng commented Apr 8, 2024

Thanks for your contribution! The first cve issue seems not related, the second one is about HTML, and the third one is about http2, all of this are not used by runc. We only use "golang.org/x/net/bpf" in runc.

@lifubang It seems true. This report was output by me using trivy and may not be accurate.
At the same time, I saw that the net on main has been updated to v0.22.0. Does the release branch also need the same update?

Copy link
Member
@AkihiroSuda AkihiroSuda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change looks good, but please reword "fix" to something like "silence false positives" to avoid confusion

@kolyshkin kolyshkin changed the title chore: fix golang.org/x/net security vulnerability [1.1] chore: fix golang.org/x/net security vulnerability Apr 9, 2024
@kolyshkin kolyshkin added this to the 1.1.13 milestone Apr 9, 2024
@kycheng kycheng changed the title [1.1] chore: fix golang.org/x/net security vulnerability [1.1] chore: silencing security false positives caused by golang.org/x/net Apr 9, 2024
Copy link
Member
@rata rata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see runc main is using the versions you are updating to here, but I think we should update them to the latest, specially if we want to silence CVEs as 0.22 is vulnerable to some CVEs.

I'd update to the latest here and do the same in runc main too.

Also @kycheng can you comment how do you see a warning? Which tool are you using that throws a warning for this?

With the recent supply chain attacks, I've verified locally that running "make vendor" with the changes on go.mod produces the exact same things as this PR. It's not a matter of not trusting you, but just to be on the safe side of things :)

go.mod Outdated Show resolved Hide resolved
go.mod Outdated Show resolved Hide resolved
golang.org/x/net:v0.8.0 will introduce some security false positives:

- https://avd.aquasec.com/nvd/cve-2023-4448
- https://avd.aquasec.com/nvd/cve-2023-3978
- https://avd.aquasec.com/nvd/cve-2023-39325

Signed-off-by: kychen <kychen@alauda.io>
@kycheng
Copy link
Author
kycheng commented Apr 10, 2024

I see runc main is using the versions you are updating to here, but I think we should update them to the latest, specially if we want to silence CVEs as 0.22 is vulnerable to some CVEs.

I'd update to the latest here and do the same in runc main too.

Also @kycheng can you comment how do you see a warning? Which tool are you using that throws a warning for this?

I'm using buildkit, the latest version of runc referenced by buildkit, and this issue was exposed when we scanned the buildkit(use trivy image ....).

image

With the recent supply chain attacks, I've verified locally that running "make vendor" with the changes on go.mod produces the exact same things as this PR. It's not a matter of not trusting you, but just to be on the safe side of things :)

In addition, the content of the vendor of this PR is indeed the same as that of make vendor. Sorry, I don't know what the process is. Do I need to remove the vendor changes and just update go.mod?

@rata

@rata
Copy link
Member
rata commented Apr 10, 2024

@kycheng Thanks!

In addition, the content of the vendor of this PR is indeed the same as that of make vendor. Sorry, I don't know what the process is. Do I need to remove the vendor changes and just update go.mod?

No, as it is is perfect. I was just letting maintainers know that there were indeed no hidden changes, as verifying that is needed to prevent some supply chain attacks. Nothing for you to change, just a sanity check :-)

@kycheng
Copy link
Author
kycheng commented Apr 11, 2024

The failure in the unit test seems to have nothing to do with my update. I spent some time understanding criu. Is the failure of the test related to the functions supported by the kernel?

image

I'm not quite sure how I can fix this unit test. @rata

@rata
Copy link
Member
rata commented Apr 11, 2024

You can just do git commit --amend and don't change anything, then push again. That will change the commit hash, so tests will run again, hopefully the flaky test passes now :)

@kycheng
Copy link
Author
kycheng commented Apr 16, 2024

@rata @AkihiroSuda Are there any other issues with this PR that need to be fixed? Can you help me review it?

Copy link
Contributor
@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@kolyshkin kolyshkin merged commit b0691ca into opencontainers:release-1.1 Apr 17, 2024
29 checks passed
@kolyshkin kolyshkin added backport/1.1-pr A backport PR to release-1.1 and removed backport/1.1-pr A backport PR to release-1.1 labels Apr 29, 2024
@kycheng kycheng deleted the chore/net-cve branch May 21, 2024 07:42
@lifubang lifubang mentioned this pull request Jun 10, 2024
aepifanov added a commit to aepifanov/runc that referenced this pull request Jul 11, 2024
v1.1.13 -- "There is no certainty in the world. This is the only certainty I have."

This is the thirteenth patch release in the 1.1.z release branch of runc. It
brings in Go 1.12.x compatibility and fixes a few issues, including an
occasional wrong nofile rlimit in runc exec, and a race between runc list and
runc delete.

NOTE that if using Go 1.22.x to build runc, make sure to use 1.22.4 or a later version.
For more details, see issue opencontainers#4233.

 * Support go 1.22.4+. (opencontainers#4313)
 * runc list: fix race with runc delete. (opencontainers#4231)
 * Fix set nofile rlimit error. (opencontainers#4277, opencontainers#4299)
 * libct/cg/fs: fix setting rt_period vs rt_runtime. (opencontainers#4284)
 * Fix a debug msg for user ns in nsexec. (opencontainers#4315)
 * script/*: fix gpg usage wrt keyboxd. (opencontainers#4316)
 * CI fixes and misc backports. (opencontainers#4241)
 * Fix codespell warnings. (opencontainers#4300)
 * Silence security false positives from golang/net. (opencontainers#4244)
 * libcontainer: allow containers to make apps think fips is enabled/disabled for testing. (opencontainers#4257)
 * allow overriding VERSION value in Makefile. (opencontainers#4270)
 * Vagrantfile.fedora: bump Fedora to 39. (opencontainers#4261)
 * ci/cirrus: rm centos stream 8. (opencontainers#4305, opencontainers#4308)

Thanks to all of the contributors who made this release possible:

 * Akhil Mohan <akhilerm@gmail.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Sohan Kunkerkar <sohank2602@gmail.com>
 * TTFISH <jiongchiyu@gmail.com>
 * kychen <kychen@alauda.io>
 * lifubang <lifubang@acmcoder.com>
 * ls-ggg <335814617@qq.com>

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCAAdFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmZrFGYACgkQF95ey3Wh
# EA7DPwf9HVwO0EO3s7OuJPBCmZBp92L6AMDBmkpnE14Pi1c4DVcWtlrBna2CNnUJ
# 4Hu8rgEtT80Y8L3GBf96Wo3C1DHR6lG6dyu6FjHozWu97WfrTtw92I/254dQZnsr
# i7m+5C6Tluewr9pH6ageRI0rRYt4QPpyRihMkiZQHl44Z5ogRGJvCCkjk9nIDlxi
# ok2U5aPIw4NWPwnMg3wC6CmcviaM81kyuWh2Twc1OPwRilCPQXWblcUgqujg5tOr
# C3Z6AwiIedpMt6Nr0jdWZh9Rh0ffuOXBEiUO/K8vYqE/eDvqJd42c8ALi1HOONoU
# ZwrNWNU3o2pIQ4qz0Fs4vauK4wSs1A==
# =IFN9
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu Jun 13 08:46:46 2024 PDT
# gpg:                using RSA key C2428CD75720FACDCF76B6EA17DE5ECB75A1100E
# gpg: Can't check signature: No public key

# Conflicts:
#	CHANGELOG.md
#	VERSION
#	go.mod
#	go.sum
#	vendor/golang.org/x/sys/unix/mmap_nomremap.go
#	vendor/golang.org/x/sys/windows/syscall_windows.go
#	vendor/modules.txt
aepifanov added a commit to aepifanov/runc that referenced this pull request Jul 11, 2024
v1.1.13 -- "There is no certainty in the world. This is the only certainty I have."

This is the thirteenth patch release in the 1.1.z release branch of runc. It
brings in Go 1.12.x compatibility and fixes a few issues, including an
occasional wrong nofile rlimit in runc exec, and a race between runc list and
runc delete.

NOTE that if using Go 1.22.x to build runc, make sure to use 1.22.4 or a later version.
For more details, see issue opencontainers#4233.

 * Support go 1.22.4+. (opencontainers#4313)
 * runc list: fix race with runc delete. (opencontainers#4231)
 * Fix set nofile rlimit error. (opencontainers#4277, opencontainers#4299)
 * libct/cg/fs: fix setting rt_period vs rt_runtime. (opencontainers#4284)
 * Fix a debug msg for user ns in nsexec. (opencontainers#4315)
 * script/*: fix gpg usage wrt keyboxd. (opencontainers#4316)
 * CI fixes and misc backports. (opencontainers#4241)
 * Fix codespell warnings. (opencontainers#4300)
 * Silence security false positives from golang/net. (opencontainers#4244)
 * libcontainer: allow containers to make apps think fips is enabled/disabled for testing. (opencontainers#4257)
 * allow overriding VERSION value in Makefile. (opencontainers#4270)
 * Vagrantfile.fedora: bump Fedora to 39. (opencontainers#4261)
 * ci/cirrus: rm centos stream 8. (opencontainers#4305, opencontainers#4308)

Thanks to all of the contributors who made this release possible:

 * Akhil Mohan <akhilerm@gmail.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Sohan Kunkerkar <sohank2602@gmail.com>
 * TTFISH <jiongchiyu@gmail.com>
 * kychen <kychen@alauda.io>
 * lifubang <lifubang@acmcoder.com>
 * ls-ggg <335814617@qq.com>

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCAAdFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmZrFGYACgkQF95ey3Wh
# EA7DPwf9HVwO0EO3s7OuJPBCmZBp92L6AMDBmkpnE14Pi1c4DVcWtlrBna2CNnUJ
# 4Hu8rgEtT80Y8L3GBf96Wo3C1DHR6lG6dyu6FjHozWu97WfrTtw92I/254dQZnsr
# i7m+5C6Tluewr9pH6ageRI0rRYt4QPpyRihMkiZQHl44Z5ogRGJvCCkjk9nIDlxi
# ok2U5aPIw4NWPwnMg3wC6CmcviaM81kyuWh2Twc1OPwRilCPQXWblcUgqujg5tOr
# C3Z6AwiIedpMt6Nr0jdWZh9Rh0ffuOXBEiUO/K8vYqE/eDvqJd42c8ALi1HOONoU
# ZwrNWNU3o2pIQ4qz0Fs4vauK4wSs1A==
# =IFN9
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu Jun 13 08:46:46 2024 PDT
# gpg:                using RSA key C2428CD75720FACDCF76B6EA17DE5ECB75A1100E
# gpg: Can't check signature: No public key
aepifanov added a commit to aepifanov/runc that referenced this pull request Jul 11, 2024
v1.1.13 -- "There is no certainty in the world. This is the only certainty I have."

This is the thirteenth patch release in the 1.1.z release branch of runc. It
brings in Go 1.12.x compatibility and fixes a few issues, including an
occasional wrong nofile rlimit in runc exec, and a race between runc list and
runc delete.

NOTE that if using Go 1.22.x to build runc, make sure to use 1.22.4 or a later version.
For more details, see issue opencontainers#4233.

 * Support go 1.22.4+. (opencontainers#4313)
 * runc list: fix race with runc delete. (opencontainers#4231)
 * Fix set nofile rlimit error. (opencontainers#4277, opencontainers#4299)
 * libct/cg/fs: fix setting rt_period vs rt_runtime. (opencontainers#4284)
 * Fix a debug msg for user ns in nsexec. (opencontainers#4315)
 * script/*: fix gpg usage wrt keyboxd. (opencontainers#4316)
 * CI fixes and misc backports. (opencontainers#4241)
 * Fix codespell warnings. (opencontainers#4300)
 * Silence security false positives from golang/net. (opencontainers#4244)
 * libcontainer: allow containers to make apps think fips is enabled/disabled for testing. (opencontainers#4257)
 * allow overriding VERSION value in Makefile. (opencontainers#4270)
 * Vagrantfile.fedora: bump Fedora to 39. (opencontainers#4261)
 * ci/cirrus: rm centos stream 8. (opencontainers#4305, opencontainers#4308)

Thanks to all of the contributors who made this release possible:

 * Akhil Mohan <akhilerm@gmail.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Sohan Kunkerkar <sohank2602@gmail.com>
 * TTFISH <jiongchiyu@gmail.com>
 * kychen <kychen@alauda.io>
 * lifubang <lifubang@acmcoder.com>
 * ls-ggg <335814617@qq.com>

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCAAdFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmZrFGYACgkQF95ey3Wh
# EA7DPwf9HVwO0EO3s7OuJPBCmZBp92L6AMDBmkpnE14Pi1c4DVcWtlrBna2CNnUJ
# 4Hu8rgEtT80Y8L3GBf96Wo3C1DHR6lG6dyu6FjHozWu97WfrTtw92I/254dQZnsr
# i7m+5C6Tluewr9pH6ageRI0rRYt4QPpyRihMkiZQHl44Z5ogRGJvCCkjk9nIDlxi
# ok2U5aPIw4NWPwnMg3wC6CmcviaM81kyuWh2Twc1OPwRilCPQXWblcUgqujg5tOr
# C3Z6AwiIedpMt6Nr0jdWZh9Rh0ffuOXBEiUO/K8vYqE/eDvqJd42c8ALi1HOONoU
# ZwrNWNU3o2pIQ4qz0Fs4vauK4wSs1A==
# =IFN9
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu Jun 13 08:46:46 2024 PDT
# gpg:                using RSA key C2428CD75720FACDCF76B6EA17DE5ECB75A1100E
# gpg: Can't check signature: No public key
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants