Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Cherrypick to v2.11] bump up beego to v2.2.1 (#20555) #21000

Merged

Conversation

hajnalmt
Copy link
Contributor

@hajnalmt hajnalmt commented Oct 4, 2024

Bump up beego v2.2.1

Comprehensive Summary of your change

Cherry-picking MinerYang's commit:
https://github.com/goharbor/harbor/pull/20555/files
There were High security vulnerabilities in the beego versions <2.2.1

GHSA-wr3p-r5fj-wf9
GHSA-r6qh-j42j-pw64

I've checked and it seems none of them affects Harbor. Please confirm my take on this one.
Even though this does not affect Harbor it would be nice to have this in at least on the latest release.

Please indicate you've done the following:

  • Well Written Title and Summary of the PR
  • Label the PR as needed. "release-note/ignore-for-release, release-note/new-feature, release-note/update, release-note/enhancement, release-note/community, release-note/breaking-change, release-note/docs, release-note/infra, release-note/deprecation"
  • Accepted the DCO. Commits without the DCO will delay acceptance.
  • Made sure tests are passing and test coverage is added if needed.
  • Considered the docs impact and opened a new docs issue or PR with docs changes if needed in website repository.

@hajnalmt hajnalmt requested a review from a team as a code owner October 4, 2024 10:56
@hajnalmt hajnalmt force-pushed the release-2.11.0-beego-cherry-pick branch from 12ac369 to 5eb52cf Compare October 4, 2024 11:05
bump up beego v2.2.1

Co-authored-by: yminer <yminer@vmware.com>
Signed-off-by: Mate Hajnal <hajnalmt@gmail.com>
@hajnalmt hajnalmt force-pushed the release-2.11.0-beego-cherry-pick branch from 5eb52cf to 6bbd3fe Compare October 4, 2024 11:09
@MinerYang
Copy link
Contributor

This is not in out plan for 2.11. So will close this for now.

@MinerYang MinerYang closed this Oct 14, 2024
@Vad1mo
Copy link
Member

Vad1mo commented Oct 17, 2024

@MinerYang, Why is that not a good fix for 2.11.x and good 2.12.x?
This is a critical security and stability relevant backport for a version that is still under support,
We should not close backports of stability relevant PRs without any discussion!

@Vad1mo Vad1mo reopened this Oct 17, 2024
@Vad1mo Vad1mo added the release-note/update Update or Fix label Oct 17, 2024
Copy link

codecov bot commented Oct 17, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Please upload report for BASE (release-2.11.0@cdbef9d). Learn more about missing BASE report.

Additional details and impacted files

Impacted file tree graph

@@                Coverage Diff                @@
##             release-2.11.0   #21000   +/-   ##
=================================================
  Coverage                  ?   66.33%           
=================================================
  Files                     ?     1044           
  Lines                     ?   113939           
  Branches                  ?     2845           
=================================================
  Hits                      ?    75577           
  Misses                    ?    34241           
  Partials                  ?     4121           
Flag Coverage Δ
unittests 66.33% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
src/lib/orm/query.go 76.27% <100.00%> (ø)
src/pkg/artifact/dao/dao.go 57.63% <100.00%> (ø)
src/pkg/task/dao/execution.go 61.82% <100.00%> (ø)
src/pkg/task/dao/task.go 64.31% <100.00%> (ø)

@Vad1mo Vad1mo enabled auto-merge (squash) October 17, 2024 18:13
@wy65701436
Copy link
Contributor

To avoid any uncertainty in the Harbor patch release, we prefer not to upgrade the minor version of Beego; instead, we would like to stick with the patch release. Upgrading to a minor release would introduce code changes that we would like to avoid.

To address the CVEs, I will discuss with the Beego maintainer to see if they can provide a patch for Harbor. If they are unable to assist, we can consider merging this PR.

@Vad1mo
What are your thoughts on this approach?

@MinerYang MinerYang disabled auto-merge November 13, 2024 09:15
@reasonerjt
Copy link
Contributor

Let's merge this PR to fix CVEs in v2.11.2

@reasonerjt reasonerjt merged commit 5d2b1ec into goharbor:release-2.11.0 Nov 13, 2024
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release-note/update Update or Fix
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants