Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[NET-8601] security: upgrade vault/api to remove go-jose.v2 #20910

Merged
merged 1 commit into from
May 4, 2024
Merged

[NET-8601] security: upgrade vault/api to remove go-jose.v2 #20910

merged 1 commit into from
May 4, 2024

Conversation

zalimeni
Copy link
Member

@zalimeni zalimeni commented Mar 27, 2024
edited
Loading

This dependency has an open vulnerability (GO-2024-2631 AKA CVE-2024-28180), and is no longer needed by the latest vault/api. This is a follow-up to the upgrade of go-jose/v3 in this repository to make all our dependencies consolidate on v3.

Also remove the recently added security scan triage block for GO-2024-2631, which was added due to incorrect reports that go-jose/v3@3.0.3 was impacted; in reality, is was this indirect client dependency (not impacted by CVE) that the scanner was flagging. A bug report has been filed to address the incorrect reporting.

This PR will fail some backports due to go.mod/go.sum conflicts, but opening w/ labels to ensure we don't forget. I'll fix up the backports that fail.

Description

  • Upgrade vault/api to latest
  • Remove triage block for go-jose from scanner config

Testing & Reproduction steps

CI including Security Scan continue to pass.

Links

Follow-up to #20901

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

@zalimeni zalimeni added backport/1.15 This release series is no longer active on CE. Use backport/ent/1.15. backport/1.16 This release series is no longer active on CE. Use backport/ent/1.16. backport/1.17 This release series is no longer active on CE. Use backport/ent/1.17. backport/1.18 labels Mar 27, 2024
@zalimeni zalimeni requested a review from a team as a code owner March 27, 2024 13:57
@zalimeni zalimeni requested a review from a team March 27, 2024 13:57
@zalimeni zalimeni requested a review from a team as a code owner March 27, 2024 13:57
@zalimeni zalimeni requested review from marianoasselborn and randyhdev and removed request for a team March 27, 2024 13:57
@github-actions github-actions bot added theme/api Relating to the HTTP API interface pr/dependencies PR specifically updates dependencies of project labels Mar 27, 2024
@zalimeni zalimeni changed the title security: upgrade vault/api to remove go-jose.v2 [NET-8601] security: upgrade vault/api to remove go-jose.v2 Mar 27, 2024
dduzgun-security
dduzgun-security approved these changes Mar 27, 2024
View reviewed changes
Copy link
Collaborator

@dduzgun-security dduzgun-security left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@zalimeni zalimeni force-pushed the zalimeni/upgrade-vault-remove-go-jose.v2 branch from fe7007c to 2c4dd07 Compare March 27, 2024 16:44
@zalimeni zalimeni force-pushed the zalimeni/upgrade-vault-remove-go-jose.v2 branch from 2c4dd07 to 923374a Compare May 3, 2024 23:57
@zalimeni
security: upgrade vault/api to remove go-jose.v2
1c8e398 
This dependency has an open vulnerability (GO-2024-2631), and is no
longer needed by the latest `vault/api`. This is a follow-up to the
upgrade of `go-jose/v3` in this repository to make all our dependencies
consolidate on v3.

Also remove the recently added security scan triage block for
GO-2024-2631, which was added due to incorrect reports that
`go-jose/v3@3.0.3` was impacted; in reality, is was this indirect
client dependency (not impacted by CVE) that the scanner was flagging. A
bug report has been filed to address the incorrect reporting.
@zalimeni zalimeni force-pushed the zalimeni/upgrade-vault-remove-go-jose.v2 branch from 923374a to 1c8e398 Compare May 3, 2024 23:59
@zalimeni zalimeni enabled auto-merge (squash) May 4, 2024 00:01
xwa153
xwa153 approved these changes May 4, 2024
View reviewed changes
Copy link
Member

@xwa153 xwa153 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your great work! LGTM 👍

@zalimeni zalimeni merged commit 86b0818 into main May 4, 2024
85 checks passed
@zalimeni zalimeni deleted the zalimeni/upgrade-vault-remove-go-jose.v2 branch May 4, 2024 00:18
This was referenced May 4, 2024
Closed
Closed
Closed
Merged
@hc-github-team-consul-core
Copy link
Collaborator

@zalimeni, a backport is missing for this PR [20910] for versions [1.15,1.16,1.17] please perform the backport manually and add the following snippet to your backport PR description:

<details>
	<summary> Overview of commits </summary>
		- <<backport commit 1>>
		- <<backport commit 2>>
		...
</details>

1 similar comment
@hc-github-team-consul-core
Copy link
Collaborator

@zalimeni, a backport is missing for this PR [20910] for versions [1.15,1.16,1.17] please perform the backport manually and add the following snippet to your backport PR description:

<details>
	<summary> Overview of commits </summary>
		- <<backport commit 1>>
		- <<backport commit 2>>
		...
</details>

@hc-github-team-consul-core
Copy link
Collaborator

@zalimeni, a backport is missing for this PR [20910] for versions [1.15,1.16,1.17] please perform the backport manually and add the following snippet to your backport PR description:

<details>
	<summary> Overview of commits </summary>
		- <<backport commit 1>>
		- <<backport commit 2>>
		...
</details>

2 similar comments
@hc-github-team-consul-core
Copy link
Collaborator

@zalimeni, a backport is missing for this PR [20910] for versions [1.15,1.16,1.17] please perform the backport manually and add the following snippet to your backport PR description:

<details>
	<summary> Overview of commits </summary>
		- <<backport commit 1>>
		- <<backport commit 2>>
		...
</details>

@hc-github-team-consul-core
Copy link
Collaborator

@zalimeni, a backport is missing for this PR [20910] for versions [1.15,1.16,1.17] please perform the backport manually and add the following snippet to your backport PR description:

<details>
	<summary> Overview of commits </summary>
		- <<backport commit 1>>
		- <<backport commit 2>>
		...
</details>

@zalimeni zalimeni added backport/ent/1.17 This release series is longer active on CE or Ent backport/ent/1.16 backport/ent/1.15 Changes are backported to 1.15 ent and removed backport/ent/1.17 This release series is longer active on CE or Ent backport/ent/1.15 Changes are backported to 1.15 ent labels May 8, 2024
@hc-github-team-consul-core
Copy link
Collaborator

@zalimeni, a backport is missing for this PR [20910] for versions [1.15,1.16,1.17] please perform the backport manually and add the following snippet to your backport PR description:

<details>
	<summary> Overview of commits </summary>
		- <<backport commit 1>>
		- <<backport commit 2>>
		...
</details>

@zalimeni zalimeni removed backport/1.15 This release series is no longer active on CE. Use backport/ent/1.15. backport/1.16 This release series is no longer active on CE. Use backport/ent/1.16. backport/1.17 This release series is no longer active on CE. Use backport/ent/1.17. labels May 9, 2024
This was referenced Sep 26, 2024
Open
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xwa153 xwa153 xwa153 approved these changes

@dduzgun-security dduzgun-security dduzgun-security approved these changes

@marianoasselborn marianoasselborn Awaiting requested review from marianoasselborn

@randyhdev randyhdev Awaiting requested review from randyhdev

Assignees
No one assigned
Labels
backport/ent/1.15 Changes are backported to 1.15 ent backport/ent/1.17 This release series is longer active on CE or Ent pr/dependencies PR specifically updates dependencies of project theme/api Relating to the HTTP API interface
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@zalimeni @hc-github-team-consul-core @dduzgun-security @xwa153