Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OCPBUGS-5689: Fix dependency with insecure randomness #744

Merged
merged 1 commit into from
Jan 18, 2023
Merged

OCPBUGS-5689: Fix dependency with insecure randomness #744

merged 1 commit into from
Jan 18, 2023

Conversation

wizhaoredhat
Copy link
Contributor

Upgrade sprig to ver.3 which updates CWE-330
vulnerable goutils to 1.1.1.
Sprig ver.3 retains the same Go API as ver.2.

Signed-off-by: Martin Kennelly martin.kennelly@intel.com
(cherry picked from commit 41259d5)

@martinkennelly @wizhaoredhat
Fix dependency with insecure randomness
1955b04 
Upgrade sprig to ver.3 which updates CWE-330
vulnerable goutils to 1.1.1.
Sprig ver.3 retains the same Go API as ver.2.

Signed-off-by: Martin Kennelly <martin.kennelly@intel.com>
(cherry picked from commit 41259d5)
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 11, 2023

@wizhaoredhat: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

In response to this:

Fix dependency with insecure randomness

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@wizhaoredhat
Copy link
Contributor Author

/cc @zshi-redhat @pliurh

@wizhaoredhat wizhaoredhat changed the title Fix dependency with insecure randomness OCPBUGS-5689: Fix dependency with insecure randomness Jan 11, 2023
@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jan 11, 2023
@openshift-ci-robot
Copy link
Contributor

@wizhaoredhat: This pull request references Jira Issue OCPBUGS-5689, which is invalid:

  • expected Jira Issue OCPBUGS-5689 to depend on a bug targeting a version in 4.9.0, 4.9.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Upgrade sprig to ver.3 which updates CWE-330
vulnerable goutils to 1.1.1.
Sprig ver.3 retains the same Go API as ver.2.

Signed-off-by: Martin Kennelly martin.kennelly@intel.com
(cherry picked from commit 41259d5)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 11, 2023

@wizhaoredhat: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

In response to this:

OCPBUGS-5689: Fix dependency with insecure randomness

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot requested a review from dougbtv January 11, 2023 19:36
@wizhaoredhat
Copy link
Contributor Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Jan 11, 2023
@openshift-ci-robot
Copy link
Contributor

@wizhaoredhat: This pull request references Jira Issue OCPBUGS-5689, which is valid. The bug has been moved to the POST state.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.8.z) matches configured target version for branch (4.8.z)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
  • dependent bug Jira Issue OCPBUGS-5691 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE))
  • dependent Jira Issue OCPBUGS-5691 targets the "4.9.z" version, which is one of the valid target versions: 4.9.0, 4.9.z
  • bug has dependents

Requesting review from QA contact:
/cc @zhaozhanqi

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jan 11, 2023
@wizhaoredhat
Copy link
Contributor Author

@zshi-redhat @zhaozhanqi Could you please approve and provide the backport-risk-assessed labels?

@wizhaoredhat
Copy link
Contributor Author

/cc @bn222

@openshift-ci openshift-ci bot requested a review from bn222 January 11, 2023 19:56
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 11, 2023

@wizhaoredhat: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

bn222 pushed a commit to bn222/dpu-network-operator that referenced this pull request Jan 11, 2023
sprig ver 3 needs to be updated to use better randomness. The patch
b792e20 
is based on github.com/openshift/sriov-network-operator/pull/744. go mod
tidy was run too.
bn222 pushed a commit to bn222/dpu-network-operator that referenced this pull request Jan 11, 2023
Fix dependency on package with bad randomness
308c138 
sprig ver 3 needs to be updated to use better randomness. The patch
is based on github.com/openshift/sriov-network-operator/pull/744. go mod
tidy was run too.

Signed-off-by: Balazs Nemeth <bnemeth@bnemeth.users.ipa.redhat.com>
@bn222 bn222 mentioned this pull request Jan 11, 2023
Closed
@zhaozhanqi
Copy link

I can label cherry-pick-approved after backport-risk-assessed is added

@wizhaoredhat
Copy link
Contributor Author

@zshi-redhat Could you please provide approved and backport-risk-assessed labels?

@bn222
Copy link
Contributor

bn222 commented Jan 12, 2023

Please run go mod tidy and go mod vendor

@bn222
Copy link
Contributor

bn222 commented Jan 12, 2023

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 12, 2023
@wizhaoredhat
Copy link
Contributor Author

wizhaoredhat commented Jan 12, 2023
edited
Loading

@bn222 go mod tidy and go mod vendor did not give any git diffs. This was a clean cherry-pick without any conflicts.

@wizhaoredhat
Copy link
Contributor Author

/unhold

@wizhaoredhat
Copy link
Contributor Author

I already checked that this commit:
4f12e55
As part of the original PR upstream:
k8snetworkplumbingwg/sriov-network-operator#144

Was already backported in this commit:
#586

@bn222
Copy link
Contributor

bn222 commented Jan 18, 2023

Please include k8snetworkplumbingwg/sriov-network-operator#396

@bn222
Copy link
Contributor

bn222 commented Jan 18, 2023

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 18, 2023
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 18, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bn222, wizhaoredhat

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 18, 2023
@bn222
Copy link
Contributor

bn222 commented Jan 18, 2023
edited
Loading

/label backport-risk-assessed

@bn222
Copy link
Contributor

bn222 commented Jan 18, 2023

/retest

@wizhaoredhat
Copy link
Contributor Author

/label backport-risk-assessed

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 18, 2023

@wizhaoredhat: Can not set label backport-risk-assessed: Must be member in one of these teams: [team-multus-cni-maintainers]

In response to this:

/label backport-risk-assessed

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@bn222
Copy link
Contributor

bn222 commented Jan 18, 2023

/label backport-risk-assessed

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Jan 18, 2023
@wizhaoredhat
Copy link
Contributor Author

@zhaozhanqi PTAL and add the cherry-pick label

@mffiedler
Copy link

/label cherry-pick-approved

@openshift-ci openshift-ci bot added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Jan 18, 2023
@openshift-merge-robot openshift-merge-robot merged commit 3979dc4 into openshift:release-4.8 Jan 18, 2023
@openshift-ci-robot
Copy link
Contributor

@wizhaoredhat: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-5689 has been moved to the MODIFIED state.

In response to this:

Upgrade sprig to ver.3 which updates CWE-330
vulnerable goutils to 1.1.1.
Sprig ver.3 retains the same Go API as ver.2.

Signed-off-by: Martin Kennelly martin.kennelly@intel.com
(cherry picked from commit 41259d5)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@wizhaoredhat wizhaoredhat deleted the cherry_pick_41259d5_to_4_8 branch March 14, 2023 17:52
@openshift-bot
Copy link
Contributor

[ART PR BUILD NOTIFIER]

This PR has been included in build sriov-network-operator-container-v4.8.0-202311261141.p0.g3979dc4.assembly.stream for distgit sriov-network-operator.
All builds following this will include this PR.

SchSeba pushed a commit to SchSeba/sriov-network-operator that referenced this pull request Aug 20, 2024
@zeeke
Merge pull request openshift#744 from SchSeba/fix_mtu_test_1
15a3f73 
Fix reconcile vf functional test
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pliurh pliurh Awaiting requested review from pliurh

@zshi-redhat zshi-redhat Awaiting requested review from zshi-redhat

@dougbtv dougbtv Awaiting requested review from dougbtv

@zhaozhanqi zhaozhanqi Awaiting requested review from zhaozhanqi

@bn222 bn222 Awaiting requested review from bn222

Assignees

@mffiedler mffiedler

@rbbratta rbbratta

@weliang1 weliang1

@bn222 bn222

@anuragthehatter anuragthehatter

@huiran0826 huiran0826

@asood-rh asood-rh

@jechen0648 jechen0648

@yingwang-0320 yingwang-0320

@qiowang721 qiowang721

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.