
keda-2.15/2.15.1-r3: cve remediation #33273

Merged
merged 3 commits into from
Nov 6, 2024

Conversation

octo-sts[bot]
Contributor

@octo-sts octo-sts bot commented Nov 5, 2024

Contributor Author

octo-sts bot commented Nov 5, 2024

Gen AI suggestions to solve the build error:

Based on the error log, here's how to fix the build error for the keda-2.15 package:

  1. The main error is related to a version mismatch with the golang-jwt package:
Failed to running update. Error: package github.com/golang-jwt/jwt/v4 with v4.5.0 is less than the desired version v4.5.1

Here are the steps to resolve this:

  1. Update the melange YAML file (keda-2.15.yaml) by:

    pipeline:
      - uses: git-checkout
      # Modify or remove the go/bump step to either:
      # Option 1: Remove version constraints for jwt package
      - uses: go/bump
        with:
          packages: ""  # Remove jwt package from bumping
      
      # Option 2: Specify the correct version
      - uses: go/bump
        with:
          packages: "github.com/golang-jwt/jwt/[email protected]"
  2. Alternative fix - directly modify go.mod:

    # Add this to your build steps
    - uses: shell
      run: |
        go mod edit -replace github.com/golang-jwt/jwt/v4=github.com/golang-jwt/jwt/[email protected]
        go mod tidy
  3. Update build dependencies in the YAML:

    environment:
      contents:
        packages:
          - go@>=1.23.2
          - build-base
          # Add other required packages
  4. Clear melange cache and retry:

    rm -rf .melangecache
    make MELANGE_EXTRA_OPTS="--create-build-log --cache-dir=.melangecache" REPO="./packages" package/keda-2.15 -j1

These changes should resolve the version conflict and allow the build to proceed.

@octo-sts octo-sts bot added the P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. label Nov 5, 2024
@Aditvil-Dev Aditvil-Dev self-assigned this Nov 5, 2024
Contributor

github-actions bot commented Nov 5, 2024

Package keda-2.15:
Modified: /usr/bin/keda

Package keda-2.15-metrics-apiserver:
Modified: /usr/bin/keda-adapter

Package keda-2.15-admission-webhooks:
Modified: /usr/bin/keda-admission-webhooks

Package keda-2.15-compat:
Unchanged

Contributor Author

octo-sts bot commented Nov 5, 2024

Gen AI suggestions to solve the build error:

Based on the build output, it appears the build was successful but encountered an error during the test phase. The main issue seems to be with the ImgRef being empty when trying to run tests.

Here are some steps to debug and fix this:

  1. Check your melange.yaml file for the test configuration section. Make sure you have properly defined:

    test:
      environment:
        # Add any required env vars
      pipeline:
        - runs: |
            # Add test commands here
  2. Verify the test runner configuration:

    # At the top level of your melange.yaml
    environment:
      contents:
        repositories:
          - https://packages.wolfi.dev/os
        keyring:
          - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
        packages:
          - wolfi-base # Add other test dependencies

    test:
      # Your test config here
  3. Make sure required test dependencies are available:
    • Add wolfi-base and any other required packages to test environment
    • Verify repository and keyring configurations are correct
  4. Try running with increased verbosity:

    melange test --debug --verbose keda-2.15.yaml
  5. Validate your pipeline directory structure:

    ./pipelines/
      ├── build.yml
      └── test.yml

The empty ImgRef suggests the test environment image isn't being created properly. Adding proper test configuration should resolve this issue.

@octo-sts octo-sts bot added the bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. label Nov 5, 2024
@Aditvil-Dev Aditvil-Dev added the approved-to-run A repo member has approved this external contribution label Nov 5, 2024
@Aditvil-Dev
Member

Has multiple replaces for the same package in go.mod: https://github.com/kedacore/keda/blob/main/go.mod#L147

… mod

The module is not getting used anywhere, but it is mentioned in the go.mod file and now it is causing an error when we try to update github.com/golang-jwt/jwt/v4.

Signed-off-by: debasishbsws <[email protected]>
@debasishbsws
Member

Created an upstream PR to remove it from the go.mod file: kedacore/keda#6315

Contributor

github-actions bot commented Nov 6, 2024

Package keda-2.15:
Modified: /usr/bin/keda

Package keda-2.15-metrics-apiserver:
Modified: /usr/bin/keda-adapter

Package keda-2.15-admission-webhooks:
Modified: /usr/bin/keda-admission-webhooks

Package keda-2.15-compat:
Unchanged

@debasishbsws debasishbsws merged commit 7b06d46 into main Nov 6, 2024
16 checks passed
@debasishbsws debasishbsws deleted the cve-keda-2.15-e513ecc4a39f7ad79e47ec3126bcdd75 branch November 6, 2024 18:17
@JorTurFer

Hello
I'm Jorge, one of KEDA maintainers 😄
github.com/dgrijalva/jwt-go is used as a transitive dependency of github.com/spf13/viper, which is a transitive dependency of github.com/spf13/cobra, so sadly it's in use and that's why we added the replace statement there.
We plan to ship v2.16 tomorrow and we have a PR opened with a lot of bumps, preparing tomorrow's release. I have included a bump of this dep to fix the issue -> fba853a (#6305).
Is it enough?
Removing the replaces isn't feasible because of transitive dependencies, e.g. golang-jwt/jwt/v4 is used with affected versions in multiple packages:

go mod graph | grep github.com/golang-jwt/jwt/v4                       
github.com/kedacore/keda/v2 github.com/golang-jwt/jwt/[email protected]
github.com/Azure/[email protected] github.com/golang-jwt/jwt/[email protected]
github.com/Azure/go-autorest/[email protected] github.com/golang-jwt/jwt/[email protected]
github.com/Azure/go-autorest/autorest/[email protected] github.com/golang-jwt/jwt/[email protected]
github.com/Azure/go-autorest/autorest/azure/[email protected] github.com/golang-jwt/jwt/[email protected]
github.com/Azure/go-autorest/autorest/azure/[email protected] github.com/golang-jwt/jwt/[email protected]
github.com/bradleyfalzon/ghinstallation/[email protected] github.com/golang-jwt/jwt/[email protected]
k8s.io/[email protected] github.com/golang-jwt/jwt/[email protected]
k8s.io/[email protected] github.com/golang-jwt/jwt/[email protected]
github.com/Azure/go-autorest/autorest/[email protected] github.com/golang-jwt/jwt/[email protected]
github.com/Azure/go-autorest/[email protected] github.com/golang-jwt/jwt/[email protected]
github.com/Azure/go-autorest/autorest/[email protected] github.com/golang-jwt/jwt/[email protected]

I've checked all the replacements and all of them are used somehow with affected versions, although I've just updated the replacements with the latest package versions.
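As an added illustration (not code from this PR or from KEDA), here is the check that the `go mod graph` output above implies, in Go: parse the graph edges, list which dependents still require github.com/golang-jwt/jwt/v4 below the fixed version, and confirm that a module-wide replace directive (what `go mod edit -replace` writes) clears them. The graph sample is constructed, since the real versions are redacted on this page.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed sample in the shape of the `go mod graph | grep ...` output quoted
// in the thread; the versions are made up because the PR page has them redacted.
const sampleGraph = `github.com/kedacore/keda/v2 github.com/golang-jwt/jwt/v4@v4.5.1
github.com/Azure/azure-sdk-for-go@v68.0.0+incompatible github.com/golang-jwt/jwt/v4@v4.4.2
k8s.io/apiserver@v0.31.0 github.com/golang-jwt/jwt/v4@v4.5.0
k8s.io/apiserver@v0.31.0 golang.org/x/crypto@v0.26.0`

// versionKey maps a canonical "vX.Y.Z" to X*1e6+Y*1e3+Z; suffixes are dropped.
func versionKey(v string) int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // strip pre-release or "+incompatible"
	}
	key := 0
	for _, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p)
		key = key*1000 + n
	}
	return key
}

// VulnerableDependents returns, in graph order, every module requiring module
// below fixed; replaceTo (if non-empty) models a module-wide replace directive.
func VulnerableDependents(graph, module, fixed, replaceTo string) []string {
	var out []string
	for _, line := range strings.Split(graph, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue // blank or malformed line
		}
		name, version, ok := strings.Cut(f[1], "@")
		if !ok || name != module {
			continue
		}
		if replaceTo != "" {
			version = replaceTo // replace rewrites every edge to this version
		}
		if versionKey(version) < versionKey(fixed) {
			out = append(out, f[0]) // dependent still pins an affected version
		}
	}
	return out
}
```

Note that `go mod graph` shows declared requirements, not the single version MVS finally selects (`go list -m github.com/golang-jwt/jwt/v4`); the replace directive is what forces every edge to the patched version, which is why the thread keeps it rather than removing it.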

Labels
approved-to-run A repo member has approved this external contribution automated pr bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. GHSA-29wx-vh33-7x7r go/bump keda-2.15/2.15.1-r3 manual/review-needed P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. request-cve-remediation