Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[YUNIKORN-2541] Upgrade golang.org/x/net for CVEs #135

Closed
wants to merge 3 commits into from

Conversation

targetoee
Copy link
Contributor

What is this PR for?

This PR upgrades golang.org/x/net to 0.23.0 to address CVEs.

What type of PR is it?

  • - Bug Fix
  • - Improvement
  • - Feature
  • - Documentation
  • - Hot Fix
  • - Refactoring

Todos

After this PR is merged, core and k8shim should also be upgraded.

What is the Jira issue?

YUNIKORN-2541

How should this be tested?

Screenshots (if appropriate)

Questions:

go.mod Outdated
Comment on lines 31 to 32
golang.org/x/net v0.20.0 // indirect
golang.org/x/sys v0.17.0 // indirect
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't change these, leave these as they are the replace below will force the later version. Those we can update without the system touching them. The indirect ones are managed by the go module system.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. Thanks for the feedback!

Copy link
Contributor

@chenyulin0719 chenyulin0719 Apr 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @targetoee,
We don't manually change indirect dependency.

However, golang.org/x/sys v0.18.0 // indirect could be kept since it was resovled by 'go mod tidy' after upgrade to golang.org/x/net v0.23.0.

Here is our previous discussion for indirect/replace directives

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't change these, leave these as they are the replace below will force the later version.

Hi @wilfred-s, I still think we have a valid reason(Fix CVE) to update the automatically generated dependencies that were updated by 'go mod tidy'.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's reasonable even though the dependencies will propagate to downstream packages.

Copy link
Contributor

@craigcondit craigcondit Apr 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Except it doesn't work like that. The purpose of 'go mod tidy' is to remove redundant information and 'tidy up' dependencies. We should never be committing any go.mod / go.sum changes which go against what 'go mod tidy' produces, otherwise every other user will have to undo work that it performs every time. Those dependencies are indirect, and therefore not our responsibility. Instead we use replacements to ensure that our own builds are forced to use newer versions. Please do as Wilfred asks and leave these alone.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me explain my thoughts step by step,

We changed ‘replace' directive to 'golang.org/x/net v0.23.0' first.
Then run 'go mod tidy' and it will automatilcally update 'golang.org/x/sys' to v0.18.0. (The minimum required version)
Below is the tidy result:
image

Since 'replace' directive take higher precedence than indirect dependencies, we should also change the 'replace' directive to 'golang.org/x/sys v0.18.0'. (Otherwise Go will use the outdated version)
So the correct change for this PR is:

image

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I think I understand now. 'Go mod tidy' updated the indirect version so you are updating the replacement to match. I think that's fine.

Copy link
Contributor

@chenyulin0719 chenyulin0719 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My fix CVE dependencies steps:

  1. Upgrade replace directives to CVE fixed version
  2. Run 'go mod tidy'
  3. Check all the existing replace directives, if there have newer version in indirect require dependencies. Update replace directive to newer version too.

We should keep the indirect directives resolved by 'go mod tidy'.
golang.org/x/sys v0.18.0 // indirect

Copy link
Contributor

@chenyulin0719 chenyulin0719 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 LGTM

@targetoee targetoee deleted the YUNIKORN-2541 branch April 19, 2024 00:50
pbacsko pushed a commit that referenced this pull request May 3, 2024
upgrade golang.org/x/net to v0.23

Closes: #135

Signed-off-by: Yu-Lin Chen <chenyulin0719@apache.org>
(cherry picked from commit c40fbd2)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants