Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: build with keda-tools:1.22.5 #5971

Merged
merged 5 commits into from
Jul 30, 2024
Merged

chore: build with keda-tools:1.22.5 #5971

merged 5 commits into from
Jul 30, 2024

Conversation

pauldotyu
Copy link
Contributor

@pauldotyu pauldotyu commented Jul 19, 2024

Provide a description of what has been changed

This PR is to build keda container images with an updated version of keda-tools with latest version of Go to resolve CVE-2024-24790, CVE-2024-24789, and CVE-2024-24791. Related PR: kedacore/test-tools#169

Also bumping github.com/Azure/azure-sdk-for-go/sdk/azidentity to resolve CVE-2024-35255.

Checklist

Fixes #

Relates to #
kedacore/test-tools#169

@pauldotyu pauldotyu requested a review from a team as a code owner July 19, 2024 22:55
@JorTurFer
Copy link
Member

I guess that we need to bump the user version too:
image

I'd say that it's a good moment to bump go version, don't you think @zroubalik ?

@pauldotyu
Copy link
Contributor Author

pauldotyu commented Jul 22, 2024

I guess that we need to bump the user version too:

I tested locally for both go 1.21 and go 1.22 set and it seemed to work fine either way.

Also, I think we should bump go version in the Devcontainer too, right?

FROM golang:1.21.9

@JorTurFer
Copy link
Member

JorTurFer commented Jul 22, 2024

Also, I think we should bump go version in the Devcontainer too, right?

Yeah, you can check all the places to change here: https://github.com/kedacore/keda/pull/5734/files

@pauldotyu pauldotyu force-pushed the main branch 3 times, most recently from c4cd459 to f625518 Compare July 23, 2024 00:27
Copy link

semgrep-app bot commented Jul 23, 2024

Semgrep found 1 no-sudo-in-dockerfile finding:

Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.

Ignore this finding from no-sudo-in-dockerfile.

@pauldotyu pauldotyu force-pushed the main branch 2 times, most recently from 56195f9 to abd7e74 Compare July 23, 2024 05:12
@pauldotyu
Copy link
Contributor Author

Also, I think we should bump go version in the Devcontainer too, right?

Yeah, you can check all the places to change here: https://github.com/kedacore/keda/pull/5734/files

In the Devcontainer's Dockerfile, I had to change the way go modules were installed. Bumping to 1.22.5 gave me errors about running go get outside of a module. So I had to use go install instead.

Also, after looking through the Devcontainer files, there seems to be a bit of code that could use some cleanup. For instance, in the Dockerfile I see that it configures a non-root user vscode but runs as root (probably for Docker CLI). Also, might be able to leverage devcontainer features in the devcontainer.json file to load some of the tooling instead of baking them all into the container. I can create an issue for this and work on cleaning this up if that's okay.

@JorTurFer
Copy link
Member

I can create an issue for this and work on cleaning this up if that's okay

Yeah, let's do it

@pauldotyu
Copy link
Contributor Author

I can create an issue for this and work on cleaning this up if that's okay

Yeah, let's do it

Sounds good! Anything else I need to do for this particular pull request?

@JorTurFer
Copy link
Member

JorTurFer commented Jul 24, 2024

just solve merge conflicts please 🙏
@zroubalik , do you see any problem updating golang version for the release?

@pauldotyu
Copy link
Contributor Author

Merge conflict has been resolved 😁

Copy link

semgrep-app bot commented Jul 24, 2024

Semgrep found 1 no-sudo-in-dockerfile finding:

Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.

Ignore this finding from no-sudo-in-dockerfile.

to resolve CVE-2024-24790, CVE-2024-24789, and CVE-2024-24791
bump github.com/Azure/azure-sdk-for-go/sdk/azidentity to resolve CVE-2024-35255

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>
Signed-off-by: Paul Yu <paul.d.yu@gmail.com>
Copy link

semgrep-app bot commented Jul 25, 2024

Semgrep found 1 no-sudo-in-dockerfile finding:

Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.

Ignore this finding from no-sudo-in-dockerfile.

@qpetraroia
Copy link

Hi @JorTurFer,

Once this PR is merged, is it possible to cut a release for KEDA 2.14.1?

@JorTurFer
Copy link
Member

We plan to ship v2.15 next week and I'd like to include the golang bump. Is it enough? We don't plan any other release for v2.14

@JorTurFer
Copy link
Member

JorTurFer commented Jul 30, 2024

/run-e2e internal
Update: You can check the progress here

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
@JorTurFer
Copy link
Member

JorTurFer commented Jul 30, 2024

/run-e2e azure
Update: You can check the progress here

Copy link

semgrep-app bot commented Jul 30, 2024

Semgrep found 1 no-sudo-in-dockerfile finding:

Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.

Ignore this finding from no-sudo-in-dockerfile.

1 similar comment
Copy link

semgrep-app bot commented Jul 30, 2024

Semgrep found 1 no-sudo-in-dockerfile finding:

Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.

Ignore this finding from no-sudo-in-dockerfile.

@JorTurFer JorTurFer merged commit fec0756 into kedacore:main Jul 30, 2024
17 of 18 checks passed
@JorTurFer JorTurFer mentioned this pull request Jul 30, 2024
23 tasks
JorTurFer added a commit to JorTurFer/keda that referenced this pull request Jul 30, 2024
* chore: build with keda-tools:1.22.5
to resolve CVE-2024-24790, CVE-2024-24789, and CVE-2024-24791
bump github.com/Azure/azure-sdk-for-go/sdk/azidentity to resolve CVE-2024-35255

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>

* chore: use go install instead of go get and replacing deprecated tools

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>

* chore: vendor dependency cleanup

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>

* Update missing references to 1.21

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

---------

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
Co-authored-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es>
JorTurFer added a commit to JorTurFer/keda that referenced this pull request Jul 30, 2024
* chore: build with keda-tools:1.22.5
to resolve CVE-2024-24790, CVE-2024-24789, and CVE-2024-24791
bump github.com/Azure/azure-sdk-for-go/sdk/azidentity to resolve CVE-2024-35255

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>

* chore: use go install instead of go get and replacing deprecated tools

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>

* chore: vendor dependency cleanup

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>

* Update missing references to 1.21

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

---------

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
Co-authored-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
JorTurFer added a commit that referenced this pull request Jul 31, 2024
* bump golang

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* chore: build with keda-tools:1.22.5 (#5971)

* chore: build with keda-tools:1.22.5
to resolve CVE-2024-24790, CVE-2024-24789, and CVE-2024-24791
bump github.com/Azure/azure-sdk-for-go/sdk/azidentity to resolve CVE-2024-35255

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>

* chore: use go install instead of go get and replacing deprecated tools

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>

* chore: vendor dependency cleanup

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>

* Update missing references to 1.21

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

---------

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
Co-authored-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* [BUG-5922] Report failing ScaledJob triggers in status (#5916)

Signed-off-by: Josef Karasek <josef@kedify.io>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* [BUG-5656] Annotate Jobs with parent ScaledJob generation (#5876)

* Annotate Jobs with parent ScaledJob generation

Signed-off-by: Josef Karasek <josef@kedify.io>

* fix tests

Signed-off-by: Josef Karasek <josef@kedify.io>

* fix lint

Signed-off-by: Josef Karasek <josef@kedify.io>

* fix log message

Signed-off-by: Josef Karasek <josef@kedify.io>

* update changelog

Signed-off-by: Josef Karasek <josef@kedify.io>

* update changelog

Signed-off-by: Josef Karasek <josef@kedify.io>

* update changelog

Signed-off-by: Josef Karasek <josef@kedify.io>

---------

Signed-off-by: Josef Karasek <josef@kedify.io>
Signed-off-by: Zbynek Roubalik <zroubalik@gmail.com>
Co-authored-by: Zbynek Roubalik <zroubalik@gmail.com>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* fix: `+srv` mongodb url scheme parsing bug (#5773)

This commit fixs issue #5760. where OP was facing problem with +srv schema

Signed-off-by: Rishikesh Betigeri <53863619+Rishikesh01@users.noreply.github.com>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* fix: issue when GitHub organization contains more than 30 repos (#5746)

Signed-off-by: Simon Kobler <github@kobler.me>
Signed-off-by: Simon Kobler <32038731+KoblerS@users.noreply.github.com>
Co-authored-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es>
Co-authored-by: Simon Kobler <github@kobler.me>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* Fix scaler leak during cache refresh (#5807)

Signed-off-by: Guillaume Jacquet <guillaume.jacquet@gmail.com>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* Prepare release v2.14.1

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* add missing change

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* update changelog

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* fix: e2e test regex check tag (#5831)

Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* Validate regex before building image for e2e test (#5783)

* added regex pre check before building image

Signed-off-by: Yaxhveer <yaxhcod@gmail.com>

* updated changelog

Signed-off-by: Yaxhveer <yaxhcod@gmail.com>

* refactored

Signed-off-by: Yaxhveer <yaxhcod@gmail.com>

* corrected

Signed-off-by: Yaxhveer <yaxhcod@gmail.com>

* corrected changelog

Signed-off-by: Yaxhveer <yaxhcod@gmail.com>

* updated the workflow

Signed-off-by: Yaxhveer <yaxhcod@gmail.com>

* updated the workflow

Signed-off-by: Yaxhveer <yaxhcod@gmail.com>

---------

Signed-off-by: Yaxhveer <yaxhcod@gmail.com>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* fix some pending tasks

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* use AAD-Pod-Identity always

Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl>

* use AAD-Pod-Identity always

Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl>

---------

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
Signed-off-by: Paul Yu <paul.d.yu@gmail.com>
Signed-off-by: Josef Karasek <josef@kedify.io>
Signed-off-by: Zbynek Roubalik <zroubalik@gmail.com>
Signed-off-by: Rishikesh Betigeri <53863619+Rishikesh01@users.noreply.github.com>
Signed-off-by: Simon Kobler <github@kobler.me>
Signed-off-by: Simon Kobler <32038731+KoblerS@users.noreply.github.com>
Signed-off-by: Guillaume Jacquet <guillaume.jacquet@gmail.com>
Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>
Signed-off-by: Yaxhveer <yaxhcod@gmail.com>
Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl>
Co-authored-by: Paul Yu <paul.d.yu@gmail.com>
Co-authored-by: Josef Karasek <josef@kedify.io>
Co-authored-by: Zbynek Roubalik <zroubalik@gmail.com>
Co-authored-by: Rishikesh <53863619+Rishikesh01@users.noreply.github.com>
Co-authored-by: Simon Kobler <32038731+KoblerS@users.noreply.github.com>
Co-authored-by: Simon Kobler <github@kobler.me>
Co-authored-by: Guillaume Jacquet <guillaume.jacquet@gmail.com>
Co-authored-by: Jan Wozniak <wozniak.jan@gmail.com>
Co-authored-by: Yashveer <101015836+Yaxhveer@users.noreply.github.com>
jkyros pushed a commit to jkyros/keda that referenced this pull request Aug 2, 2024
* bump golang

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* chore: build with keda-tools:1.22.5 (kedacore#5971)

* chore: build with keda-tools:1.22.5
to resolve CVE-2024-24790, CVE-2024-24789, and CVE-2024-24791
bump github.com/Azure/azure-sdk-for-go/sdk/azidentity to resolve CVE-2024-35255

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>

* chore: use go install instead of go get and replacing deprecated tools

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>

* chore: vendor dependency cleanup

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>

* Update missing references to 1.21

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

---------

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
Co-authored-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* [BUG-5922] Report failing ScaledJob triggers in status (kedacore#5916)

Signed-off-by: Josef Karasek <josef@kedify.io>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* [BUG-5656] Annotate Jobs with parent ScaledJob generation (kedacore#5876)

* Annotate Jobs with parent ScaledJob generation

Signed-off-by: Josef Karasek <josef@kedify.io>

* fix tests

Signed-off-by: Josef Karasek <josef@kedify.io>

* fix lint

Signed-off-by: Josef Karasek <josef@kedify.io>

* fix log message

Signed-off-by: Josef Karasek <josef@kedify.io>

* update changelog

Signed-off-by: Josef Karasek <josef@kedify.io>

* update changelog

Signed-off-by: Josef Karasek <josef@kedify.io>

* update changelog

Signed-off-by: Josef Karasek <josef@kedify.io>

---------

Signed-off-by: Josef Karasek <josef@kedify.io>
Signed-off-by: Zbynek Roubalik <zroubalik@gmail.com>
Co-authored-by: Zbynek Roubalik <zroubalik@gmail.com>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* fix: `+srv` mongodb url scheme parsing bug (kedacore#5773)

This commit fixs issue kedacore#5760. where OP was facing problem with +srv schema

Signed-off-by: Rishikesh Betigeri <53863619+Rishikesh01@users.noreply.github.com>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* fix: issue when GitHub organization contains more than 30 repos (kedacore#5746)

Signed-off-by: Simon Kobler <github@kobler.me>
Signed-off-by: Simon Kobler <32038731+KoblerS@users.noreply.github.com>
Co-authored-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es>
Co-authored-by: Simon Kobler <github@kobler.me>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* Fix scaler leak during cache refresh (kedacore#5807)

Signed-off-by: Guillaume Jacquet <guillaume.jacquet@gmail.com>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* Prepare release v2.14.1

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* add missing change

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* update changelog

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* fix: e2e test regex check tag (kedacore#5831)

Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* Validate regex before building image for e2e test (kedacore#5783)

* added regex pre check before building image

Signed-off-by: Yaxhveer <yaxhcod@gmail.com>

* updated changelog

Signed-off-by: Yaxhveer <yaxhcod@gmail.com>

* refactored

Signed-off-by: Yaxhveer <yaxhcod@gmail.com>

* corrected

Signed-off-by: Yaxhveer <yaxhcod@gmail.com>

* corrected changelog

Signed-off-by: Yaxhveer <yaxhcod@gmail.com>

* updated the workflow

Signed-off-by: Yaxhveer <yaxhcod@gmail.com>

* updated the workflow

Signed-off-by: Yaxhveer <yaxhcod@gmail.com>

---------

Signed-off-by: Yaxhveer <yaxhcod@gmail.com>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* fix some pending tasks

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* use AAD-Pod-Identity always

Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl>

* use AAD-Pod-Identity always

Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl>

---------

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
Signed-off-by: Paul Yu <paul.d.yu@gmail.com>
Signed-off-by: Josef Karasek <josef@kedify.io>
Signed-off-by: Zbynek Roubalik <zroubalik@gmail.com>
Signed-off-by: Rishikesh Betigeri <53863619+Rishikesh01@users.noreply.github.com>
Signed-off-by: Simon Kobler <github@kobler.me>
Signed-off-by: Simon Kobler <32038731+KoblerS@users.noreply.github.com>
Signed-off-by: Guillaume Jacquet <guillaume.jacquet@gmail.com>
Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>
Signed-off-by: Yaxhveer <yaxhcod@gmail.com>
Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl>
Co-authored-by: Paul Yu <paul.d.yu@gmail.com>
Co-authored-by: Josef Karasek <josef@kedify.io>
Co-authored-by: Zbynek Roubalik <zroubalik@gmail.com>
Co-authored-by: Rishikesh <53863619+Rishikesh01@users.noreply.github.com>
Co-authored-by: Simon Kobler <32038731+KoblerS@users.noreply.github.com>
Co-authored-by: Simon Kobler <github@kobler.me>
Co-authored-by: Guillaume Jacquet <guillaume.jacquet@gmail.com>
Co-authored-by: Jan Wozniak <wozniak.jan@gmail.com>
Co-authored-by: Yashveer <101015836+Yaxhveer@users.noreply.github.com>
JorTurFer added a commit to JorTurFer/keda that referenced this pull request Oct 7, 2024
* chore: build with keda-tools:1.22.5
to resolve CVE-2024-24790, CVE-2024-24789, and CVE-2024-24791
bump github.com/Azure/azure-sdk-for-go/sdk/azidentity to resolve CVE-2024-35255

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>

* chore: use go install instead of go get and replacing deprecated tools

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>

* chore: vendor dependency cleanup

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>

* Update missing references to 1.21

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

---------

Signed-off-by: Paul Yu <paul.d.yu@gmail.com>
Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
Co-authored-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants