Merge pull request #10078 from pdeslaur/crypto-1

CVE-2023-48795: First batch of remediation
wolfi-dev · Dec 19, 2023 · 48977ca · 48977ca
2 parents ea4fc44 + 9e5396c
commit 48977ca
Show file tree

Hide file tree

Showing 13 changed files with 109 additions and 26 deletions.
diff --git a/apko.yaml b/apko.yaml
@@ -1,7 +1,7 @@
 package:
   name: apko
   version: 0.12.0
-  epoch: 1
+  epoch: 2
   description: Build OCI images using APK directly without Dockerfile
   copyright:
     - license: Apache-2.0
@@ -23,10 +23,13 @@ pipeline:
       repository: https://github.com/chainguard-dev/apko
       tag: v${{package.version}}
       expected-commit: 691fe51dd1d536460f8a955d1357eaba974208b5
-      destination: apko
+
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected]
+      go-version: "1.21"
 
   - runs: |
-      cd apko
       make apko
       install -m755 -D ./apko "${{targets.destdir}}"/usr/bin/apko
 

diff --git a/argo-workflows.yaml b/argo-workflows.yaml
@@ -1,7 +1,7 @@
 package:
   name: argo-workflows
   version: 3.5.2
-  epoch: 2
+  epoch: 3
   description: Workflow engine for Kubernetes.
   copyright:
     - license: Apache-2.0
@@ -24,6 +24,11 @@ pipeline:
       tag: v${{package.version}}
       expected-commit: 5b6ad2be163ecd3f0251a931ab84dba3c6085ad2
 
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected]
+      replaces: github.com/whilp/git-urls=github.com/dlorenc/[email protected]
+
   - runs: |
       # NODE_OPTIONS has to been set
       sed -i 's/NODE_OPTIONS='\''[^'\'']*'\''/NODE_OPTIONS='\''--openssl-legacy-provider'\''/g' ui/package.json
@@ -36,10 +41,6 @@ pipeline:
       # Our global LDFLAGS conflict with a Makefile parameter
       unset LDFLAGS
 
-      # GHSA-3f2q-6294-fmq5 CVE-2023-46402
-      go mod edit -replace=github.com/whilp/git-urls=github.com/dlorenc/[email protected]
-      go mod tidy
-
       make dist/workflow-controller
       make dist/argo
       make dist/argoexec

diff --git a/cadvisor.yaml b/cadvisor.yaml
@@ -1,7 +1,7 @@
 package:
   name: cadvisor
   version: 0.48.1
-  epoch: 2
+  epoch: 3
   description: Analyzes resource usage and performance characteristics of running containers.
   copyright:
     - license: Apache-2.0
@@ -28,7 +28,7 @@ pipeline:
 
   - uses: go/bump
     with:
-      deps: golang.org/x/[email protected]
+      deps: golang.org/x/[email protected] golang.org/x/[email protected]
       modroot: cmd
 
   - runs: |

diff --git a/cert-manager-1.11.yaml b/cert-manager-1.11.yaml
@@ -2,7 +2,7 @@ package:
   name: cert-manager-1.11
   # See https://cert-manager.io/docs/installation/supported-releases/ for upstream-supported versions
   version: 1.11.5
-  epoch: 8
+  epoch: 9
   description: Automatically provision and manage TLS certificates in Kubernetes
   copyright:
     - license: Apache-2.0
@@ -31,7 +31,7 @@ pipeline:
   # to workaround, set CTR to anything $(command -v)able
   - uses: go/bump
     with:
-      deps: golang.org/x/[email protected] go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/[email protected] go.opentelemetry.io/[email protected] go.opentelemetry.io/otel/exporters/otlp/otlptrace/[email protected] go.opentelemetry.io/otel/[email protected] github.com/docker/[email protected] oras.land/[email protected] github.com/cyphar/[email protected]
+      deps: golang.org/x/[email protected] go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/[email protected] go.opentelemetry.io/[email protected] go.opentelemetry.io/otel/exporters/otlp/otlptrace/[email protected] go.opentelemetry.io/otel/[email protected] github.com/docker/[email protected] oras.land/[email protected] github.com/cyphar/[email protected] golang.org/x/[email protected]
       replaces: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp=go.opentelemetry.io/contrib/instrumentation/net/http/[email protected]
 
   - runs: |
@@ -81,7 +81,7 @@ subpackages:
   - name: cmctl-1.11
     pipeline:
       - runs: |
-          make CTR=make cmctl-linux
+          make CTR=make _bin/cmctl/cmctl-linux-$(go env GOARCH)
       - runs: |
           install -Dm755 _bin/cmctl/cmctl-linux-$(go env GOARCH) ${{targets.subpkgdir}}/usr/bin/cmctl
       - uses: strip

diff --git a/cert-manager-1.12.yaml b/cert-manager-1.12.yaml
@@ -2,7 +2,7 @@ package:
   name: cert-manager-1.12
   # See https://cert-manager.io/docs/installation/supported-releases/ for upstream-supported versions
   version: 1.12.7
-  epoch: 1
+  epoch: 2
   description: Automatically provision and manage TLS certificates in Kubernetes
   copyright:
     - license: Apache-2.0
@@ -27,9 +27,36 @@ pipeline:
       tag: v${{package.version}}
       expected-commit: 6d7629ba42b946978e3baaa75348c851f7ef9134
 
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected]
+      modroot: .
+
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected]
+      modroot: cmd/controller
+
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected]
+      modroot: cmd/ctl
+
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected]
+      modroot: cmd/webhook
+
   # the makefile hardcodes the requirement for some container runtime (CTR), even when we don't need it
   # to workaround, set CTR to anything $(command -v)able
   - runs: |
+      # This is needed because the go bumps above affect these packages
+      for mod in cainjector acmesolver; do
+        cd cmd/$mod
+        go mod tidy
+        cd ../..
+      done
+
       make CTR=make _bin/server/controller-linux-$(go env GOARCH)
       make CTR=make _bin/server/webhook-linux-$(go env GOARCH)
       make CTR=make _bin/server/cainjector-linux-$(go env GOARCH)
@@ -76,7 +103,7 @@ subpackages:
   - name: cmctl-1.12
     pipeline:
       - runs: |
-          make CTR=make cmctl-linux
+          make CTR=make _bin/cmctl/cmctl-linux-$(go env GOARCH)
       - runs: |
           install -Dm755 _bin/cmctl/cmctl-linux-$(go env GOARCH) ${{targets.subpkgdir}}/usr/bin/cmctl
       - uses: strip

diff --git a/cert-manager-1.13.yaml b/cert-manager-1.13.yaml
@@ -2,7 +2,7 @@ package:
   name: cert-manager-1.13
   # See https://cert-manager.io/docs/installation/supported-releases/ for upstream-supported versions
   version: 1.13.3
-  epoch: 0
+  epoch: 1
   description: Automatically provision and manage TLS certificates in Kubernetes
   copyright:
     - license: Apache-2.0
@@ -27,9 +27,36 @@ pipeline:
       tag: v${{package.version}}
       expected-commit: 876e386ee905aa86e2466c287e654613b0426927
 
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected]
+      modroot: .
+
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected]
+      modroot: cmd/controller
+
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected]
+      modroot: cmd/ctl
+
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected]
+      modroot: cmd/webhook
+
   # the makefile hardcodes the requirement for some container runtime (CTR), even when we don't need it
   # to workaround, set CTR to anything $(command -v)able
   - runs: |
+      # This is needed because the go bumps above affect these packages
+      for mod in cainjector acmesolver; do
+        cd cmd/$mod
+        go mod tidy
+        cd ../..
+      done
+
       make CTR=make _bin/server/controller-linux-$(go env GOARCH)
       make CTR=make _bin/server/webhook-linux-$(go env GOARCH)
       make CTR=make _bin/server/cainjector-linux-$(go env GOARCH)
@@ -76,7 +103,7 @@ subpackages:
   - name: cmctl-1.13
     pipeline:
       - runs: |
-          make CTR=make cmctl-linux
+          make CTR=make _bin/cmctl/cmctl-linux-$(go env GOARCH)
       - runs: |
           install -Dm755 _bin/cmctl/cmctl-linux-$(go env GOARCH) ${{targets.subpkgdir}}/usr/bin/cmctl
       - uses: strip

diff --git a/flux-helm-controller.yaml b/flux-helm-controller.yaml
@@ -1,7 +1,7 @@
 package:
   name: flux-helm-controller
   version: 0.37.1
-  epoch: 0
+  epoch: 1
   description: The GitOps Toolkit Helm reconciler, for declarative Helming
   copyright:
     - license: Apache-2.0
@@ -22,6 +22,10 @@ pipeline:
       repository: https://github.com/fluxcd/helm-controller
       tag: v${{package.version}}
 
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected]
+
   - uses: go/build
     with:
       ldflags: -s -w

diff --git a/flux-image-automation-controller.yaml b/flux-image-automation-controller.yaml
@@ -1,7 +1,7 @@
 package:
   name: flux-image-automation-controller
   version: 0.37.0
-  epoch: 1
+  epoch: 2
   description: GitOps Toolkit controller that patches container image tags in Git
   copyright:
     - license: Apache-2.0
@@ -23,6 +23,10 @@ pipeline:
       tag: v${{package.version}}
       expected-commit: d5e199b983be3df27da3b3c59761d3670ba8f0a0
 
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected]
+
   - runs: |
       mkdir -p "${{targets.destdir}}"/usr/bin
       CGO_ENABLED=1 CGO_LDFLAGS="-static -fuse-ld=lld" go build \

diff --git a/flux-image-reflector-controller.yaml b/flux-image-reflector-controller.yaml
@@ -1,7 +1,7 @@
 package:
   name: flux-image-reflector-controller
   version: 0.31.1
-  epoch: 0
+  epoch: 1
   description: GitOps Toolkit controller that scans container registries
   copyright:
     - license: Apache-2.0
@@ -21,6 +21,10 @@ pipeline:
       tag: v${{package.version}}
       expected-commit: 91ee4308d4dcdc80a18411f25cdab90c42afe096
 
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected]
+
   - uses: go/build
     with:
       packages: .

diff --git a/flux-kustomize-controller.yaml b/flux-kustomize-controller.yaml
@@ -1,7 +1,7 @@
 package:
   name: flux-kustomize-controller
   version: 1.2.1
-  epoch: 0
+  epoch: 1
   description: The GitOps Toolkit Kustomize reconciler
   copyright:
     - license: Apache-2.0
@@ -38,7 +38,7 @@ pipeline:
 
   - uses: go/bump
     with:
-      deps: github.com/go-jose/go-jose/[email protected]
+      deps: github.com/go-jose/go-jose/[email protected] golang.org/x/[email protected]
 
   - uses: go/build
     with:

diff --git a/flux-notification-controller.yaml b/flux-notification-controller.yaml
@@ -1,7 +1,7 @@
 package:
   name: flux-notification-controller
   version: 1.2.3
-  epoch: 0
+  epoch: 1
   description: The GitOps Toolkit event forwarded and notification dispatcher
   copyright:
     - license: Apache-2.0
@@ -20,8 +20,12 @@ pipeline:
       repository: https://github.com/fluxcd/notification-controller
       tag: v${{package.version}}
 
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected]
+      go-version: 1.21
+
   - runs: |
-      go mod tidy
       mkdir -p "${{targets.destdir}}"/usr/bin
       CGO_ENABLED=0 go build \
         -trimpath -a -o "${{targets.destdir}}"/usr/bin/notification-controller .

diff --git a/flux-source-controller.yaml b/flux-source-controller.yaml
@@ -1,7 +1,7 @@
 package:
   name: flux-source-controller
   version: 1.2.3
-  epoch: 0
+  epoch: 1
   description: The GitOps Toolkit source management component
   copyright:
     - license: Apache-2.0
@@ -23,6 +23,11 @@ pipeline:
       repository: https://github.com/fluxcd/source-controller
       tag: v${{package.version}}
 
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected]
+      go-version: 1.21
+
   - runs: |
       mkdir -p "${{targets.destdir}}"/usr/bin
       CGO_ENABLED=1 CGO_LDFLAGS="-static -fuse-ld=lld" go build \

diff --git a/flux.yaml b/flux.yaml
@@ -1,7 +1,7 @@
 package:
   name: flux
   version: 2.2.1
-  epoch: 0
+  epoch: 1
   description: Open and extensible continuous delivery solution for Kubernetes. Powered by GitOps Toolkit.
   copyright:
     - license: Apache-2.0
@@ -24,6 +24,10 @@ pipeline:
       uri: https://github.com/fluxcd/flux2/archive/v${{package.version}}/v${{package.version}}.tar.gz
       expected-sha256: aa01a6b3ec41588d21a5eb637d1c77292e4ca4da68e92c606dd8a980d58ca4bd
 
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected]
+
   - runs: |
       mkdir -p "${{targets.destdir}}"/usr/bin
       VERSION=${{package.version}} make build