
chore(deps): remove github.com/mholt/archiver/v3 dependency #1472

Open

wants to merge 2 commits into base: master

Conversation

RTann (Collaborator) commented Apr 10, 2024

mholt/archiver#396 has yet to land so github.com/mholt/archiver/v3 is still affected by CVE-2024-0406. This repository is not affected by this vulnerability.

This PR removes the dependency to:

  • minimize dependencies
  • ensure security scanners do not claim Scanner is affected, when it is not

Implementation is completely based on https://github.com/mholt/archiver/blob/v3.5.1/zip.go#L140.

Note: I want to make sure the diff-dumps still give the same data, but that step is failing at the moment... In any case, it doesn't hurt to start the review process

@RTann RTann added the generate-dumps-on-pr Generates the image based on dumps from the PR label Apr 10, 2024
@RTann RTann force-pushed the ross/rm-mholt-archiver branch 4 times, most recently from 448508e to 5e01666 on April 15, 2024 17:59

RTann (Collaborator, Author) commented Apr 15, 2024

/retest

@RTann RTann force-pushed the ross/rm-mholt-archiver branch 2 times, most recently from 8fb906b to 1acad4e on April 15, 2024 21:00

RTann (Collaborator, Author) commented Apr 15, 2024

/retest

RTann (Collaborator, Author) commented Apr 17, 2024

/retest

@RTann RTann force-pushed the ross/rm-mholt-archiver branch 2 times, most recently from f9a1f8f to 3088957 on April 25, 2024 20:57

msugakov (Contributor) commented May 3, 2024

This PR and subsequent scanner dependency update in stackrox/stackrox should help with https://github.com/stackrox/stackrox/security/dependabot/270

dcaravel (Contributor) left a review comment

Looks like code was removed related to handling symlinks, was that because in the various workflows that use WriteZip we know symlinks are not being used?

(rest looks OK to me - holding approve for a successful diff-dump / test)

Review comment on pkg/vulndump/write.go (outdated, resolved)

RTann (Collaborator, Author) commented May 6, 2024

> Looks like code was removed related to handling symlinks, was that because in the various workflows that use WriteZip we know symlinks are not being used?

Yes, WriteZip is only used by generate-dump and diff-dumps, and we do not use symlinks for either (that I know of).

> (rest looks OK to me - holding approve for a successful diff-dump / test)

I'm also waiting for diff-dump. Running into space issues in CI, though it seems unique to this PR, so I wonder if I messed something up, I'm getting unlucky, or GHA allocates different resources for PR vs push to master branch.
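As an added example, not code from this PR's pkg/vulndump/write.go: a dependency-free WriteZip in Go that uses only archive/zip, in the spirit of the archiver zip.go logic the PR description points to, and that refuses symlinks instead of handling them, which is the behaviour the exchange above settles on for generate-dump and diff-dumps. The function name matches the one discussed in the review; its signature and error handling are assumptions.

```go
package main

import (
	"archive/zip"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// WriteZip archives every regular file under srcDir into a zip at dstPath; symlinks are refused.
func WriteZip(srcDir, dstPath string) error {
	out, err := os.Create(dstPath)
	if err != nil {
		return err
	}
	defer out.Close()
	zw := zip.NewWriter(out)
	walk := func(path string, info os.FileInfo, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		// filepath.Walk uses Lstat, so a link is seen as a link and never followed outside srcDir.
		if info.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("refusing to archive symlink %q", path)
		}
		if !info.Mode().IsRegular() {
			return nil // directories and special files get no entry
		}
		rel, err := filepath.Rel(srcDir, path)
		if err != nil {
			return err
		}
		w, err := zw.Create(filepath.ToSlash(rel)) // relative, slash-separated entry name
		if err != nil {
			return err
		}
		f, err := os.Open(path)
		if err != nil {
			return err
		}
		defer f.Close()
		_, err = io.Copy(w, f)
		return err
	}
	if err := filepath.Walk(srcDir, walk); err != nil {
		return err
	}
	return zw.Close()
}
```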

@RTann RTann requested a review from dcaravel May 6, 2024 22:51
@RTann RTann force-pushed the ross/rm-mholt-archiver branch 2 times, most recently from c3d6356 to 52e16c6 on May 9, 2024 22:03

openshift-ci bot commented May 16, 2024

@RTann: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: ci/prow/slim-e2e-tests
Commit: 9635317
Required: false
Rerun command: /test slim-e2e-tests
