
fix: GO-2024-2687 and GO-2023-1571 #102

Open: wants to merge 1 commit into base: main

Conversation


@cmontemuino cmontemuino commented Jul 17, 2024

PROBLEM: the project includes some old package versions that come
with vulnerabilities

SOLUTION: upgrade k8s.io/xxx packages to the minimum version
that fixes the reported vulnerabilities

@cmontemuino ➜ /workspaces/kubectl-who-can (main) $ go mod tidy

go: downloading github.com/spf13/pflag v1.0.5
go: downloading k8s.io/cli-runtime v0.27.15
go: downloading k8s.io/client-go v0.27.15
go: downloading k8s.io/klog/v2 v2.90.1
go: downloading github.com/stretchr/testify v1.8.3
go: downloading github.com/spf13/cobra v1.6.0
go: downloading k8s.io/api v0.27.15
go: downloading k8s.io/apiextensions-apiserver v0.27.15
go: downloading k8s.io/apimachinery v0.27.15
go: downloading github.com/evanphx/json-patch v4.12.0+incompatible
go: downloading github.com/google/uuid v1.3.0
go: downloading k8s.io/utils v0.0.0-20230209194617-a36077c30491
go: downloading github.com/go-logr/logr v1.2.3
go: downloading github.com/davecgh/go-spew v1.1.1
go: downloading github.com/pmezard/go-difflib v1.0.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading github.com/inconshreveable/mousetrap v1.0.1
go: downloading github.com/gogo/protobuf v1.3.2
go: downloading github.com/google/go-cmp v0.5.9
go: downloading github.com/google/gofuzz v1.1.0
go: downloading sigs.k8s.io/yaml v1.3.0
go: downloading github.com/golang/protobuf v1.5.4
go: downloading github.com/google/gnostic v0.5.7-v3refs
go: downloading google.golang.org/protobuf v1.33.0
go: downloading k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f
go: downloading github.com/imdario/mergo v0.3.6
go: downloading golang.org/x/term v0.18.0
go: downloading golang.org/x/net v0.23.0
go: downloading github.com/stretchr/objx v0.5.0
go: downloading sigs.k8s.io/structured-merge-diff/v4 v4.2.3
go: downloading github.com/pkg/errors v0.9.1
go: downloading sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd
go: downloading github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de
go: downloading golang.org/x/text v0.14.0
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading sigs.k8s.io/kustomize/api v0.13.2
go: downloading sigs.k8s.io/kustomize/kyaml v0.14.1
go: downloading github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7
go: downloading github.com/peterbourgon/diskv v2.0.1+incompatible
go: downloading golang.org/x/oauth2 v0.7.0
go: downloading gopkg.in/inf.v0 v0.9.1
go: downloading golang.org/x/time v0.3.0
go: downloading golang.org/x/sys v0.18.0
go: downloading github.com/go-openapi/swag v0.22.3
go: downloading github.com/json-iterator/go v1.1.12
go: downloading github.com/go-openapi/jsonreference v0.20.1
go: downloading github.com/google/btree v1.0.1
go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
go: downloading github.com/mailru/easyjson v0.7.7
go: downloading gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
go: downloading github.com/onsi/ginkgo/v2 v2.9.1
go: downloading github.com/onsi/gomega v1.27.4
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading github.com/modern-go/reflect2 v1.0.2
go: downloading github.com/go-openapi/jsonpointer v0.19.6
go: downloading github.com/go-errors/errors v1.4.2
go: downloading github.com/sergi/go-diff v1.1.0
go: downloading google.golang.org/appengine v1.6.7
go: downloading github.com/emicklei/go-restful/v3 v3.9.0
go: downloading github.com/josharian/intern v1.0.0
go: downloading github.com/kr/pretty v0.3.0
go: downloading github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00
go: downloading github.com/xlab/treeprint v1.1.0
go: downloading github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
go: downloading github.com/kr/text v0.2.0
go: downloading github.com/rogpeppe/go-internal v1.12.0
go: downloading go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5
go: downloading github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0
go: downloading golang.org/x/tools v0.16.1
go: downloading github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1
go: downloading github.com/onsi/ginkgo v1.16.4

@cmontemuino ➜ /workspaces/kubectl-who-can (fix-vulnerabilities) $ make unit-tests

GO111MODULE=on go test -v -short -race -timeout 30s -coverprofile=coverage.txt -covermode=atomic ./...
github.com/aquasecurity/kubectl-who-can/cmd/kubectl-who-can coverage: 0.0% of statements
=== RUN TestIsAllowed
=== RUN TestIsAllowed/Should_return_true_when_SSAR's_allowed_property_is_true
=== RUN TestIsAllowed/Should_return_false_when_SSAR's_allowed_property_is_false
=== RUN TestIsAllowed/Should_return_error_when_API_request_fails
--- PASS: TestIsAllowed (0.00s)
--- PASS: TestIsAllowed/Should_return_true_when_SSAR's_allowed_property_is_true (0.00s)
--- PASS: TestIsAllowed/Should_return_false_when_SSAR's_allowed_property_is_false (0.00s)
--- PASS: TestIsAllowed/Should_return_error_when_API_request_fails (0.00s)
=== RUN TestActionFrom
=== RUN TestActionFrom/A
list_test.go:182: PASS: Namespace()
=== RUN TestActionFrom/B
list_test.go:182: PASS: Namespace()
=== RUN TestActionFrom/C
=== RUN TestActionFrom/D
=== RUN TestActionFrom/F
=== RUN TestActionFrom/G
--- PASS: TestActionFrom (0.00s)
--- PASS: TestActionFrom/A (0.00s)
--- PASS: TestActionFrom/B (0.00s)
--- PASS: TestActionFrom/C (0.00s)
--- PASS: TestActionFrom/D (0.00s)
--- PASS: TestActionFrom/F (0.00s)
--- PASS: TestActionFrom/G (0.00s)
=== RUN TestValidate
=== RUN TestValidate/Should_return_nil_when_namespace_is_valid
list_test.go:248: PASS: Validate(string)
=== RUN TestValidate/Should_return_error_when_namespace_does_not_exist
list_test.go:248: PASS: Validate(string)
=== RUN TestValidate/Should_return_error_when_--subresource_flag_is_used_with_non-resource_URL
--- PASS: TestValidate (0.00s)
--- PASS: TestValidate/Should_return_nil_when_namespace_is_valid (0.00s)
--- PASS: TestValidate/Should_return_error_when_namespace_does_not_exist (0.00s)
--- PASS: TestValidate/Should_return_error_when_--subresource_flag_is_used_with_non-resource_URL (0.00s)
=== RUN TestWhoCan_CheckAPIAccess
=== RUN TestWhoCan_CheckAPIAccess/A
list_test.go:355: PASS: IsAllowedTo(string,string,string)
list_test.go:355: PASS: IsAllowedTo(string,string,string)
list_test.go:355: PASS: IsAllowedTo(string,string,string)
list_test.go:355: PASS: IsAllowedTo(string,string,string)
list_test.go:355: PASS: IsAllowedTo(string,string,string)
=== RUN TestWhoCan_CheckAPIAccess/B
list_test.go:355: PASS: IsAllowedTo(string,string,string)
list_test.go:355: PASS: IsAllowedTo(string,string,string)
--- PASS: TestWhoCan_CheckAPIAccess (0.00s)
--- PASS: TestWhoCan_CheckAPIAccess/A (0.00s)
--- PASS: TestWhoCan_CheckAPIAccess/B (0.00s)
=== RUN TestWhoCan_GetRolesFor
list_test.go:417: PASS: MatchesRole(v1.Role,cmd.resolvedAction)
list_test.go:417: PASS: MatchesRole(v1.Role,cmd.resolvedAction)
--- PASS: TestWhoCan_GetRolesFor (0.00s)
=== RUN TestWhoCan_GetClusterRolesFor
list_test.go:476: PASS: MatchesClusterRole(v1.ClusterRole,cmd.resolvedAction)
list_test.go:476: PASS: MatchesClusterRole(v1.ClusterRole,cmd.resolvedAction)
--- PASS: TestWhoCan_GetClusterRolesFor (0.00s)
=== RUN TestWhoCan_GetRoleBindings
--- PASS: TestWhoCan_GetRoleBindings (0.00s)
=== RUN TestWhoCan_GetClusterRoleBindings
--- PASS: TestWhoCan_GetClusterRoleBindings (0.00s)
=== RUN TestNamespaceValidator_Validate
=== RUN TestNamespaceValidator_Validate/Should_return_error_when_getting_namespace_fails
=== RUN TestNamespaceValidator_Validate/Should_return_error_when_namespace_does_not_exist
=== RUN TestNamespaceValidator_Validate/Should_return_error_when_namespace_is_not_active
=== RUN TestNamespaceValidator_Validate/Should_return_nil_when_namespace_is_active
--- PASS: TestNamespaceValidator_Validate (0.00s)
--- PASS: TestNamespaceValidator_Validate/Should_return_error_when_getting_namespace_fails (0.00s)
--- PASS: TestNamespaceValidator_Validate/Should_return_error_when_namespace_does_not_exist (0.00s)
--- PASS: TestNamespaceValidator_Validate/Should_return_error_when_namespace_is_not_active (0.00s)
--- PASS: TestNamespaceValidator_Validate/Should_return_nil_when_namespace_is_active (0.00s)
=== RUN TestMatcher_MatchesRole
--- PASS: TestMatcher_MatchesRole (0.00s)
=== RUN TestMatcher_MatchesClusterRole
--- PASS: TestMatcher_MatchesClusterRole (0.00s)
=== RUN TestMatcher_matches
=== RUN TestMatcher_matches/A
=== RUN TestMatcher_matches/B
=== RUN TestMatcher_matches/C
=== RUN TestMatcher_matches/D
=== RUN TestMatcher_matches/E
=== RUN TestMatcher_matches/F
=== RUN TestMatcher_matches/G
=== RUN TestMatcher_matches/H
=== RUN TestMatcher_matches/I
=== RUN TestMatcher_matches/J
=== RUN TestMatcher_matches/K
=== RUN TestMatcher_matches/L
=== RUN TestMatcher_matches/Should_return_true_when_PolicyRule's_APIGroup_matches_resolved_resource's_group
=== RUN TestMatcher_matches/Should_return_true_when_PolicyRule's_APIGroup_matches_all_('')resource_groups
=== RUN TestMatcher_matches/Should_return_false_when_PolicyRule's_APIGroup_doesn't_match_resolved_resource's_Group
--- PASS: TestMatcher_matches (0.00s)
--- PASS: TestMatcher_matches/A (0.00s)
--- PASS: TestMatcher_matches/B (0.00s)
--- PASS: TestMatcher_matches/C (0.00s)
--- PASS: TestMatcher_matches/D (0.00s)
--- PASS: TestMatcher_matches/E (0.00s)
--- PASS: TestMatcher_matches/F (0.00s)
--- PASS: TestMatcher_matches/G (0.00s)
--- PASS: TestMatcher_matches/H (0.00s)
--- PASS: TestMatcher_matches/I (0.00s)
--- PASS: TestMatcher_matches/J (0.00s)
--- PASS: TestMatcher_matches/K (0.00s)
--- PASS: TestMatcher_matches/L (0.00s)
--- PASS: TestMatcher_matches/Should_return_true_when_PolicyRule's_APIGroup_matches_resolved_resource's_group (0.00s)
--- PASS: TestMatcher_matches/Should_return_true_when_PolicyRule's_APIGroup_matches_all_('')resource_groups (0.00s)
--- PASS: TestMatcher_matches/Should_return_false_when_PolicyRule's_APIGroup_doesn't_match_resolved_resource's_Group (0.00s)
=== RUN TestResourceResolver_Resolve
=== RUN TestResourceResolver_Resolve/A
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
=== RUN TestResourceResolver_Resolve/B
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
=== RUN TestResourceResolver_Resolve/C
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
=== RUN TestResourceResolver_Resolve/D
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
=== RUN TestResourceResolver_Resolve/E
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
=== RUN TestResourceResolver_Resolve/F
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
=== RUN TestResourceResolver_Resolve/G
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
=== RUN TestResourceResolver_Resolve/H
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
=== RUN TestResourceResolver_Resolve/I
=== RUN TestResourceResolver_Resolve/Should_resolve_psp
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
=== RUN TestResourceResolver_Resolve/Should_return_error_when_psp_verb_is_not_supported
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
--- PASS: TestResourceResolver_Resolve (0.00s)
--- PASS: TestResourceResolver_Resolve/A (0.00s)
--- PASS: TestResourceResolver_Resolve/B (0.00s)
--- PASS: TestResourceResolver_Resolve/C (0.00s)
--- PASS: TestResourceResolver_Resolve/D (0.00s)
--- PASS: TestResourceResolver_Resolve/E (0.00s)
--- PASS: TestResourceResolver_Resolve/F (0.00s)
--- PASS: TestResourceResolver_Resolve/G (0.00s)
--- PASS: TestResourceResolver_Resolve/H (0.00s)
--- PASS: TestResourceResolver_Resolve/I (0.00s)
--- PASS: TestResourceResolver_Resolve/Should_resolve_psp (0.00s)
--- PASS: TestResourceResolver_Resolve/Should_return_error_when_psp_verb_is_not_supported (0.00s)
=== RUN TestPrinter_PrintWarnings
=== RUN TestPrinter_PrintWarnings/A
=== RUN TestPrinter_PrintWarnings/B
=== RUN TestPrinter_PrintWarnings/C
--- PASS: TestPrinter_PrintWarnings (0.00s)
--- PASS: TestPrinter_PrintWarnings/A (0.00s)
--- PASS: TestPrinter_PrintWarnings/B (0.00s)
--- PASS: TestPrinter_PrintWarnings/C (0.00s)
=== RUN TestPrinter_PrintChecks
=== RUN TestPrinter_PrintChecks/A
=== RUN TestPrinter_PrintChecks/B
=== RUN TestPrinter_PrintChecks/C
=== RUN TestPrinter_PrintChecks/D
=== RUN TestPrinter_PrintChecks/E
--- PASS: TestPrinter_PrintChecks (0.00s)
--- PASS: TestPrinter_PrintChecks/A (0.00s)
--- PASS: TestPrinter_PrintChecks/B (0.00s)
--- PASS: TestPrinter_PrintChecks/C (0.00s)
--- PASS: TestPrinter_PrintChecks/D (0.00s)
--- PASS: TestPrinter_PrintChecks/E (0.00s)
=== RUN TestPrinter_ExportData
=== RUN TestPrinter_ExportData/A
=== RUN TestPrinter_ExportData/B
=== RUN TestPrinter_ExportData/C
=== RUN TestPrinter_ExportData/D
=== RUN TestPrinter_ExportData/E
=== RUN TestPrinter_ExportData/F
--- PASS: TestPrinter_ExportData (0.00s)
--- PASS: TestPrinter_ExportData/A (0.00s)
--- PASS: TestPrinter_ExportData/B (0.00s)
--- PASS: TestPrinter_ExportData/C (0.00s)
--- PASS: TestPrinter_ExportData/D (0.00s)
--- PASS: TestPrinter_ExportData/E (0.00s)
--- PASS: TestPrinter_ExportData/F (0.00s)
PASS
coverage: 75.5% of statements
ok github.com/aquasecurity/kubectl-who-can/pkg/cmd 1.177s coverage: 75.5% of statements
=== RUN TestIntegration
integration_test.go:36: Integration test
--- SKIP: TestIntegration (0.00s)
PASS
coverage: [no statements]
ok github.com/aquasecurity/kubectl-who-can/test 1.041s coverage: [no statements]

@cmontemuino ➜ /workspaces/kubectl-who-can (main) $ govulncheck ./...
No vulnerabilities found.
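Added example, not part of this PR or of the kubectl-who-can code base: a small Go check that reports any go.mod pin of a watched module that sits below the version this PR moves to. The floors are copied from the `go mod tidy` output above and are assumptions for the check, as is the constructed go.mod fragment; `govulncheck`, which the PR runs, remains the authority on whether a version is actually vulnerable.

```go
package main

import (
	"fmt"
	"strings"
)

// Floors copied from this PR's `go mod tidy` output (assumed; govulncheck stays the authority).
var minVersions = map[string]string{
	"k8s.io/api":       "v0.27.15",
	"k8s.io/client-go": "v0.27.15",
	"golang.org/x/net": "v0.23.0",
}

// Constructed go.mod fragment for the demo; the first two pins sit below their floors.
const sampleGoMod = `require (
	k8s.io/api v0.27.9
	k8s.io/client-go v0.27.15-rc.1 // indirect
	github.com/evanphx/json-patch v4.12.0+incompatible
)`

// versionKey orders "vMAJOR.MINOR.PATCH[-pre][+build]" numerically, so v0.27.9 < v0.27.15 (a string compare gets that wrong).
func versionKey(v string) int64 {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // "+incompatible" never affects order
	v, _, pre := strings.Cut(v, "-")                        // pre-release or pseudo-version suffix
	var major, minor, patch int64
	if _, err := fmt.Sscanf(v, "%d.%d.%d", &major, &minor, &patch); err != nil {
		return 0 // an unparseable pin can never satisfy a floor, so it gets reported
	}
	key := major<<41 | minor<<21 | patch<<1 // 20 bits per component, release bit last
	if !pre {
		key |= 1 // so v0.27.15-rc.1 and v0.0.0-2023...-abcdef sort below v0.27.15
	}
	return key
}

// CheckGoMod returns one finding per watched module whose go.mod pin is below its floor (replace directives are ignored).
func CheckGoMod(gomod string) []string {
	var findings []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 || minVersions[f[0]] == "" {
			continue // not a "module version" line, or not a module we watch
		}
		if versionKey(f[1]) < versionKey(minVersions[f[0]]) {
			findings = append(findings, f[0]+" "+f[1]+" is below floor "+minVersions[f[0]])
		}
	}
	return findings
}
```

Feed it the contents of a real go.mod (both the `require (...)` block form and single-line `require` are handled) and fail the build when it returns anything.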

@CLAassistant

CLAassistant commented Jul 17, 2024

CLA assistant check
All committers have signed the CLA.

PROBLEM: the project includes some old package versions that come
with vulnerabilities

SOLUTION: upgrade `k8s.io/xxx` packages to the minimum version
that fixes the reported vulnerabilities

fixes aquasecurity#101