Fix/dependabot bumps #751
Conversation
stacker-bom support is really far behind where it needs to be to not keep stacker back in go dependencies. Once stacker-bom is ported to recent syft go library we can re-introduce support in stacker itself. Signed-off-by: Ryan Harper <rharper@woxford.com>
Bump the major Critical CVE components. Once built, a grype scan shows no Critical CVEs anymore, just Highs/Mediums
Signed-off-by: Ryan Harper <rharper@woxford.com>
fulcio bump requires:
- move to go 1.25.5
- latest grpc 1.77.0 had issues with some undefined header so drop replace to 1.76.0 release
Signed-off-by: Ryan Harper <rharper@woxford.com>
Fix the remaining high CVE by bumping to modern incus v6 shared golang API for idmap support
- reworked idmap struct member IDs and
- umoci version bumped and updated calls with time.Now()
Signed-off-by: Ryan Harper <rharper@woxford.com>
- Bump to latest golangci-lint (still has issues though)
- Attempt some go mod bumps to deal with golangci-lint run complaining about containers/storage module
- Fix up a few more container image call sites where we need to pass in a time.Time parameter
Signed-off-by: Ryan Harper <rharper@woxford.com>
Need to look into the
Signed-off-by: Ryan Harper <rharper@woxford.com>
Signed-off-by: Ryan Harper <rharper@woxford.com>
Codecov Report ❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
##             main     #751      +/-   ##
==========================================
+ Coverage   52.84%   60.21%   +7.36%
==========================================
  Files          59       54       -5
  Lines        6492     4826    -1666
==========================================
- Hits         3431     2906     -525
+ Misses       2418     1346    -1072
+ Partials      643      574      -69
What type of PR is this?
cleanup
Which issue does this PR fix:
#742
#734
#732
#730
#725
#724
#722
#708
#704
What does this PR do / Why do we need it:
Fix Critical/High/Medium CVEs against golang dependencies in stacker.
If an issue # is not available please add repro steps and logs showing the issue:
grype stacker
Testing done on this change:
make test priv and unpriv on amd64
Automation added to e2e:
none
Will this break upgrades or downgrades?
no
Does this PR introduce any user-facing change?:
Yes. Dropping stacker-bom support. The stacker-bom project is out-of-date with the newer syft API, which prevents updating it to newer go.mods, which in turn keeps stacker pinned down to stay compatible with the stacker-bom go API.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
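As an added example (not code from this PR, from stacker, or from the grype project): a small Go program that reads `grype -o json` output and fails only at or above a chosen severity, so the "no Criticals, just Highs/Mediums" state this PR reports after `grype stacker` can be enforced in CI rather than read off a terminal. The JSON field names (`matches[].vulnerability.id/severity`, `matches[].artifact.name/version`) are the ones grype's report uses; the CVE IDs and package names in the two sample reports are placeholders I constructed, not findings against stacker.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Minimal view of a `grype -o json` report (assumed schema; unneeded fields are
// ignored). encoding/json matches the lower-case keys case-insensitively.
type grypeMatch struct {
	Vulnerability struct{ ID, Severity string } `json:"vulnerability"`
	Artifact      struct{ Name, Version string } `json:"artifact"`
}
type grypeReport struct {
	Matches []grypeMatch `json:"matches"`
}

// severityRank orders grype's severity labels so a threshold can be compared.
var severityRank = map[string]int{"negligible": 0, "unknown": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

func parseReport(report []byte) (*grypeReport, error) {
	var r grypeReport
	if err := json.Unmarshal(report, &r); err != nil {
		return nil, fmt.Errorf("parse grype report: %w", err)
	}
	return &r, nil
}

// Summarize counts matches per lower-cased severity, the figure a PR like this
// one quotes ("no Criticals, just Highs/Mediums").
func Summarize(report []byte) (map[string]int, error) {
	r, err := parseReport(report)
	if err != nil {
		return nil, err
	}
	counts := map[string]int{}
	for _, m := range r.Matches {
		counts[strings.ToLower(m.Vulnerability.Severity)]++
	}
	return counts, nil
}

// Gate returns the matches at or above failOn, sorted by CVE ID for stable CI
// logs. Labels grype does not use are ranked as "unknown" rather than being
// silently skipped. An empty result means the build may proceed at that threshold.
func Gate(report []byte, failOn string) ([]string, error) {
	threshold, ok := severityRank[strings.ToLower(failOn)]
	if !ok {
		return nil, fmt.Errorf("unknown severity threshold %q", failOn)
	}
	r, err := parseReport(report)
	if err != nil {
		return nil, err
	}
	var failing []string
	for _, m := range r.Matches {
		rank, ok := severityRank[strings.ToLower(m.Vulnerability.Severity)]
		if !ok {
			rank = severityRank["unknown"]
		}
		if rank >= threshold {
			failing = append(failing, fmt.Sprintf("%s %s@%s (%s)",
				m.Vulnerability.ID, m.Artifact.Name, m.Artifact.Version, m.Vulnerability.Severity))
		}
	}
	sort.Strings(failing)
	return failing, nil
}

// Constructed sample reports with placeholder CVE IDs and package names (not
// real scan output): sampleBefore still carries a Critical, sampleAfter is the
// Highs/Mediums-only state the PR describes.
const sampleBefore = `{"matches": [
  {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"}, "artifact": {"name": "example-dep-a", "version": "1.0.0"}},
  {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"}, "artifact": {"name": "example-dep-b", "version": "2.3.4"}},
  {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium"}, "artifact": {"name": "example-dep-c", "version": "0.9.1"}}
]}`
const sampleAfter = `{"matches": [
  {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"}, "artifact": {"name": "example-dep-b", "version": "2.3.4"}},
  {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium"}, "artifact": {"name": "example-dep-c", "version": "0.9.1"}}
]}`

func main() {
	for _, c := range []struct{ name, report string }{{"before", sampleBefore}, {"after", sampleAfter}} {
		counts, err := Summarize([]byte(c.report))
		failing, gerr := Gate([]byte(c.report), "critical")
		if err != nil || gerr != nil {
			fmt.Println("error:", err, gerr)
			return
		}
		fmt.Printf("%s: %v, %d finding(s) at or above critical %v\n", c.name, counts, len(failing), failing)
	}
}
```

grype's own `--fail-on critical` flag performs the same gate inline; parsing the JSON yourself is what lets you log the per-severity counts next to the pass/fail decision, raise the threshold to `high` once the remaining Highs are fixed, and treat an unrecognised severity label as a failure rather than a pass.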