From 0bd53fd37471026ed4edd2fe0e0790bc974a7d99 Mon Sep 17 00:00:00 2001
From: Dan Lorenc
Date: Sun, 3 Dec 2023 09:23:24 -0500
Subject: [PATCH 1/3] Patch GHSA-3f2q-6294-fmq5 by switching to the forked repo.

I forked git-urls to patch the vulnerability. I submitted a patch upstream, but haven't heard back from the maintainer yet: https://github.com/whilp/git-urls/pull/25

This switches go packages that use this to my fork.

Signed-off-by: Dan Lorenc
---
 argo-cd-2.7.yaml | 5 ++++-
 argo-cd-2.8.yaml | 5 ++++-
 argo-cd-2.9.yaml | 5 ++++-
 argo-workflows.yaml | 7 ++++++-
 flux-notification-controller.yaml | 5 ++++-
 melange.yaml | 8 +++++---
 pulumi-kubernetes-operator.yaml | 31 ++++++++++++++++---------------
 7 files changed, 43 insertions(+), 23 deletions(-)

diff --git a/argo-cd-2.7.yaml b/argo-cd-2.7.yaml
index e8e9c7bfd12..44a72bf8ce9 100644
--- a/argo-cd-2.7.yaml
+++ b/argo-cd-2.7.yaml
@@ -1,7 +1,7 @@
 package:
 name: argo-cd-2.7
 version: 2.7.15
- epoch: 0
+ epoch: 2
 description: Declarative continuous deployment for Kubernetes.
 copyright:
 - license: Apache-2.0
@@ -41,6 +41,9 @@ pipeline:
 unset GOFLAGS
+ # GHSA-3f2q-6294-fmq5 CVE-2023-46402
+ go mod edit -replace=github.com/whilp/git-urls=github.com/dlorenc/git-urls@v0.0.1
+
 # CVE-2023-2253
 go get github.com/docker/distribution@v2.8.2
diff --git a/argo-cd-2.8.yaml b/argo-cd-2.8.yaml
index 8317395d421..56f314b975a 100644
--- a/argo-cd-2.8.yaml
+++ b/argo-cd-2.8.yaml
@@ -1,7 +1,7 @@
 package:
 name: argo-cd-2.8
 version: 2.8.7
- epoch: 1
+ epoch: 2
 description: Declarative continuous deployment for Kubernetes.
 copyright:
 - license: Apache-2.0
@@ -41,6 +41,9 @@ pipeline:
 unset GOFLAGS
+ # GHSA-3f2q-6294-fmq5 CVE-2023-46402
+ go mod edit -replace=github.com/whilp/git-urls=github.com/dlorenc/git-urls@v0.0.1
+
 # CVE-2023-3955/GHSA-q78c-gwqw-jcmc
 go get k8s.io/kubernetes@v1.24.17
diff --git a/argo-cd-2.9.yaml b/argo-cd-2.9.yaml
index 1690b35ae0f..ddf71c81720 100644
--- a/argo-cd-2.9.yaml
+++ b/argo-cd-2.9.yaml
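Review bot: The `go mod edit -replace` line in the second hunk of argo-cd-2.7.yaml redirects the whole build's copy of github.com/whilp/git-urls to a personal fork at a plain tag, `v0.0.1`, and nothing in the pipeline pins the content that tag resolves to; the identical line is added in argo-cd-2.8.yaml, argo-cd-2.9.yaml, argo-workflows.yaml, flux-notification-controller.yaml, melange.yaml and pulumi-kubernetes-operator.yaml. A tag on a fork can be moved, so a later rebuild could pick up different code while the comment still presents it as the GHSA fix; pinning with the commit's pseudo-version instead, `github.com/dlorenc/git-urls@v0.0.0-<timestamp>-<commit>` (values from the fork, placeholder here), ties the replace to one revision that go.sum then records. The commit message says the upstream fix, https://github.com/whilp/git-urls/pull/25, is still pending, so the reminder melange.yaml already carries, `# When bumping the version check if the CVE/GHSA mitigations below can be removed.`, plus a line such as `# TODO: drop this replace once whilp/git-urls#25 is released`, would keep the temporary redirect from outliving its purpose in the other six files.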
@@ -1,7 +1,7 @@
 package:
 name: argo-cd-2.9
 version: 2.9.3
- epoch: 0
+ epoch: 1
 description: Declarative continuous deployment for Kubernetes.
 copyright:
 - license: Apache-2.0
@@ -41,6 +41,9 @@ pipeline:
 unset GOFLAGS
+ # GHSA-3f2q-6294-fmq5 CVE-2023-46402
+ go mod edit -replace=github.com/whilp/git-urls=github.com/dlorenc/git-urls@v0.0.1
+
 # CVE-2023-3955/GHSA-q78c-gwqw-jcmc
 go get k8s.io/kubernetes@v1.24.17
 go get google.golang.org/grpc@v1.56.3
diff --git a/argo-workflows.yaml b/argo-workflows.yaml
index 1e02bb77207..a79b8ef6e70 100644
--- a/argo-workflows.yaml
+++ b/argo-workflows.yaml
@@ -1,7 +1,7 @@
 package:
 name: argo-workflows
 version: 3.5.2
- epoch: 0
+ epoch: 1
 description: Workflow engine for Kubernetes.
 copyright:
 - license: Apache-2.0
@@ -35,6 +35,11 @@ pipeline:
 # Our global LDFLAGS conflict with a Makefile parameter
 unset LDFLAGS
+
+ # GHSA-3f2q-6294-fmq5 CVE-2023-46402
+ go mod edit -replace=github.com/whilp/git-urls=github.com/dlorenc/git-urls@v0.0.1
+ go mod tidy
+
 make dist/workflow-controller
 make dist/argo
 make dist/argoexec
diff --git a/flux-notification-controller.yaml b/flux-notification-controller.yaml
index 4efb3ae97c5..a74c3930be2 100644
--- a/flux-notification-controller.yaml
+++ b/flux-notification-controller.yaml
@@ -1,7 +1,7 @@
 package:
 name: flux-notification-controller
 version: 1.1.0
- epoch: 5
+ epoch: 6
 description: The GitOps Toolkit event forwarded and notification dispatcher
 copyright:
 - license: Apache-2.0
@@ -21,6 +21,9 @@ pipeline:
 tag: v${{package.version}}
 - runs: |
+ # GHSA-3f2q-6294-fmq5 CVE-2023-46402
+ go mod edit -replace=github.com/whilp/git-urls=github.com/dlorenc/git-urls@v0.0.1
+
 # CVE-2023-39325 and CVE-2023-3978
 go get golang.org/x/net@v0.17.0
diff --git a/melange.yaml b/melange.yaml
index 09aadaed503..04b4bfbe6a9 100644
--- a/melange.yaml
+++ b/melange.yaml
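Review bot: The argo-cd-2.9.yaml hunk adds the replace without a following `go mod tidy`, and the argo-cd-2.7.yaml and argo-cd-2.8.yaml hunks do the same, whereas argo-workflows.yaml and melange.yaml in this patch run `go mod tidy` right after the replace and flux-notification-controller.yaml gets one in patch 2/3. `go mod edit` rewrites go.mod only, so the go.sum entries for the replacement module have to come from the later `go get` calls; that most likely works here, but if any of them does not touch the replaced module the build fails at compile time under the default `-mod=readonly` with a missing go.sum entry, far from the line that caused it. Adding `go mod tidy` after the three replace lines, in the replace → go get → tidy order pulumi-kubernetes-operator.yaml uses, makes the four argo/flux files uniform and removes the guess.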
@@ -2,7 +2,7 @@ package:
 name: melange
 # When bumping the version check if the CVE/GHSA mitigations below can be removed.
 version: 0.5.3
- epoch: 0
+ epoch: 1
 description: build APKs from source code
 copyright:
 - license: Apache-2.0
@@ -25,10 +25,12 @@ pipeline:
 repository: https://github.com/chainguard-dev/melange
 tag: v${{package.version}}
 expected-commit: 728624ec624ea06a461c8fbbc1feabe1fd8569b9
- destination: melange
 - runs: |
- cd melange
+ # GHSA-3f2q-6294-fmq5 CVE-2023-46402
+ go mod edit -replace=github.com/whilp/git-urls=github.com/dlorenc/git-urls@v0.0.1
+ go mod tidy
+
 make melange
 install -m755 -D ./melange "${{targets.destdir}}"/usr/bin/melange
diff --git a/pulumi-kubernetes-operator.yaml b/pulumi-kubernetes-operator.yaml
index b96d08ebd28..bca5c9aff6d 100644
--- a/pulumi-kubernetes-operator.yaml
+++ b/pulumi-kubernetes-operator.yaml
@@ -1,7 +1,7 @@
 package:
 name: pulumi-kubernetes-operator
 version: 1.14.0
- epoch: 0
+ epoch: 1
 description: A Kubernetes Operator that automates the deployment of Pulumi Stacks
 copyright:
 - license: Apache-2.0
@@ -19,25 +19,26 @@ pipeline:
 with:
 repository: https://github.com/pulumi/pulumi-kubernetes-operator.git
 tag: v${{package.version}}
- destination: ${{package.name}}
 expected-commit: 7d9e693bc6e27f1e3881ce350cdf7fbde71b26be
- - working-directory: ${{package.name}}
- pipeline:
- - runs: |
- # Mitigate CVE-2023-39325 and CVE-2023-3978
- go get golang.org/x/net@v0.17.0
+ - runs: |
+ # GHSA-3f2q-6294-fmq5 CVE-2023-46402
+ go mod edit -replace=github.com/whilp/git-urls=github.com/dlorenc/git-urls@v0.0.1
- # Remediate GHSA-m425-mq94-257g
- go get google.golang.org/grpc@v1.58.3
+ # Mitigate CVE-2023-39325 and CVE-2023-3978
+ go get golang.org/x/net@v0.17.0
- go mod tidy
+ # Remediate GHSA-m425-mq94-257g
+ go get google.golang.org/grpc@v1.58.3
- # Original Go build args found in ./scripts/build.sh
- CGO_ENABLED=0 go build -o "${{targets.destdir}}/usr/bin/${{package.name}}" \
- -ldflags "-s -w -X github.com/pulumi/pulumi-kubernetes-operator/version.Version=v${{package.version}} -extldflags \"-static\"" \
- -tags netgo ./cmd/manager/main.go
- - uses: strip
+ go mod tidy
+
+ # Original Go build args found in ./scripts/build.sh
+ CGO_ENABLED=0 go build -o "${{targets.destdir}}/usr/bin/${{package.name}}" \
+ -ldflags "-s -w -X github.com/pulumi/pulumi-kubernetes-operator/version.Version=v${{package.version}} -extldflags \"-static\"" \
+ -tags netgo ./cmd/manager/main.go
+
+ - uses: strip
 update:
 enabled: true

From 55903055a484c2c97973ad1e14a8db47799d2574 Mon Sep 17 00:00:00 2001
From: dlorenc
Date: Sun, 3 Dec 2023 10:05:16 -0500
Subject: [PATCH 2/3] Update flux-notification-controller.yaml

Signed-off-by: dlorenc
---
 flux-notification-controller.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/flux-notification-controller.yaml b/flux-notification-controller.yaml
index a74c3930be2..c754c05f3a1 100644
--- a/flux-notification-controller.yaml
+++ b/flux-notification-controller.yaml
@@ -30,6 +30,8 @@ pipeline:
 # Mitigate GHSA-m425-mq94-257g
 go get google.golang.org/grpc@v1.57.1
+ go mod tidy
+
 mkdir -p "${{targets.destdir}}"/usr/bin
 CGO_ENABLED=0 go build \
 -trimpath -a -o "${{targets.destdir}}"/usr/bin/notification-controller .

From f34e20519daf2c4a46073a380b0cf45479fabd8f Mon Sep 17 00:00:00 2001
From: dlorenc
Date: Sun, 3 Dec 2023 10:09:26 -0500
Subject: [PATCH 3/3] Update flux-notification-controller.yaml

Signed-off-by: dlorenc
---
 flux-notification-controller.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/flux-notification-controller.yaml b/flux-notification-controller.yaml
index c754c05f3a1..8773ee8cdd4 100644
--- a/flux-notification-controller.yaml
+++ b/flux-notification-controller.yaml
@@ -31,7 +31,7 @@ pipeline:
 go get google.golang.org/grpc@v1.57.1
 go mod tidy
-
+
 mkdir -p "${{targets.destdir}}"/usr/bin
 CGO_ENABLED=0 go build \
 -trimpath -a -o "${{targets.destdir}}"/usr/bin/notification-controller .