flux-recv
Various and sundry updates
This upgrade was reported to include some breaking changes upstream in the github-go package release v30; it passes all the tests, so I'm inclined to think it's OK to make this upgrade. I've also gone ahead and `go get -u` everything, and ran this through trivy as well as snyk to find things that might be in need of upgrade.
In response to #34: there is no issue in flux-recv. I do not have triage here, so I cannot close it, but if flux-recv is still around and unarchived, I figured somebody had better check if all the tests still pass, and run the build again to mitigate any CVEs flagged in the base image. (There was no release of flux-recv at all in 2021.)
In case this actually gets released, it should mitigate all known CVE warnings from Snyk and/or Trivy if possible.
I upgraded the base image from alpine:3.9 to alpine:3.14 in order to help with this:
Tested 16 dependencies for known issues, found 7 issues.

| Base Image | Vulnerabilities | Severity |
|---|---|---|
| alpine:3.9 | 7 | 0 critical, 2 high, 4 medium, 1 low |

Recommendations for base image upgrade:

Minor upgrades

| Base Image | Vulnerabilities | Severity |
|---|---|---|
| alpine:3.14 | 0 | 0 critical, 0 high, 0 medium, 0 low |

Alpine 3.9.6 is no longer supported by the Alpine maintainers. Vulnerability detection may be affected by a lack of security updates.
I'm scanning the image with trivy now, which should pick up any go modules that are flagged with vulnerabilities. I'm expecting to find at least one in there (probably docker/distribution).

(The image to test is kingdonb/flux-recv:2e8f3293 if you'd like to include this additional change.)
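The image scan described above can be turned into a release gate. The script below is an added example for this thread, not code from this PR or the flux-recv project: it reads the JSON report that `trivy image --format json` writes (assumed shape: `Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`) and lists the findings at or above a chosen severity that already have a fixed version, which are exactly the ones a `go get -u` or a base-image bump removes. `SAMPLE_REPORT` is constructed for illustration; its CVE ids, package names and versions are placeholders, not findings from flux-recv.

```python
"""Gate an image build on a Trivy JSON report (added example, not flux-recv code)."""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass

# Trivy's severity labels, ordered so they can be compared numerically.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of Trivy's JSON output (Results -> Vulnerabilities).
# Every id, package and version here is a placeholder.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "example/image:tag (alpine 3.9.6)",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "musl",
                 "InstalledVersion": "1.1.0", "FixedVersion": "1.1.1", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
                 "InstalledVersion": "1.30.0", "Severity": "MEDIUM"},  # no fix released yet
            ],
        },
        {
            "Target": "usr/local/bin/flux-recv",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example.com/some/module",
                 "InstalledVersion": "v1.0.0", "FixedVersion": "v1.0.1", "Severity": "CRITICAL"},
            ],
        },
        # A target with nothing found: Trivy may omit the key or emit null.
        {"Target": "usr/share/doc", "Type": "unknown", "Vulnerabilities": None},
    ]
})


@dataclass(frozen=True)
class Finding:
    target: str
    vuln_id: str
    pkg: str
    installed: str
    fixed: str      # empty string when no fixed version is known
    severity: str


def parse_trivy_report(report_json: str) -> list[Finding]:
    """Flatten every Results[].Vulnerabilities[] entry into a Finding."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                target=result.get("Target", ""),
                vuln_id=v.get("VulnerabilityID", ""),
                pkg=v.get("PkgName", ""),
                installed=v.get("InstalledVersion", ""),
                fixed=v.get("FixedVersion") or "",
                severity=str(v.get("Severity", "UNKNOWN")).upper(),
            ))
    return findings


def blocking_findings(findings, min_severity="HIGH", require_fix=True):
    """Findings at or above min_severity; with require_fix, only those a version bump can remove."""
    floor = SEVERITY_RANK[min_severity.upper()]
    return [f for f in findings
            if SEVERITY_RANK.get(f.severity, 0) >= floor
            and (f.fixed != "" or not require_fix)]


def count_by_severity(findings) -> dict[str, int]:
    """Totals per severity label, for the summary line in the build log."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def main(argv):
    # Usage: python gate.py report.json   (falls back to SAMPLE_REPORT when no path is given)
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    findings = parse_trivy_report(text)
    print("totals:", count_by_severity(findings))
    blockers = blocking_findings(findings)
    for f in blockers:
        print(f"{f.severity:8} {f.vuln_id:16} {f.pkg} {f.installed} -> {f.fixed}  [{f.target}]")
    return 1 if blockers else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Produce the input with `trivy image --format json --output report.json <image>`, then run `python gate.py report.json`; a non-zero exit means a fix is available for something at HIGH or above. Trivy can enforce the same policy on its own with `--severity HIGH,CRITICAL --ignore-unfixed --exit-code 1`; the script's value is the per-package `installed -> fixed` list, which is the to-do list for the next `go get -u` or base-image bump.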
The user this PR was created for is actually confused and doesn't use flux-recv (they are a Flux 2 user and have been redirected to notification controller). If there are no flux-recv users anymore, then the need for any release may be mooted. I don't see that there is even properly a maintainers file in here.
In any case there are multiple CVE warnings flagged in the latest image of flux-recv. Is there any use publishing a new release? I'm happy to take care of it if someone can escalate my access (or else, we should consider archiving the repo, or in the future perhaps people may again be confused about its maintenance status / relationship with the current Flux project.)
We still use it as we haven't gotten around to migrating to Flux 2 yet. So, having a more secure version available would be nice.
Thanks @tun0! It's debatable if the changes make things more secure; I have strong doubts that flux-recv is going to be receptive to any vulnerabilities the scanner might flag, but if you'd like to test the latest version and help me verify it, we can certainly try to push a new release out. I appreciate you chiming in to let us know that there are still users!
The image I've just pushed at kingdonb/flux-recv:1b957130-update-github-go is the latest version from this branch now; you can substitute it for the official flux-recv image in your manifests. It is still built using Go 1.13. I've been advised not to YOLO into Go 1.17, but we can try upgrading the go version next, if you're interested in testing them?
Thanks for the build @kingdonb. I deployed it on our staging cluster and so far it seems to behave just fine :+1:
Thanks for that! @tun0 I've upgraded everything else that I can think of in this image: kingdonb/flux-recv:0a06df5b-update-github-go
This includes the Go 1.17 upgrade, and everything in go.mod is upgraded. If you'd like to test this, I think it would be the next candidate for release! Might as well do as much as possible while I'm in here.
Hi @kingdonb, I completely forgot to follow up on this one. It's been running for over a month now on our staging cluster, and as far as I can tell, it's working just fine :+1: