kubernetes-ingress
CVE-2022-29526: Incorrect Privilege Assignment vulnerability in Go dependency
Trivy scans for both the haproxytech/kubernetes-ingress:1.8.4 and haproxytech/kubernetes-ingress:1.8.3 images return the CVE-2022-29526 vulnerability, which affects the golang.org/x/sys dependency in its v0.0.0-20220227234510-4e6760a101f9 version. The report states that the vulnerability has been fixed in version 0.0.0-20220412211240-33da011f77ad. I attach the report below:
haproxytech/kubernetes-ingress:1.8.4 (alpine 3.15.5)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
haproxy-ingress-controller (gobinary)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌──────────────────┬────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬───────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼───────────────────────────────────────────────┤
│ golang.org/x/sys │ CVE-2022-29526 │ MEDIUM │ v0.0.0-20220227234510-4e6760a101f9 │ 0.0.0-20220412211240-33da011f77ad │ golang: syscall: faccessat checks wrong group │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-29526 │
└──────────────────┴────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴───────────────────────────────────────────────┘
Do you think this could be fixed by go-getting and upgrading the version in the go.mod file? Also, if it's any help, VS Code tells me this dependency is only used in the test deploy/tests/e2e/utils.go when building a config from the kubeconfig file.
hi @monrax,
even if it's only used in tests, it's nice to clear all potential issues.
Upgrading to a newer version is possible; in fact, we can use the most recent one (v0.0.0-20220823224334-20c2bfdbfe24) without any issues.
Would you be willing to issue a PR for that?
hello @oktalz
Apologies for the late reply. I tried running the e2e tests for the latest commit, and all the e2e_parallel ones passed, but some of the e2e_sequential ones didn't.
After modifying the go.mod file to update the golang.org/x/sys dependency I got the same results, however: all parallel tests passed, all the sequential tests that passed before still passed, and the sequential ones that failed before still failed. I attach below the output of go test for the sequential tests.
The echo-app testing application worked as expected before and after the update, as well as the integration tests.
Not sure if I missed something while running those tests. If so, please let me know and I'll run them again properly. Otherwise, do you think I should go ahead and open that PR?
e2e_sequential tests output
? github.com/haproxytech/kubernetes-ingress/deploy/tests/e2e [no test files]
=== RUN TestAccessControlSuite
=== RUN TestAccessControlSuite/Test_Blacklist
=== RUN TestAccessControlSuite/Test_Blacklist/Inline
=== RUN TestAccessControlSuite/Test_Blacklist/Patternfile
=== RUN TestAccessControlSuite/Test_Whitelist
=== RUN TestAccessControlSuite/Test_Whitelist/Inline
=== RUN TestAccessControlSuite/Test_Whitelist/Patternfile
--- PASS: TestAccessControlSuite (28.51s)
--- PASS: TestAccessControlSuite/Test_Blacklist (8.78s)
--- PASS: TestAccessControlSuite/Test_Blacklist/Inline (4.32s)
--- PASS: TestAccessControlSuite/Test_Blacklist/Patternfile (4.47s)
--- PASS: TestAccessControlSuite/Test_Whitelist (8.59s)
--- PASS: TestAccessControlSuite/Test_Whitelist/Inline (4.20s)
--- PASS: TestAccessControlSuite/Test_Whitelist/Patternfile (4.39s)
PASS
ok github.com/haproxytech/kubernetes-ingress/deploy/tests/e2e/access-control 28.542s
=== RUN TestCorsSuite
=== RUN TestCorsSuite/Test_Configmap_Alone
=== RUN TestCorsSuite/Test_Configmap_Alone/Default
=== RUN TestCorsSuite/Test_Configmap_Alone/CorsOriginAlone
=== RUN TestCorsSuite/Test_Configmap_Alone/CorsMethodsAlone
=== RUN TestCorsSuite/Test_Configmap_Alone/CorsMethodsHeadersAlone
=== RUN TestCorsSuite/Test_Configmap_Alone/CorsMethodsAgeAlone
=== RUN TestCorsSuite/Test_Configmap_Alone/CorsMethodsCredentialAlone
=== RUN TestCorsSuite/Test_Configmap_Alone/CorsDisable
=== RUN TestCorsSuite/Test_Configmap_Alone/CorsMethodsCredentialDisable
=== RUN TestCorsSuite/Test_Ingress_Alone
=== RUN TestCorsSuite/Test_Ingress_Alone/Default
=== RUN TestCorsSuite/Test_Ingress_Alone/CorsOriginAlone
=== RUN TestCorsSuite/Test_Ingress_Alone/CorsMethodsAlone
=== RUN TestCorsSuite/Test_Ingress_Alone/CorsMethodsHeadersAlone
=== RUN TestCorsSuite/Test_Ingress_Alone/CorsMethodsAgeAlone
=== RUN TestCorsSuite/Test_Ingress_Alone/CorsMethodsCredentialAlone
=== RUN TestCorsSuite/Test_Ingress_Alone/CorsDisable
=== RUN TestCorsSuite/Test_Ingress_Alone/CorsMethodsCredentialDisable
--- PASS: TestCorsSuite (53.02s)
--- PASS: TestCorsSuite/Test_Configmap_Alone (23.80s)
--- PASS: TestCorsSuite/Test_Configmap_Alone/Default (4.17s)
--- PASS: TestCorsSuite/Test_Configmap_Alone/CorsOriginAlone (2.23s)
--- PASS: TestCorsSuite/Test_Configmap_Alone/CorsMethodsAlone (2.20s)
--- PASS: TestCorsSuite/Test_Configmap_Alone/CorsMethodsHeadersAlone (2.19s)
--- PASS: TestCorsSuite/Test_Configmap_Alone/CorsMethodsAgeAlone (2.19s)
--- PASS: TestCorsSuite/Test_Configmap_Alone/CorsMethodsCredentialAlone (2.19s)
--- PASS: TestCorsSuite/Test_Configmap_Alone/CorsDisable (2.22s)
--- PASS: TestCorsSuite/Test_Configmap_Alone/CorsMethodsCredentialDisable (6.22s)
--- PASS: TestCorsSuite/Test_Ingress_Alone (17.76s)
--- PASS: TestCorsSuite/Test_Ingress_Alone/Default (2.19s)
--- PASS: TestCorsSuite/Test_Ingress_Alone/CorsOriginAlone (2.22s)
--- PASS: TestCorsSuite/Test_Ingress_Alone/CorsMethodsAlone (2.26s)
--- PASS: TestCorsSuite/Test_Ingress_Alone/CorsMethodsHeadersAlone (2.20s)
--- PASS: TestCorsSuite/Test_Ingress_Alone/CorsMethodsAgeAlone (2.21s)
--- PASS: TestCorsSuite/Test_Ingress_Alone/CorsMethodsCredentialAlone (2.19s)
--- PASS: TestCorsSuite/Test_Ingress_Alone/CorsDisable (2.24s)
--- PASS: TestCorsSuite/Test_Ingress_Alone/CorsMethodsCredentialDisable (2.24s)
PASS
ok github.com/haproxytech/kubernetes-ingress/deploy/tests/e2e/cors 53.029s
=== RUN TestEndpointsSuite
=== RUN TestEndpointsSuite/Test_HTTP_Reach
=== RUN TestEndpointsSuite/Test_HTTP_Reach/4-replicas
http_test.go:34:
Error Trace: http_test.go:34
suite.go:77
Error: Condition never satisfied
Test: TestEndpointsSuite/Test_HTTP_Reach/4-replicas
=== RUN TestEndpointsSuite/Test_HTTP_Reach/8-replicas
http_test.go:34:
Error Trace: http_test.go:34
suite.go:77
Error: Condition never satisfied
Test: TestEndpointsSuite/Test_HTTP_Reach/8-replicas
=== RUN TestEndpointsSuite/Test_HTTP_Reach/2-replicas
http_test.go:34:
Error Trace: http_test.go:34
suite.go:77
Error: Condition never satisfied
Test: TestEndpointsSuite/Test_HTTP_Reach/2-replicas
=== RUN TestEndpointsSuite/Test_HTTP_Reach/0-replicas
=== RUN TestEndpointsSuite/Test_HTTP_Reach/3-replicas
=== RUN TestEndpointsSuite/Test_Non_Ready_Endpoints
=== RUN TestEndpointsSuite/Test_TCP_Reach
--- FAIL: TestEndpointsSuite (207.20s)
--- FAIL: TestEndpointsSuite/Test_HTTP_Reach (189.51s)
--- FAIL: TestEndpointsSuite/Test_HTTP_Reach/4-replicas (60.22s)
--- FAIL: TestEndpointsSuite/Test_HTTP_Reach/8-replicas (60.26s)
--- FAIL: TestEndpointsSuite/Test_HTTP_Reach/2-replicas (60.21s)
--- PASS: TestEndpointsSuite/Test_HTTP_Reach/0-replicas (2.22s)
--- PASS: TestEndpointsSuite/Test_HTTP_Reach/3-replicas (2.21s)
--- PASS: TestEndpointsSuite/Test_Non_Ready_Endpoints (4.39s)
--- PASS: TestEndpointsSuite/Test_TCP_Reach (2.46s)
FAIL
FAIL github.com/haproxytech/kubernetes-ingress/deploy/tests/e2e/endpoints 207.207s
=== RUN TestGlobalConfigSuite
=== RUN TestGlobalConfigSuite/TestMaxconn
maxconn_test.go:26:
Error Trace: maxconn_test.go:26
Error: Condition never satisfied
Test: TestGlobalConfigSuite/TestMaxconn
=== RUN TestGlobalConfigSuite/Test_Proxy_Protocol
=== RUN TestGlobalConfigSuite/Test_Proxy_Protocol/Source_IP_OK
=== RUN TestGlobalConfigSuite/Test_Proxy_Protocol/Source_IP_KO
proxy_protocol.go:46: Result: HTTP/1.1 400 Bad request
Content-length: 90
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>400 Bad request</h1>
Your browser sent an invalid request.
</body></html>
--- FAIL: TestGlobalConfigSuite (72.54s)
--- FAIL: TestGlobalConfigSuite/TestMaxconn (62.51s)
--- PASS: TestGlobalConfigSuite/Test_Proxy_Protocol (4.64s)
--- PASS: TestGlobalConfigSuite/Test_Proxy_Protocol/Source_IP_OK (2.21s)
--- PASS: TestGlobalConfigSuite/Test_Proxy_Protocol/Source_IP_KO (2.24s)
FAIL
FAIL github.com/haproxytech/kubernetes-ingress/deploy/tests/e2e/global-config 72.562s
=== RUN TestMapUpdateSuite
=== RUN TestMapUpdateSuite/Test_Update
=== RUN TestMapUpdateSuite/Test_Update/Update
update_test.go:39: 703
update_test.go:39: 703
update_test.go:39: 703
update_test.go:39: 703
update_test.go:39: 703
update_test.go:39: 703
update_test.go:39: 703
update_test.go:39: 703
update_test.go:39: 703
update_test.go:39: 702
update_test.go:39: 702
update_test.go:39: 702
update_test.go:39: 702
update_test.go:39: 702
update_test.go:39: 702
update_test.go:39: 702
update_test.go:39: 702
update_test.go:39: 702
update_test.go:39: 702
update_test.go:39: 702
update_test.go:39: 702
update_test.go:39: 701
update_test.go:39: 701
update_test.go:39: 701
update_test.go:39: 701
update_test.go:39: 701
update_test.go:39: 701
update_test.go:39: 701
update_test.go:39: 701
update_test.go:34:
Error Trace: update_test.go:34
suite.go:77
Error: Condition never satisfied
Test: TestMapUpdateSuite/Test_Update/Update
--- FAIL: TestMapUpdateSuite (75.58s)
--- FAIL: TestMapUpdateSuite/Test_Update (60.34s)
--- FAIL: TestMapUpdateSuite/Test_Update/Update (60.33s)
FAIL
FAIL github.com/haproxytech/kubernetes-ingress/deploy/tests/e2e/map-updates 75.590s
=== RUN TestTLSAuthSuite
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:51: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
suite_test.go:48:
Error Trace: suite_test.go:48
suite.go:118
suite_test.go:69
Error: Condition never satisfied
Test: TestTLSAuthSuite
=== RUN TestTLSAuthSuite/Test_Client_TLS_Auth
=== RUN TestTLSAuthSuite/Test_Client_TLS_Auth/no_client_cert
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": EOF
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:31: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:28:
Error Trace: client_auth.go:28
suite.go:77
Error: Condition never satisfied
Test: TestTLSAuthSuite/Test_Client_TLS_Auth/no_client_cert
=== RUN TestTLSAuthSuite/Test_Client_TLS_Auth/correct_client_cert
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:47: Get "https://e2e-tests-tls-auth.test": http: server gave HTTP response to HTTPS client
client_auth.go:44:
Error Trace: client_auth.go:44
suite.go:77
Error: Condition never satisfied
Test: TestTLSAuthSuite/Test_Client_TLS_Auth/correct_client_cert
=== RUN TestTLSAuthSuite/Test_Client_TLS_Auth/wrong_client_cert
client_auth.go:60:
Error Trace: client_auth.go:60
suite.go:77
Error: Condition never satisfied
Test: TestTLSAuthSuite/Test_Client_TLS_Auth/wrong_client_cert
--- FAIL: TestTLSAuthSuite (246.36s)
--- FAIL: TestTLSAuthSuite/Test_Client_TLS_Auth (180.00s)
--- FAIL: TestTLSAuthSuite/Test_Client_TLS_Auth/no_client_cert (60.00s)
--- FAIL: TestTLSAuthSuite/Test_Client_TLS_Auth/correct_client_cert (60.00s)
--- FAIL: TestTLSAuthSuite/Test_Client_TLS_Auth/wrong_client_cert (60.00s)
FAIL
FAIL github.com/haproxytech/kubernetes-ingress/deploy/tests/e2e/tls-auth 246.371s
FAIL
@monrax please create the PR regardless; e2e tests are timeout-sensitive, and sometimes, on some platforms, they can fail without an obvious reason.
In our local CI we have experienced this behavior in the past, so it might be that kind + our setup does not work well on your machine.
I will certainly try to run it locally as well, but at least we will have more info about what the tests dislike.
Can I ask what OS/docker you have installed locally?
@oktalz I have created the corresponding PR. By the time I did this, Trivy detected a new vulnerability, this time in the golang.org/x/net module with high severity: CVE-2022-27664 (I attach the output below). That dependency is used in the crs/generated/clientset/versioned/clientset.go file when importing the k8s rest module k8s.io/client-go/rest.
I've updated both the golang.org/x/net and golang.org/x/sys dependencies to the latest version available where both vulnerabilities have been patched. I've also run all tests again locally, with similar output as before: all tests passed except for a couple of e2e_sequential ones (I believe the same test suites as before). The #485 PR includes both upgrades. I hope this is OK.
I've been using a couple of EC2 instances running Ubuntu 22.04 and Amazon Linux 2, with sizes t3.large and t3.micro, respectively. One thing to note is that back when I ran the tests last time (2 weeks ago), I was able to make builds just fine on the smaller machine as well as the larger one, but now I tried running the tests again (before modifying the go.mod and go.sum files), and I could only do so on the larger one. On the smaller one, it just gets stuck in step 7 of the build/Dockerfile (the go build step) when building the image using the deploy/tests/create.sh script.
Please let me know if I need to add something else to the PR, and I'll modify it accordingly.
Latest Trivy output
go.mod (gomod)
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
┌──────────────────┬────────────────┬──────────┬───────────────────────────────────┬───────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────────┼────────────────┼──────────┼───────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2022-27664 │ HIGH │ 0.0.0-20220225172249-27dd8689420f │ 0.0.0-20220906165146-f3363e06e74c │ golang: net/http: handle server errors after sending GOAWAY │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-27664 │
├──────────────────┼────────────────┼──────────┼───────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/sys │ CVE-2022-29526 │ MEDIUM │ 0.0.0-20220227234510-4e6760a101f9 │ 0.0.0-20220412211240-33da011f77ad │ golang: syscall: faccessat checks wrong group │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-29526 │
└──────────────────┴────────────────┴──────────┴───────────────────────────────────┴───────────────────────────────────┴─────────────────────────────────────────────────────────────┘
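Added example (not from this thread or the kubernetes-ingress project): a small Go check for the question raised at the top of the thread and answered by the PR, whether the pseudo-versions pinned in go.mod still predate the Fixed Version Trivy printed, decided by comparing the commit timestamps embedded in the pseudo-versions. The go.mod fragment and its module path are constructed; the versions are the ones from the two Trivy reports above.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// "Fixed Version" per module, as printed in the two Trivy reports in this thread.
var pageFixes = map[string]string{
	"golang.org/x/sys": "0.0.0-20220412211240-33da011f77ad", // CVE-2022-29526
	"golang.org/x/net": "0.0.0-20220906165146-f3363e06e74c", // CVE-2022-27664
}

// Constructed go.mod (hypothetical module path) pinning the flagged versions.
const sampleGoMod = `module example.com/ingress-controller
require (
	golang.org/x/net v0.0.0-20220225172249-27dd8689420f
	golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9 // indirect
)
`

// parsePseudoTime extracts the UTC commit timestamp from a pseudo-version such
// as v0.0.0-20220227234510-4e6760a101f9; the leading "v" may be absent (Trivy
// omits it) and the vX.Y.Z-pre.0.<stamp>-<hash> form is handled too.
func parsePseudoTime(v string) (time.Time, bool) {
	parts := strings.Split(v, "-")
	if len(parts) < 3 || len(parts[len(parts)-1]) != 12 {
		return time.Time{}, false
	}
	stamp := parts[len(parts)-2]
	if i := strings.LastIndex(stamp, "."); i >= 0 {
		stamp = stamp[i+1:]
	}
	t, err := time.Parse("20060102150405", stamp)
	return t, err == nil
}

// isFixed reports whether installed is at or after fixed by comparing the
// embedded commit timestamps. Assumption: both are pseudo-versions on the same
// v0.0.0 base, as here; anything else is conservatively reported as not fixed.
func isFixed(installed, fixed string) bool {
	it, okI := parsePseudoTime(installed)
	ft, okF := parsePseudoTime(fixed)
	return okI && okF && !it.Before(ft)
}

// vulnerableRequires scans go.mod require lines and returns "module version"
// for each module in fixes that is still pinned before its fix.
func vulnerableRequires(gomod string, fixes map[string]string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require "))
		if len(f) >= 2 && fixes[f[0]] != "" && !isFixed(f[1], fixes[f[0]]) {
			out = append(out, f[0]+" "+f[1])
		}
	}
	return out
}

func main() {
	for _, v := range vulnerableRequires(sampleGoMod, pageFixes) {
		fmt.Println("still vulnerable:", v) // upgrade with go get <module>@<fixed or newer>
	}
}
```

Re-running it against the go.mod after the upgrade described in the thread (x/sys at v0.0.0-20220823224334-20c2bfdbfe24) returns an empty list, and a tagged release on either side is flagged rather than silently ordered, so a human still reviews that case.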
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.