
Backport of [NET-8601] security: upgrade vault/api to remove go-jose.v2 into release/1.18.x

Open: hc-github-team-consul-core opened this issue 9 months ago • 1 comment

Backport

This PR is auto-generated from #20910 to be assessed for backporting due to the inclusion of the label backport/1.18.

:rotating_light:

Warning: automatic cherry-pick of commits failed. If the first commit failed, you will see a blank no-op commit below. If at least one commit succeeded, you will see the cherry-picked commits up to, not including, the commit where the merge conflict occurred.

The person who merged in the original PR is: @zalimeni. This person should manually cherry-pick the original PR into a new backport PR, and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/consul/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.

This dependency has an open vulnerability (GO-2024-2631 AKA CVE-2024-28180), and is no longer needed by the latest vault/api. This is a follow-up to the upgrade of go-jose/v3 in this repository to make all our dependencies consolidate on v3.

Also remove the recently added security scan triage block for GO-2024-2631, which was added due to incorrect reports that go-jose/[email protected] was impacted; in reality, it was this indirect client dependency (not impacted by the CVE) that the scanner was flagging. A bug report has been filed to address the incorrect reporting.

This PR will fail some backports due to go.mod/go.sum conflicts, but opening w/ labels to ensure we don't forget. I'll fix up the backports that fail.

Description

  • Upgrade vault/api to latest
  • Remove triage block for go-jose from scanner config

Testing & Reproduction steps

CI including Security Scan continue to pass.

Links

Follow-up to https://github.com/hashicorp/consul/pull/20901

PR Checklist

  • [ ] updated test coverage
  • [ ] external facing docs updated
  • [x] appropriate backport labels added
  • [x] not a security concern

Overview of commits
  • 1c8e398d097328bb822675bfcca4db9656b7f8b6
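The PR body above describes the situation that motivated the upgrade: the scanner reported GO-2024-2631 against the repository, but the affected module was an indirect dependency (`gopkg.in/square/go-jose.v2`) pulled in through `vault/api`, not the `go-jose/v3` module the report named. The check a maintainer wants in that situation is "which of my direct dependencies is the one that drags the flagged module into the build list?". The program below is an added example, not code from the Consul repository or from this PR; it parses `go mod graph` output and walks the requirement chains from the main module to a target module path. The input is a constructed sample: the module paths are real projects, but the graph shape and every version string are placeholders invented for the example, and `example.com/app` stands in for the main module.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of `go mod graph` output (placeholder graph and versions,
// not Consul's real dependency graph). Each line is
// "<requiring module> <required module@version>"; the main module is printed
// without a version, exactly as the go tool does.
const sampleGraph = `example.com/app github.com/hashicorp/vault/api@v1.0.0
example.com/app github.com/go-jose/go-jose/v3@v3.0.0
github.com/hashicorp/vault/api@v1.0.0 github.com/hashicorp/vault/sdk@v0.1.0
github.com/hashicorp/vault/api@v1.0.0 gopkg.in/square/go-jose.v2@v2.0.0
github.com/hashicorp/vault/sdk@v0.1.0 golang.org/x/crypto@v0.1.0
github.com/go-jose/go-jose/v3@v3.0.0 golang.org/x/crypto@v0.1.0
`

// ParseGraph turns `go mod graph` text into an adjacency list keyed by the
// requiring module (kept with its version, as printed).
func ParseGraph(text string) map[string][]string {
	graph := make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // skip blank or malformed lines
		}
		graph[fields[0]] = append(graph[fields[0]], fields[1])
	}
	return graph
}

// ModulePath strips the "@version" suffix so nodes can be matched by path alone,
// which is how a vulnerability report identifies the affected module.
func ModulePath(node string) string {
	if i := strings.LastIndex(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// FindPaths returns every acyclic requirement chain from root to a module whose
// path equals target. An empty result means the module is not in the build list
// at all, which is the state a scanner should observe once the dependency that
// pulled it in has been upgraded.
func FindPaths(graph map[string][]string, root, target string) [][]string {
	var paths [][]string
	var walk func(node string, trail []string, seen map[string]bool)
	walk = func(node string, trail []string, seen map[string]bool) {
		trail = append(append([]string(nil), trail...), node) // copy, then extend
		if ModulePath(node) == target {
			paths = append(paths, trail)
			return
		}
		seen[node] = true // guard against cycles in the module graph
		for _, next := range graph[node] {
			if !seen[next] {
				walk(next, trail, seen)
			}
		}
		delete(seen, node)
	}
	walk(root, nil, map[string]bool{})
	return paths
}

// DirectImporters names the root's direct dependencies through which target is
// reachable: these are the modules to upgrade (as vault/api was here) in order
// to drop the finding without a triage exception.
func DirectImporters(graph map[string][]string, root, target string) []string {
	set := map[string]bool{}
	for _, p := range FindPaths(graph, root, target) {
		if len(p) >= 2 {
			set[p[1]] = true
		}
	}
	out := make([]string, 0, len(set))
	for m := range set {
		out = append(out, m)
	}
	sort.Strings(out)
	return out
}

func main() {
	graph := ParseGraph(sampleGraph)
	for _, target := range []string{"gopkg.in/square/go-jose.v2", "github.com/go-jose/go-jose/v3"} {
		paths := FindPaths(graph, "example.com/app", target)
		fmt.Printf("%s: %d path(s), reached via direct dependency %v\n",
			target, len(paths), DirectImporters(graph, "example.com/app", target))
		for _, p := range paths {
			fmt.Println("  " + strings.Join(p, " -> "))
		}
	}
}
```

On the sample graph the v2 module is reachable only through `vault/api`, while `go-jose/v3` is a direct dependency with no path to v2, which is exactly the distinction the scanner's report blurred. Against a real repository, feed the program the output of `go mod graph` instead of the constant; after the upgrade in this PR, `FindPaths` for the v2 path should come back empty.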

CLA assistant check
All committers have signed the CLA.

hashicorp-cla-app[bot] avatar May 04 '24 00:05 hashicorp-cla-app[bot]