[Cherrypick to v2.11] bump up beego to v2.2.1 (#20555)
Bump up beego v2.2.1
Comprehensive Summary of your change
Cherry-picking MinerYang's commit: https://github.com/goharbor/harbor/pull/20555/files
There were High security vulnerabilities in the beego versions <2.2.1
GHSA-wr3p-r5fj-wf9 GHSA-r6qh-j42j-pw64
I've checked and it seems none of them affects Harbor. Please confirm my take on this one. Even though this does not affect Harbor, it would be nice to have this in, at least on the latest release.
Please indicate you've done the following:
- [X] Well Written Title and Summary of the PR
- [x] Label the PR as needed. "release-note/ignore-for-release, release-note/new-feature, release-note/update, release-note/enhancement, release-note/community, release-note/breaking-change, release-note/docs, release-note/infra, release-note/deprecation"
- [x] Accepted the DCO. Commits without the DCO will delay acceptance.
- [x] Made sure tests are passing and test coverage is added if needed.
- [X] Considered the docs impact and opened a new docs issue or PR with docs changes if needed in website repository.
This is not in our plan for 2.11. So will close this for now.
@MinerYang, why is that not a good fix for 2.11.x and good for 2.12.x? This is a critical security and stability relevant backport for a version that is still under support. We should not close backports of stability relevant PRs without any discussion!
Codecov Report
All modified and coverable lines are covered by tests :white_check_mark:
Please upload report for BASE (release-2.11.0@cdbef9d).
Additional details and impacted files
@@ Coverage Diff @@
## release-2.11.0 #21000 +/- ##
=================================================
Coverage ? 66.33%
=================================================
Files ? 1044
Lines ? 113939
Branches ? 2845
=================================================
Hits ? 75577
Misses ? 34241
Partials ? 4121
| Flag | Coverage Δ | |
|---|---|---|
| unittests | 66.33% <100.00%> (?) |
Flags with carried forward coverage won't be shown.
| Files with missing lines | Coverage Δ | |
|---|---|---|
| src/lib/orm/query.go | 76.27% <100.00%> (ø) | |
| src/pkg/artifact/dao/dao.go | 57.63% <100.00%> (ø) | |
| src/pkg/task/dao/execution.go | 61.82% <100.00%> (ø) | |
| src/pkg/task/dao/task.go | 64.31% <100.00%> (ø) | |
To avoid any uncertainty in the Harbor patch release, we prefer not to upgrade the minor version of Beego; instead, we would like to stick with the patch release. Upgrading to a minor release would introduce code changes that we would like to avoid.
To address the CVEs, I will discuss with the Beego maintainer to see if they can provide a patch for Harbor. If they are unable to assist, we can consider merging this PR.
@Vad1mo What are your thoughts on this approach?
Let's merge this PR to fix CVEs in v2.11.2