scanner
chore(deps): remove github.com/mholt/archiver/v3 dependency
https://github.com/mholt/archiver/pull/396 has yet to land, so github.com/mholt/archiver/v3 is still affected by CVE-2024-0406. This repository is not affected by this vulnerability.
This PR removes the dependency to:
- minimize dependencies
- ensure security scanners do not claim Scanner is affected, when it is not
Implementation is completely based on https://github.com/mholt/archiver/blob/v3.5.1/zip.go#L140.
Note: I want to make sure the diff-dumps still give the same data, but that step is failing at the moment... In any case, it doesn't hurt to start the review process
/retest
/retest
/retest
This PR and subsequent scanner dependency update in stackrox/stackrox should help with https://github.com/stackrox/stackrox/security/dependabot/270
Looks like code was removed related to handling symlinks, was that because in the various workflows that use `WriteZip` we know symlinks are not being used?
Yes, `WriteZip` is only used by `generate-dump` and `diff-dumps`, and we do not use symlinks for either (that I know of).
(rest looks OK to me - holding approve for a successful diff-dump / test)
I'm also waiting for `diff-dump`. Running into space issues in CI, though it seems unique to this PR, so I wonder if I messed something up, I'm getting unlucky, or GHA allocates different resources for PR vs push to master branch.
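The PR description says the replacement is a stand-library `archive/zip` rewrite of archiver's `WriteZip`, and the review thread settles that symlink handling was dropped because the dump workflows never use symlinks. The following is an added example, not the PR's code: a hypothetical `WriteZip` built on `archive/zip` that makes the dropped behaviour explicit by failing closed when it meets a symlink, instead of silently following or skipping it. Directory names (`srcDir`, `dst`) and the decision not to preserve file modes are assumptions of this example.

```go
package main

import (
	"archive/zip"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
)

// WriteZip archives the regular files under srcDir into the zip file dst using
// only archive/zip. Symlinks are neither followed nor stored: the walk fails closed
// on them so a link cannot pull outside content into a dump. Modes are not kept.
func WriteZip(srcDir, dst string) error {
	out, err := os.Create(dst)
	if err != nil {
		return err
	}
	defer out.Close()
	zw := zip.NewWriter(out)
	err = filepath.WalkDir(srcDir, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.Type()&fs.ModeSymlink != 0 { // entries come from Lstat, so links show as links
			return fmt.Errorf("refusing to archive symlink %q", path)
		}
		rel, err := filepath.Rel(srcDir, path)
		if err != nil || d.IsDir() { // directories are implied by the file paths
			return err
		}
		// Zip entry names always use forward slashes, whatever the host OS.
		w, err := zw.CreateHeader(&zip.FileHeader{Name: filepath.ToSlash(rel), Method: zip.Deflate})
		if err != nil {
			return err
		}
		f, err := os.Open(path)
		if err != nil {
			return err
		}
		defer f.Close()
		_, err = io.Copy(w, f)
		return err
	})
	if err != nil {
		return err
	}
	return zw.Close() // writes the central directory; this error must not be dropped
}
```

A caller that does need symlinks would have to add an explicit policy here (store the link target or resolve it within srcDir); the point of the hard error is that a new workflow cannot pick up undefined behaviour by accident.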
@RTann: The following tests failed, say `/retest` to rerun all failed tests or `/retest-required` to rerun all mandatory failed tests:
Test name | Commit | Details | Required | Rerun command |
---|---|---|---|---|
ci/prow/e2e-tests | 39f7e091f4d437d6e396e1261c613faf44953c79 | link | false | /test e2e-tests |
ci/prow/slim-e2e-tests | 39f7e091f4d437d6e396e1261c613faf44953c79 | link | false | /test slim-e2e-tests |