
[release 1.13] security: up deps in release branch #3463


Merged: 28 commits, merged Jun 27, 2024

Conversation

@sicoyle (Contributor) commented Jun 25, 2024

Description

I had issues cherry-picking my merged commit directly from the main branch, as it was bringing in a lot of other changes, so I manually copy/pasted. For the Cloudflare worker stuff I updated the dep and then recompiled everything, so that should be g2g.

Issue reference

We strive to have all PRs opened based on an issue where the problem or feature has been discussed prior to implementation.

Please reference the issue this PR will close: #[issue number]

Checklist

Please make sure you've completed the relevant tasks for this PR, out of the following list:

  • Code compiles correctly
  • Created/updated tests
  • Extended the documentation / Created issue in the https://github.com/dapr/docs/ repo: dapr/docs#[issue number]

@sicoyle sicoyle requested review from a team as code owners June 25, 2024 17:42
@sicoyle (Contributor, Author) commented Jun 25, 2024

Will revert the go version bump in a bit. Didn't realize that was in my changes as well, but I already switched to dapr/dapr updates for this.

@ItalyPaleAle (Contributor) left a comment:

Ideally in a release branch we should never update dependencies unless they contain security issues or critical bug fixes. I am concerned with the fact that this PR updates A LOT of dependencies, including SDKs for cloud services.

sicoyle added 2 commits June 25, 2024 15:38
Signed-off-by: Samantha Coyle <[email protected]>
Signed-off-by: Samantha Coyle <[email protected]>
@sicoyle (Contributor, Author) commented Jun 25, 2024

> Ideally in a release branch we should never update dependencies unless they contain security issues or critical bug fixes. I am concerned with the fact that this PR updates A LOT of dependencies, including SDKs for cloud services.

These are all for security vulnerabilities based on my PR desc here: #3390

@ItalyPaleAle (Contributor) commented:

> Ideally in a release branch we should never update dependencies unless they contain security issues or critical bug fixes. I am concerned with the fact that this PR updates A LOT of dependencies, including SDKs for cloud services.
>
> These are all for security vulnerabilities based on my PR desc here: #3390

I see the go.mod contains a lot more deps updated than the ones you list in #3390, including SDKs for all cloud providers.

@sicoyle (Contributor, Author) commented Jun 25, 2024

> I see the go.mod contains a lot more deps updated than the ones you list in #3390, including SDKs for all cloud providers.

I def did not do a go get -u ... on everything. Let me see what I can do. Part of this could also be that I had to copy/paste based on my other PR, so maybe I just need to not grab as many changes. I'm working on it 😁

@ItalyPaleAle (Contributor) commented:

> I see the go.mod contains a lot more deps updated than the ones you list in #3390, including SDKs for all cloud providers.
>
> I def did not do a go get -u ... on everything. Let me see what I can do. Part of this could also be that I had to copy/paste based on my other PR, so maybe I just need to not grab as many changes. I'm working on it 😁

Here's my tip:

  1. Reset to main: git fetch --all && git reset --hard origin/main
  2. Open the go.mod file (the main one) and update the deps that you listed in the table, and only those
  3. make modtidy-all
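The tip above (edit only the modules listed in the table, then run make modtidy-all) and the later exchange about the grpc bump dragging cloud.google.com/go/pubsub along both come down to the question a reviewer of a release-branch security bump wants answered: which modules actually changed, and is every one of them on the list? The Go program below is an added example, not code from this PR or from dapr/components-contrib. It diffs the require entries of two go.mod texts and flags any bump that is not on an allowlist standing in for the PR's vulnerability table. The go.mod fragments and the allowlist are constructed; apart from the grpc 1.60.1 and pubsub v1.33.0 -> v1.36.1 values that appear in this thread, every version in them is a placeholder.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Bump is one module whose required version differs between two go.mod files.
type Bump struct {
	Module   string
	Old, New string // Old is "" when the module is newly added
}

// parseRequires returns module -> version for every requirement in a go.mod,
// handling both the block form `require ( ... )` and single-line `require m v`.
// Trailing comments such as "// indirect" are ignored.
func parseRequires(gomod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		switch {
		case line == "":
			continue
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				reqs[f[0]] = f[1]
			}
		case line == "require (":
			inBlock = true
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				reqs[f[1]] = f[2]
			}
		}
	}
	return reqs
}

// diffRequires lists every module that was added or whose version changed,
// sorted by module path so the report is stable across runs.
func diffRequires(before, after string) []Bump {
	prev, cur := parseRequires(before), parseRequires(after)
	var bumps []Bump
	for mod, v := range cur {
		if prev[mod] != v {
			bumps = append(bumps, Bump{Module: mod, Old: prev[mod], New: v})
		}
	}
	sort.Slice(bumps, func(i, j int) bool { return bumps[i].Module < bumps[j].Module })
	return bumps
}

// unexpectedBumps returns the bumps whose module is not on the allowlist
// (the modules named in the PR's vulnerability table). Each finding is either
// a transitive bump the PR description has to justify, or scope creep.
func unexpectedBumps(bumps []Bump, allowed []string) []Bump {
	ok := map[string]bool{}
	for _, m := range allowed {
		ok[m] = true
	}
	var out []Bump
	for _, b := range bumps {
		if !ok[b.Module] {
			out = append(out, b)
		}
	}
	return out
}

// Constructed go.mod fragments for illustration (not the PR's real files).
const goModBefore = `module example.com/contrib

go 1.21

require (
	cloud.google.com/go/pubsub v1.33.0
	cloud.google.com/go/storage v1.33.0
	google.golang.org/grpc v1.59.0
)

require golang.org/x/net v0.17.0 // indirect
`

const goModAfter = `module example.com/contrib

go 1.21

require (
	cloud.google.com/go/pubsub v1.36.1
	cloud.google.com/go/storage v1.33.0
	google.golang.org/grpc v1.60.1
)

require golang.org/x/net v0.23.0 // indirect
`

// allowedModules stands in for the modules listed in the PR's security table (assumed).
var allowedModules = []string{"google.golang.org/grpc", "golang.org/x/net"}

func main() {
	bumps := diffRequires(goModBefore, goModAfter)
	for _, b := range bumps {
		old := b.Old
		if old == "" {
			old = "(new)"
		}
		fmt.Printf("%-32s %s -> %s\n", b.Module, old, b.New)
	}
	if extra := unexpectedBumps(bumps, allowedModules); len(extra) > 0 {
		fmt.Println("bumps not covered by the security table (justify or revert):")
		for _, b := range extra {
			fmt.Printf("  %s %s -> %s\n", b.Module, b.Old, b.New)
		}
	}
}
```

To run this against real files, read the release branch's go.mod and the PR's go.mod with os.ReadFile and pass the contents to diffRequires. For each unexpected bump, go mod why -m <module> or the corresponding edge in go mod graph shows which requirement pulled the module up: Go's minimal version selection raises a module only when something in the new graph demands the higher version, so a grpc bump can legitimately force pubsub up, but the PR description should say so and pin the lowest version that satisfies the graph rather than the latest. govulncheck ./... then reports which advisories from the Go vulnerability database still affect the resulting build.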

sicoyle added 9 commits June 25, 2024 17:04
Signed-off-by: Samantha Coyle <[email protected]>
Signed-off-by: Samantha Coyle <[email protected]>
Signed-off-by: Samantha Coyle <[email protected]>
Signed-off-by: Samantha Coyle <[email protected]>
Signed-off-by: Samantha Coyle <[email protected]>
Signed-off-by: Samantha Coyle <[email protected]>
Signed-off-by: Samantha Coyle <[email protected]>
@sicoyle sicoyle requested a review from ItalyPaleAle June 26, 2024 15:58
Signed-off-by: Samantha Coyle <[email protected]>
@sicoyle (Contributor, Author) commented Jun 26, 2024

flaky failure?

--- FAIL: Test_EndToEnd (0.19s)
    --- FAIL: Test_EndToEnd/local (0.06s)
        --- FAIL: Test_EndToEnd/local/consoleLog_multiple_requests (0.02s)
            e2e_test.go:118: 
                	Error Trace:	/home/runner/work/components-contrib/components-contrib/middleware/http/wasm/internal/e2e_test.go:118
                	            				/home/runner/work/components-contrib/components-contrib/middleware/http/wasm/internal/e2e_test.go:173
                	Error:      	"time=\"2024-06-26T16:07:13.331155155Z\" level=info msg=\"main ConsoleLog\" instance=fv-az1215-760 scope=Test_EndToEnd type=log ver=unknown\ntime=\"2024-06-26T16:07:13.33158788Z\" level=info msg=\"main ConsoleLog\" instance=fv-az1215-760 scope=Test_EndToEnd type=log ver=unknown\ntime=\"2024-06-26T16:07:13.331608729Z\" level=info msg=\"request[0] ConsoleLog\" instance=fv-az1215-760 scope=Test_EndToEnd type=log ver=unknown\ntime=\"2024-06-26T16:07:13.331616583Z\" level=debug msg=\"wasm stdout: main Stdout\\nmain Stdout\\nrequest[0] Stdout\\n\" instance=fv-az1215-760 scope=Test_EndToEnd type=log ver=unknown\ntime=\"2024-06-26T16:07:13.331621553Z\" level=debug msg=\"wasm stderr: main Stderr\\nmain Stderr\\nrequest[0] Stderr\\n\" instance=fv-az1215-760 scope=Test_EndToEnd type=log ver=unknown\ntime=\"2024-06-26T16:07:13.331631812Z\" level=info msg=\"request[1] ConsoleLog\" instance=fv-az1215-760 scope=Test_EndToEnd type=log ver=unknown\ntime=\"2024-06-26T16:07:13.33163606Z\" level=debug msg=\"wasm stdout: request[1] Stdout\\n\" instance=fv-az1215-760 scope=Test_EndToEnd type=log ver=unknown\ntime=\"2024-06-26T16:07:13.331639516Z\" level=debug msg=\"wasm stderr: request[1] Stderr\\n\" instance=fv-az1215-760 scope=Test_EndToEnd type=log ver=unknown\ntime=\"2024-06-26T16:07:13.331648322Z\" level=info msg=\"request[2] ConsoleLog\" instance=fv-az1215-760 scope=Test_EndToEnd type=log ver=unknown\ntime=\"2024-06-26T16:07:13.33165221Z\" level=debug msg=\"wasm stdout: request[2] Stdout\\n\" instance=fv-az1215-760 scope=Test_EndToEnd type=log ver=unknown\ntime=\"2024-06-26T16:07:13.331655425Z\" level=debug msg=\"wasm stderr: request[2] Stderr\\n\" instance=fv-az1215-760 scope=Test_EndToEnd type=log ver=unknown\n" does not contain "level=debug msg=\"wasm stdout: main Stdout\\nrequest[0] Stdout\\n\""
                	Test:       	Test_EndToEnd/local/consoleLog_multiple_requests
FAIL

go.mod Outdated
cloud.google.com/go/pubsub v1.33.0
cloud.google.com/go/secretmanager v1.11.2
cloud.google.com/go/storage v1.33.0
cloud.google.com/go/pubsub v1.36.1
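Review bot: cloud.google.com/go/pubsub moves from v1.33.0 to v1.36.1 while the neighbouring secretmanager (v1.11.2) and storage (v1.33.0) lines are unchanged, and pubsub is not one of the modules listed in the PR's vulnerability table. If the bump is forced by the grpc update, record in the PR description which requirement pulls it in (the go mod why -m cloud.google.com/go/pubsub output or the go mod graph edge) and pin the lowest version the graph accepts rather than the latest, so the release branch picks up no more than the fix needs.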
Contributor:

Why was the Google Cloud SDK updated? This was not in the table with the list of vulnerabilities

Contributor Author:

this is required due to bumping the grpc package to the version without a security vulnerability. I just tried downgrading it back and it bumps us down for grpc pkg unfortunately

Contributor:

See if using 1.60.1 requires bumping too, see other thread

Contributor Author:

I think I got it now

sicoyle added 2 commits June 26, 2024 11:21
Signed-off-by: Samantha Coyle <[email protected]>
@berndverst berndverst changed the title security: up deps in release branch [release 1.13] security: up deps in release branch Jun 26, 2024
@sicoyle sicoyle requested a review from ItalyPaleAle June 26, 2024 19:36
@sicoyle (Contributor, Author) commented Jun 26, 2024

@ItalyPaleAle are these transient failures in the build..? I think it's ready ready ready, but yeah need help knowing if these failures are flaky or not 🚀 🤓 ⭐

@@ -2,7 +2,7 @@
"private": true,
"name": "dapr-cfworkers-client",
"description": "Client code for Dapr to interact with Cloudflare Workers",
"version": "20230517",
"version": "20230625",
Contributor:

Suggested change
"version": "20230625",
"version": "20240625",

:)

Contributor:

This has not been resolved. The date is 1 year off...

Contributor Author:

done

sicoyle added 3 commits June 26, 2024 16:22
Signed-off-by: Samantha Coyle <[email protected]>
Signed-off-by: Samantha Coyle <[email protected]>
Signed-off-by: Samantha Coyle <[email protected]>
@sicoyle sicoyle requested a review from ItalyPaleAle June 26, 2024 21:25
sicoyle added 2 commits June 26, 2024 16:30
Signed-off-by: Samantha Coyle <[email protected]>
Signed-off-by: Samantha Coyle <[email protected]>
@sicoyle (Contributor, Author) commented Jun 26, 2024

Please note that make modtidy-all, with my go version specified for go 1.21, creates two require blocks in the tests/certification go.mod. That needs to stay to keep the linter happy. I think I've addressed everything :)

ItalyPaleAle and others added 4 commits June 26, 2024 15:12
Signed-off-by: Alessandro (Ale) Segala <[email protected]>
…mponents-contrib into release-branch-sec-vul-fixing
Signed-off-by: Samantha Coyle <[email protected]>
@sicoyle (Contributor, Author) commented Jun 27, 2024

anything else @ItalyPaleAle or g2g? :)

@ItalyPaleAle (Contributor) commented:

There's one comment left PTAL

Signed-off-by: Samantha Coyle <[email protected]>
@sicoyle (Contributor, Author) commented Jun 27, 2024

done addressing feedback. Anything else?

@ItalyPaleAle ItalyPaleAle merged commit af98674 into dapr:release-1.13 Jun 27, 2024
87 of 93 checks passed
@berndverst berndverst added this to the v1.14 milestone Jul 23, 2024
@artursouza artursouza removed this from the v1.14 milestone Aug 2, 2024
4 participants