OCPBUGS-87977: Bump github.com/containernetworking/cni v0.8.0 -> v1.3.0 #3031
asood-rh wants to merge 1 commit into
Conversation
Fixes CVE-2021-20206 (path traversal in CNI plugin FindInPath). CNO only uses cnitypes.Route and cnitypes.DNS from pkg/types and never calls the vulnerable functions, but the module is compiled into the binary and scanners correctly flag it. v1.3.0 is the version standardized across the OpenShift networking ecosystem (multus-cni, sriov-cni, ovn-kubernetes, etc.). Signed-off-by: Arti Sood <asood@redhat.com>
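The bug class this bump removes, shown as an added example that is not the CNI project's own code and not part of this PR: a plugin-name resolver in the style of the CNI FindInPath lookup, with the unvalidated "before" beside a hardened version. The hardened lookup refuses any plugin type that contains a path separator or is a bare "." / "..", so a type such as `../../outside/evil` taken from an untrusted network configuration can no longer escape the configured plugin directories. The function names, the temporary directory layout and the two fake executables are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// findInPathUnchecked is the pre-fix behaviour as the page describes it: the
// plugin name is joined onto each search directory with no validation, so a
// name carrying ".." resolves to a file outside those directories. Kept only
// as the "before" half of the comparison; do not use it.
func findInPathUnchecked(plugin string, paths []string) (string, error) {
	if plugin == "" {
		return "", errors.New("no plugin name provided")
	}
	for _, dir := range paths {
		candidate := filepath.Join(dir, plugin) // Join cleans "..", which is the traversal
		if st, err := os.Stat(candidate); err == nil && !st.IsDir() {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("failed to find plugin %q in paths %v", plugin, paths)
}

// validPluginName is the check that closes the traversal: a plugin type is a
// bare file name, so separators of either style and the "." / ".." names are
// rejected before the value ever reaches the filesystem. Rejecting "\" is a
// no-op on Linux (it is an ordinary filename byte there) but matters on
// Windows, and a legitimate plugin name never needs it.
func validPluginName(plugin string) error {
	if plugin == "" {
		return errors.New("no plugin name provided")
	}
	if strings.ContainsAny(plugin, `/\`) {
		return fmt.Errorf("invalid plugin name %q: contains a path separator", plugin)
	}
	if plugin == "." || plugin == ".." {
		return fmt.Errorf("invalid plugin name %q", plugin)
	}
	return nil
}

// findInPath is the hardened lookup: validate the name, then search.
func findInPath(plugin string, paths []string) (string, error) {
	if err := validPluginName(plugin); err != nil {
		return "", err
	}
	for _, dir := range paths {
		candidate := filepath.Join(dir, plugin)
		if st, err := os.Stat(candidate); err == nil && !st.IsDir() {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("failed to find plugin %q in paths %v", plugin, paths)
}

// setupPluginTree builds a constructed layout under a fresh temp dir:
//   <root>/cni/bin/bridge   a legitimate plugin in the search path
//   <root>/outside/evil     a file that a lookup must never reach
// It returns the root (for cleanup) and the plugin search path.
func setupPluginTree() (root string, paths []string, err error) {
	root, err = os.MkdirTemp("", "cni-findinpath-")
	if err != nil {
		return "", nil, err
	}
	binDir := filepath.Join(root, "cni", "bin")
	outDir := filepath.Join(root, "outside")
	for _, d := range []string{binDir, outDir} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return "", nil, err
		}
	}
	for _, f := range []string{filepath.Join(binDir, "bridge"), filepath.Join(outDir, "evil")} {
		if err := os.WriteFile(f, []byte("#!/bin/sh\n"), 0o755); err != nil {
			return "", nil, err
		}
	}
	return root, []string{binDir}, nil
}

func main() {
	root, paths, err := setupPluginTree()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)

	// A plugin "type" as it might arrive from an untrusted CNI configuration.
	traversal := filepath.Join("..", "..", "outside", "evil")

	p, err := findInPathUnchecked(traversal, paths)
	fmt.Printf("unchecked: %q err=%v\n", p, err) // resolves <root>/outside/evil
	p, err = findInPath(traversal, paths)
	fmt.Printf("hardened:  %q err=%v\n", p, err) // rejected before any stat
	p, err = findInPath("bridge", paths)
	fmt.Printf("hardened:  %q err=%v\n", p, err) // <root>/cni/bin/bridge
}
```

The name check is the whole fix: once a plugin type cannot contain a separator, `filepath.Join` can only ever produce a child of one of the listed directories, so no containment check on the result is needed.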
|
@asood-rh: This pull request references Jira Issue OCPBUGS-87977, which is invalid:
The bug has been updated to refer to the pull request using the external bug tracker.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Walkthrough
Changes: Dependency Version Bumps
Estimated code review effort: 1 (Trivial), ~2 minutes. Pre-merge checks: 15 passed.
Warning: There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.
golangci-lint (2.12.2)
level=error msg="Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: inconsistent vendoring in :
	github.com/Masterminds/semver@v1.5.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/Masterminds/sprig/v3@v3.2.3: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/containernetworking/cni@v1.3.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/ghodss/yaml@v1.0.1-0.20190212211648-25d852aebe32: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/go-bindata/go-bindata@v3.1.2+incompatible: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/onsi/gomega@v1.39.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/ope ... [truncated 17329 characters] ... red in go.mod, but not marked as explicit in vendor/modules.txt
	k8s.io/gengo/v2@v2.0.0-20251215205346-5ee0d033ba5b: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	k8s.io/kms@v0.35.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	k8s.io/kube-aggregator@v0.35.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	sigs.k8s.io/randfill@v1.0.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	sigs.k8s.io/structured-merge-diff/v6@v6.3.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt

	To ignore the vendor directory, use -mod=readonly or -mod=mod.
	To sync the vendor directory, run:
		go mod vendor
"
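The "inconsistent vendoring" failure above is the Go toolchain refusing to build in vendor mode because go.mod and vendor/modules.txt disagree: the toolchain expects every module in the require block to appear in modules.txt at the same version with an `## explicit` annotation beneath its header, which is what `go mod vendor` writes. As an added example (not part of this PR, and not the toolchain's own implementation), here is a small checker that reproduces that one rule on two constructed files modelled on this bump: go.mod already requires cni v1.3.0 while the vendored modules.txt still records v0.8.0 and is missing annotations for two other modules. The sample file contents and the exact wording of the version-mismatch message are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed go.mod: the bump has been applied here.
const sampleGoMod = `module github.com/openshift/cluster-network-operator

go 1.24

require (
	github.com/Masterminds/semver v1.5.0
	github.com/containernetworking/cni v1.3.0
	github.com/vishvananda/netns v0.0.5
	k8s.io/kms v0.35.2 // indirect
)
`

// Constructed vendor/modules.txt: stale, as if `go mod vendor` was not re-run.
// Only netns is in a consistent state.
const sampleModulesTxt = `# github.com/Masterminds/semver v1.5.0
github.com/Masterminds/semver
# github.com/containernetworking/cni v0.8.0
## explicit
github.com/containernetworking/cni/pkg/types
# github.com/vishvananda/netns v0.0.5
## explicit; go 1.17
github.com/vishvananda/netns
# k8s.io/kms v0.35.2
k8s.io/kms
`

type requirement struct{ Path, Version string }

// parseGoModRequires returns every module in the require block(s) or in
// single-line require directives. "// indirect" is stripped and the module is
// still returned: the vendor consistency rule applies to it all the same.
func parseGoModRequires(goMod string) []requirement {
	var reqs []requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock && line != "":
			if f := strings.Fields(line); len(f) == 2 {
				reqs = append(reqs, requirement{f[0], f[1]})
			}
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				reqs = append(reqs, requirement{f[1], f[2]})
			}
		}
	}
	return reqs
}

type vendorMeta struct {
	Version  string
	Explicit bool
}

// parseModulesTxt reads the "# path version" module headers and the
// "## explicit[; go 1.xx]" annotation line that follows the header of each
// module go mod vendor copied from go.mod. Package lines are ignored.
func parseModulesTxt(modulesTxt string) map[string]vendorMeta {
	meta := map[string]vendorMeta{}
	current := ""
	sc := bufio.NewScanner(strings.NewReader(modulesTxt))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case strings.HasPrefix(line, "## "): // must be tested before "# "
			if current == "" {
				continue
			}
			for _, ann := range strings.Split(line[3:], ";") {
				if strings.TrimSpace(ann) == "explicit" {
					m := meta[current]
					m.Explicit = true
					meta[current] = m
				}
			}
		case strings.HasPrefix(line, "# "):
			current = ""
			if f := strings.Fields(line[2:]); len(f) >= 2 {
				current = f[0]
				meta[current] = vendorMeta{Version: f[1]}
			}
		}
	}
	return meta
}

// checkVendorConsistency returns one sorted message per mismatch, phrased
// like the toolchain's report for the missing-annotation case.
func checkVendorConsistency(goMod, modulesTxt string) []string {
	meta := parseModulesTxt(modulesTxt)
	required := map[string]bool{}
	var problems []string
	for _, r := range parseGoModRequires(goMod) {
		required[r.Path] = true
		m, ok := meta[r.Path]
		switch {
		case !ok || !m.Explicit:
			problems = append(problems, fmt.Sprintf("%s@%s: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt", r.Path, r.Version))
		case m.Version != r.Version:
			problems = append(problems, fmt.Sprintf("%s@%s: is explicitly required in go.mod, but vendor/modules.txt indicates %s@%s", r.Path, r.Version, r.Path, m.Version))
		}
	}
	for path, m := range meta { // the reverse direction: vendored but no longer required
		if m.Explicit && !required[path] {
			problems = append(problems, fmt.Sprintf("%s@%s: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod", path, m.Version))
		}
	}
	sort.Strings(problems)
	return problems
}

func main() {
	for _, p := range checkVendorConsistency(sampleGoMod, sampleModulesTxt) {
		fmt.Println(p)
	}
}
```

The point for a security-relevant bump is the middle case: a go.mod that says v1.3.0 while the vendor tree still carries v0.8.0 is exactly the state in which a scanner reading go.mod reports the CVE fixed while the binary is still built from the old code, so the vendor directory must be regenerated and committed together with go.mod and go.sum.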
🧹 Nitpick comments (1)
go.mod (1)
8-8: Missing supply-chain security practices: hash verification and artifact signing. The go.mod file pins exact versions, which is good practice, but the review context does not mention:
- Hash verification in go.sum: Ensure the corresponding go.sum file is updated and committed to lock transitive dependency hashes.
- Artifact signing: OpenShift projects should validate artifacts signed with Sigstore/cosign to ensure provenance.
- SBOM generation: Consider whether your build process generates Software Bill of Materials (SBOM) attestations for supply-chain transparency.
These are not blockers for this PR but represent operational hardening for supply-chain security.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 63170045-3f62-4c96-8de1-115bc62d6c52
⛔ Files ignored due to path filters (11)
go.sum is excluded by !**/*.sum
vendor/github.com/containernetworking/cni/pkg/types/args.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/containernetworking/cni/pkg/types/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/vishvananda/netns/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/vishvananda/netns/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/vishvananda/netns/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/vishvananda/netns/netns_linux.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/vishvananda/netns/netns_others.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/vishvananda/netns/nshandle_linux.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/vishvananda/netns/nshandle_others.go is excluded by !**/vendor/**, !vendor/**
vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (1)
go.mod
|
/lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: asood-rh, jcaamano, raphaelvrosa
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
|
/test e2e-metal-ipi-ovn-ipv6-ipsec |
|
Based on RCA retest it. /test 5.0-upgrade-from-stable-4.22-e2e-aws-ovn-upgrade |
|
Based on RCA /test 5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade |
|
/test e2e-aws-ovn-fdp-qe |
|
Logged bug https://redhat.atlassian.net/browse/OCPBUGS-89238 for three IPSec job failures |
|
/test 5.0-upgrade-from-stable-4.22-e2e-aws-ovn-upgrade |
|
/test e2e-aws-ovn-upgrade |
|
/test e2e-aws-ovn-fdp-qe |
|
/test e2e-metal-ipi-ovn-dualstack-bgp-local-gw |
|
/test 5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade |
|
/test 5.0-upgrade-from-stable-4.22-e2e-aws-ovn-upgrade |
|
/test 5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade |
|
/test e2e-metal-ipi-ovn-dualstack-bgp-local-gw |
|
/verified by CI |
|
@asood-rh: This PR has been marked as verified by
|
/jira refresh |
|
@asood-rh: This pull request references Jira Issue OCPBUGS-87977, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact:
|
@openshift-ci-robot: GitHub didn't allow me to request PR reviews from the following users: asood-rh. Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/override ci/prow/e2e-aws-ovn-upgrade-ipsec |
|
@asood-rh: asood-rh unauthorized: /override is restricted to Repo administrators, approvers in top level OWNERS file, and the following github teams: openshift: openshift-release-oversight, openshift-staff-engineers, openshift-sustaining-engineers.
|
e2e-metal-ipi-ovn-dualstack-bgp-local-gw job failure RCA: This is an important distinction — the mirror server itself is not returning 403. Rather, a proxy server between the CI worker and the mirror is rejecting the HTTPS CONNECT request to openshift-mirror-list.ci-systems.workers.dev. Since curl got no data, the piped tar command failed with gzip: stdin: unexpected end of file, causing the entire step to error out. |
@kyrtapz Could you please override three jobs? |
|
/test e2e-metal-ipi-ovn-dualstack-bgp-local-gw |
|
/test 5.0-upgrade-from-stable-4.22-e2e-aws-ovn-upgrade |
|
/test 5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade |
|
/test e2e-metal-ipi-ovn-dualstack-bgp-local-gw |
|
@asood-rh: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/testwith openshift/cluster-network-operator/master/e2e-ovn-ipsec-step-registry openshift/ovn-kubernetes#3234 openshift/ovn-kubernetes#3235 |
Fixes CVE-2021-20206 (path traversal in CNI plugin FindInPath).
CNO only uses cnitypes.Route and cnitypes.DNS from pkg/types and
never calls the vulnerable functions, but the module is compiled
into the binary and scanners correctly flag it.
v1.3.0 is the version standardized across the OpenShift networking
ecosystem (multus-cni, sriov-cni, ovn-kubernetes, etc.).
Tested the fix.
make build
make test
Verified the update