Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade module k8s.io/client-go in internal/backend/remote-state/kubernetes #36318

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Upgrade module k8s.io/client-go in internal/backend/remote-state/kubernetes #36318

wants to merge 2 commits into from
+272 −318

Conversation

mmtevelde
Copy link

@mmtevelde mmtevelde commented Jan 14, 2025
edited
Loading

I'm proposing bumping the k8s.io/client-go go module in internal/backend/remote-state/kubernetes. The rationale is that Prisma Cloud container vulnerability scanning reports a vulnerability on the indirect dependency github.com/emicklei/go-restful/v3 in this module.
For reference: within the Prisma Cloud ecosystem, this vulnerability is referred to as PRISMA-2022-0227, rated 7.5 - High. The vulnerability is fixed in versions v.3.10.0 and upwards of github.com/emicklei/go-restful/v3.
A similar question was asked on HashiCorp Discuss here. To illustrate, a similar issue was raised on Kubernetes link.

My workflow for creating this PR:

  1. go -C internal/backend/remote-state/kubernetes get -u k8s.io/client-go to upgrade the module
  2. make syncdeps as per instructions I found in this repo
  3. go test ./... to verify tests are still passing

Fixes #36319

Target Release

1.11.x

CHANGELOG entry

  • This change is user-facing and I added a changelog entry.
  • This change is not user-facing.

@hashicorp-cla-app HashiCorp CLA App
Copy link

hashicorp-cla-app bot commented Jan 14, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@mmtevelde mmtevelde mentioned this pull request Jan 14, 2025
Open
@mmtevelde mmtevelde marked this pull request as ready for review January 14, 2025 15:20
@mmtevelde mmtevelde requested review from a team as code owners January 14, 2025 15:20
@crw
Copy link
Contributor

crw commented Jan 14, 2025

Thanks, I've notified the appropriate team.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
backend/k8s enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Fix vulnerability reported by Prisma Cloud on module github.com/emicklei/go-restful/v3
2 participants
@mmtevelde @crw