Upgrade golang.org/x/crypto lib to address vulnerability #6133

Merged
merged 1 commit into from
Jan 2, 2025

Conversation

katrogan
Contributor

@katrogan katrogan commented Jan 2, 2025

Why are the changes needed?

As detailed in https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-45337, the crypto library contains a vulnerability that may be susceptible to an authorization bypass.

This CVE suggests that this is mitigated in v0.31.0

What changes were proposed in this pull request?

See PR title

How was this patch tested?

Verified flyte single binary compiled and tests passed.

Setup process

Screenshots

Check all the applicable boxes

  • I updated the documentation accordingly.
  • All new and existing tests passed.
  • All commits are signed-off.

Related PRs

Docs link

Summary by Bito

Critical security update to address CVE-2024-45337 by upgrading golang.org/x/crypto from various older versions to v0.31.0 across multiple Flyte components. The update includes related golang.org/x dependencies (sync, sys, term, text) to ensure compatibility and maintain system security.

Unit tests added: False

Estimated effort to review (1-5, lower is better): 5

Signed-off-by: Katrina Rogan <katroganGH@gmail.com>
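A practitioner reviewing a bump like this across a multi-module repository wants to confirm that every go.mod actually moved to the fixed release. The following is an added Go example, not code from this PR or the Flyte project: it parses go.mod require directives (single-line and block form, ignoring `// indirect` comments) and reports whether a module still pins golang.org/x/crypto below v0.31.0. The sample go.mod contents and the helper names (requiredVersion, olderThan, needsUpgrade) are constructed for the example.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed sample go.mod contents (not the Flyte repo's real files): one still on an affected release, one fixed.
var sampleMods = map[string]string{
	"flyteadmin/go.mod": "module example/flyteadmin\n\nrequire (\n\tgolang.org/x/crypto v0.28.0\n\tgolang.org/x/sys v0.26.0 // indirect\n)\n",
	"flytectl/go.mod":   "module example/flytectl\n\nrequire golang.org/x/crypto v0.31.0\n",
}

// requiredVersion returns the version gomod pins for module path mod (single-line or block require); "" if absent.
func requiredVersion(gomod, mod string) string {
	inRequire := false
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.TrimSpace(strings.SplitN(line, "//", 2)[0]) // drop "// indirect" and other comments
		if line == "require (" || line == ")" {
			inRequire = line == "require ("
			continue
		}
		if !inRequire && !strings.HasPrefix(line, "require ") {
			continue
		}
		if f := strings.Fields(strings.TrimPrefix(line, "require ")); len(f) == 2 && f[0] == mod {
			return f[1]
		}
	}
	return ""
}

// olderThan reports whether vMAJOR.MINOR.PATCH version a sorts before b numerically; suffixes are ignored.
func olderThan(a, b string) bool {
	pa, pb := strings.Split(a[1:], "."), strings.Split(b[1:], ".")
	for i := 0; i < 3; i++ {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			return x < y
		}
	}
	return false
}

// needsUpgrade reports whether gomod still requires mod at a version below the fixed release.
func needsUpgrade(gomod, mod, fixed string) bool {
	v := requiredVersion(gomod, mod)
	return v != "" && olderThan(v, fixed)
}
```

Run it over each go.mod listed in the review above (or pair it with `govulncheck ./...` in each module) to catch a module that was missed by the bump.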
@flyte-bot
Collaborator

flyte-bot commented Jan 2, 2025

Code Review Agent Run #a02962

Actionable Suggestions - 0
Review Details
  • Files reviewed - 20 · Commit Range: 51698c7..51698c7
    • boilerplate/flyte/golang_support_tools/go.mod
    • boilerplate/flyte/golang_support_tools/go.sum
    • datacatalog/go.mod
    • datacatalog/go.sum
    • flyteadmin/go.mod
    • flyteadmin/go.sum
    • flytecopilot/go.mod
    • flytecopilot/go.sum
    • flytectl/go.mod
    • flytectl/go.sum
    • flyteidl/go.mod
    • flyteidl/go.sum
    • flyteplugins/go.mod
    • flyteplugins/go.sum
    • flytepropeller/go.mod
    • flytepropeller/go.sum
    • flytestdlib/go.mod
    • flytestdlib/go.sum
    • go.mod
    • go.sum
  • Files skipped - 0
  • Tools
    • Golangci-lint (Linter) - ✖︎ Failed
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • GOVULNCHECK (Security Vulnerability) - ✖︎ Failed
    • OWASP (Security Vulnerability) - ✔︎ Successful
    • SNYK (Security Vulnerability) - ✔︎ Successful



codecov bot commented Jan 2, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 37.01%. Comparing base (61838b4) to head (51698c7).
Report is 1 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #6133   +/-   ##
=======================================
  Coverage   37.01%   37.01%           
=======================================
  Files        1318     1318           
  Lines      132525   132525           
=======================================
+ Hits        49052    49054    +2     
+ Misses      79228    79226    -2     
  Partials     4245     4245           
Flag Coverage Δ
unittests-datacatalog 51.58% <ø> (ø)
unittests-flyteadmin 54.25% <ø> (+0.02%) ⬆️
unittests-flytecopilot 30.99% <ø> (ø)
unittests-flytectl 62.29% <ø> (-0.05%) ⬇️
unittests-flyteidl 7.23% <ø> (ø)
unittests-flyteplugins 53.86% <ø> (ø)
unittests-flytepropeller 42.59% <ø> (ø)
unittests-flytestdlib 55.18% <ø> (ø)

Flags with carried forward coverage won't be shown.

@flyte-bot
Collaborator

Changelist by Bito

This pull request implements the following key changes.

Key Change | Files Impacted
Other Improvements - Security Dependency Updates | go.mod (multiple modules) - Updated golang.org/x dependencies to latest versions
Other Improvements - Security Dependency Updates | go.mod (multiple modules) - Updated golang.org/x dependencies including crypto to v0.31.0

@katrogan katrogan merged commit fd9a378 into master Jan 2, 2025
56 checks passed
@katrogan katrogan deleted the upgrade-crypto-lib branch January 2, 2025 14:50