Bug 1887864

Summary: Clean up dependencies to avoid invalid scan flagging
Product: OpenShift Container Platform
Reporter: Paul Weil <pweil>
Component: Management Console
Assignee: Jakub Hadvig <jhadvig>
Status: CLOSED ERRATA
QA Contact: Yadan Pei <yapei>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 4.6
CC: aos-bugs, jhadvig, jokerman, mwhitehe, spadgett, yanpzhan, yapei
Target Milestone: ---
Target Release: 4.7.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Console vendors the 'runc' module at version v0.1.1, which contains a potential security issue.
Consequence: JFrog Xray flags the 'runc' dependency as a potential vulnerability.
Fix: Pin the 'runc' module to v1.0.0-rc8, which contains the fix.
Result: The 'runc' dependency is not flagged as a potential vulnerability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-02-24 15:25:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1892428

Description Paul Weil 2020-10-13 13:46:09 UTC
As noted in https://access.redhat.com/support/cases/#/case/02771740 the console container may be flagged due to dependencies in vendor/modules.txt.

A recent example of this was from JFrog Xray flagging the runc dependency for CVE-2019-5736.

Though this dependency is vendored (the code exists in vendor directories), the console does not actually use this one in particular anywhere.

Investigate if we can clean up any dependencies to prevent invalid flagging during security scans.

In addition to any clean up, we should review dependencies that can be updated to ensure we have the latest fixes.

Comment 15 Jakub Hadvig 2020-10-27 08:29:41 UTC
Matthew, we updated the opencontainers/runc module to 1.0.0-rc8, which should carry the fix.
Do we need to backport the fix to 4.6?

Comment 16 Matthew Whitehead 2020-10-28 14:52:31 UTC
Yes, please backport to 4.6. The customer is also running 4.5.7 and 4.5.11, so backporting to 4.5.x is desired.

Comment 17 Yanping Zhang 2020-10-29 07:18:06 UTC
Fix is not contained in payload: 4.7.0-0.nightly-2020-10-27-051128, wait for new build.

Comment 18 Yadan Pei 2020-11-06 02:02:23 UTC
Cloned the latest console repo.
$ go mod graph | grep opencontainers/runc
github.com/deislabs/oras.1 github.com/opencontainers/runc.1
github.com/Microsoft/hcsshim.7 github.com/opencontainers/runc.0-20190115041553-12f6a991201f   (is a dependency of deislabs/oras)
github.com/openshift/library-go.0-20200424095618-2aeb4725dadf github.com/opencontainers/runc.0-20191031171055-b133feaeeb2e
$ go list -m all | grep opencontainers/runc (OK)
github.com/opencontainers/runc v0.1.1 => github.com/opencontainers/runc v1.0.0-rc8.0.20190926150303-84373aaa560b
$ go list -m all | grep deislabs/oras
github.com/deislabs/oras v0.8.1
$ go list -m all | grep openshift/library-go  (OK)
github.com/openshift/library-go v0.0.0-20200424095618-2aeb4725dadf

Moving to VERIFIED, let me know if it is wrong

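The verification in comment 18 reads the effective runc version off the `=>` side of `go list -m all` by eye. The Go program below is an added example, not code from the console repository or from this bug: it parses `go list -m -json all` output, resolves each module to the version a replace directive actually pins, and separates scanner hits that the replace neutralises (the runc case here) from hits where the built version itself is flagged. The `go list` output, the flagged-version map and the example.com module are constructed for the example; `Module`, `Finding`, `Audit` and `AuditSample` are names chosen here, not part of any tool.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// Module mirrors the fields of `go list -m -json all` used here. Replace is
// non-nil when go.mod has a replace directive; the replacement is what is
// built and vendored, not the version in the require directive.
type Module struct {
	Path    string  `json:"Path"`
	Version string  `json:"Version"`
	Main    bool    `json:"Main"`
	Replace *Module `json:"Replace"`
}

// Finding is a module whose declared or effective version is on the flagged list.
type Finding struct {
	Path       string
	Declared   string // version from require (what a go.mod / modules.txt scan reads)
	Effective  string // version actually built after any replace
	Replaced   bool   // a replace directive changed the version
	Actionable bool   // the effective version itself is flagged: pin or upgrade
}

// ParseModules decodes the concatenated JSON objects that `go list -m -json all` emits.
func ParseModules(r io.Reader) ([]Module, error) {
	dec := json.NewDecoder(r)
	var mods []Module
	for {
		var m Module
		if err := dec.Decode(&m); err == io.EOF {
			return mods, nil
		} else if err != nil {
			return nil, err
		}
		mods = append(mods, m)
	}
}

// Effective returns the path and version the build really uses.
func (m Module) Effective() (string, string) {
	if m.Replace != nil {
		return m.Replace.Path, m.Replace.Version
	}
	return m.Path, m.Version
}

// Audit checks each non-main module against flagged (path -> versions) and
// separates hits neutralised by a replace from hits that still need action.
func Audit(mods []Module, flagged map[string][]string) []Finding {
	var out []Finding
	for _, m := range mods {
		if m.Main {
			continue
		}
		effPath, effVer := m.Effective()
		declaredHit := contains(flagged[m.Path], m.Version)
		effectiveHit := contains(flagged[effPath], effVer)
		if declaredHit || effectiveHit {
			out = append(out, Finding{
				Path: m.Path, Declared: m.Version, Effective: effVer,
				Replaced: m.Replace != nil && effVer != m.Version, Actionable: effectiveHit,
			})
		}
	}
	return out
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// sampleGoList is constructed output modelled on the versions in comment 18;
// the example.com module is invented to show a hit no replace neutralises.
const sampleGoList = `
{"Path": "github.com/openshift/console", "Main": true}
{"Path": "github.com/deislabs/oras", "Version": "v0.8.1"}
{"Path": "github.com/opencontainers/runc", "Version": "v0.1.1",
 "Replace": {"Path": "github.com/opencontainers/runc", "Version": "v1.0.0-rc8.0.20190926150303-84373aaa560b"}}
{"Path": "example.com/constructed/lib", "Version": "v1.2.0"}
`

// flaggedVersions is a constructed stand-in for the scanner's report.
var flaggedVersions = map[string][]string{
	"github.com/opencontainers/runc": {"v0.1.1"},
	"example.com/constructed/lib":    {"v1.2.0"},
}

// AuditSample runs Audit over the embedded sample (swap in os.Stdin for a real repo).
func AuditSample() ([]Finding, error) {
	mods, err := ParseModules(strings.NewReader(sampleGoList))
	if err != nil {
		return nil, err
	}
	return Audit(mods, flaggedVersions), nil
}

func main() {
	findings, err := AuditSample()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		if f.Actionable {
			fmt.Printf("UPGRADE        %s: flagged %s is what gets built\n", f.Path, f.Effective)
		} else {
			fmt.Printf("FALSE POSITIVE %s: require says %s, replace pins %s\n", f.Path, f.Declared, f.Effective)
		}
	}
}
```

Against a real checkout, feed it `go list -m -json all` on stdin instead of the embedded sample. Note that a replace only neutralises a finding when the scanner is reading the require side; it does nothing for a module that is unused but still vendored, which is the clean-up the description asks for, and that case still shows up in `vendor/modules.txt` until the dependency is dropped from go.mod.
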
Comment 24 errata-xmlrpc 2021-02-24 15:25:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633