Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1887864 - Clean up dependencies to avoid invalid scan flagging
Summary: Clean up dependencies to avoid invalid scan flagging
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.6
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.7.0
Assignee: Jakub Hadvig
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks: 1892428
TreeView+ depends on / blocked
 
Reported: 2020-10-13 13:46 UTC by Paul Weil
Modified: 2021-02-24 15:26 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Console vendors 'runc' module in v0.1.1 version which contains potential security issue. Consequence: frog xray flags the 'runc' dependency as a potential vulnerability Fix: Pin 'runc' module to the v1.0.0-rc8 which contains the fix Result: 'runc' dependency is not flagged as a potential vulnerability
Clone Of:
Environment:
Last Closed: 2021-02-24 15:25:41 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift console pull 6990 0 None closed Bug 1887864: Update library-go and replace runc module for v1.0.0-rc8 version 2021-01-26 20:05:25 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:26:09 UTC

Description Paul Weil 2020-10-13 13:46:09 UTC
As noted in https://access.redhat.com/support/cases/#/case/02771740 the console container may be flagged due to dependencies in vendors/modulest.txt.

A recent example of this was from jfrog xray flagging the runc dependency for CVE-2019-5736.  

Though this dependency is vendored (the code exists in vendor directories) the console does not actually use this one in particular anywhere.  

Investigate if we can clean up any dependencies to prevent invalid flagging during security scans.  

In addition to any clean up, we should review dependencies that can be updated to ensure we have the latest fixes

Comment 15 Jakub Hadvig 2020-10-27 08:29:41 UTC
Matthew we updated the opencontainers/runc module to 1.0.0-rc8 which should carry fix.
Do we need to backport the fix to 4.6?

Comment 16 Matthew Whitehead 2020-10-28 14:52:31 UTC
Yes, please backport to 4.6. The customer is also running 4.5.7 and 4.5.11, so backporting to 4.5.x is desired.

Comment 17 Yanping Zhang 2020-10-29 07:18:06 UTC
Fix is not contained in payload: 4.7.0-0.nightly-2020-10-27-051128, wait for new build.

Comment 18 Yadan Pei 2020-11-06 02:02:23 UTC
Clone latest console repo
$ go mod graph | grep opencontainers/runc
github.com/deislabs/oras@v0.8.1 github.com/opencontainers/runc@v0.1.1
github.com/Microsoft/hcsshim@v0.8.7 github.com/opencontainers/runc@v0.0.0-20190115041553-12f6a991201f   (is a dependency of deislabs/oras)
github.com/openshift/library-go@v0.0.0-20200424095618-2aeb4725dadf github.com/opencontainers/runc@v0.0.0-20191031171055-b133feaeeb2e
$ go list -m all | grep opencontainers/runc (OK)
github.com/opencontainers/runc v0.1.1 => github.com/opencontainers/runc v1.0.0-rc8.0.20190926150303-84373aaa560b
$ go list -m all | grep deislabs/oras
github.com/deislabs/oras v0.8.1
$ go list -m all | grep openshift/library-go  (OK)
github.com/openshift/library-go v0.0.0-20200424095618-2aeb4725dadf

Moving to VERIFIED, let me know if it is wrong

Comment 24 errata-xmlrpc 2021-02-24 15:25:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633


Note You need to log in before you can comment on or make changes to this bug.