Bug 1887864 - Clean up dependencies to avoid invalid scan flagging
Summary: Clean up dependencies to avoid invalid scan flagging
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.7.0
Assignee: Jakub Hadvig
QA Contact: Yadan Pei
Depends On:
Blocks: 1892428
TreeView+ depends on / blocked
Reported: 2020-10-13 13:46 UTC by Paul Weil
Modified: 2021-02-24 15:26 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Console vendors 'runc' module in v0.1.1 version which contains potential security issue. Consequence: frog xray flags the 'runc' dependency as a potential vulnerability Fix: Pin 'runc' module to the v1.0.0-rc8 which contains the fix Result: 'runc' dependency is not flagged as a potential vulnerability
Clone Of:
Last Closed: 2021-02-24 15:25:41 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift console pull 6990 0 None closed Bug 1887864: Update library-go and replace runc module for v1.0.0-rc8 version 2021-01-26 20:05:25 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:26:09 UTC

Description Paul Weil 2020-10-13 13:46:09 UTC
As noted in https://access.redhat.com/support/cases/#/case/02771740 the console container may be flagged due to dependencies in vendors/modulest.txt.

A recent example of this was from jfrog xray flagging the runc dependency for CVE-2019-5736.  

Though this dependency is vendored (the code exists in vendor directories) the console does not actually use this one in particular anywhere.  

Investigate if we can clean up any dependencies to prevent invalid flagging during security scans.  

In addition to any clean up, we should review dependencies that can be updated to ensure we have the latest fixes

Comment 15 Jakub Hadvig 2020-10-27 08:29:41 UTC
Matthew we updated the opencontainers/runc module to 1.0.0-rc8 which should carry fix.
Do we need to backport the fix to 4.6?

Comment 16 Matthew Whitehead 2020-10-28 14:52:31 UTC
Yes, please backport to 4.6. The customer is also running 4.5.7 and 4.5.11, so backporting to 4.5.x is desired.

Comment 17 Yanping Zhang 2020-10-29 07:18:06 UTC
Fix is not contained in payload: 4.7.0-0.nightly-2020-10-27-051128, wait for new build.

Comment 18 Yadan Pei 2020-11-06 02:02:23 UTC
Clone latest console repo
$ go mod graph | grep opencontainers/runc
github.com/deislabs/oras.1 github.com/opencontainers/runc.1
github.com/Microsoft/hcsshim.7 github.com/opencontainers/runc.0-20190115041553-12f6a991201f   (is a dependency of deislabs/oras)
github.com/openshift/library-go.0-20200424095618-2aeb4725dadf github.com/opencontainers/runc.0-20191031171055-b133feaeeb2e
$ go list -m all | grep opencontainers/runc (OK)
github.com/opencontainers/runc v0.1.1 => github.com/opencontainers/runc v1.0.0-rc8.0.20190926150303-84373aaa560b
$ go list -m all | grep deislabs/oras
github.com/deislabs/oras v0.8.1
$ go list -m all | grep openshift/library-go  (OK)
github.com/openshift/library-go v0.0.0-20200424095618-2aeb4725dadf

Moving to VERIFIED, let me know if it is wrong

Comment 24 errata-xmlrpc 2021-02-24 15:25:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.