1887864 – Clean up dependencies to avoid invalid scan flagging

Bug 1887864 - Clean up dependencies to avoid invalid scan flagging

Summary: Clean up dependencies to avoid invalid scan flagging

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Management Console
Sub Component:
Version:	4.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	4.7.0
Assignee:	Jakub Hadvig
QA Contact:	Yadan Pei
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1892428
TreeView+	depends on / blocked

Reported:	2020-10-13 13:46 UTC by Paul Weil
Modified:	2021-02-24 15:26 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: Console vendors 'runc' module in v0.1.1 version which contains potential security issue. Consequence: frog xray flags the 'runc' dependency as a potential vulnerability Fix: Pin 'runc' module to the v1.0.0-rc8 which contains the fix Result: 'runc' dependency is not flagged as a potential vulnerability
Clone Of:
Environment:
Last Closed:	2021-02-24 15:25:41 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift console pull 6990	0	None	closed	Bug 1887864: Update library-go and replace runc module for v1.0.0-rc8 version	2021-01-26 20:05:25 UTC
Red Hat Product Errata	RHSA-2020:5633	0	None	None	None	2021-02-24 15:26:09 UTC

Description Paul Weil 2020-10-13 13:46:09 UTC

As noted in https://access.redhat.com/support/cases/#/case/02771740 the console container may be flagged due to dependencies in vendors/modulest.txt.

A recent example of this was from jfrog xray flagging the runc dependency for CVE-2019-5736.  

Though this dependency is vendored (the code exists in vendor directories) the console does not actually use this one in particular anywhere.  

Investigate if we can clean up any dependencies to prevent invalid flagging during security scans.  

In addition to any clean up, we should review dependencies that can be updated to ensure we have the latest fixes

Comment 15 Jakub Hadvig 2020-10-27 08:29:41 UTC

Matthew we updated the opencontainers/runc module to 1.0.0-rc8 which should carry fix.
Do we need to backport the fix to 4.6?

Comment 16 Matthew Whitehead 2020-10-28 14:52:31 UTC

Yes, please backport to 4.6. The customer is also running 4.5.7 and 4.5.11, so backporting to 4.5.x is desired.

Comment 17 Yanping Zhang 2020-10-29 07:18:06 UTC

Fix is not contained in payload: 4.7.0-0.nightly-2020-10-27-051128, wait for new build.

Comment 18 Yadan Pei 2020-11-06 02:02:23 UTC

Clone latest console repo
$ go mod graph | grep opencontainers/runc
github.com/deislabs/oras.1 github.com/opencontainers/runc.1
github.com/Microsoft/hcsshim.7 github.com/opencontainers/runc.0-20190115041553-12f6a991201f   (is a dependency of deislabs/oras)
github.com/openshift/library-go.0-20200424095618-2aeb4725dadf github.com/opencontainers/runc.0-20191031171055-b133feaeeb2e
$ go list -m all | grep opencontainers/runc (OK)
github.com/opencontainers/runc v0.1.1 => github.com/opencontainers/runc v1.0.0-rc8.0.20190926150303-84373aaa560b
$ go list -m all | grep deislabs/oras
github.com/deislabs/oras v0.8.1
$ go list -m all | grep openshift/library-go  (OK)
github.com/openshift/library-go v0.0.0-20200424095618-2aeb4725dadf

Moving to VERIFIED, let me know if it is wrong

Comment 24 errata-xmlrpc 2021-02-24 15:25:41 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

Note You need to log in before you can comment on or make changes to this bug.