1905909 – Clean up dependencies to avoid invalid scan flagging

Bug 1905909 - Clean up dependencies to avoid invalid scan flagging

Summary: Clean up dependencies to avoid invalid scan flagging

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Management Console
Sub Component:
Version:	4.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	4.5.z
Assignee:	Jakub Hadvig
QA Contact:	Yadan Pei
Docs Contact:
URL:
Whiteboard:
Depends On:	1892428
Blocks:
TreeView+	depends on / blocked

Reported:	2020-12-09 10:12 UTC by Jakub Hadvig
Modified:	2021-01-20 05:49 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-01-20 05:49:28 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift console pull 7477	0	None	closed	[release-4.5] Bug 1905909: Update library-go and replace runc module for v1.0.0-rc8 version	2021-01-26 17:37:11 UTC
Red Hat Product Errata	RHBA-2021:0033	0	None	None	None	2021-01-20 05:49:54 UTC

Comment 3 Yadan Pei 2020-12-17 02:29:10 UTC

# oc adm release info quay.io/openshift-release-dev/ocp-release:4.5.24-x86_64 --pullspecs | grep console
  console                                        quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e0a4721b2093737e13a1b18ec60eabc52b5913b91e454985ad9c4b7a07563e8e
  console-operator                               quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:904dfa6b13281aa52212ab36e1f4897fca911ce90a0d0c06ec94b0fcb1edbf92

# oc image info quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e0a4721b2093737e13a1b18ec60eabc52b5913b91e454985ad9c4b7a07563e8e | grep commit
             io.openshift.build.commit.id=b98c074346e2b8133e3b38961132aede34d306d9
             io.openshift.build.commit.url=https://github.com/openshift/console/commit/b98c074346e2b8133e3b38961132aede34d306d9

change path to console repo and release-4.5 branch

[yapei@New_Mac console]$ git checkout -b release-4.5 -t origin/release-4.5
Checking out files: 100% (5609/5609), done.
Branch 'release-4.5' set up to track remote branch 'release-4.5' from 'origin'.
Switched to a new branch 'release-4.5'

[yapei@New_Mac console]$ git checkout b98c074346e2b8133e3b38961132aede34d306d9    // specific commit(the one we got from previous step)
Note: checking out 'b98c074346e2b8133e3b38961132aede34d306d9'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at b98c07434 Merge pull request #7178 from openshift-cherrypick-robot/cherry-pick-7172-to-release-4.5

[yapei@New_Mac console]$ git log | grep '#7477'   // nothing returned

PR7477 is not included in 4.5.24 yet

Comment 6 Yadan Pei 2021-01-06 09:27:40 UTC

# oc adm release info registry.ci.openshift.org/ocp/release:4.5.0-0.nightly-2021-01-05-230719 --pullspecs | grep console
  console                                        quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3f400f1e8f50bf1fba43d21168d5e50772eb4f3b21191f44ad36973bb9c004a5
  console-operator                               quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:af9641f209aede384c27df240dbe6b7ca3e1f456d4767bc813601db9616b1a80

# oc image info quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3f400f1e8f50bf1fba43d21168d5e50772eb4f3b21191f44ad36973bb9c004a5 | grep commit
             io.openshift.build.commit.id=df94fa8e60b16b97d55b03f47ccbb78b31e29971
             io.openshift.build.commit.url=https://github.com/openshift/console/commit/df94fa8e60b16b97d55b03f47ccbb78b31e29971

[root@preserved-qe-ui-rhel-1 console]# git fetch origin 
remote: Enumerating objects: 1577, done.
remote: Counting objects: 100% (1577/1577), done.
remote: Compressing objects: 100% (33/33), done.
remote: Total 2060 (delta 1544), reused 1564 (delta 1542), pack-reused 483
Receiving objects: 100% (2060/2060), 371.24 KiB | 0 bytes/s, done.
Resolving deltas: 100% (1663/1663), completed with 557 local objects.
From github.com:openshift/console
   36558f2..61790f4  master     -> origin/master
   8eb625c..1ea1c4f  release-4.6 -> origin/release-4.6
   36558f2..61790f4  release-4.7 -> origin/release-4.7
   36558f2..61790f4  release-4.8 -> origin/release-4.8

[root@preserved-qe-ui-rhel-1 console]# git checkout release-4.5
Switched to branch 'release-4.5'
[root@preserved-qe-ui-rhel-1 console]# git rebase origin/release-4.5
Current branch release-4.5 is up to date.
[root@preserved-qe-ui-rhel-1 console]# git checkout df94fa8e60b16b97d55b03f47ccbb78b31e29971
Note: checking out 'df94fa8e60b16b97d55b03f47ccbb78b31e29971'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b new_branch_name

HEAD is now at df94fa8... Merge pull request #7477 from jhadvig/BZ-

In commmit df94fa8e60b16b97d55b03f47ccbb78b31e29971 we can see #7477 is merged

# go mod graph
go: k8s.io/apiextensions-apiserver.2 requires
	k8s.io/kube-openapi.0-20200121204235-bf4fb3bd569c requires
	github.com/ghodss/yaml.0-20150909031657-73d445a93680: invalid version: git fetch --unshallow -f https://github.com/ghodss/yaml in /root/odev/pkg/mod/cache/vcs/5c75ad62eb9c289b6ed86c76998b4ab8c8545a841036e879d703a2bbc5fcfcea: exit status 128:
	fatal: git fetch-pack: expected shallow list

`go mod graph` returns error 

Moving back for further investigation

Comment 7 Jakub Hadvig 2021-01-11 16:25:12 UTC

Yadan not sure the if the test is right. The fixing commit is '0dfbba35cdb19fddceaf3b150062db7965c9e719'

Checked out the latest `release-4.5` branch.

`go mod graph` command works as expected.

Also the `runc` module is in the proper version, based on the `vendor/modules.txt`

Can you please re-check. Thanks

Comment 8 Yadan Pei 2021-01-13 06:39:58 UTC

Jakub, I checked again and it's working 

[yapei@New_Mac console]$ git checkout df94fa8e60b16b97d55b03f47ccbb78b31e29971
Note: checking out 'df94fa8e60b16b97d55b03f47ccbb78b31e29971'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at df94fa8e6 Merge pull request #7477 from jhadvig/BZ-
[yapei@New_Mac console]$ go mod graph | grep opencontainers/runc
github.com/deislabs/oras.1 github.com/opencontainers/runc.1
github.com/Microsoft/hcsshim.7 github.com/opencontainers/runc.0-20190115041553-12f6a991201f
github.com/openshift/library-go.0-20200424095618-2aeb4725dadf github.com/opencontainers/runc.0-20191031171055-b133feaeeb2e
[yapei@New_Mac console]$ go list -m all | grep opencontainers/runc
github.com/opencontainers/runc v0.1.1 => github.com/opencontainers/runc v1.0.0-rc8.0.20190926150303-84373aaa560b

[yapei@New_Mac console]$ go list -m all | grep openshift/library-go
github.com/openshift/library-go v0.0.0-20200424095618-2aeb4725dadf

Moving to VERIFIED

Comment 10 errata-xmlrpc 2021-01-20 05:49:28 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5.27 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0033

Note You need to log in before you can comment on or make changes to this bug.