
@isibeni
Contributor

@isibeni isibeni commented Mar 12, 2024

Changes

Stop using archived gopkg.in/square/go-jose.v2 pkg
Switch to github.com/go-jose/go-jose/v3 instead

Fixes CVE-2024-28180

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
  • Has Tests included if any functionality added or changed
  • pre-commit Passed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings). See some examples of good release notes.
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

NONE
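As an added check, not code from this PR or the Tekton project: a POSIX shell audit that a go.mod has finished the migration described above (archived gopkg.in/square/go-jose.v2 gone, github.com/go-jose/go-jose/v3 required) and carries a go directive of at least 1.21, the floor the thread arrives at. The sample go.mod files and their versions are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the tektoncd/pipeline PR: audit a go.mod for
# the migration this PR performs. Return codes of audit_gomod:
#   0  archived module gone, go-jose v3 required, go directive >= 1.21
#   1  archived gopkg.in/square/go-jose.v2 is still required
#   2  github.com/go-jose/go-jose/v3 is not required at all
#   3  go directive below 1.21 (the floor the thread arrives at)
ARCHIVED='gopkg.in/square/go-jose.v2'
REPLACEMENT='github.com/go-jose/go-jose/v3'
MIN_GO='1.21'

# go_version_ok <version>: true when major.minor of <version> >= MIN_GO
go_version_ok() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    min_major=${MIN_GO%%.*}; min_minor=${MIN_GO#*.}
    [ "$major" -gt "$min_major" ] ||
        { [ "$major" -eq "$min_major" ] && [ "$minor" -ge "$min_minor" ]; }
}

# audit_gomod <go.mod>: prints a verdict and returns the code listed above
audit_gomod() {
    f=$1
    # match both "require X v..." and the "\tX v..." form inside a require block
    if grep -Eq "^[[:space:]]*(require )?$ARCHIVED " "$f"; then
        echo "$f: still requires archived $ARCHIVED"; return 1
    fi
    if ! grep -Eq "^[[:space:]]*(require )?$REPLACEMENT " "$f"; then
        echo "$f: $REPLACEMENT is not required"; return 2
    fi
    gover=$(sed -n 's/^go \([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1)
    if [ -z "$gover" ] || ! go_version_ok "$gover"; then
        echo "$f: go directive '$gover' is below $MIN_GO"; return 3
    fi
    echo "$f: migration complete (go $gover)"
}

# make_samples: writes three constructed go.mod files (placeholder versions,
# not real ones) into a temp dir and prints its path, for a self-check.
make_samples() {
    d=$(mktemp -d)
    printf 'module example.com/before\n\ngo 1.19\n\nrequire (\n\tgopkg.in/square/go-jose.v2 v2.0.0-SAMPLE\n)\n' > "$d/before.mod"
    printf 'module example.com/after\n\ngo 1.21\n\nrequire (\n\tgithub.com/go-jose/go-jose/v3 v3.0.0-SAMPLE\n)\n' > "$d/after.mod"
    printf 'module example.com/oldgo\n\ngo 1.19\n\nrequire github.com/go-jose/go-jose/v3 v3.0.0-SAMPLE\n' > "$d/oldgo.mod"
    echo "$d"
}

# Usage: sh audit.sh path/to/go.mod [...]
for f in "$@"; do audit_gomod "$f" || exit $?; done
```

A `replace` directive pointing the archived path at v3 would not satisfy this check, since the `require` line for the old module would still be present; that is intentional, as the thread's fix removes the dependency outright.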

@tekton-robot tekton-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Mar 12, 2024
@linux-foundation-easycla

linux-foundation-easycla bot commented Mar 12, 2024

CLA Not Signed

@tekton-robot tekton-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 12, 2024
@tekton-robot
Collaborator

Hi @isibeni. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Contributor

@khrm khrm left a comment


/ok-to-test

@tekton-robot tekton-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 15, 2024
@khrm
Contributor

khrm commented Mar 15, 2024

I think Dependabot would raise a PR for this. It did in other repos.

@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 18, 2024
@isibeni
Contributor Author

isibeni commented Mar 25, 2024

Took me a while to get my CLA approval.

Trying to rebase now, but I'm struggling to run go mod tidy, as this commit 59c241e introduced containerd 1.17.14, which seems to require go 1.21.

When running go mod tidy it would also bump the go version in the go.mod file.

When trying to run go mod tidy for version 1.19 it fails:

$ go mod tidy -go=1.19
go: github.com/containerd/containerd@v1.7.14 requires go@1.21, but 1.19 is requested

I guess an update to 1.21 is needed, or am I missing something?

@vdemeester
Member

@isibeni yes, most likely an update to go 1.21 is required.

@isibeni
Contributor Author

isibeni commented Mar 26, 2024

@vdemeester How are go updates usually handled in tekton?

Just a plain PR that is bumping the version in go.mod?

Or is there a bigger process involved?

Or can I just bump it within my PR?

@vdemeester
Member

> @vdemeester How are go updates usually handled in tekton?
>
> Just a plain PR that is bumping the version in go.mod?
>
> Or is there a bigger process involved?
>
> Or can I just bump it within my PR?

Yes, you can update it in go.mod. We may need to check if the test-runner image used in the CI is using Go 1.21, but we'll quickly see it if you bump it (and if that's the case, we'll just have to update the reference of the image in the CI configuration). No huge process to follow 😉

@tekton-robot tekton-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. release-note-none Denotes a PR that doesn't merit a release note. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Apr 4, 2024
@isibeni
Contributor Author

isibeni commented Apr 4, 2024

/kind misc

@tekton-robot tekton-robot added the kind/misc Categorizes issue or PR as a miscellaneous one. label Apr 4, 2024
@isibeni
Contributor Author

isibeni commented Apr 5, 2024

/retest

@tekton-robot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 5, 2024
@afrittoli
Member

Thanks @isibeni - this will address https://pkg.go.dev/vuln/GO-2024-2631 as well.

Member

@afrittoli afrittoli left a comment


Thanks for this!
We will have to backport this, but that will also mean updating the go version for LTS releases.
/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 8, 2024
@tekton-robot tekton-robot merged commit c19b6e6 into tektoncd:main Apr 8, 2024
@isibeni
Contributor Author

isibeni commented Apr 8, 2024

Thanks for merging!!!

@vdemeester
Member

/cherry-pick release-v0.56.x

@vdemeester
Member

/cherry-pick release-v0.53.x

@vdemeester
Member

/cherry-pick release-v0.50.x

@vdemeester
Member

/cherry-pick release-v0.47.x

@tekton-robot
Collaborator

@vdemeester: #7750 failed to apply on top of branch "release-v0.56.x":

Applying: chore(deps): Migrate to github.com/go-jose/go-jose/v3
Using index info to reconstruct a base tree...
M	go.mod
M	go.sum
M	vendor/modules.txt
Falling back to patching base and 3-way merge...
Auto-merging vendor/modules.txt
Removing vendor/gopkg.in/square/go-jose.v2/symmetric.go
Removing vendor/gopkg.in/square/go-jose.v2/signing.go
Removing vendor/gopkg.in/square/go-jose.v2/shared.go
Removing vendor/gopkg.in/square/go-jose.v2/opaque.go
Removing vendor/gopkg.in/square/go-jose.v2/jwt/validation.go
Removing vendor/gopkg.in/square/go-jose.v2/jwt/jwt.go
Removing vendor/gopkg.in/square/go-jose.v2/jwt/errors.go
Removing vendor/gopkg.in/square/go-jose.v2/jwt/doc.go
Removing vendor/gopkg.in/square/go-jose.v2/jwt/claims.go
Removing vendor/gopkg.in/square/go-jose.v2/jwt/builder.go
Removing vendor/gopkg.in/square/go-jose.v2/jws.go
Removing vendor/gopkg.in/square/go-jose.v2/jwk.go
Removing vendor/gopkg.in/square/go-jose.v2/jwe.go
Removing vendor/gopkg.in/square/go-jose.v2/json/tags.go
Removing vendor/gopkg.in/square/go-jose.v2/json/stream.go
Removing vendor/gopkg.in/square/go-jose.v2/json/scanner.go
Removing vendor/gopkg.in/square/go-jose.v2/json/indent.go
Removing vendor/gopkg.in/square/go-jose.v2/json/encode.go
Removing vendor/gopkg.in/square/go-jose.v2/json/decode.go
Removing vendor/gopkg.in/square/go-jose.v2/json/README.md
Removing vendor/gopkg.in/square/go-jose.v2/json/LICENSE
Removing vendor/gopkg.in/square/go-jose.v2/encoding.go
Removing vendor/gopkg.in/square/go-jose.v2/doc.go
Removing vendor/gopkg.in/square/go-jose.v2/crypter.go
Removing vendor/gopkg.in/square/go-jose.v2/cipher/key_wrap.go
Removing vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es.go
Removing vendor/gopkg.in/square/go-jose.v2/cipher/concat_kdf.go
Removing vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac.go
Removing vendor/gopkg.in/square/go-jose.v2/asymmetric.go
Removing vendor/gopkg.in/square/go-jose.v2/README.md
Removing vendor/gopkg.in/square/go-jose.v2/LICENSE
Removing vendor/gopkg.in/square/go-jose.v2/CONTRIBUTING.md
Removing vendor/gopkg.in/square/go-jose.v2/BUG-BOUNTY.md
Removing vendor/gopkg.in/square/go-jose.v2/.travis.yml
Removing vendor/gopkg.in/square/go-jose.v2/.gitignore
Removing vendor/gopkg.in/square/go-jose.v2/.gitcookies.sh.enc
Auto-merging go.sum
Auto-merging go.mod
CONFLICT (content): Merge conflict in go.mod
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 chore(deps): Migrate to github.com/go-jose/go-jose/v3
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-v0.56.x

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot
Collaborator

@vdemeester: #7750 failed to apply on top of branch "release-v0.53.x":

Applying: chore(deps): Migrate to github.com/go-jose/go-jose/v3
Using index info to reconstruct a base tree...
M	go.mod
M	go.sum
M	vendor/modules.txt
Falling back to patching base and 3-way merge...
Auto-merging vendor/modules.txt
Removing vendor/gopkg.in/square/go-jose.v2/symmetric.go
Removing vendor/gopkg.in/square/go-jose.v2/signing.go
Removing vendor/gopkg.in/square/go-jose.v2/shared.go
Removing vendor/gopkg.in/square/go-jose.v2/opaque.go
Removing vendor/gopkg.in/square/go-jose.v2/jwt/validation.go
Removing vendor/gopkg.in/square/go-jose.v2/jwt/jwt.go
Removing vendor/gopkg.in/square/go-jose.v2/jwt/errors.go
Removing vendor/gopkg.in/square/go-jose.v2/jwt/doc.go
Removing vendor/gopkg.in/square/go-jose.v2/jwt/claims.go
Removing vendor/gopkg.in/square/go-jose.v2/jwt/builder.go
Removing vendor/gopkg.in/square/go-jose.v2/jws.go
Removing vendor/gopkg.in/square/go-jose.v2/jwk.go
Removing vendor/gopkg.in/square/go-jose.v2/jwe.go
Removing vendor/gopkg.in/square/go-jose.v2/json/tags.go
Removing vendor/gopkg.in/square/go-jose.v2/json/stream.go
Removing vendor/gopkg.in/square/go-jose.v2/json/scanner.go
Removing vendor/gopkg.in/square/go-jose.v2/json/indent.go
Removing vendor/gopkg.in/square/go-jose.v2/json/encode.go
Removing vendor/gopkg.in/square/go-jose.v2/json/decode.go
Removing vendor/gopkg.in/square/go-jose.v2/json/README.md
Removing vendor/gopkg.in/square/go-jose.v2/json/LICENSE
Removing vendor/gopkg.in/square/go-jose.v2/encoding.go
Removing vendor/gopkg.in/square/go-jose.v2/doc.go
Removing vendor/gopkg.in/square/go-jose.v2/crypter.go
Removing vendor/gopkg.in/square/go-jose.v2/cipher/key_wrap.go
Removing vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es.go
Removing vendor/gopkg.in/square/go-jose.v2/cipher/concat_kdf.go
Removing vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac.go
Removing vendor/gopkg.in/square/go-jose.v2/asymmetric.go
Removing vendor/gopkg.in/square/go-jose.v2/README.md
Removing vendor/gopkg.in/square/go-jose.v2/LICENSE
Removing vendor/gopkg.in/square/go-jose.v2/CONTRIBUTING.md
Removing vendor/gopkg.in/square/go-jose.v2/BUG-BOUNTY.md
Removing vendor/gopkg.in/square/go-jose.v2/.travis.yml
Removing vendor/gopkg.in/square/go-jose.v2/.gitignore
Removing vendor/gopkg.in/square/go-jose.v2/.gitcookies.sh.enc
Auto-merging go.sum
Auto-merging go.mod
CONFLICT (content): Merge conflict in go.mod
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 chore(deps): Migrate to github.com/go-jose/go-jose/v3
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-v0.53.x

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot
Collaborator

@vdemeester: #7750 failed to apply on top of branch "release-v0.50.x":

Applying: chore(deps): Migrate to github.com/go-jose/go-jose/v3
Using index info to reconstruct a base tree...
M	go.mod
M	go.sum
M	vendor/modules.txt
Falling back to patching base and 3-way merge...
Auto-merging vendor/modules.txt
Removing vendor/gopkg.in/square/go-jose.v2/symmetric.go
Removing vendor/gopkg.in/square/go-jose.v2/signing.go
Removing vendor/gopkg.in/square/go-jose.v2/shared.go
Removing vendor/gopkg.in/square/go-jose.v2/opaque.go
Removing vendor/gopkg.in/square/go-jose.v2/jwt/validation.go
Removing vendor/gopkg.in/square/go-jose.v2/jwt/jwt.go
Removing vendor/gopkg.in/square/go-jose.v2/jwt/errors.go
Removing vendor/gopkg.in/square/go-jose.v2/jwt/doc.go
Removing vendor/gopkg.in/square/go-jose.v2/jwt/claims.go
Removing vendor/gopkg.in/square/go-jose.v2/jwt/builder.go
Removing vendor/gopkg.in/square/go-jose.v2/jws.go
Removing vendor/gopkg.in/square/go-jose.v2/jwk.go
Removing vendor/gopkg.in/square/go-jose.v2/jwe.go
Removing vendor/gopkg.in/square/go-jose.v2/json/tags.go
Removing vendor/gopkg.in/square/go-jose.v2/json/stream.go
Removing vendor/gopkg.in/square/go-jose.v2/json/scanner.go
Removing vendor/gopkg.in/square/go-jose.v2/json/indent.go
Removing vendor/gopkg.in/square/go-jose.v2/json/encode.go
Removing vendor/gopkg.in/square/go-jose.v2/json/decode.go
Removing vendor/gopkg.in/square/go-jose.v2/json/README.md
Removing vendor/gopkg.in/square/go-jose.v2/json/LICENSE
Removing vendor/gopkg.in/square/go-jose.v2/encoding.go
Removing vendor/gopkg.in/square/go-jose.v2/doc.go
Removing vendor/gopkg.in/square/go-jose.v2/crypter.go
Removing vendor/gopkg.in/square/go-jose.v2/cipher/key_wrap.go
Removing vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es.go
Removing vendor/gopkg.in/square/go-jose.v2/cipher/concat_kdf.go
Removing vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac.go
Removing vendor/gopkg.in/square/go-jose.v2/asymmetric.go
Removing vendor/gopkg.in/square/go-jose.v2/README.md
Removing vendor/gopkg.in/square/go-jose.v2/LICENSE
Removing vendor/gopkg.in/square/go-jose.v2/CONTRIBUTING.md
Removing vendor/gopkg.in/square/go-jose.v2/BUG-BOUNTY.md
Removing vendor/gopkg.in/square/go-jose.v2/.travis.yml
Removing vendor/gopkg.in/square/go-jose.v2/.gitignore
Removing vendor/gopkg.in/square/go-jose.v2/.gitcookies.sh.enc
Auto-merging go.sum
Auto-merging go.mod
CONFLICT (content): Merge conflict in go.mod
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 chore(deps): Migrate to github.com/go-jose/go-jose/v3
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-v0.50.x

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot
Collaborator

@vdemeester: #7750 failed to apply on top of branch "release-v0.47.x":

Patch is empty.
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-v0.47.x

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@vdemeester
Member

Alright, will have to do those manually 😛
