Skip to content

Upgrade golang.org/x/crypto lib to address vulnerability#6133

Merged
katrogan merged 1 commit intomasterfrom
upgrade-crypto-lib
Jan 2, 2025
Merged

Upgrade golang.org/x/crypto lib to address vulnerability#6133
katrogan merged 1 commit intomasterfrom
upgrade-crypto-lib

Conversation

@katrogan
Copy link
Contributor

@katrogan katrogan commented Jan 2, 2025
edited by flyte-bot
Loading

Why are the changes needed?

As detailed in https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-45337, the crypto library contains a vulnerability that may be susceptible to an authorization bypass

This CVE suggests that this is mitigated in v0.31.0

What changes were proposed in this pull request?

See PR title

How was this patch tested?

Verified flyte single binary compiled and tests passed.

Setup process

Screenshots

Check all the applicable boxes

  • I updated the documentation accordingly.
  • All new and existing tests passed.
  • All commits are signed-off.

Related PRs

Docs link

Summary by Bito

Critical security update to address CVE-2024-45337 by upgrading golang.org/x/crypto from various older versions to v0.31.0 across multiple Flyte components. The update includes related golang.org/x dependencies (sync, sys, term, text) to ensure compatibility and maintain system security.

Unit tests added: False

Estimated effort to review (1-5, lower is better): 5

@katrogan
Upgrade golang.org/x/crypto lib to address vulnerability
51698c7 
Signed-off-by: Katrina Rogan <katroganGH@gmail.com>
@flyte-bot
Copy link
Collaborator

flyte-bot commented Jan 2, 2025
edited
Loading

Code Review Agent Run #a02962

Actionable Suggestions - 0
Review Details
  • Files reviewed - 20 · Commit Range: 51698c7..51698c7
    • boilerplate/flyte/golang_support_tools/go.mod
    • boilerplate/flyte/golang_support_tools/go.sum
    • datacatalog/go.mod
    • datacatalog/go.sum
    • flyteadmin/go.mod
    • flyteadmin/go.sum
    • flytecopilot/go.mod
    • flytecopilot/go.sum
    • flytectl/go.mod
    • flytectl/go.sum
    • flyteidl/go.mod
    • flyteidl/go.sum
    • flyteplugins/go.mod
    • flyteplugins/go.sum
    • flytepropeller/go.mod
    • flytepropeller/go.sum
    • flytestdlib/go.mod
    • flytestdlib/go.sum
    • go.mod
    • go.sum
  • Files skipped - 0
  • Tools
    • Golangci-lint (Linter) - ✖︎ Failed
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • GOVULNCHECK (Security Vulnerability) - ✖︎ Failed
    • OWASP (Security Vulnerability) - ✔︎ Successful
    • SNYK (Security Vulnerability) - ✔︎ Successful

AI Code Review powered by Bito Logo

@codecov
Copy link

codecov bot commented Jan 2, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 37.01%. Comparing base (61838b4) to head (51698c7).
Report is 123 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #6133   +/-   ##
=======================================
  Coverage   37.01%   37.01%           
=======================================
  Files        1318     1318           
  Lines      132525   132525           
=======================================
+ Hits        49052    49054    +2     
+ Misses      79228    79226    -2     
  Partials     4245     4245
Flag Coverage Δ
unittests-datacatalog 51.58% <ø> (ø)
unittests-flyteadmin 54.25% <ø> (+0.02%) ⬆️
unittests-flytecopilot 30.99% <ø> (ø)
unittests-flytectl 62.29% <ø> (-0.05%) ⬇️
unittests-flyteidl 7.23% <ø> (ø)
unittests-flyteplugins 53.86% <ø> (ø)
unittests-flytepropeller 42.59% <ø> (ø)
unittests-flytestdlib 55.18% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@flyte-bot
Copy link
Collaborator

flyte-bot commented Jan 2, 2025

Changelist by Bito

This pull request implements the following key changes.

Key Change Files Impacted
Other Improvements - Security Dependency Updates

go.mod - Updated golang.org/x dependencies to latest versions

go.mod - Updated golang.org/x dependencies to latest versions

go.mod - Updated golang.org/x dependencies to latest versions

go.mod - Updated golang.org/x dependencies to latest versions

go.mod - Updated golang.org/x dependencies to latest versions

go.mod - Updated golang.org/x dependencies to latest versions

go.mod - Updated golang.org/x dependencies to latest versions

go.mod - Updated golang.org/x dependencies to latest versions
Other Improvements - Security Dependency Updates

go.mod - Updated golang.org/x dependencies to latest versions

go.mod - Updated golang.org/x dependencies to latest versions

go.mod - Updated golang.org/x dependencies to latest versions

go.mod - Updated golang.org/x dependencies to latest versions

go.mod - Updated golang.org/x dependencies to latest versions

go.mod - Updated golang.org/x dependencies to latest versions

go.mod - Updated golang.org/x dependencies to latest versions

go.mod - Updated golang.org/x dependencies including crypto to v0.31.0

go.mod - Updated golang.org/x dependencies including crypto to v0.31.0

go.mod - Updated golang.org/x dependencies including crypto to v0.31.0

@katrogan katrogan merged commit fd9a378 into master Jan 2, 2025
54 checks passed
@katrogan katrogan deleted the upgrade-crypto-lib branch January 2, 2025 14:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@Future-Outlier Future-Outlier Future-Outlier approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@katrogan @flyte-bot @Future-Outlier