Merge pull request #462 from IBM/prep-v0.13.17

prepare v0.13.17

CHANGELOG.md

@@ -13,6 +13,13 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## v-next
 
+## v0.13.17
+
+Released: 2024-07-15
+
+* Remediates NIST-CVE-2024-6104 in github.com/hashicorp/go-retryablehttp
+* Remediates CVE-2024-24789, CVE-2024-24790 using go-toolset:1.21.11 
+
 
 ## v0.13.16
 

Dockerfile

@@ -1,6 +1,6 @@
 # This first stage of the build uses go-toolset to build the portieris binary creates
 # a simplified operating system image that satisfies vulnerability scanning requirements
-FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi8/go-toolset:1.20.12 as builder
+FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi8/go-toolset:1.21.11 AS builder
 ARG PORTIERIS_VERSION=undefined
 
 # switch to root user as we need to run yum and rpm to ensure packages are up to date
@@ -22,7 +22,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
     -tags containers_image_openpgp -o /opt/app-root/bin/portieris ./cmd/portieris
 RUN go version -m -v /opt/app-root/bin/portieris | (grep dep || true) | awk '{print "{\"Path\": \""$2 "\", \"Version\": \"" $3 "\"}"}' > /deps.jsonl
 
-FROM registry.access.redhat.com/ubi8/go-toolset:1.20.12 as installer
+FROM registry.access.redhat.com/ubi8/go-toolset:1.21.11 AS installer
 ARG TARGETOS TARGETARCH
 USER root
 RUN yum update -y
@@ -48,7 +48,7 @@ RUN rpm --root /image --initdb \
 
 
 # Check dependencies for vulnerabilities
-FROM --platform=$BUILDPLATFORM sonatypecommunity/nancy:alpine as nancy
+FROM --platform=$BUILDPLATFORM sonatypecommunity/nancy:alpine AS nancy
 COPY --from=builder /deps.jsonl /
 COPY /.nancy-ignore /
 RUN cat /deps.jsonl | nancy --skip-update-check --loud sleuth --no-color

Makefile

@@ -1,7 +1,7 @@
 GOFILES=$(shell find . -type f -name '*.go' -not -path "./code-generator/*" -not -path "./pkg/apis/*")
 GOPACKAGES=$(shell go list ./... | grep -v test/ | grep -v pkg/apis/)
 
-VERSION=v0.13.16
+VERSION=v0.13.17
 TAG=$(VERSION)
 GOTAGS='containers_image_openpgp'
 

go.mod

@@ -74,7 +74,7 @@ require (
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.6 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect

go.sum

@@ -383,6 +383,8 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-retryablehttp v0.7.6 h1:TwRYfx2z2C4cLbXmT8I5PgP/xmuqASDyiVuGYfs9GZM=
 github.com/hashicorp/go-retryablehttp v0.7.6/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
+github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
+github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
 github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
 github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=

helm/portieris/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: portieris
-version: v0.13.16
+version: v0.13.17
 description: Admission Controller webhook for enforcing image trust in your cluster
 maintainers:
   - name: Stuart Hayton

helm/portieris/values.yaml

@@ -15,7 +15,7 @@ image:
   host: icr.io/portieris
   pullSecret:
   image: portieris
-  tag: v0.13.16
+  tag: v0.13.17
   pullPolicy: Always
 
 service: