diff --git a/CHANGELOG.md b/CHANGELOG.md
index d2a56361..63680ac1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,13 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 ## v-next
+## v0.13.17
+
+Released: 2024-07-15
+
+* Remediates NIST-CVE-2024-6104 in github.com/hashicorp/go-retryablehttp
+* Remediates CVE-2024-24789, CVE-2024-24790 using go-toolset:1.21.11
+
 ## v0.13.16
diff --git a/Dockerfile b/Dockerfile
index 0208ccf5..3cb333cb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # This first stage of the build uses go-toolset to build the portieris binary creates
 # a simplified operating system image that satisfies vulnerability scanning requirements
-FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi8/go-toolset:1.20.12 as builder
+FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi8/go-toolset:1.21.11 AS builder
 ARG PORTIERIS_VERSION=undefined
 # switch to root user as we need to run yum and rpm to ensure packages are up to date
@@ -22,7 +22,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
     -tags containers_image_openpgp -o /opt/app-root/bin/portieris ./cmd/portieris
 RUN go version -m -v /opt/app-root/bin/portieris | (grep dep || true) | awk '{print "{\"Path\": \""$2 "\", \"Version\": \"" $3 "\"}"}' > /deps.jsonl
-FROM registry.access.redhat.com/ubi8/go-toolset:1.20.12 as installer
+FROM registry.access.redhat.com/ubi8/go-toolset:1.21.11 AS installer
 ARG TARGETOS TARGETARCH
 USER root
 RUN yum update -y
@@ -48,7 +48,7 @@ RUN rpm --root /image --initdb \
 # Check dependencies for vulnerabilities
-FROM --platform=$BUILDPLATFORM sonatypecommunity/nancy:alpine as nancy
+FROM --platform=$BUILDPLATFORM sonatypecommunity/nancy:alpine AS nancy
 COPY --from=builder /deps.jsonl /
 COPY /.nancy-ignore /
 RUN cat /deps.jsonl | nancy --skip-update-check --loud sleuth --no-color
diff --git a/Makefile b/Makefile
index 1c290be0..87f3f1de 100644
--- a/Makefile
+++ b/Makefile
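Review bot: The rewritten `FROM --platform=$BUILDPLATFORM sonatypecommunity/nancy:alpine AS nancy` line still pulls the vulnerability scanner by a floating tag with no digest, so the `nancy sleuth` gate that this release leans on to confirm the go-retryablehttp and go-toolset remediations can change, or be substituted at the registry, between two builds of the same commit. The two `go-toolset:1.21.11` references have the same property: a tag is mutable, only a digest is an immutable reference. Since this commit already touches every FROM line, it is the natural place to pin each base image by digest, e.g. `FROM --platform=$BUILDPLATFORM sonatypecommunity/nancy:alpine@sha256:<digest> AS nancy`, keeping the tag alongside for readability and refreshing the digest in the same commit as the tag bump. The `.nancy-ignore` file copied into that stage is outside this diff, so I cannot tell whether it suppresses either CVE named in the changelog; worth confirming it does not.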
@@ -1,7 +1,7 @@
 GOFILES=$(shell find . -type f -name '*.go' -not -path "./code-generator/*" -not -path "./pkg/apis/*")
 GOPACKAGES=$(shell go list ./... | grep -v test/ | grep -v pkg/apis/)
-VERSION=v0.13.16
+VERSION=v0.13.17
 TAG=$(VERSION)
 GOTAGS='containers_image_openpgp'
diff --git a/go.mod b/go.mod
index 211ab1f3..db6a1c77 100644
--- a/go.mod
+++ b/go.mod
@@ -74,7 +74,7 @@ require (
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.6 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
diff --git a/go.sum b/go.sum
index b4339478..4954dda9 100644
--- a/go.sum
+++ b/go.sum
@@ -383,6 +383,8 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-retryablehttp v0.7.6 h1:TwRYfx2z2C4cLbXmT8I5PgP/xmuqASDyiVuGYfs9GZM=
 github.com/hashicorp/go-retryablehttp v0.7.6/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
+github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
+github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
 github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
 github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
diff --git a/helm/portieris/Chart.yaml b/helm/portieris/Chart.yaml
index 32c78035..bd9edb3b 100644
--- a/helm/portieris/Chart.yaml
+++ b/helm/portieris/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: portieris
-version: v0.13.16
+version: v0.13.17
 description: Admission Controller webhook for enforcing image trust in your cluster
 maintainers:
 - name: Stuart Hayton
diff --git a/helm/portieris/values.yaml b/helm/portieris/values.yaml
index b4be5dd8..09da51a0 100644
--- a/helm/portieris/values.yaml
+++ b/helm/portieris/values.yaml
@@ -15,7 +15,7 @@ image:
   host: icr.io/portieris
   pullSecret:
   image: portieris
-  tag: v0.13.16
+  tag: v0.13.17
   pullPolicy: Always
 service: