SREP-3895 CVEs remediation, image rebuild#474
SREP-3895 CVEs remediation, image rebuild#474diakovnec wants to merge 1 commit intoopenshift:masterfrom
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: diakovnec The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
Warning Rate limit exceeded
⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
WalkthroughThe pull request updates the Go toolchain version from 1.25.3 to 1.25.7 in Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@Makefile`:
- Line 20: The Makefile currently sets SYNCSET_GENERATOR_IMAGE to a floating tag
(SYNCSET_GENERATOR_IMAGE :=
registry.ci.openshift.org/openshift/release:golang-1.25); update this to an
immutable digest-pinned reference that matches the Go 1.25.7 toolchain used
elsewhere (e.g.,
registry.ci.openshift.org/openshift/release:<exact-tag>@sha256:<digest>),
replacing the floating tag with the exact tag@sha256 value so builds are
reproducible and consistent with go.mod/build/Dockerfile; ensure
SYNCSET_GENERATOR_IMAGE is the only changed symbol and verify the digest
corresponds to the Go 1.25.7 image.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: ade8af48-1d15-4b32-bc0b-8eab50cb1aaa
📒 Files selected for processing (3)
Makefilebuild/Dockerfilego.mod
Makefile
Outdated
| PKG_IMG ?= $(IMG_REGISTRY)/$(IMG_ORG)/${BASE_PKG_IMG} | ||
|
|
||
| SYNCSET_GENERATOR_IMAGE := registry.ci.openshift.org/openshift/release:golang-1.21 | ||
| SYNCSET_GENERATOR_IMAGE := registry.ci.openshift.org/openshift/release:golang-1.25 |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== Current toolchain/image references =="
rg -n '^(go [0-9]+\.[0-9]+\.[0-9]+|SYNCSET_GENERATOR_IMAGE|ARG BASE_IMAGE)' go.mod Makefile build/Dockerfile
echo
python - <<'PY'
import re, pathlib
mk = pathlib.Path("Makefile").read_text()
m = re.search(r'^SYNCSET_GENERATOR_IMAGE\s*:?=\s*(\S+)', mk, re.M)
if not m:
raise SystemExit("SYNCSET_GENERATOR_IMAGE not found")
img = m.group(1)
print(f"SYNCSET_GENERATOR_IMAGE={img}")
print(f"uses_digest={'@sha256:' in img}")
print(f"has_patch_tag={bool(re.search(r':[^\s:@]*\\d+\\.\\d+\\.\\d+', img))}")
PYRepository: openshift/managed-cluster-validating-webhooks
Length of output: 612
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Correct Python script to verify SYNCSET_GENERATOR_IMAGE details
python3 <<'PY'
import re
import pathlib
mk = pathlib.Path("Makefile").read_text()
m = re.search(r'^SYNCSET_GENERATOR_IMAGE\s*:?=\s*(\S+)', mk, re.MULTILINE)
if not m:
raise SystemExit("SYNCSET_GENERATOR_IMAGE not found")
img = m.group(1)
print(f"SYNCSET_GENERATOR_IMAGE={img}")
print(f"has_digest={('@sha256:' in img)}")
# Check for patch-level tag
has_patch = bool(re.search(r':\d+\.\d+\.\d+', img))
print(f"has_patch_version={has_patch}")
PY
# Search for other image references in Makefile or CI configs
echo "== Looking for other image pins to establish pattern =="
rg -n 'IMAGE.*:=|@sha256:|golang-1\.' Makefile .github/ ci/ --type-list | head -20 || echo "CI config search completed"Repository: openshift/managed-cluster-validating-webhooks
Length of output: 699
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Find CI/workflow files
echo "== CI Configuration Files =="
fd -e yaml -e yml -e sh | grep -E '(\.github|\.prow|ci|workflow)' | head -20
# Look at Makefile context around line 20
echo
echo "== Makefile context (lines 15-25) =="
sed -n '15,25p' Makefile
# Search for any other registry.ci.openshift.org references
echo
echo "== Other registry.ci references =="
rg 'registry\.ci\.openshift\.org' -B 2 -A 2Repository: openshift/managed-cluster-validating-webhooks
Length of output: 117
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== Makefile context (lines 1-30) =="
head -30 Makefile
echo
echo "== Search for any image/tag patterns =="
rg 'registry\.' MakefileRepository: openshift/managed-cluster-validating-webhooks
Length of output: 1095
Pin the SYNCSET_GENERATOR_IMAGE to an immutable digest reference.
Line 20 uses a floating tag (golang-1.25). This can silently drift from the validated CVE-remediated toolchain pinned in go.mod (1.25.7) and build/Dockerfile (1.25.7-1774351791), breaking reproducibility and weakening security guarantees for generated SyncSet artifacts and tests.
Replace the floating tag with a specific digest-pinned reference from the OpenShift CI registry (e.g., registry.ci.openshift.org/openshift/release:<specific-tag>@sha256:<digest>). The exact digest should reference the same Go 1.25.7 toolchain patch used elsewhere in the build.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@Makefile` at line 20, The Makefile currently sets SYNCSET_GENERATOR_IMAGE to
a floating tag (SYNCSET_GENERATOR_IMAGE :=
registry.ci.openshift.org/openshift/release:golang-1.25); update this to an
immutable digest-pinned reference that matches the Go 1.25.7 toolchain used
elsewhere (e.g.,
registry.ci.openshift.org/openshift/release:<exact-tag>@sha256:<digest>),
replacing the floating tag with the exact tag@sha256 value so builds are
reproducible and consistent with go.mod/build/Dockerfile; ensure
SYNCSET_GENERATOR_IMAGE is the only changed symbol and verify the digest
corresponds to the Go 1.25.7 image.
|
/retest |
|
@diakovnec: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
1 participant
This PR addresses multiple CVEs that exist in the base image: