Skip to content

fix: Fixing git-urls dependency using another fork of the repo#17715

Closed
BKirov wants to merge 14 commits intoargoproj:masterfrom
BKirov:fix-git-urls
Closed

fix: Fixing git-urls dependency using another fork of the repo#17715
BKirov wants to merge 14 commits intoargoproj:masterfrom
BKirov:fix-git-urls

Conversation

@BKirov
Copy link

@BKirov BKirov commented Apr 3, 2024
edited
Loading

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@BKirov BKirov requested a review from a team as a code owner April 3, 2024 10:29
@BKirov BKirov requested a review from a team as a code owner April 3, 2024 10:41
@BKirov BKirov changed the title Fix git urls : Fixing git urls using another fork of the repo fix : Fixing git-urls dependency using another fork of the repo Apr 3, 2024
@BKirov BKirov changed the title fix : Fixing git-urls dependency using another fork of the repo fix: Fixing git-urls dependency using another fork of the repo Apr 3, 2024
@crenshaw-dev
Copy link
Member

crenshaw-dev commented Apr 3, 2024

Thanks, @BKirov! Can you fix the DCO check? Instructions are in the details link of the failed check.

@BKirov
Copy link
Author

BKirov commented Apr 3, 2024

Fixed @crenshaw-dev

jannfis
jannfis reviewed Apr 3, 2024
View reviewed changes
go.mod
github.com/tidwall/gjson v1.14.4 // indirect
github.com/tidwall/match v1.1.1 // indirect
github.com/tidwall/pretty v1.2.0 // indirect
github.com/whilp/git-urls v0.0.0-20191001220047-6db9661140c0 // indirect
Copy link
Member

@jannfis jannfis Apr 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was wondering if we should use a replace rule to get rid of all the instances in github.com/whilp/git-urls across our dependencies.

Copy link
Member

@crenshaw-dev crenshaw-dev Apr 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah good idea, come to think of it @BKirov that's the only way to be sure we clear up your image scanners.

Copy link
Author

@BKirov BKirov Apr 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed , can you please approve

Copy link
Member

@crenshaw-dev crenshaw-dev Apr 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm. The vunlerable version is still showing up as an indirect dependency. Do you need two replaces?

github.com/whilp/git-urls v0.0.0-20191001220047-6db9661140c0 // indirect

@BKirov BKirov force-pushed the fix-git-urls branch 6 times, most recently from bc87931 to 1d1b334 Compare April 4, 2024 11:13
suhas-chikkanna and others added 12 commits April 4, 2024 14:25
@suhas-chikkanna
chore: Update USERS.md (argoproj#17683)
6ba068f 
Add Shield.com as one of the users in the USER.md file

Signed-off-by: suhas-chikkanna <162577490+suhas-chikkanna@users.noreply.github.com>
Signed-off-by: Boyan Kirov <boyan.kirov@onetrust.com>
@kostis-codefresh
docs: clarify multiple sources example (argoproj#17698)
5316331 
Signed-off-by: Kostis (Codefresh) <39800303+kostis-codefresh@users.noreply.github.com>
Signed-off-by: Boyan Kirov <boyan.kirov@onetrust.com>
Replacing git-urls plugin from a new repo (fork)
6137fa2 
Signed-off-by: Boyan Kirov <boyan.kirov@onetrust.com>
Replacing git-urls plugin from a new repo (fork)
c2c9b9d 
Signed-off-by: Boyan Kirov <boyan.kirov@onetrust.com>
Replacing git-urls plugin from a new repo (fork)
48dc019 
Signed-off-by: Boyan Kirov <boyan.kirov@onetrust.com>
Replacing git-urls plugin from a new repo (fork)
7d90eb2 
Signed-off-by: Boyan Kirov <boyan.kirov@onetrust.com>
Replacing git-urls plugin from a new repo (fork)
468d47b 
Signed-off-by: Boyan Kirov <boyan.kirov@onetrust.com>
Replacing git-urls plugin from a new repo (fork)
c08f49d 
Signed-off-by: Boyan Kirov <boyan.kirov@onetrust.com>
Replacing git-urls plugin from a new repo (fork)
c0a04f3 
Signed-off-by: Boyan Kirov <boyan.kirov@onetrust.com>
Replacing git-urls plugin from a new repo (fork)
b686045 
Signed-off-by: Boyan Kirov <boyan.kirov@onetrust.com>
Replacing git-urls plugin from a new repo (fork)
97c547a 
Signed-off-by: Boyan Kirov <boyan.kirov@onetrust.com>
Replacing git-urls plugin from a new repo (fork) Signed-off-by: Boyan…
5fbabbd 
… Kirov <kirov.boyan@gmail.com>

Signed-off-by: Boyan Kirov <boyan.kirov@onetrust.com>
@BKirov
Copy link
Author

BKirov commented Apr 4, 2024

@crenshaw-dev @jannfis can you please approve

crenshaw-dev
crenshaw-dev requested changes Apr 4, 2024
View reviewed changes
go.mod
github.com/tidwall/gjson v1.14.4 // indirect
github.com/tidwall/match v1.1.1 // indirect
github.com/tidwall/pretty v1.2.0 // indirect
github.com/whilp/git-urls v0.0.0-20191001220047-6db9661140c0 // indirect
Copy link
Member

@crenshaw-dev crenshaw-dev Apr 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm. The vunlerable version is still showing up as an indirect dependency. Do you need two replaces?

github.com/whilp/git-urls v0.0.0-20191001220047-6db9661140c0 // indirect

@BKirov
Copy link
Author

BKirov commented Apr 4, 2024

@crenshaw-dev can you help with that ? where to put the second replace ? this line for the old github.com/whilp/git-urls v0.0.0-20191001220047-6db9661140c0 // indirect
was automatically created ....

@crenshaw-dev
Copy link
Member

crenshaw-dev commented Apr 4, 2024

@BKirov I'm not super up on how go mod works, but I think you could just add it after the existing replace.

was automatically created

Yep, because it's a transient dependency. So we haven't quite eliminated the vulnerable code yet.

@BKirov
Copy link
Author

BKirov commented Apr 4, 2024
edited
Loading

So i am addint it like that ? @crenshaw-dev
// Avoid CVE-2023-46402
github.com/whilp/git-urls v1.0.0 => github.com/chainguard-dev/git-urls v1.0.2
github.com/whilp/git-urls v0.0.0-20191001220047-6db9661140c0 => github.com/chainguard-dev/git-urls v1.0.2

`bkirov@OT-MAC-C02GX0AZQ6LX argo-cd % go mod tidy

go: github.com/chainguard-dev/git-urls@v1.0.2 used for two different module paths (github.com/chainguard-dev/git-urls and github.com/whilp/git-urls)`

crenshaw-dev
crenshaw-dev reviewed Apr 4, 2024
View reviewed changes
go.mod Outdated
github.com/grpc-ecosystem/grpc-gateway => github.com/grpc-ecosystem/grpc-gateway v1.16.0

// Avoid CVE-2023-46402
github.com/whilp/git-urls v1.0.0 => github.com/chainguard-dev/git-urls v1.0.2
Copy link
Member

@crenshaw-dev crenshaw-dev Apr 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
github.com/whilp/git-urls v1.0.0 => github.com/chainguard-dev/git-urls v1.0.2
github.com/whilp/git-urls => github.com/chainguard-dev/git-urls v1.0.2

Ah. That oughta do it.

Copy link
Member

@crenshaw-dev crenshaw-dev Apr 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't commit the suggestion here though, do it locally and then run go mod tidy.

@BKirov
Copy link
Author

BKirov commented Apr 4, 2024

@crenshaw-dev I am getting this locally and then here too :

go: github.com/chainguard-dev/git-urls@v1.0.2 used for two different module paths (github.com/chainguard-dev/git-urls and github.com/whilp/git-urls)

@crenshaw-dev
Copy link
Member

crenshaw-dev commented Apr 4, 2024

Trying fresh here: #17732

@crenshaw-dev
Copy link
Member

crenshaw-dev commented Apr 4, 2024

Merged here: #17732

Thanks for your patience @BKirov, it turned out to be trickier than expected. :-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@crenshaw-dev crenshaw-dev crenshaw-dev requested changes

@jannfis jannfis jannfis left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@BKirov @crenshaw-dev @jannfis @suhas-chikkanna @kostis-codefresh