
CVE-2024-6104: go-retryablehttp 0.7.7#2353

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:mce-2.5 from 2uasimojo:CVE-2024-6104/mce-2.5
Aug 1, 2024

Conversation

@2uasimojo
Member

Manual bump due to cherry-pick conflicts

✗ Medium severity vulnerability found in github.com/hashicorp/go-retryablehttp
  Description: Insertion of Sensitive Information into Log File
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGORETRYABLEHTTP-7362036
  Introduced through: github.com/IBM/go-sdk-core/v5/core@5.16.3, github.com/IBM/networking-go-sdk/dnsrecordsv1@0.45.0, github.com/IBM/networking-go-sdk/zonesv1@0.45.0, github.com/IBM/vpc-go-sdk/vpcv1@0.50.0, github.com/IBM/platform-services-go-sdk/resourcecontrollerv2@0.62.0, github.com/IBM/platform-services-go-sdk/resourcemanagerv2@0.62.0, github.com/IBM/platform-services-go-sdk/iamidentityv1@0.62.0, github.com/openshift/installer/pkg/asset/machines/ibmcloud@#304af6735c65, github.com/openshift/installer/pkg/destroy/ibmcloud@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/gcp@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/aws@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/azure@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/openstack@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/vsphere@#304af6735c65
  From: github.com/IBM/go-sdk-core/v5/core@5.16.3 > github.com/hashicorp/go-retryablehttp@0.7.5
  From: github.com/IBM/networking-go-sdk/dnsrecordsv1@0.45.0 > github.com/IBM/go-sdk-core/v5/core@5.16.3 > github.com/hashicorp/go-retryablehttp@0.7.5
  From: github.com/IBM/networking-go-sdk/zonesv1@0.45.0 > github.com/IBM/go-sdk-core/v5/core@5.16.3 > github.com/hashicorp/go-retryablehttp@0.7.5
  and 25 more...
  Fixed in: 0.7.7

CVE-2024-6104

(not successfully cherry picked from commit 48a52a1)

@openshift-ci-robot

@2uasimojo: No Jira issue with key CVE-2024 exists in the tracker at https://issues.redhat.com/.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.


@openshift-ci openshift-ci bot requested review from jstuever and lleshchi July 11, 2024 21:04
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 11, 2024
@codecov

codecov bot commented Jul 11, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 57.91%. Comparing base (a76abfc) to head (4cf4a4e).
Report is 2 commits behind head on mce-2.5.

Additional details and impacted files

@@             Coverage Diff             @@
##           mce-2.5    #2353      +/-   ##
===========================================
+ Coverage    57.87%   57.91%   +0.04%     
===========================================
  Files          187      187              
  Lines        26082    26326     +244     
===========================================
+ Hits         15095    15248     +153     
- Misses        9721     9792      +71     
- Partials      1266     1286      +20     

see 1 file with indirect coverage changes

@2uasimojo
Member Author

security would need a cherry-pick of #2319.

@2uasimojo
Member Author

/retest

Still expect security to fail on azidentity -- see #2387.

@2uasimojo
Member Author

/override "Red Hat Konflux / hive-mce-25-on-pull-request"

@openshift-ci
Contributor

openshift-ci bot commented Jul 31, 2024

@2uasimojo: Overrode contexts on behalf of 2uasimojo: Red Hat Konflux / hive-mce-25-on-pull-request


@2uasimojo
Member Author

/test all

...is what I meant. Get new results on this branch.

@2uasimojo 2uasimojo mentioned this pull request Jul 31, 2024
@2uasimojo
Member Author

/override ci/prow/security

@openshift-ci
Contributor

openshift-ci bot commented Jul 31, 2024

@2uasimojo: Overrode contexts on behalf of 2uasimojo: ci/prow/security


@2uasimojo
Member Author

/assign @suhanime

@2uasimojo
Member Author

/override "Red Hat Konflux / hive-mce-25-on-pull-request"

@openshift-ci
Contributor

openshift-ci bot commented Aug 1, 2024

@2uasimojo: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

  • Red Hat Konflux / hive-mce-25-on-pull-request

Only the following failed contexts/checkruns were expected:

  • ci/prow/coverage
  • ci/prow/e2e
  • ci/prow/e2e-pool
  • ci/prow/images
  • ci/prow/security
  • ci/prow/unit
  • ci/prow/verify
  • pull-ci-openshift-hive-master-coverage
  • pull-ci-openshift-hive-master-e2e
  • pull-ci-openshift-hive-master-e2e-pool
  • pull-ci-openshift-hive-master-images
  • pull-ci-openshift-hive-master-security
  • pull-ci-openshift-hive-master-unit
  • pull-ci-openshift-hive-master-verify
  • tide

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.


@suhanime
Contributor

suhanime commented Aug 1, 2024

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 1, 2024
@openshift-ci
Contributor

openshift-ci bot commented Aug 1, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 2uasimojo, suhanime


@openshift-ci
Contributor

openshift-ci bot commented Aug 1, 2024

@2uasimojo: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name         Commit   Details  Required  Rerun command
ci/prow/security  4cf4a4e  link     true      /test security



@openshift-merge-bot openshift-merge-bot bot merged commit beababc into openshift:mce-2.5 Aug 1, 2024
@2uasimojo 2uasimojo deleted the CVE-2024-6104/mce-2.5 branch August 1, 2024 19:32
@2uasimojo
Member Author

/cherry-pick mce-2.4

@openshift-cherrypick-robot

@2uasimojo: #2353 failed to apply on top of branch "mce-2.4":

Applying: CVE-2024-6104: go-retryablehttp 0.7.7
.git/rebase-apply/patch:3111: trailing whitespace.
	
.git/rebase-apply/patch:3111: new blank line at EOF.
+
warning: 2 lines add whitespace errors.
Using index info to reconstruct a base tree...
M	go.mod
M	go.sum
M	vendor/modules.txt
Falling back to patching base and 3-way merge...
Auto-merging vendor/modules.txt
Removing vendor/golang.org/x/sys/windows/empty.s
Removing vendor/golang.org/x/sys/unix/fstatfs_zos.go
Removing vendor/golang.org/x/sys/unix/epoll_zos.go
Auto-merging go.sum
CONFLICT (content): Merge conflict in go.sum
Auto-merging go.mod
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 CVE-2024-6104: go-retryablehttp 0.7.7
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".


@2uasimojo
Member Author

mce-2.4: #2392
