CVE-2024-6104: go-retryablehttp 0.7.7 #2392

Merged
2uasimojo merged 1 commit into openshift:mce-2.4 from 2uasimojo:CVE-2024-6104/mce-2.4
Aug 2, 2024

Conversation

@2uasimojo (Member) commented Aug 1, 2024

Manual bump due to cherry-pick conflicts

✗ Medium severity vulnerability found in github.com/hashicorp/go-retryablehttp
Description: Insertion of Sensitive Information into Log File
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGORETRYABLEHTTP-7362036
Introduced through: github.com/IBM/go-sdk-core/v5/core@5.16.3, github.com/IBM/networking-go-sdk/dnsrecordsv1@0.45.0, github.com/IBM/networking-go-sdk/zonesv1@0.45.0, github.com/IBM/vpc-go-sdk/vpcv1@0.50.0, github.com/IBM/platform-services-go-sdk/resourcecontrollerv2@0.62.0, github.com/IBM/platform-services-go-sdk/resourcemanagerv2@0.62.0, github.com/IBM/platform-services-go-sdk/iamidentityv1@0.62.0, github.com/openshift/installer/pkg/asset/machines/ibmcloud@#304af6735c65, github.com/openshift/installer/pkg/destroy/ibmcloud@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/gcp@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/aws@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/azure@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/openstack@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/vsphere@#304af6735c65
From: github.com/IBM/go-sdk-core/v5/core@5.16.3 > github.com/hashicorp/go-retryablehttp@0.7.5
From: github.com/IBM/networking-go-sdk/dnsrecordsv1@0.45.0 > github.com/IBM/go-sdk-core/v5/core@5.16.3 > github.com/hashicorp/go-retryablehttp@0.7.5
From: github.com/IBM/networking-go-sdk/zonesv1@0.45.0 > github.com/IBM/go-sdk-core/v5/core@5.16.3 > github.com/hashicorp/go-retryablehttp@0.7.5
and 25 more...
Fixed in: 0.7.7

CVE-2024-6104
ACM-12349

(not successfully cherry picked from commit 4cf4a4e)

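The bump above is only complete once every release branch's go.mod carries the fixed release, and the later cherry-pick to mce-2.3 shows that a manual merge can leave go.mod and go.sum in conflict. The following script is an added example, not code from this PR or its repository: it reads a go.mod from stdin, extracts the requirement for github.com/hashicorp/go-retryablehttp (direct or indirect), and reports whether it is at or above 0.7.7, the fixed version named in the Snyk report. The two go.mod snippets and the module path example.com/app are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the PR): verify a go.mod requires
# github.com/hashicorp/go-retryablehttp at or above the fixed release.

MODULE="github.com/hashicorp/go-retryablehttp"
FIXED="0.7.7"   # "Fixed in: 0.7.7" per the Snyk report for CVE-2024-6104

# Print the version of $MODULE required by the go.mod read from stdin.
# Handles both "require mod vX" and the "require ( ... )" block form;
# strips the leading "v". Prints nothing if the module is absent.
retryablehttp_version() {
    awk -v mod="$MODULE" '
        { i = ($1 == "require") ? 2 : 1 }
        $i == mod { v = $(i + 1); sub(/^v/, "", v); print v; exit }
    '
}

# version_ge A B: true when dotted version A >= B (numeric per component,
# so a pseudo-version such as 0.7.6-0.2024... compares as 0.7.6).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            ai = (i <= n) ? x[i] + 0 : 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# check_gomod CONTENTS: exit 0 when the pinned version is fixed, 1 otherwise.
check_gomod() {
    v=$(printf '%s\n' "$1" | retryablehttp_version)
    if [ -n "$v" ] && version_ge "$v" "$FIXED"; then
        echo "ok: $MODULE v$v (>= v$FIXED)"
        return 0
    fi
    echo "VULNERABLE: $MODULE v${v:-<missing>} < v$FIXED (CVE-2024-6104)"
    return 1
}

# Constructed go.mod resembling the state reported by Snyk (0.7.5 via go-sdk-core).
VULN_GOMOD='module example.com/app

go 1.21

require (
	github.com/IBM/go-sdk-core/v5 v5.16.3
	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
)'

# Constructed go.mod resembling the state after this bump.
FIXED_GOMOD='module example.com/app

go 1.21

require (
	github.com/IBM/go-sdk-core/v5 v5.16.3
	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
)'

# Usage: in a real checkout, run `check_gomod "$(cat go.mod)"` on each branch.
check_gomod "$VULN_GOMOD" || echo "  -> bump required on this branch"
check_gomod "$FIXED_GOMOD"
```

Running this against each release branch after a cherry-pick catches the case where the merge resolved go.mod by keeping the older requirement; pairing it with `go mod verify` confirms go.sum still matches the modules that were actually downloaded.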
@openshift-ci-robot

@2uasimojo: No Jira issue with key CVE-2024 exists in the tracker at https://issues.redhat.com/.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.


In response to this:

Manual bump due to cherry-pick conflicts

✗ Medium severity vulnerability found in github.com/hashicorp/go-retryablehttp
Description: Insertion of Sensitive Information into Log File
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGORETRYABLEHTTP-7362036
Introduced through: github.com/IBM/go-sdk-core/v5/core@5.16.3, github.com/IBM/networking-go-sdk/dnsrecordsv1@0.45.0, github.com/IBM/networking-go-sdk/zonesv1@0.45.0, github.com/IBM/vpc-go-sdk/vpcv1@0.50.0, github.com/IBM/platform-services-go-sdk/resourcecontrollerv2@0.62.0, github.com/IBM/platform-services-go-sdk/resourcemanagerv2@0.62.0, github.com/IBM/platform-services-go-sdk/iamidentityv1@0.62.0, github.com/openshift/installer/pkg/asset/machines/ibmcloud@#304af6735c65, github.com/openshift/installer/pkg/destroy/ibmcloud@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/gcp@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/aws@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/azure@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/openstack@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/vsphere@#304af6735c65
From: github.com/IBM/go-sdk-core/v5/core@5.16.3 > github.com/hashicorp/go-retryablehttp@0.7.5
From: github.com/IBM/networking-go-sdk/dnsrecordsv1@0.45.0 > github.com/IBM/go-sdk-core/v5/core@5.16.3 > github.com/hashicorp/go-retryablehttp@0.7.5
From: github.com/IBM/networking-go-sdk/zonesv1@0.45.0 > github.com/IBM/go-sdk-core/v5/core@5.16.3 > github.com/hashicorp/go-retryablehttp@0.7.5
and 25 more...
Fixed in: 0.7.7

CVE-2024-6104

(not successfully cherry picked from commit 4cf4a4e)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from lleshchi and suhanime August 1, 2024 19:48
openshift-ci bot (Contributor) commented Aug 1, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 2uasimojo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 1, 2024
openshift-ci-robot commented Aug 1, 2024

@2uasimojo: No Jira issue with key CVE-2024 exists in the tracker at https://issues.redhat.com/.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.


In response to this:

Manual bump due to cherry-pick conflicts

✗ Medium severity vulnerability found in github.com/hashicorp/go-retryablehttp
Description: Insertion of Sensitive Information into Log File
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGORETRYABLEHTTP-7362036
Introduced through: github.com/IBM/go-sdk-core/v5/core@5.16.3, github.com/IBM/networking-go-sdk/dnsrecordsv1@0.45.0, github.com/IBM/networking-go-sdk/zonesv1@0.45.0, github.com/IBM/vpc-go-sdk/vpcv1@0.50.0, github.com/IBM/platform-services-go-sdk/resourcecontrollerv2@0.62.0, github.com/IBM/platform-services-go-sdk/resourcemanagerv2@0.62.0, github.com/IBM/platform-services-go-sdk/iamidentityv1@0.62.0, github.com/openshift/installer/pkg/asset/machines/ibmcloud@#304af6735c65, github.com/openshift/installer/pkg/destroy/ibmcloud@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/gcp@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/aws@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/azure@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/openstack@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/vsphere@#304af6735c65
From: github.com/IBM/go-sdk-core/v5/core@5.16.3 > github.com/hashicorp/go-retryablehttp@0.7.5
From: github.com/IBM/networking-go-sdk/dnsrecordsv1@0.45.0 > github.com/IBM/go-sdk-core/v5/core@5.16.3 > github.com/hashicorp/go-retryablehttp@0.7.5
From: github.com/IBM/networking-go-sdk/zonesv1@0.45.0 > github.com/IBM/go-sdk-core/v5/core@5.16.3 > github.com/hashicorp/go-retryablehttp@0.7.5
and 25 more...
Fixed in: 0.7.7

CVE-2024-6104
ACM-12349

(not successfully cherry picked from commit 4cf4a4e)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

codecov bot commented Aug 1, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 57.59%. Comparing base (c167b11) to head (b9bebcf).

@@           Coverage Diff            @@
##           mce-2.4    #2392   +/-   ##
========================================
  Coverage    57.59%   57.59%           
========================================
  Files          187      187           
  Lines        25851    25851           
========================================
  Hits         14889    14889           
  Misses        9713     9713           
  Partials      1249     1249           

@2uasimojo (Member, Author) commented

/override ci/prow/security

Backport of #2387 will address

openshift-ci bot (Contributor) commented Aug 1, 2024

@2uasimojo: Overrode contexts on behalf of 2uasimojo: ci/prow/security


In response to this:

/override ci/prow/security

Backport of #2387 will address

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci bot (Contributor) commented Aug 1, 2024

@2uasimojo: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name         Commit   Details  Required  Rerun command
ci/prow/security  b9bebcf  link     true      /test security

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@2uasimojo (Member, Author) commented

/assign @suhanime

2uasimojo merged commit ca97367 into openshift:mce-2.4 Aug 2, 2024
2uasimojo deleted the CVE-2024-6104/mce-2.4 branch August 2, 2024 15:44
@2uasimojo (Member, Author) commented

/cherry-pick mce-2.3

@openshift-cherrypick-robot

@2uasimojo: #2392 failed to apply on top of branch "mce-2.3":

Applying: CVE-2024-6104: go-retryablehttp 0.7.7
.git/rebase-apply/patch:3109: trailing whitespace.
	
.git/rebase-apply/patch:3109: new blank line at EOF.
+
warning: 2 lines add whitespace errors.
Using index info to reconstruct a base tree...
M	go.mod
M	go.sum
M	vendor/modules.txt
Falling back to patching base and 3-way merge...
Auto-merging vendor/modules.txt
CONFLICT (content): Merge conflict in vendor/modules.txt
Removing vendor/golang.org/x/sys/windows/empty.s
Removing vendor/golang.org/x/sys/unix/fstatfs_zos.go
Removing vendor/golang.org/x/sys/unix/epoll_zos.go
Auto-merging go.sum
CONFLICT (content): Merge conflict in go.sum
Auto-merging go.mod
CONFLICT (content): Merge conflict in go.mod
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 CVE-2024-6104: go-retryablehttp 0.7.7
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".


In response to this:

/cherry-pick mce-2.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
