CORENET-7116: Fix security job - exclude vendor and upgrade to SHA256 #3019
jluhrsen wants to merge 2 commits into
@jluhrsen: This pull request references CORENET-7116 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
No actionable comments were generated in the recent review.
Walkthrough: This pull request migrates hashing implementations to SHA-256 (utility CalculateHash and OVN-Kubernetes config-hash initializers) and adds a

Changes: Hash Algorithm Migration

Estimated code review effort: 3 (Moderate) | ~20 minutes
Pre-merge checks: 15 passed
Warning: There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. Tool affected: golangci-lint (2.12.2).
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jluhrsen

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.snyk:
- Around line 1-6: Update the broken Snyk docs link in the .snyk file: remove or
replace the invalid URL
"https://docs.snyk.io/scan-applications/snyk-code/using-snyk-code-from-the-cli/excluding-directories-and-files-from-the-snyk-code-cli-test"
with the current Snyk docs URL (or delete the reference entirely) so it no
longer returns 404; keep the other valid URL
("https://docs.snyk.io/snyk-cli/commands/ignore" or its redirect) as-is and
ensure the comment text still accurately reflects the referenced docs.
Files selected for processing (3):
.snyk
pkg/network/ovn_kubernetes.go
pkg/util/k8s/unstructured.go
| # References: | ||
| # https://docs.snyk.io/scan-applications/snyk-code/using-snyk-code-from-the-cli/excluding-directories-and-files-from-the-snyk-code-cli-test | ||
| # https://docs.snyk.io/snyk-cli/commands/ignore | ||
| exclude: | ||
| global: | ||
| - 'vendor/**' # Upstream dependencies (not project code) |
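Review bot: the first URL under `# References:` in this hunk is the one the link check below reports as returning 404, so it should be replaced with the current Snyk docs page for excluding files or dropped; the `# https://docs.snyk.io/snyk-cli/commands/ignore` line redirects and works, so it can stay. The `exclude: global: - 'vendor/**'` entry only takes vendored third-party code out of the scan; it does not cover the project's own MD5/SHA-1 uses in `pkg/network/ovn_kubernetes.go` and `pkg/util/k8s/unstructured.go`, which the second commit handles separately, so a comment in `.snyk` saying the exclude is scoped to upstream dependencies (not project code) would make that split clear to the next reader.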
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Verify that the Snyk documentation URLs are valid and return HTTP 200.
# A trailing newline in -w keeps each status code on its own line.
echo "Checking first documentation URL..."
curl -s -o /dev/null -w "%{http_code}\n" "https://docs.snyk.io/scan-applications/snyk-code/using-snyk-code-from-the-cli/excluding-directories-and-files-from-the-snyk-code-cli-test"
echo "Checking second documentation URL..."
curl -s -o /dev/null -w "%{http_code}\n" "https://docs.snyk.io/snyk-cli/commands/ignore"
```

Repository: openshift/cluster-network-operator
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail

check_url () {
    local url="$1"
    echo "== $url =="
    echo "-- HEAD (no redirect) --"
    curl -sS -o /dev/null -w "HTTP:%{http_code}\n" -I "$url" || true
    echo "-- GET follow redirects --"
    # Print final HTTP code and the final effective URL
    final_code=$(curl -sSL -o /dev/null -w "%{http_code}" "$url" || true)
    final_url=$(curl -sSL -o /dev/null -w "%{url_effective}" "$url" || true)
    echo "HTTP_AFTER_REDIRECTS:${final_code}"
    echo "URL_EFFECTIVE:${final_url}"
    echo
}

check_url "https://docs.snyk.io/scan-applications/snyk-code/using-snyk-code-from-the-cli/excluding-directories-and-files-from-the-snyk-code-cli-test"
check_url "https://docs.snyk.io/snyk-cli/commands/ignore"
```
Fix broken Snyk docs reference in .snyk
https://docs.snyk.io/scan-applications/snyk-code/using-snyk-code-from-the-cli/excluding-directories-and-files-from-the-snyk-code-cli-test returns 404 (link needs updating/removal). https://docs.snyk.io/snyk-cli/commands/ignore redirects to https://docs.snyk.io/developer-tools/snyk-cli/snyk-cli/commands/ignore and works.
Otherwise, excluding vendor/** looks appropriate for scanning third-party dependencies.
/test 5.0-upgrade-from-stable-4.22-e2e-azure-ovn-upgrade
Snyk was scanning vendored upstream dependencies which are not under our direct control.

Related: CORENET-7116
Signed-off-by: Jamo Luhrsen <jluhrsen@gmail.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Snyk scanner flags SHA1 and MD5 as weak hash algorithms even though we only use them for config change detection. Upgrading to SHA256 eliminates the warnings.

Related: CORENET-7116
Signed-off-by: Jamo Luhrsen <jluhrsen@gmail.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

/retest
@jluhrsen: all tests passed! Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Snyk scanner flags SHA1 and MD5 usage as weak hash algorithms even though they're only used for config change detection (not cryptographic purposes). Upgrading to SHA256 eliminates the scanner warnings without changing functionality.
Changes:
Related: CORENET-7116
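As an added illustration of the change this PR describes (not code from cluster-network-operator; the helper names and the map-of-strings config shape are assumptions), the MD5 form and its SHA-256 replacement side by side, plus the one behavioural consequence of the swap: a hash recorded by the old code never matches the new one, so the first reconcile after the upgrade reports a change even for identical config.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// canonicalize renders a config in sorted-key order so equal configs hash identically (hypothetical helper).
func canonicalize(cfg map[string]string) string {
	keys := make([]string, 0, len(cfg))
	for k := range cfg {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%s=%s\n", k, cfg[k])
	}
	return b.String()
}

// legacyConfigHash: pre-migration form, MD5 over the canonical config (32 hex chars).
// Snyk flags MD5 and SHA-1 as weak even though only equality is ever checked here.
func legacyConfigHash(cfg map[string]string) string {
	sum := md5.Sum([]byte(canonicalize(cfg)))
	return hex.EncodeToString(sum[:])
}

// configHash: post-migration form, SHA-256 over the same input (64 hex chars).
func configHash(cfg map[string]string) string {
	sum := sha256.Sum256([]byte(canonicalize(cfg)))
	return hex.EncodeToString(sum[:])
}

// configChanged compares the hash recorded at the last rollout with the current config.
func configChanged(recorded string, cfg map[string]string) bool {
	return recorded != configHash(cfg)
}
func main() {
	cfg := map[string]string{"mtu": "1400", "gateway-mode": "shared"}  // constructed sample
	same := map[string]string{"gateway-mode": "shared", "mtu": "1400"} // same keys, other order
	fmt.Println("md5:", legacyConfigHash(cfg), "sha256:", configHash(cfg))
	fmt.Println("changed, same config:", configChanged(configHash(cfg), same)) // false
	// An MD5 hash recorded before the upgrade never equals the SHA-256 one: one spurious "changed" on first reconcile.
	fmt.Println("changed, legacy recorded hash:", configChanged(legacyConfigHash(cfg), cfg)) // true
}
```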