bump go to 1.22.6 #610

Open
wants to merge 3 commits into
base: eng

BergCyrill

Due to unfixed CVEs in Go <1.22.4, bump the Go version used to build the provider to 1.22.6.

The CVE (CVE-2024-24790) scores a 9.8 in the National Vulnerability Database.

@vmwclabot
Member

@BergCyrill, you must sign every commit in this pull request acknowledging our Developer Certificate of Origin before your changes are merged. This can be done by adding Signed-off-by: John Doe <[email protected]> to the last line of each Git commit message. The e-mail address used to sign must match the e-mail address of the Git author. Click here to view the Developer Certificate of Origin agreement.

@BergCyrill
Author

All commits are signed & signoff was made according to the DCO. I don't understand why the vmwclabot doesn't recognize this, I think it is a false behaviour.

BergCyrill marked this pull request as ready for review August 20, 2024 07:31

@vmwclabot
Member

@BergCyrill, you must sign every commit in this pull request acknowledging our Developer Certificate of Origin before your changes are merged. This can be done by adding Signed-off-by: John Doe <[email protected]> to the last line of each Git commit message. The e-mail address used to sign must match the e-mail address of the Git author. Click here to view the Developer Certificate of Origin agreement.

@BergCyrill
Author

OK, tried to fix the dco-required label issue. Worked for me on the terraform-provider-nsxt GitHub project but not here.

@vmwclabot
Member

@BergCyrill, you must sign every commit in this pull request acknowledging our Developer Certificate of Origin before your changes are merged. This can be done by adding Signed-off-by: John Doe <[email protected]> to the last line of each Git commit message. The e-mail address used to sign must match the e-mail address of the Git author. Click here to view the Developer Certificate of Origin agreement.

@BergCyrill
Author

Linting should now work with the selected Go toolchain version. The clabot still behaves weirdly.

@BergCyrill
Author

Is there anything that prevents this PR from being merged? The provider is currently unusable for me since it will not pass vulnerability checks.

@tenthirtyam

The DCO issue is related to the author mismatch in f930556, where [email protected] is used instead of [email protected].

commit dc48680d554cde221465f7baab18c728697947f7 (HEAD -> bump-go-1.22.6, origin/bump-go-1.22.6)
Author: Cyrill Berg <[email protected]>
Date:   Tue Aug 27 20:44:16 2024 +0200

    build: seperate toolchain version definition
    
    Signed-off-by: Cyrill Berg <[email protected]>

commit 819aea41da34d5709f5f0aa5dc1d8675f44306ac
Author: Cyrill Berg <[email protected]>
Date:   Tue Aug 27 20:40:43 2024 +0200

    ci: bump used golangci lint to supported version
    
    Signed-off-by: Cyrill Berg <[email protected]>

commit f9305564d2cc69d041add802de4a23bb55c69daf
Author: Cyrill Berg <[email protected]>
Date:   Tue Aug 20 08:56:59 2024 +0200

    bump go to 1.22.6
    
    Signed-off-by: Cyrill Berg <[email protected]>

Try:

git checkout f9305564d2cc69d041add802de4a23bb55c69daf

git commit --amend --author="Cyrill Berg <[email protected]>"

git push --force
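
The author/sign-off mismatch diagnosed in this comment can be checked locally before pushing. The following is an added example, not part of the thread or of the project's tooling: a shell function that reads default-format `git log` text and lists commits whose author e-mail has no matching `Signed-off-by` line. The function name `dco_mismatches` and the sample log with its made-up hashes and `.example` addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example: list commits whose author e-mail has no matching Signed-off-by.
# Reads default-format `git log` text on stdin; prints one line per failing commit.
dco_mismatches() {
  awk '
    # Return the address between "<" and ">" on a line.
    function email(s) { sub(/.*</, "", s); sub(/>.*/, "", s); return s }
    # Emit the previous commit if none of its sign-offs matched the author.
    function report() {
      if (hash != "" && !ok)
        printf "%s author=%s signoff=%s\n", hash, author, (seen == "" ? "none" : seen)
    }
    /^commit [0-9a-f]+/ { report(); hash = $2; author = ""; seen = ""; ok = 0; next }
    /^Author: /         { author = email($0); next }
    /^    Signed-off-by: / {          # trailers are indented four spaces
      e = email($0)
      seen = (seen == "" ? e : seen "," e)
      if (e == author) ok = 1
    }
    END { report() }
  '
}

# Constructed sample (hashes and .example addresses are made up).
SAMPLE_LOG='commit 3333333
Author: Dev Example <dev@corp.example>
Date:   Tue Aug 27 20:44:16 2024 +0200

    build: third change

    Signed-off-by: Dev Example <dev@corp.example>

commit 2222222
Author: Dev Example <dev@corp.example>
Date:   Tue Aug 27 20:40:43 2024 +0200

    ci: second change

commit 1111111
Author: Dev Example <dev@home.example>
Date:   Tue Aug 20 08:56:59 2024 +0200

    first change

    Signed-off-by: Dev Example <dev@corp.example>'

# On a real branch: git log --pretty=medium <base>..HEAD | dco_mismatches
printf '%s\n' "$SAMPLE_LOG" | dco_mismatches
```

An empty result means every commit in the range carries a sign-off from its own author address.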

@BergCyrill
Author

Thank you, I have totally overlooked this little detail in the commit author field. Should be better now.

@tenthirtyam

> Thank you, I have totally overlooked this little detail in the commit author field. Should be better now.

Looks good!

@BergCyrill
Author

@tenthirtyam is there anything I could do to get this PR merged and released?

@BergCyrill
Author

Anyone who can give an update on this? It gives a bad feeling if high severity CVEs are not fixed for such a long time even when someone tries to contribute. I'm willing to help, just give me a hint what is missing?!

@tenthirtyam

I'll ping the PM tomorrow.

@tenthirtyam

PMs have been informed.
