[ https://issues.apache.org/jira/browse/YUNIKORN-2416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17819494#comment-17819494 ]

Yu-Lin Chen edited comment on YUNIKORN-2416 at 2/22/24 7:17 AM:
----------------------------------------------------------------

Hi [~chia7712],

The replace directives for the golang.org/x modules were introduced to address a CVE
in YUNIKORN-1449.
After rerunning the CVE check with the latest go.mod, only golang.org/x/net
must be replaced.

Currently, we are replacing the affected package in all the yunikorn projects.
However, I believe we should only replace it in the highest-hierarchy project
where we detected the CVE.

Let Go modules propagate the safer dependencies.
yunikorn-scheduler-interface (replace) -> yunikorn-core (replace) -> yunikorn-k8shim (replace)
yunikorn-scheduler-interface (replace) -> yunikorn-core (indirect) -> yunikorn-k8shim (indirect)


was (Author: yu-lin chen):
Hi [~chia7712],

The replace directives for the golang.org/x modules were introduced to address a CVE
in YUNIKORN-1449.
After rerunning the CVE check with the latest go.mod, only golang.org/x/net
must be replaced.

Currently, we are replacing the affected package in all the yunikorn projects.
However, I believe we should only replace it in the highest-hierarchy project
where we detected the CVE.

Let Go modules propagate the safer dependencies.
yunikorn-k8shim (replace) -> yunikorn-core (replace) -> yunikorn-k8shim (replace)
yunikorn-k8shim (replace) -> yunikorn-core (indirect) -> yunikorn-k8shim (indirect)

> Cleanup replace directives
> --------------------------
>
>                 Key: YUNIKORN-2416
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-2416
>             Project: Apache YuniKorn
>          Issue Type: Improvement
>            Reporter: Chia-Ping Tsai
>            Assignee: Yu-Lin Chen
>            Priority: Minor
>
> The replace directives should be used only if
> 1. the dependency is indirect, AND
> 2. the indirect version is too old or has CVEs
> For example: the core repo has the following deps in its replace directives:
> golang.org/x/crypto => golang.org/x/crypto v0.18.0
> this should be removed since the indirect version is v0.19.0
> golang.org/x/lint => golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
> this should be removed since we don't actually use it, and golangci-lint is
> its replacement in our CI.
> golang.org/x/net => golang.org/x/net v0.20.0
> this should be removed since this dep is used directly
> golang.org/x/sys => golang.org/x/sys v0.16.0
> this should be removed since the indirect version is v0.17.0
> golang.org/x/text => golang.org/x/text v0.14.0
> this should be removed since the indirect version is v0.14.0
> golang.org/x/tools => golang.org/x/tools v0.17.0
> this is the only one we should keep in the replace since the resolved version
> is v0.6.0 and it is too stale (released on Feb 8, 2023)
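The rule in the issue description above (keep a replace only for an indirect dependency whose resolved version is too old or vulnerable) and Yu-Lin's point about letting Go's module resolution propagate the safer version can be checked mechanically. The Go program below is an added example written for this page, not code from the YuniKorn project: SampleGoMod is a constructed go.mod modelled on the versions quoted in the description (it is not the real yunikorn-core file), the parser is a minimal block-only one rather than golang.org/x/mod, and the verdict strings are this example's own. Run over the sample it reproduces the description's conclusions: the x/crypto, x/lint and x/net replaces are unnecessary and only x/tools is justified.

```go
package main

import (
	"fmt"
	"slices"
	"strconv"
	"strings"
)

// SampleGoMod is a constructed go.mod echoing the issue's versions, not the real file.
const SampleGoMod = `require (
	golang.org/x/net v0.20.0
	golang.org/x/crypto v0.19.0 // indirect
	golang.org/x/tools v0.6.0 // indirect
)
replace (
	golang.org/x/crypto => golang.org/x/crypto v0.18.0
	golang.org/x/lint => golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
	golang.org/x/net => golang.org/x/net v0.20.0
	golang.org/x/tools => golang.org/x/tools v0.17.0
)`

// Requirement is one require line; Indirect mirrors the "// indirect" marker.
type Requirement struct {
	Version  string
	Indirect bool
}

// ParseGoMod reads the parenthesised require and replace blocks of a go.mod and
// returns replacements (module -> version) and requirements; not a full parser.
func ParseGoMod(src string) (map[string]string, map[string]Requirement) {
	reps, reqs, block := map[string]string{}, map[string]Requirement{}, ""
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "//") {
			continue
		}
		if line == ")" || strings.HasSuffix(line, "(") { // block boundary
			block = strings.TrimSuffix(strings.Fields(line)[0], ")") // "" on exit
		} else if block == "require" {
			if f := strings.Fields(line); len(f) >= 2 {
				reqs[f[0]] = Requirement{f[1], strings.Contains(line, "// indirect")}
			}
		} else if block == "replace" {
			old, repl, ok := strings.Cut(line, "=>")
			of, rf := strings.Fields(old), strings.Fields(repl)
			if ok && len(of) >= 1 && len(rf) == 2 { // rf is [path version]
				reps[of[0]] = rf[1]
			}
		}
	}
	return reps, reqs
}

// versionKey maps vMAJOR.MINOR.PATCH[-suffix] to a sortable key; the last element is
// 0 for a prerelease/pseudo-version and 1 for a bare release, so v0.0.0-2021... < v0.0.0.
func versionKey(v string) (key [4]int) {
	base, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	for i, p := range strings.SplitN(base, ".", 3) {
		key[i], _ = strconv.Atoi(p) // malformed components read as 0
	}
	if !pre {
		key[3] = 1
	}
	return key
}

// CompareVersions orders two module versions by semver, returning -1, 0 or +1.
func CompareVersions(a, b string) int {
	ka, kb := versionKey(a), versionKey(b)
	return slices.Compare(ka[:], kb[:])
}

// AuditReplaces applies the issue's rule: keep a replace only when the module is an
// indirect dependency AND the replacement is newer than what minimal version selection picks.
func AuditReplaces(src string) map[string]string {
	reps, reqs := ParseGoMod(src)
	verdict := map[string]string{}
	for mod, ver := range reps {
		req, listed := reqs[mod]
		switch {
		case !listed:
			verdict[mod] = "drop: not required at all"
		case !req.Indirect:
			verdict[mod] = "drop: direct dependency, bump the require line instead"
		case CompareVersions(ver, req.Version) <= 0:
			verdict[mod] = "drop: resolved " + req.Version + " is already >= " + ver
		default:
			verdict[mod] = "keep: lifts indirect " + req.Version + " to " + ver
		}
	}
	return verdict
}

func main() {
	for mod, v := range AuditReplaces(SampleGoMod) {
		fmt.Printf("%-20s %s\n", mod, v)
	}
}
```

`go run` prints one verdict per replaced module. Because the audit works from the go.mod text alone, it reports what the file declares, not what the full build list resolves after the upstream projects (scheduler-interface, core) publish their own bumps; a keep verdict is therefore a prompt to re-run the CVE check, for example with govulncheck, rather than proof that the pin is still needed.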



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
