Bug 1216492

Summary: VUL-0: container-diff: go1.19 is EOL
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Containers Team <containers-bugowner>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: rfrohl, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/382739/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1215611

Description Marcus Meissner 2023-10-23 11:12:56 UTC
container-diff currently was last built against:

SUSE:SLE-12-SP4:Update/container-diff was built with SUSE:SLE-12:Update/go1.12-1.12.9-1.9.1
SUSE:SLE-15:Update/container-diff was built with SUSE:SLE-15:Update/go1.11-1.11.13-1.18.1


While it has unversioned go requires, a rebuild against go1.21 currently reports:

[   22s] + BUILDTAGS=
[   22s] + go build -tags '' -buildmode=pie -ldflags '-s -w -X github.com/GoogleContainerTools/container-diff/version.version=v0.15.0' -o bin/container-diff github.com/GoogleContainerTools/container-diff
[   22s] no required module provides package github.com/GoogleContainerTools/container-diff: go.mod file not found in current directory or any parent directory; see 'go help modules'
[   22s] error: Bad exit status from /var/tmp/rpm-tmp.ILU98p (%build)
[   22s]

probably needs to be converted to more modern go.

perhaps also we can just use the Factory version?

Comment 1 Marcus Meissner 2023-10-27 09:28:49 UTC
we reviewed use cases, so far it's unlikely the outdated go would cause security problems.

so currently we do not insist on a fix.