Bug 1216492 - VUL-0: container-diff: go1.19 is EOL
Summary: VUL-0: container-diff: go1.19 is EOL
Status: NEW
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Containers Team
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/382739/
Whiteboard:
Keywords:
Depends on:
Blocks: 1215611
Reported: 2023-10-23 11:12 UTC by Marcus Meissner
Modified: 2024-06-05 13:58 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2023-10-23 11:12:56 UTC
container-diff currently was last built against:

SUSE:SLE-12-SP4:Update/container-diff was built with SUSE:SLE-12:Update/go1.12-1.12.9-1.9.1
SUSE:SLE-15:Update/container-diff was built with SUSE:SLE-15:Update/go1.11-1.11.13-1.18.1


While it has unversioned go requires, a rebuild against go1.21 currently reports:

[   22s] + BUILDTAGS=
[   22s] + go build -tags '' -buildmode=pie -ldflags '-s -w -X github.com/GoogleContainerTools/container-diff/version.version=v0.15.0' -o bin/container-diff github.com/GoogleContainerTools/container-diff
[   22s] no required module provides package github.com/GoogleContainerTools/container-diff: go.mod file not found in current directory or any parent directory; see 'go help modules'
[   22s] error: Bad exit status from /var/tmp/rpm-tmp.ILU98p (%build)
[   22s]

probably needs to be converted to more modern go.

perhaps also we can just use the Factory version?
Comment 1 Marcus Meissner 2023-10-27 09:28:49 UTC
we reviewed use cases, so far it's unlikely the outdated go would cause security problems.

so currently we do not insist on a fix.