
Conversation

@rayaisaiah
Contributor

Reason for Change:
Updates golang.org/x/net in go.mod from v0.35.0 to v0.36.0 to resolve CVE-2025-22870, which is present in v0.35.0.

Issue Fixed:
Trivy scan of NPM on current v1.5 release (v1.5.44):

```text
mcr.microsoft.com/containernetworking/azure-npm:v1.5.44 (ubuntu 20.04)
======================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/bin/azure-npm (gobinary)
============================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2025-22870 │ MEDIUM   │ fixed  │ v0.34.0           │ 0.36.0        │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:  │
│                  │                │          │        │                   │               │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-22870                │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
```

Trivy scan of NPM after go.mod golang.org/x/net v0.36.0 update:

```text
acnpublic.azurecr.io/azure-npm:v1.5.45Fix (ubuntu 20.04)
========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```

Requirements:

Notes:

* removed all logs from npm dataplane (except error/warning logs)

* removed all logs from npm controller (except error/warning logs)

* restored logs that are unused by current npm (v2)

* removed test files

* resolved comments

* keep log related to reconciling chain placement when the chain is not in the right place

* added bootup logs back

* Removed two more noisy logs

* Add loglevel config option when printing application insight logs

* Updated all non-error/warning logs to commented out and with a vap TODO

* fixed typo

* small typo fix

* updated configmap with loglevel

* updated default value

* added a default value for loglevel

* fixed typo in json

* removed comma

* changed loglevel to info in configmap

* add a short sleep in TestNetPolInBackgroundSkipAddAfterRemove

* test remove dataplane changes to see if race condition fixes

* Revert "test remove dataplane changes to see if race condition fixes"

This reverts commit 08697eb.

* test

* Revert "test"

This reverts commit 449c2af.

* test

* update dataplane to test if changes are flagged in race

* added stop channels to unit tests to avoid race conditions

* add non noisy logs back

* increased time

* revert time change after RunPeriodicTasks

* test with 1000 seconds

* 5000 milliseconds

* tweaked the delay

* update to 1500 for defer

* increased to 1500

* increase to 2000

* removed kubernetes
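The description above verifies the bump by rescanning the built image with Trivy. As an added Go example (not part of this PR or the project's code), the gate below reads a go.mod text and checks that golang.org/x/net is at or above the v0.36.0 fix version Trivy reports for CVE-2025-22870, rejecting pseudo-versions and pre-release tags rather than mis-ordering them. The sample go.mod content, the module path example.com/npm-check and the function names are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod excerpt (not the project's real file) in the pre-fix state Trivy flagged.
const sampleGoMod = "module example.com/npm-check\n\nrequire (\n\tgolang.org/x/net v0.35.0\n\tgolang.org/x/sys v0.30.0\n)\n"
// FixedNetVersion is the fix version Trivy lists for CVE-2025-22870.
const FixedNetVersion = "v0.36.0"

// RequiredVersion returns the version the go.mod text requires for modulePath (block form).
func RequiredVersion(goMod, modulePath string) (string, bool) {
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		if line == "require (" || line == ")" { // ")" also closes replace/exclude blocks
			inBlock = line == "require ("
			continue
		}
		if f := strings.Fields(line); inBlock && len(f) >= 2 && f[0] == modulePath {
			return f[1], true
		}
	}
	return "", false
}
// parse accepts exactly "vMAJOR.MINOR.PATCH"; pre-release tags and pseudo-versions are rejected.
func parse(v string) ([3]int, error) {
	var p [3]int
	_, _ = fmt.Sscanf(v, "v%d.%d.%d", &p[0], &p[1], &p[2])
	if fmt.Sprintf("v%d.%d.%d", p[0], p[1], p[2]) != v {
		return p, fmt.Errorf("unsupported version %q", v)
	}
	return p, nil
}

// NetIsPatched reports whether goMod pins golang.org/x/net at or above FixedNetVersion.
func NetIsPatched(goMod string) (bool, error) {
	v, ok := RequiredVersion(goMod, "golang.org/x/net")
	if !ok { // fail closed: a CI gate must not pass when the module is simply absent
		return false, fmt.Errorf("golang.org/x/net is not required in go.mod")
	}
	have, err := parse(v)
	want, _ := parse(FixedNetVersion)
	for i := 0; err == nil && i < 3; i++ { // lexicographic major, minor, patch
		if have[i] != want[i] {
			return have[i] > want[i], nil
		}
	}
	return err == nil, err // equal to the fix version counts as patched
}
```

Trivy itself inspects the module list embedded in the built binary, so this check complements rather than replaces the image scan shown above.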
Copilot AI review requested due to automatic review settings March 20, 2025 23:16
@rayaisaiah rayaisaiah requested a review from a team as a code owner March 20, 2025 23:16
@rayaisaiah rayaisaiah requested a review from vipul-21 March 20, 2025 23:16
Contributor

Copilot AI left a comment

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

Files not reviewed (1)
  • go.mod: Language not supported

@rayaisaiah rayaisaiah added npm Related to NPM. linux labels Mar 20, 2025
@rayaisaiah
Contributor Author

/azp run Azure Container Networking PR

@rayaisaiah
Contributor Author

/azp run NPM Conformance Tests

@rayaisaiah
Contributor Author

/azp run NPM Scale Test

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@azure-pipelines

Azure Pipelines could not run because the pipeline triggers exclude this branch/path.

@rayaisaiah rayaisaiah enabled auto-merge March 20, 2025 23:19
huntergregory
huntergregory previously approved these changes Mar 20, 2025
@huntergregory huntergregory disabled auto-merge March 20, 2025 23:24
@rayaisaiah
Contributor Author

rayaisaiah commented Mar 20, 2025

Manually ran the scale and conformance pipelines since there is no (direct) change to the npm directory.

scale: https://msazure.visualstudio.com/One/_build/results?buildId=118731448&view=results
conformance: https://msazure.visualstudio.com/One/_build/results?buildId=118731454&view=results

huntergregory
huntergregory previously approved these changes Mar 21, 2025
@rayaisaiah rayaisaiah closed this Mar 21, 2025
@rayaisaiah rayaisaiah reopened this Mar 21, 2025
@rayaisaiah rayaisaiah added this pull request to the merge queue Mar 21, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 21, 2025
@rayaisaiah rayaisaiah added this pull request to the merge queue Mar 21, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 21, 2025
@rayaisaiah rayaisaiah added this pull request to the merge queue Mar 21, 2025
Merged via the queue into release/v1.5 with commit b544f8c Mar 22, 2025
10 checks passed
@rayaisaiah rayaisaiah deleted the isaiahraya/fix-npm-cve-2025-22870 branch March 22, 2025 00:49