Skip to content

fix: update golang.org/x/net to v0.38.0 in pvcviewer-controller #790

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
asaadbalum wants to merge 1 commit into
base: notebooks-v1
Choose a base branch
from
Open

fix: update golang.org/x/net to v0.38.0 in pvcviewer-controller #790

asaadbalum wants to merge 1 commit into from
+15 −15

Conversation

@asaadbalum
Copy link

@asaadbalum asaadbalum commented Dec 9, 2025
edited
Loading

Description

Update golang.org/x/net from v0.24.0 to v0.38.0 in the pvcviewer-controller to fix security vulnerabilities.

CVEs Fixed:

Related Issue: Closes #782 (PR 1)

Changes

Updated dependencies in components/pvcviewer-controller/go.mod:

Dependency Old Version New Version
golang.org/x/net v0.24.0 v0.38.0
golang.org/x/sys v0.19.0 v0.31.0
golang.org/x/term v0.19.0 v0.30.0
golang.org/x/text v0.14.0 v0.23.0
golang.org/x/tools v0.20.0 v0.22.0

Note: The additional golang.org/x/* packages are transitive dependencies of golang.org/x/net. They were automatically updated by go mod tidy to maintain compatibility.

Testing

Local Build & Tests

Test Result
go mod tidy ✅ Pass
go vet ./... ✅ No issues
make manager ✅ Builds cleanly
Unit tests (10/10) ✅ 65.4% coverage
staticcheck ./... ✅ No new issues

CVE Verification (Trivy Scan)

=== Searching for CVE-2025-22870 ===
NOT FOUND - FIXED ✅

=== Searching for CVE-2025-22872 ===
NOT FOUND - FIXED ✅

=== Current golang.org/x/net version ===
golang.org/x/net v0.38.0 // indirect

End-to-End Cluster Verification

Environment:

  • Fedora 42 (kernel 6.14.2)
  • Kind cluster with Podman
  • Kubeflow notebooks-v1

Custom Image Deployed:
ghcr.io/kubeflow/notebooks/pvcviewer-controller:dcfd8fb

All Kubeflow Pods Running:

pvcviewer-controller-manager-794458c69b-gf5nk       3/3     Running
volumes-web-app-deployment-5698b6c5c9-5p4kp         2/2     Running
notebook-controller-deployment-c4f4fb986-h2k95      2/2     Running
jupyter-web-app-deployment-555bd4c7f6-wwdl4         2/2     Running
centraldashboard-5f49c896c7-m2v8l                   2/2     Running
...

Controller Logs (healthy):

INFO  controller-runtime.builder  Registering a mutating webhook
INFO  controller-runtime.builder  Registering a validating webhook  
INFO  setup  starting manager
successfully acquired lease kubeflow/57a72bdf.kubeflow.org
INFO  Starting Controller  {"controller": "pvcviewer"}
INFO  Starting workers  {"worker count": 1}

Dashboard Verification:

  • ✅ Login with Dex authentication
  • ✅ Central Dashboard loads
  • ✅ Volumes page functional
  • ✅ PVCViewer webhooks registered

Acceptance Criteria

  • Run go mod tidy to ensure dependencies are clean
  • Run make manager to build the controller
  • Run unit tests to verify functionality
  • CI workflows pass (unit, integration, multi-arch tests)
  • Deploy to notebooks-v1 cluster and verify PVCViewer component
  • Verify CVEs are fixed via Trivy scan

Signed-off-by: Asaad Balum [email protected]

@github-project-automation github-project-automation bot moved this to Needs Triage in Kubeflow Notebooks Dec 9, 2025
@google-oss-prow
Copy link

google-oss-prow bot commented Dec 9, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kimwnasptd for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot added the area/controller area - related to controller components label Dec 9, 2025
@google-oss-prow google-oss-prow bot requested a review from kimwnasptd December 9, 2025 08:20
@google-oss-prow google-oss-prow bot added the area/v1 area - version - kubeflow notebooks v1 label Dec 9, 2025
@asaadbalum asaadbalum marked this pull request as draft December 9, 2025 08:21
@google-oss-prow google-oss-prow bot requested a review from liavweiss December 9, 2025 08:41
@asaadbalum asaadbalum changed the title fix(pvcviewer-controller): update golang.org/x/net to v0.38.0 fix: update golang.org/x/net to v0.38.0 in pvcviewer-controller Dec 9, 2025
@asaadbalum
fix: update golang.org/x/net to v0.38.0 in pvcviewer-controller
dcfd8fb 
Update golang.org/x/net from v0.24.0 to v0.38.0 to fix:
- CVE-2025-22870
- CVE-2025-22872

This update also bumps related transitive dependencies:
- golang.org/x/sys: v0.19.0 → v0.31.0
- golang.org/x/term: v0.19.0 → v0.30.0
- golang.org/x/text: v0.14.0 → v0.23.0
- golang.org/x/tools: v0.20.0 → v0.22.0

Testing performed:
- go mod tidy - completed successfully
- go vet ./... - no issues found
- make manager - controller builds cleanly
- Unit tests - all 10 tests pass with 65.4% coverage

Part of: kubeflow#782

Signed-off-by: Asaad Balum <[email protected]>
@asaadbalum asaadbalum force-pushed the 782/fix-pvcviewer-golang-x-net-cve branch from 1cb1b59 to dcfd8fb Compare December 9, 2025 09:08
@asaadbalum asaadbalum marked this pull request as ready for review December 9, 2025 09:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kimwnasptd kimwnasptd Awaiting requested review from kimwnasptd

@TobiasGoerke TobiasGoerke Awaiting requested review from TobiasGoerke

@liavweiss liavweiss Awaiting requested review from liavweiss

Assignees

No one assigned

Labels

area/controller area - related to controller components area/v1 area - version - kubeflow notebooks v1 size/M

Projects

Kubeflow Notebooks
Status: Needs Triage

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@asaadbalum