Couchbase Kubernetes / K8S-3146

Update version of josephburnett/jd used by couchbase-fluent-bit


Details

    • Bug
    • Resolution: Fixed
    • Major
    • build, logging
    • Build Team 2023 Sprint 10
    • 0

    Description

      Our Black Duck scans for couchbase-fluent-bit are failing, and the reason after considerable investigation appears to be that Google screwed up:

      • couchbase-fluent-bit depends on github.com/josephburnett/jd v1.5.1
      • Google's proxy.golang.org serves up incorrect code for this module (the source code itself says it's "1.5.0" but it doesn't seem to correspond exactly to any version in Git history)
      • Google's sumdb.golang.org serves up the checksum h1:QmLNUewdF2CAezYKe1f/UIP9M5D9GtC+N7/qIyj3Pi8= for that module, which corresponds to the bad source code
      • Our Black Duck scan environment uses our internal Go proxy http://goproxy.build.couchbase.com/
      • Our proxy downloads unknown modules directly from the source (GitHub in this case), but trusts sumdb.golang.org for the checksums, and for this module they don't match
      • Hence, go module operations like "go mod why -m all" will fail for couchbase-fluent-bit if you have GOPROXY=http://goproxy.build.couchbase.com/ (or any proxy other than proxy.golang.org, likely)
      • Black Duck scans attempt to run that command, and fail
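
The failure chain above rests on one mechanism: the "h1:" checksum that go.sum and sumdb.golang.org record for a module is a hash over the exact bytes of the module zip, so a proxy that downloads from GitHub but trusts sumdb will reject the module as soon as the two sources differ by a single byte. The Go program below is an added illustration, not code from this issue or from couchbase-fluent-bit; it reimplements the published dirhash.Hash1 algorithm (the one the go command uses) and runs it over a constructed module whose two copies differ only in a version string. The module path example.com/jd and the file contents are placeholders, not the real jd sources, so it does not reproduce the real h1:QmLN... value.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ModuleFiles is a constructed stand-in for the contents of a module zip:
// zip path (module@version/relative/path) -> file bytes.
type ModuleFiles map[string][]byte

// Hash1 reimplements the "h1:" checksum algorithm used by the go command,
// go.sum and sumdb.golang.org (golang.org/x/mod/sumdb/dirhash.Hash1):
// for each file, in sorted path order, hash its contents with SHA-256 and
// append "<hex sha256>  <path>\n" to a summary; the checksum is
// "h1:" + base64(SHA-256(summary)).
func Hash1(files ModuleFiles) (string, error) {
	paths := make([]string, 0, len(files))
	for p := range files {
		if strings.Contains(p, "\n") {
			return "", errors.New("filenames with newlines are not supported")
		}
		paths = append(paths, p)
	}
	sort.Strings(paths)

	summary := sha256.New()
	for _, p := range paths {
		fileSum := sha256.Sum256(files[p])
		fmt.Fprintf(summary, "%x  %s\n", fileSum[:], p)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// ErrChecksumMismatch is the condition a proxy (or the go command) reports
// when fetched code does not hash to what the trusted sumdb says.
var ErrChecksumMismatch = errors.New("verifying module: checksum mismatch")

// Verify mirrors the decision the internal proxy makes: hash the bytes it
// actually downloaded (from GitHub) and compare against the checksum it
// trusts from sumdb.golang.org. Any byte-level difference fails.
func Verify(downloaded ModuleFiles, trustedSum string) error {
	got, err := Hash1(downloaded)
	if err != nil {
		return err
	}
	if got != trustedSum {
		return fmt.Errorf("%w: downloaded %s, sumdb %s", ErrChecksumMismatch, got, trustedSum)
	}
	return nil
}

// Constructed example data (not the real jd sources): the copy
// proxy.golang.org serves and the copy at the Git tag differ only in a
// version string, which is enough to change the h1 checksum.
func proxyCopy() ModuleFiles {
	return ModuleFiles{
		"example.com/jd@v1.5.1/go.mod":     []byte("module example.com/jd\n\ngo 1.18\n"),
		"example.com/jd@v1.5.1/version.go": []byte("package jd\n\nconst Version = \"1.5.0\"\n"),
	}
}

func gitCopy() ModuleFiles {
	m := proxyCopy()
	m["example.com/jd@v1.5.1/version.go"] = []byte("package jd\n\nconst Version = \"1.5.1\"\n")
	return m
}

func main() {
	// sumdb's checksum corresponds to the code proxy.golang.org serves.
	sumdbSum, _ := Hash1(proxyCopy())
	fmt.Println("sumdb says:   ", sumdbSum)

	// A proxy that fetches from GitHub but trusts sumdb sees this:
	if err := Verify(gitCopy(), sumdbSum); err != nil {
		fmt.Println("GitHub fetch: ", err)
	}
	// Fetching through proxy.golang.org itself is consistent with sumdb:
	fmt.Println("proxy fetch:  ", Verify(proxyCopy(), sumdbSum))
}
```

To check the real module rather than this placeholder, run `go mod download -json github.com/josephburnett/jd@v1.5.1` once with GOPROXY=https://proxy.golang.org and once with GOPROXY=direct (GONOSUMDB set for the module so the second run is not rejected outright) and compare the Sum fields; the two zips hash differently for exactly the reason the program shows.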

      People

        ceej Chris Hillery