CVE-2024-3727 oadp-1.4 GO-2024-2842: bump github.com/containers/image…

[weshayutin]

CVE-2024-3727 oadp-1.4 GO-2024-2842: bump github.com/containers/image/v5 v5.30.2

[openshift-ci-robot]

@weshayutin: No Jira issue with key GO-2024 exists in the tracker at https://issues.redhat.com/.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

In response to this:

CVE-2024-3727 oadp-1.4 GO-2024-2842: bump github.com/containers/image/v5 v5.30.2

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[weshayutin]

note:
go mod tidy
go: finding module for package github.com/migtools/udistribution/pkg/image/udistribution
go: finding module for package github.com/moby/docker-image-spec/specs-go/v1
go: found github.com/migtools/udistribution/pkg/image/udistribution in github.com/migtools/udistribution v0.0.6
go: found github.com/moby/docker-image-spec/specs-go/v1 in github.com/moby/docker-image-spec v1.3.1
go: github.com/konveyor/openshift-velero-plugin/velero-plugins/common imports
github.com/migtools/udistribution/pkg/image/udistribution: github.com/migtools/[email protected]: parsing go.mod:
module declares its path as: github.com/kaovilai/udistribution
but was required as: github.com/migtools/udistribution

[kaovilai]

How is this dependency being replaced/updated with?

[kaovilai]

Why don't we run

git reset --hard upstream/oadp-1.4 && go get github.com/containers/image/[email protected] && go get go.opentelemetry.io/otel/exporters/otlp/otlptrace/[email protected] && go mod tidy

here and this should be good.

[weshayutin]

is the migtools/udistribution something we need always manually put back in? It's removed after running go get github.com/containers/image/v5

happy to put it back

[weshayutin]

k. see your suggestion.. thank you

[weshayutin]

ran git reset --hard upstream/oadp-1.4 && go get github.com/containers/image/[email protected] && go get go.opentelemetry.io/otel/exporters/otlp/otlptrace/[email protected] && go mod tidy

got the same result.. I'll bow out and let someone w/ more chops play here.

[kaovilai]

Had to do essentially

GOTOOLCHAIN=go1.19 go get github.com/containers/image/[email protected] && go get github.com/migtools/[email protected] && go get go.opentelemetry.io/otel/exporters/otlp/otlptrace/[email protected] && go mod tidy;

lets see if unit test passes.

[openshift-ci]

@weshayutin: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai, shubham-pampattiwar, weshayutin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [kaovilai,shubham-pampattiwar]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kaovilai]

/lgtm