Skip to content

[WIP] Do not Merge, Build image use only.#246

Closed
HigashikataZhangsuke wants to merge 2 commits intospectro-masterfrom
Fix-Day2OPs
Closed

[WIP] Do not Merge, Build image use only.#246
HigashikataZhangsuke wants to merge 2 commits intospectro-masterfrom
Fix-Day2OPs

Conversation

@HigashikataZhangsuke
Copy link

@HigashikataZhangsuke HigashikataZhangsuke commented Dec 12, 2025

Do not Merge, Build image use only.

@spectro-prow
Copy link

spectro-prow commented Dec 12, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: HigashikataZhangsuke
To complete the pull request process, please assign after the PR has been reviewed.
You can assign the PR to them by writing /assign in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

bulwark-spectrocloud[bot]
bulwark-spectrocloud bot requested changes Dec 12, 2025
View reviewed changes
Copy link

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ GoVulnCheck scan found vulnerabilities:

  1. GO-2025-3754
    • Module: github.com/cloudflare/circl
    • Found in: v1.3.7
    • Fixed in: v1.6.1
    • Example Traces:
      1. cmd/clusterctl/internal/test/fake_github.go:24:2: test.init calls github.init, which eventually calls ed448.init
      2. cmd/clusterctl/internal/test/fake_github.go:24:2: test.init calls github.init, which eventually calls ed25519.init
      3. cmd/clusterctl/internal/test/fake_github.go:24:2: test.init calls github.init, which eventually calls x448.init
      4. cmd/clusterctl/internal/test/fake_github.go:24:2: test.init calls github.init, which eventually calls x25519.init
      5. cmd/clusterctl/internal/test/fake_github.go:24:2: test.init calls github.init, which eventually calls ed25519.init

Please review these findings and fix the issues before merging.

bulwark-spectrocloud[bot]
bulwark-spectrocloud bot requested changes Dec 12, 2025
View reviewed changes
Copy link

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ GoSec scan found code issues:

  1. G115: integer overflow conversion int64 -> int32, Severity: HIGH
      1. File: /home/runner/work/bulwark/bulwark/target-repo/internal/controllers/cluster/cluster_controller_status.go:107:63
      1. File: /home/runner/work/bulwark/bulwark/target-repo/internal/controllers/cluster/cluster_controller_status.go:104:70
      1. File: /home/runner/work/bulwark/bulwark/target-repo/internal/contract/types.go:129:22
      1. File: /home/runner/work/bulwark/bulwark/target-repo/internal/test/envtest/environment.go:89:47
      1. File: /home/runner/work/bulwark/bulwark/target-repo/internal/controllers/machineset/machineset_controller_status.go:189:26
      1. File: /home/runner/work/bulwark/bulwark/target-repo/internal/controllers/machineset/machineset_controller_status.go:123:26
      1. File: /home/runner/work/bulwark/bulwark/target-repo/internal/controllers/machineset/machineset_controller.go:1207:37
      1. File: /home/runner/work/bulwark/bulwark/target-repo/internal/controllers/machineset/machineset_controller.go:1206:33
      1. File: /home/runner/work/bulwark/bulwark/target-repo/internal/controllers/machineset/machineset_controller.go:1205:40
      1. File: /home/runner/work/bulwark/bulwark/target-repo/internal/controllers/machineset/machineset_controller.go:1204:28
      1. File: /home/runner/work/bulwark/bulwark/target-repo/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go:690:26
      1. File: /home/runner/work/bulwark/bulwark/target-repo/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go:678:27
      1. File: /home/runner/work/bulwark/bulwark/target-repo/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go:253:33
      1. File: /home/runner/work/bulwark/bulwark/target-repo/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go:238:35
      1. File: /home/runner/work/bulwark/bulwark/target-repo/internal/controllers/machinedeployment/mdutil/util.go:726:14
    • ... (truncated), run gosec locally to capture all failure for the rule G115
  2. G404: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand), Severity: HIGH
      1. File: /home/runner/work/bulwark/bulwark/target-repo/util/util.go:61:8
      1. File: /home/runner/work/bulwark/bulwark/target-repo/util/conversion/conversion.go:160:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/test/infrastructure/inmemory/internal/controllers/inmemorymachine_controller.go:616:43
      1. File: /home/runner/work/bulwark/bulwark/target-repo/test/infrastructure/inmemory/internal/controllers/inmemorymachine_controller.go:478:33
      1. File: /home/runner/work/bulwark/bulwark/target-repo/test/infrastructure/inmemory/internal/controllers/inmemorymachine_controller.go:468:40
      1. File: /home/runner/work/bulwark/bulwark/target-repo/test/infrastructure/inmemory/internal/controllers/inmemorymachine_controller.go:411:43
      1. File: /home/runner/work/bulwark/bulwark/target-repo/test/infrastructure/inmemory/internal/controllers/inmemorymachine_controller.go:307:43
      1. File: /home/runner/work/bulwark/bulwark/target-repo/test/infrastructure/inmemory/internal/controllers/inmemorymachine_controller.go:269:43
      1. File: /home/runner/work/bulwark/bulwark/target-repo/test/infrastructure/docker/exp/internal/controllers/dockermachinepool_controller_phases.go:95:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/test/framework/machinedeployment_helpers.go:379:100
      1. File: /home/runner/work/bulwark/bulwark/target-repo/test/framework/machinedeployment_helpers.go:378:96
      1. File: /home/runner/work/bulwark/bulwark/target-repo/test/framework/machinedeployment_helpers.go:377:93
      1. File: /home/runner/work/bulwark/bulwark/target-repo/test/e2e/clusterclass_rollout.go:226:46
      1. File: /home/runner/work/bulwark/bulwark/target-repo/test/e2e/clusterclass_rollout.go:225:81
      1. File: /home/runner/work/bulwark/bulwark/target-repo/test/e2e/clusterclass_rollout.go:224:77
    • ... (truncated), run gosec locally to capture all failure for the rule G404
  3. G402: TLS InsecureSkipVerify set true., Severity: HIGH
      1. File: /home/runner/work/bulwark/bulwark/target-repo/test/infrastructure/inmemory/pkg/server/mux.go:466:24
      1. File: /home/runner/work/bulwark/bulwark/target-repo/controlplane/kubeadm/internal/workload_cluster.go:469:62

Please review these findings and fix the issues before merging.

@HigashikataZhangsuke
Copy link
Author

HigashikataZhangsuke commented Feb 24, 2026

Done in PEM-10055

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bulwark-spectrocloud bulwark-spectrocloud[bot] bulwark-spectrocloud[bot] requested changes

Assignees

No one assigned

Labels

do not merge do-not-merge/work-in-progress size/L

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@HigashikataZhangsuke @spectro-prow