From 5c5323c83de16df4e125e68432f2a5bec8427c29 Mon Sep 17 00:00:00 2001
From: Gary Swalling <31018813+gjswalling@users.noreply.github.com>
Date: Tue, 28 Jan 2025 17:07:04 -0800
Subject: [PATCH 1/8] Upgrade golang/x/net for CVE-2023-39325 and CVE-2023-44487
---
 .../CVE-2022-41273.patch | 124 ------------------
 .../CVE-2024-45338.patch | 64 ---------
 ...pplication-gateway-kubernetes-ingress.spec | 13 +-
 ...olang-x-net-updated-to-version0-34-0.patch | 3 +
 4 files changed, 11 insertions(+), 193 deletions(-)
 delete mode 100644 SPECS/application-gateway-kubernetes-ingress/CVE-2022-41273.patch
 delete mode 100644 SPECS/application-gateway-kubernetes-ingress/CVE-2024-45338.patch
 create mode 100644 SPECS/application-gateway-kubernetes-ingress/golang-x-net-updated-to-version0-34-0.patch
diff --git a/SPECS/application-gateway-kubernetes-ingress/CVE-2022-41273.patch b/SPECS/application-gateway-kubernetes-ingress/CVE-2022-41273.patch
deleted file mode 100644
index 9357743fb59..00000000000
--- a/SPECS/application-gateway-kubernetes-ingress/CVE-2022-41273.patch
+++ /dev/null
@@ -1,124 +0,0 @@ -diff --git a/http2/hpack/hpack.go b/http2/hpack/hpack.go -index b184a27..7a1d976 100644 ---- a/http2/hpack/hpack.go -+++ b/http2/hpack/hpack.go -@@ -359,6 +359,7 @@ - - var hf HeaderField - wantStr := d.emitEnabled || it.indexed() -+ var undecodedName undecodedString - if nameIdx > 0 { - ihf, ok := d.at(nameIdx) - if !ok { -@@ -366,15 +367,27 @@ - } - hf.Name = ihf.Name - } else { -- hf.Name, buf, err = d.readString(buf, wantStr) -+ undecodedName, buf, err = d.readString(buf) - if err != nil { - return err - } - } -- hf.Value, buf, err = d.readString(buf, wantStr) -+ undecodedValue, buf, err := d.readString(buf) - if err != nil { - return err - } -+ if wantStr { -+ if nameIdx <= 0 { -+ hf.Name, err = d.decodeString(undecodedName) -+ if err != nil { -+ return err -+ } -+ } -+ hf.Value, err = d.decodeString(undecodedValue) -+ if err != nil { -+ return err -+ } -+ } - d.buf = buf - if it.indexed() { - d.dynTab.add(hf) -@@ -459,46 +472,52 @@ - return 0, origP, errNeedMore - } - --// readString decodes an hpack string from p. -+// readString reads an hpack string from p. - // --// wantStr is whether s will be used. If false, decompression and --// []byte->string garbage are skipped if s will be ignored --// anyway. This does mean that huffman decoding errors for non-indexed --// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server --// is returning an error anyway, and because they're not indexed, the error --// won't affect the decoding state. --func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) { -+// It returns a reference to the encoded string data to permit deferring decode costs -+// until after the caller verifies all data is present. 
-+func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) { - if len(p) == 0 { -- return "", p, errNeedMore -+ return u, p, errNeedMore - } - isHuff := p[0]&128 != 0 - strLen, p, err := readVarInt(7, p) - if err != nil { -- return "", p, err -+ return u, p, err - } - if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) { -- return "", nil, ErrStringLength -+ // Returning an error here means Huffman decoding errors -+ // for non-indexed strings past the maximum string length -+ // are ignored, but the server is returning an error anyway -+ // and because the string is not indexed the error will not -+ // affect the decoding state. -+ return u, nil, ErrStringLength - } - if uint64(len(p)) < strLen { -- return "", p, errNeedMore -+ return u, p, errNeedMore - } -- if !isHuff { -- if wantStr { -- s = string(p[:strLen]) -- } -- return s, p[strLen:], nil -- } -+ u.isHuff = isHuff -+ u.b = p[:strLen] -+ return u, p[strLen:], nil -+} - -- if wantStr { -- buf := bufPool.Get().(*bytes.Buffer) -- buf.Reset() // don't trust others -- defer bufPool.Put(buf) -- if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil { -- buf.Reset() -- return "", nil, err -- } -- s = buf.String() -- buf.Reset() // be nice to GC -+type undecodedString struct { -+ isHuff bool -+ b []byte -+} -+ -+func (d *Decoder) decodeString(u undecodedString) (string, error) { -+ if !u.isHuff { -+ return string(u.b), nil - } -- return s, p[strLen:], nil -+ buf := bufPool.Get().(*bytes.Buffer) -+ buf.Reset() // don't trust others -+ var s string -+ err := huffmanDecode(buf, d.maxStrLen, u.b) -+ if err == nil { -+ s = buf.String() -+ } -+ buf.Reset() // be nice to GC -+ bufPool.Put(buf) -+ return s, err - } diff --git a/SPECS/application-gateway-kubernetes-ingress/CVE-2024-45338.patch b/SPECS/application-gateway-kubernetes-ingress/CVE-2024-45338.patch deleted file mode 100644 index ecfb199d033..00000000000 
--- a/SPECS/application-gateway-kubernetes-ingress/CVE-2024-45338.patch
+++ /dev/null
@@ -1,64 +0,0 @@ -From 16acb322637a8ee779fa757345d7aef0ac16e69e Mon Sep 17 00:00:00 2001 -From: Rohit Rawat -Date: Thu, 2 Jan 2025 10:22:13 +0000 -Subject: [PATCH] Fix CVE CVE-2024-45338 in - application-gateway-kubernetes-ingress - ---- - vendor/golang.org/x/net/html/doctype.go | 2 +- - vendor/golang.org/x/net/html/foreign.go | 3 +-- - vendor/golang.org/x/net/html/parse.go | 4 ++-- - 3 files changed, 4 insertions(+), 5 deletions(-) - -diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go -index c484e5a..bca3ae9 100644 ---- a/vendor/golang.org/x/net/html/doctype.go -+++ b/vendor/golang.org/x/net/html/doctype.go -@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { - } - } - if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && -- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { -+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { - quirks = true - } - } -diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go -index 9da9e9d..e8515d8 100644 ---- a/vendor/golang.org/x/net/html/foreign.go -+++ b/vendor/golang.org/x/net/html/foreign.go -@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { - if n.Data == "annotation-xml" { - for _, a := range n.Attr { - if a.Key == "encoding" { -- val := strings.ToLower(a.Val) -- if val == "text/html" || val == "application/xhtml+xml" { -+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { - return true - } - } -diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go -index 291c919..d93fe03 100644 ---- a/vendor/golang.org/x/net/html/parse.go -+++ b/vendor/golang.org/x/net/html/parse.go -@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { - if p.tok.DataAtom == a.Input { - for _, t := range p.tok.Attr { - if t.Key == "type" { -- if 
strings.ToLower(t.Val) == "hidden" { -+ if strings.EqualFold(t.Val, "hidden") { - // Skip setting framesetOK = false - return true - } -@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { - return inHeadIM(p) - case a.Input: - for _, t := range p.tok.Attr { -- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { -+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { - p.addElement() - p.oe.pop() - return true --- -2.39.4 - diff --git a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec index 99e94cf9042..920dfb17e3d 100644 --- a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec +++ b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec @@ -2,7 +2,7 @@ Summary: Application Gateway Ingress Controller Name: application-gateway-kubernetes-ingress Version: 1.7.2 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -24,8 +24,8 @@ Source0: https://github.com/Azure/application-gateway-kubernetes-ingress/ # Source1: %{name}-%{version}-vendor.tar.gz Patch0: CVE-2022-21698.patch -Patch1: CVE-2022-41273.patch -Patch2: CVE-2024-45338.patch +# CVE-2022-41273, CVE-2024-45338, CVE-2023-39325, CVE-2023-44487 +Patch1: golang-x-net-updated-to-version0-34-0.patch BuildRequires: golang >= 1.13 @@ -39,8 +39,7 @@ to act as the ingress for an AKS cluster. rm -rf vendor tar -xf %{SOURCE1} --no-same-owner %patch 0 -p1 -d vendor/github.com/prometheus/client_golang -%patch 1 -p1 -d vendor/golang.org/x/net -%patch 2 -p1 +%patch 1 -p1 %build export VERSION=%{version} 
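Review bot: Nothing in `%prep` checks that the vendor tarball actually carries the golang.org/x/net release named in the changelog, now that the hunk at `@@ -39,8 +39,7 @@` stops applying the two x/net patches. A stale or regenerated tarball would then build without the CVE-2022-41273 and CVE-2024-45338 fixes, and the build would still succeed. A one-line guard after `tar -xf %{SOURCE1} --no-same-owner` would turn that into a build failure, for example `grep -q '^# golang.org/x/net v0\.34\.0$' vendor/modules.txt`. The `%prep` section begins and continues outside this hunk.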
@@ -59,6 +58,10 @@ cp appgw-ingress %{buildroot}%{_bindir}/ %{_bindir}/appgw-ingress %changelog +* Tue Jan 28 2025 Gary Swalling - 1.7.2-4 +- Update golang.org/x/net to 0.34.0 for CVE-2023-39325, CVE-2023-44487 +- Removed golang.org/x/net patches which are no longer needed + * Tue Dec 31 2024 Rohit Rawat - 1.7.2-3 - Add patch for CVE-2024-45338 diff --git a/SPECS/application-gateway-kubernetes-ingress/golang-x-net-updated-to-version0-34-0.patch b/SPECS/application-gateway-kubernetes-ingress/golang-x-net-updated-to-version0-34-0.patch new file mode 100644 index 00000000000..80218bce409 --- /dev/null +++ b/SPECS/application-gateway-kubernetes-ingress/golang-x-net-updated-to-version0-34-0.patch @@ -0,0 +1,3 @@ +This patch fixes CVE-2022-41273, CVE-2024-45338, CVE-2023-39325, CVE-2023-44487 - gaswal 2025-01-28 +Updated golang.org/x/net to version 0.34.0 in vendor tarball...nothing to patch. +--- From 5b622f0404ae759f98e8903b6e3fdb8cee347cc0 Mon Sep 17 00:00:00 2001 From: Gary Swalling <31018813+gjswalling@users.noreply.github.com> Date: Tue, 28 Jan 2025 17:41:23 -0800 Subject: [PATCH 2/8] remove empty patch, scanner will detect updated gotlang/x/net --- .../application-gateway-kubernetes-ingress.spec | 3 --- .../golang-x-net-updated-to-version0-34-0.patch | 3 --- 2 files changed, 6 deletions(-) delete mode 100644 SPECS/application-gateway-kubernetes-ingress/golang-x-net-updated-to-version0-34-0.patch diff --git a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec index 920dfb17e3d..365b854ae02 100644 --- a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec +++ b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec 
@@ -24,8 +24,6 @@ Source0: https://github.com/Azure/application-gateway-kubernetes-ingress/ # Source1: %{name}-%{version}-vendor.tar.gz Patch0: CVE-2022-21698.patch -# CVE-2022-41273, CVE-2024-45338, CVE-2023-39325, CVE-2023-44487 -Patch1: golang-x-net-updated-to-version0-34-0.patch BuildRequires: golang >= 1.13 @@ -39,7 +37,6 @@ to act as the ingress for an AKS cluster. rm -rf vendor tar -xf %{SOURCE1} --no-same-owner %patch 0 -p1 -d vendor/github.com/prometheus/client_golang -%patch 1 -p1 %build export VERSION=%{version} diff --git a/SPECS/application-gateway-kubernetes-ingress/golang-x-net-updated-to-version0-34-0.patch b/SPECS/application-gateway-kubernetes-ingress/golang-x-net-updated-to-version0-34-0.patch deleted file mode 100644 index 80218bce409..00000000000 --- a/SPECS/application-gateway-kubernetes-ingress/golang-x-net-updated-to-version0-34-0.patch +++ /dev/null @@ -1,3 +0,0 @@ -This patch fixes CVE-2022-41273, CVE-2024-45338, CVE-2023-39325, CVE-2023-44487 - gaswal 2025-01-28 -Updated golang.org/x/net to version 0.34.0 in vendor tarball...nothing to patch. ---- From e87be71357397a80a5ec7ad71a818807c632216f Mon Sep 17 00:00:00 2001 From: Gary Swalling <31018813+gjswalling@users.noreply.github.com> Date: Wed, 29 Jan 2025 10:27:24 -0800 Subject: [PATCH 3/8] add release to vendor tarball --- .../application-gateway-kubernetes-ingress.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec index 365b854ae02..cb1133fd0b7 100644 --- a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec +++ b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec 
@@ -20,7 +20,7 @@ Source0: https://github.com/Azure/application-gateway-kubernetes-ingress/ # --mtime="2021-04-26 00:00Z" \ # --owner=0 --group=0 --numeric-owner \ # --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ -# -cf %%{name}-%%{version}-vendor.tar.gz vendor +# -cf %%{name}-%%{version}-%%{release}-vendor.tar.gz vendor # Source1: %{name}-%{version}-vendor.tar.gz Patch0: CVE-2022-21698.patch From e7c3033fac31ff58b4803ceb6b15af81df1d62d7 Mon Sep 17 00:00:00 2001 From: Gary Swalling <31018813+gjswalling@users.noreply.github.com> Date: Wed, 29 Jan 2025 16:00:53 -0800 Subject: [PATCH 4/8] follow docker-compose example for generate_source_tarball.sh --- .../generate_source_tarball.sh | 41 +++++++++++++------ 1 file changed, 29 insertions(+), 12 deletions(-) diff --git a/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh b/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh index fcab42ea772..de08190a344 100755 --- a/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh +++ b/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh @@ -7,15 +7,17 @@ set -e PKG_VERSION="" SRC_TARBALL="" +VENDOR_VERSION="2" OUT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" # parameters: # -# --srcTarball : src tarball file -# this file contains the 'initial' source code of the component -# and should be replaced with the new/modified src code -# --outFolder : folder where to copy the new tarball(s) -# --pkgVersion : package version +# --srcTarball : src tarball file +# this file contains the 'initial' source code of the component +# and should be replaced with the new/modified src code +# --outFolder : folder where to copy the new tarball(s) +# --pkgVersion : package version +# --vendorVersion : vendor version # PARAMS="" while (( "$#" )); do 
@@ -47,6 +49,15 @@ while (( "$#" )); do exit 1 fi ;; + --vendorVersion) + if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then + VENDOR_VERSION=$2 + shift 2 + else + echo "Error: Argument for $1 is missing" >&2 + exit 1 + fi + ;; -*|--*=) # unsupported flags echo "Error: Unsupported flag $1" >&2 exit 1 @@ -58,9 +69,10 @@ while (( "$#" )); do esac done -echo "--srcTarball -> $SRC_TARBALL" -echo "--outFolder -> $OUT_FOLDER" -echo "--pkgVersion -> $PKG_VERSION" +echo "--srcTarball -> $SRC_TARBALL" +echo "--outFolder -> $OUT_FOLDER" +echo "--pkgVersion -> $PKG_VERSION" +echo "--vendorVersion -> $VENDOR_VERSION" if [ -z "$PKG_VERSION" ]; then echo "--pkgVersion parameter cannot be empty" @@ -75,10 +87,15 @@ function cleanup { } trap cleanup EXIT +TARBALL_FOLDER="$tmpdir/tarballFolder" +mkdir -p $TARBALL_FOLDER +cp $SRC_TARBALL $tmpdir + pushd $tmpdir > /dev/null -NAME_VER="application-gateway-kubernetes-ingress-$PKG_VERSION" -VENDOR_TARBALL="$OUT_FOLDER/$NAME_VER-vendor.tar.gz" +PKG_NAME="application-gateway-kubernetes-ingress" +NAME_VER="$PKG_NAME-$PKG_VERSION" +VENDOR_TARBALL="$OUT_FOLDER/$NAME_VER-govendor-v$VENDOR_VERSION.tar.gz" echo "Unpacking source tarball..." tar -xf $SRC_TARBALL @@ -92,7 +109,7 @@ tar --sort=name \ --mtime="2021-04-26 00:00Z" \ --owner=0 --group=0 --numeric-owner \ --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ - -cf "$VENDOR_TARBALL" vendor + -czf "$VENDOR_TARBALL" vendor popd > /dev/null -echo "application-gateway-kubernetes-ingress vendored modules are available at $VENDOR_TARBALL" +echo "$PKG_NAME vendored modules are available at $VENDOR_TARBALL" From 5918f960f57ed56199f90179f228363380dbac27 Mon Sep 17 00:00:00 2001 
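Review bot: The copy made by `cp $SRC_TARBALL $tmpdir` in the hunk at `@@ -75,10 +87,15 @@` is never used, because after `pushd $tmpdir` the script still runs `tar -xf $SRC_TARBALL` on the caller's path. If the copy was meant to make a relative `--srcTarball` work, the unpack step needs to read the copy, e.g. `tar -xf "$(basename "$SRC_TARBALL")"`. `TARBALL_FOLDER` is created but not referenced in any hunk shown here. The new expansions are also unquoted, so a path containing spaces splits into several arguments; `mkdir -p "$TARBALL_FOLDER"` and `cp "$SRC_TARBALL" "$tmpdir/"` avoid that. The rest of the script body lies outside this hunk.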
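Review bot: The gzip stream that `-czf` now writes (hunk at `@@ -92,7 +109,7 @@`) can carry a timestamp in its header depending on the gzip version, which would undo the `--sort=name`, `--mtime` and `--owner=0 --group=0` flags directly above it that exist to make the archive byte-reproducible. Since the tarball's SHA-256 is what the signatures file pins, two runs on the same input should give the same hash. Compressing with the timestamp suppressed keeps that property, for example `-cf - vendor | gzip -n > "$VENDOR_TARBALL"` with `set -o pipefail` next to the existing `set -e` so a tar failure is not masked by the pipe.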
From: Gary Swalling <31018813+gjswalling@users.noreply.github.com>
Date: Thu, 30 Jan 2025 13:47:23 -0800
Subject: [PATCH 5/8] use vendor tarball v1, uploaded to blob store
---
 ...-gateway-kubernetes-ingress.signatures.json | 2 +-
 ...application-gateway-kubernetes-ingress.spec | 18 ++++--------------
 .../generate_source_tarball.sh | 2 +-
 3 files changed, 6 insertions(+), 16 deletions(-)
diff --git a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.signatures.json b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.signatures.json
index 1492f857abb..a5cf132e56f 100644
--- a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.signatures.json
+++ b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.signatures.json
@@ -1,6 +1,6 @@
 {
 "Signatures": {
- "application-gateway-kubernetes-ingress-1.7.2-vendor.tar.gz": "c7ed26c959d032de3be6b14717ea0703b3543df299c77aa1d553f11b13b88a0e",
+ "application-gateway-kubernetes-ingress-1.7.2-govendor-v1.tar.gz": "501be9b58865c93adc8f2c2c49d3fe8f57abbc5d97985c74f69024b434e5ae06",
 "application-gateway-kubernetes-ingress-1.7.2.tar.gz": "df1ca6b5a5c328521fea35d4fea5edc48e0214324986f263e2f7d960a8a6acd8"
 }
 }
diff --git a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec
index cb1133fd0b7..5331002dc4a 100644
--- a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec
+++ b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec
@@ -9,20 +9,10 @@ Distribution: Azure Linux Group: Applications/Networking URL: https://github.com/Azure/application-gateway-kubernetes-ingress Source0: https://github.com/Azure/application-gateway-kubernetes-ingress/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz -# Below is a manually created tarball, no download link. -# We're using vendored Go modules from this tarball, since network is disabled during build time. -# How to re-build this file: -# 1. wget https://github.com/Azure/%%{name}/archive/refs/tags/%%{version}.tar.gz -O %%{name}-%%{version}.tar.gz -# 2. tar -xf %%{name}-%%{version}.tar.gz -# 3. cd %%{name}-%%{version} -# 4. go mod vendor -# 5. tar --sort=name \ -# --mtime="2021-04-26 00:00Z" \ -# --owner=0 --group=0 --numeric-owner \ -# --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ -# -cf %%{name}-%%{version}-%%{release}-vendor.tar.gz vendor -# -Source1: %{name}-%{version}-vendor.tar.gz +# Leverage the `generate_source_tarball.sh` to create the vendor sources +# NOTE: govendor-v1 format is for inplace CVE updates so that we do not have to overwrite in the blob-store. +# After fixing any possible CVE for the vendored source, we must bump v1 -> v2 +Source1: %{name}-%{version}-govendor-v1.tar.gz Patch0: CVE-2022-21698.patch BuildRequires: golang >= 1.13 diff --git a/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh b/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh index de08190a344..6609b85e3d2 100755 --- a/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh +++ b/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh @@ -7,7 +7,7 @@ set -e PKG_VERSION="" SRC_TARBALL="" -VENDOR_VERSION="2" +VENDOR_VERSION="1" OUT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" # parameters: From 95abadb725e72f65a6fad94f35f5ff7181765706 Mon Sep 17 00:00:00 2001 
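Review bot: The same `govendor-v1` file name is given two different SHA-256 values in this series, once in this commit's signatures file and again in patch 8/8, which contradicts the rule the new `Source1` comment states: bump v1 to v2 rather than overwrite in the blob store. If the first v1 tarball was already uploaded, as this commit's subject says, the name has referred to two different artifacts, and anything that fetched the earlier one fails or mismatches on the hash; naming the regenerated tarball `govendor-v2` would follow the comment. The comment also removes the rebuild recipe without recording how the script was invoked, so I would add a line such as `# Generated with: generate_source_tarball.sh --srcTarball <src tarball> --pkgVersion %%{version} --vendorVersion 1`.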
From: Gary Swalling <31018813+gjswalling@users.noreply.github.com> Date: Thu, 30 Jan 2025 14:12:52 -0800 Subject: [PATCH 6/8] support mod updates in script --- .../generate_source_tarball.sh | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh b/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh index 6609b85e3d2..2a36d0ec2a1 100755 --- a/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh +++ b/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh @@ -9,6 +9,7 @@ PKG_VERSION="" SRC_TARBALL="" VENDOR_VERSION="1" OUT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +UPDATE_MODS="" # parameters: # @@ -18,6 +19,7 @@ OUT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" # --outFolder : folder where to copy the new tarball(s) # --pkgVersion : package version # --vendorVersion : vendor version +# --updateMods : go modules to update, comma separated list # PARAMS="" while (( "$#" )); do @@ -58,6 +60,15 @@ while (( "$#" )); do exit 1 fi ;; + --updateMods) + if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then + UPDATE_MODS=$2 + shift 2 + else + echo "Error: Argument for $1 is missing" >&2 + exit 1 + fi + ;; -*|--*=) # unsupported flags echo "Error: Unsupported flag $1" >&2 exit 1 @@ -73,6 +84,7 @@ echo "--srcTarball -> $SRC_TARBALL" echo "--outFolder -> $OUT_FOLDER" echo "--pkgVersion -> $PKG_VERSION" echo "--vendorVersion -> $VENDOR_VERSION" +echo "--updateMods -> $UPDATE_MODS" if [ -z "$PKG_VERSION" ]; then echo "--pkgVersion parameter cannot be empty" @@ -104,6 +116,16 @@ cd "$NAME_VER" echo "Get vendored modules" go mod vendor +if [ -n "$UPDATE_MODS" ]; then + echo "Update vendored modules" + IFS=',' read -r -a MODS <<< "$UPDATE_MODS" + for MODULE in "${MODS[@]}" + do + go get -u $MODULE + done + go mod vendor +fi + echo "Tar vendored modules" tar --sort=name \ --mtime="2021-04-26 00:00Z" \ 
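Review bot: `go get -u $MODULE` in the update loop (hunk at `@@ -104,6 +116,16 @@`) resolves to whatever is newest on the day the script runs, and `-u` also upgrades that module's own dependencies. The resulting vendor tarball therefore cannot be tied to the golang.org/x/net 0.34.0 that the changelog claims, and a later rerun silently pulls in code nobody reviewed. Accepting `module@version` entries in `--updateMods` and running `go get "$MODULE"` without `-u` pins exactly what was intended. Quoting `"$MODULE"` also keeps a stray space or glob character in the list from turning into extra arguments. The same loop is touched again in patch 7/8, where the point still applies.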
From c2499bcc8fd4397bdf2995cc3c7b2380bf3e0cee Mon Sep 17 00:00:00 2001 From: Gary Swalling <31018813+gjswalling@users.noreply.github.com> Date: Thu, 30 Jan 2025 14:45:56 -0800 Subject: [PATCH 7/8] fixed go mod update --- .../application-gateway-kubernetes-ingress.spec | 2 +- .../generate_source_tarball.sh | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec index 5331002dc4a..561bbf0e1c1 100644 --- a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec +++ b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec @@ -86,7 +86,7 @@ cp appgw-ingress %{buildroot}%{_bindir}/ * Fri Feb 03 2023 CBL-Mariner Servicing Account - 1.4.0-8 - Bump release to rebuild with go 1.19.5 -* Tues Jan 24 2023 Adit Jha - 1.4.0-7 +* Tue Jan 24 2023 Adit Jha - 1.4.0-7 - Bump release to rebuild vendor repoistory which contain patch fix for CVE-2021-4235, CVE-2022-3064 * Wed Jan 18 2023 CBL-Mariner Servicing Account - 1.4.0-6 diff --git a/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh b/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh index 2a36d0ec2a1..cc2f5fb53e7 100755 --- a/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh +++ b/SPECS/application-gateway-kubernetes-ingress/generate_source_tarball.sh @@ -117,12 +117,13 @@ echo "Get vendored modules" go mod vendor if [ -n "$UPDATE_MODS" ]; then - echo "Update vendored modules" IFS=',' read -r -a MODS <<< "$UPDATE_MODS" for MODULE in "${MODS[@]}" do + echo "Updating module: $MODULE" go get -u $MODULE done + go mod tidy go mod vendor fi From fe6c45c845e2202581d6b752724fdb1c95d4035c Mon Sep 17 00:00:00 2001 
From: Gary Swalling <31018813+gjswalling@users.noreply.github.com>
Date: Thu, 30 Jan 2025 15:32:26 -0800
Subject: [PATCH 8/8] update signature for new go vendor tarball
---
 .../application-gateway-kubernetes-ingress.signatures.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.signatures.json b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.signatures.json
index a5cf132e56f..85264aa8462 100644
--- a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.signatures.json
+++ b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.signatures.json
@@ -1,6 +1,6 @@
 {
 "Signatures": {
- "application-gateway-kubernetes-ingress-1.7.2-govendor-v1.tar.gz": "501be9b58865c93adc8f2c2c49d3fe8f57abbc5d97985c74f69024b434e5ae06",
+ "application-gateway-kubernetes-ingress-1.7.2-govendor-v1.tar.gz": "68a30ac5712739f0758a1607b3c261398624f0c979e2e29bfeea4ea4655fec87",
 "application-gateway-kubernetes-ingress-1.7.2.tar.gz": "df1ca6b5a5c328521fea35d4fea5edc48e0214324986f263e2f7d960a8a6acd8"
 }
 }