microsoft · gjswalling · Jan 29, 2025 · Jan 29, 2025 · Jan 29, 2025 · Jan 30, 2025
@@ -1,6 +1,6 @@
 {
   "Signatures": {
-    "application-gateway-kubernetes-ingress-1.7.2-vendor.tar.gz": "c7ed26c959d032de3be6b14717ea0703b3543df299c77aa1d553f11b13b88a0e",
+    "application-gateway-kubernetes-ingress-1.7.2-govendor-v1.tar.gz": "68a30ac5712739f0758a1607b3c261398624f0c979e2e29bfeea4ea4655fec87",
     "application-gateway-kubernetes-ingress-1.7.2.tar.gz": "df1ca6b5a5c328521fea35d4fea5edc48e0214324986f263e2f7d960a8a6acd8"
   }
 }
@@ -2,30 +2,18 @@
 Summary:        Application Gateway Ingress Controller
 Name:           application-gateway-kubernetes-ingress
 Version:        1.7.2
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Applications/Networking
 URL:            https://github.com/Azure/application-gateway-kubernetes-ingress
 Source0:        https://github.com/Azure/application-gateway-kubernetes-ingress/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
-# Below is a manually created tarball, no download link.
-# We're using vendored Go modules from this tarball, since network is disabled during build time.
-# How to re-build this file:
-#   1. wget https://github.com/Azure/%%{name}/archive/refs/tags/%%{version}.tar.gz -O %%{name}-%%{version}.tar.gz
-#   2. tar -xf %%{name}-%%{version}.tar.gz
-#   3. cd %%{name}-%%{version}
-#   4. go mod vendor
-#   5. tar  --sort=name \
-#           --mtime="2021-04-26 00:00Z" \
-#           --owner=0 --group=0 --numeric-owner \
-#           --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
-#           -cf %%{name}-%%{version}-vendor.tar.gz vendor
-#
-Source1:        %{name}-%{version}-vendor.tar.gz
+# Leverage the `generate_source_tarball.sh` to create the vendor sources
+# NOTE: govendor-v1 format is for inplace CVE updates so that we do not have to overwrite in the blob-store.
+# After fixing any possible CVE for the vendored source, we must bump v1 -> v2
+Source1:        %{name}-%{version}-govendor-v1.tar.gz
 Patch0:         CVE-2022-21698.patch
-Patch1:         CVE-2022-41273.patch
-Patch2:         CVE-2024-45338.patch
 
 BuildRequires:  golang >= 1.13
 
@@ -39,8 +27,6 @@ to act as the ingress for an AKS cluster.
 rm -rf vendor
 tar -xf %{SOURCE1} --no-same-owner
 %patch 0 -p1 -d vendor/github.com/prometheus/client_golang
-%patch 1 -p1 -d vendor/golang.org/x/net
-%patch 2 -p1
 
 %build
 export VERSION=%{version}
@@ -59,6 +45,10 @@ cp appgw-ingress %{buildroot}%{_bindir}/
 %{_bindir}/appgw-ingress
 
 %changelog
+* Tue Jan 28 2025 Gary Swalling <gaswal@@microsoft.com> - 1.7.2-4
+- Update golang.org/x/net to 0.34.0 for CVE-2023-39325, CVE-2023-44487
+- Removed golang.org/x/net patches which are no longer needed
+
 * Tue Dec 31 2024 Rohit Rawat <[email protected]> - 1.7.2-3
 - Add patch for CVE-2024-45338
 
@@ -96,7 +86,7 @@ cp appgw-ingress %{buildroot}%{_bindir}/
 * Fri Feb 03 2023 CBL-Mariner Servicing Account <[email protected]> - 1.4.0-8
 - Bump release to rebuild with go 1.19.5
 
-* Tues Jan 24 2023 Adit Jha <[email protected]> - 1.4.0-7
+* Tue Jan 24 2023 Adit Jha <[email protected]> - 1.4.0-7
 - Bump release to rebuild vendor repoistory which contain patch fix for CVE-2021-4235, CVE-2022-3064
 
 * Wed Jan 18 2023 CBL-Mariner Servicing Account <[email protected]> - 1.4.0-6

@@ -7,15 +7,19 @@ set -e
 
 PKG_VERSION=""
 SRC_TARBALL=""
+VENDOR_VERSION="1"
 OUT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+UPDATE_MODS=""
 
 # parameters:
 #
-# --srcTarball  : src tarball file
-#                 this file contains the 'initial' source code of the component
-#                 and should be replaced with the new/modified src code
-# --outFolder   : folder where to copy the new tarball(s)
-# --pkgVersion  : package version
+# --srcTarball    : src tarball file
+#                   this file contains the 'initial' source code of the component
+#                   and should be replaced with the new/modified src code
+# --outFolder     : folder where to copy the new tarball(s)
+# --pkgVersion    : package version
+# --vendorVersion : vendor version
+# --updateMods    : go modules to update, comma separated list
 #
 PARAMS=""
 while (( "$#" )); do
@@ -47,6 +51,24 @@ while (( "$#" )); do
             exit 1
         fi
         ;;
+        --vendorVersion)
+        if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
+            VENDOR_VERSION=$2
+            shift 2
+        else
+            echo "Error: Argument for $1 is missing" >&2
+            exit 1
+        fi
+        ;;
+        --updateMods)
+        if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
+            UPDATE_MODS=$2
+            shift 2
+        else
+            echo "Error: Argument for $1 is missing" >&2
+            exit 1
+        fi
+        ;;
         -*|--*=) # unsupported flags
         echo "Error: Unsupported flag $1" >&2
         exit 1
@@ -58,9 +80,11 @@ while (( "$#" )); do
   esac
 done
 
-echo "--srcTarball   -> $SRC_TARBALL"
-echo "--outFolder    -> $OUT_FOLDER"
-echo "--pkgVersion   -> $PKG_VERSION"
+echo "--srcTarball      -> $SRC_TARBALL"
+echo "--outFolder       -> $OUT_FOLDER"
+echo "--pkgVersion      -> $PKG_VERSION"
+echo "--vendorVersion   -> $VENDOR_VERSION"
+echo "--updateMods      -> $UPDATE_MODS"
 
 if [ -z "$PKG_VERSION" ]; then
     echo "--pkgVersion parameter cannot be empty"
@@ -75,10 +99,15 @@ function cleanup {
 }
 trap cleanup EXIT
 
+TARBALL_FOLDER="$tmpdir/tarballFolder"
+mkdir -p $TARBALL_FOLDER
+cp $SRC_TARBALL $tmpdir
+
 pushd $tmpdir > /dev/null
 
-NAME_VER="application-gateway-kubernetes-ingress-$PKG_VERSION"
-VENDOR_TARBALL="$OUT_FOLDER/$NAME_VER-vendor.tar.gz"
+PKG_NAME="application-gateway-kubernetes-ingress"
+NAME_VER="$PKG_NAME-$PKG_VERSION"
+VENDOR_TARBALL="$OUT_FOLDER/$NAME_VER-govendor-v$VENDOR_VERSION.tar.gz"
 
 echo "Unpacking source tarball..."
 tar -xf $SRC_TARBALL
@@ -87,12 +116,23 @@ cd "$NAME_VER"
 echo "Get vendored modules"
 go mod vendor
 
+if [ -n "$UPDATE_MODS" ]; then
+    IFS=',' read -r -a MODS <<< "$UPDATE_MODS"
+    for MODULE in "${MODS[@]}"
+    do
+        echo "Updating module: $MODULE"
+        go get -u $MODULE
+    done
+    go mod tidy
+    go mod vendor
+fi
+
 echo "Tar vendored modules"
 tar  --sort=name \
      --mtime="2021-04-26 00:00Z" \
      --owner=0 --group=0 --numeric-owner \
      --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
-     -cf "$VENDOR_TARBALL" vendor
+     -czf "$VENDOR_TARBALL" vendor
 
 popd > /dev/null
-echo "application-gateway-kubernetes-ingress vendored modules are available at $VENDOR_TARBALL"
+echo "$PKG_NAME vendored modules are available at $VENDOR_TARBALL"