
fix: 28 CVEs in azure-iptables-monitor #4324

Open
timraymond wants to merge 4 commits into master from traymond/fix-cves

Conversation

Copilot AI review requested due to automatic review settings April 8, 2026 15:14
Contributor

Copilot AI left a comment


Pull request overview

This PR updates the azure-iptables-monitor module/toolchain and dependency set to address a batch of Go and library CVEs, aligning the module with a newer Go toolchain and newer Kubernetes/prometheus-related dependencies.

Changes:

  • Bump azure-iptables-monitor to go 1.25.0 and add toolchain go1.25.9.
  • Update core dependencies (notably k8s.io/* to v0.34.1, testify to v1.10.0, and various indirect deps).
  • Update the azure-iptables-monitor Docker build stage to use a Go 1.25 Azure Linux base image digest.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

  • azure-iptables-monitor/go.mod: Raises Go/toolchain versions and updates direct/indirect module requirements.
  • azure-iptables-monitor/go.sum: Updates module checksums to match the new dependency graph.
  • azure-iptables-monitor/Dockerfile: Updates the pinned Go builder image digest to the 1.25 Azure Linux variant.


Comment on lines 28 to 33
@@ -18,46 +31,42 @@ require (
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/cilium/ebpf v0.19.0
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
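Review bot: in this hunk github.com/cilium/ebpf v0.19.0 carries no `// indirect` marker yet sits between two indirect entries (github.com/cespare/xxhash/v2 and github.com/davecgh/go-spew), so this require block mixes a direct dependency into the indirect set; move it to the direct block and regenerate the file with go mod tidy rather than hand-ordering it, so CI can reproduce the result. The go-spew line is also still a pseudo-version, v1.1.2-0.20180830191138-d8f796af33cc, which encodes an untagged commit from 2018-08-30; a CVE-driven bump is the right moment to confirm that go mod tidy still selects that revision rather than carrying it forward by habit.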

Copilot AI Apr 8, 2026


go.mod doesn’t appear to be in canonical go mod tidy form: there are three separate require blocks, and a direct dependency (github.com/cilium/ebpf) is listed alongside many // indirect deps. This makes future dependency updates/merges harder and risks keeping stale indirect requirements. Please re-run go mod tidy (and commit the resulting go.mod/go.sum) so direct deps are grouped consistently and unused indirect requirements are removed.

@rbtr rbtr enabled auto-merge April 8, 2026 16:37
Collaborator

rbtr commented Apr 8, 2026

/azp run Azure Container Networking PR

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

Comment on lines 1 to 2
# !! AUTOGENERATED - DO NOT EDIT !!
# SOURCE: azure-iptables-monitor/Dockerfile.tmpl
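Review bot: these two header lines mark this Dockerfile as generated from azure-iptables-monitor/Dockerfile.tmpl, so a hand edit to the builder image digest below will be silently reverted the next time the templates are rendered; make the change at the source (the template, or the GO_IMG variable in build/images.mk that the later commit in this thread points at) and regenerate, and consider a CI step that renders the templates and fails on any diff against the committed Dockerfiles so this class of edit cannot land again.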
Collaborator


missed this

Comment thread azure-iptables-monitor/Dockerfile Outdated
# mcr.microsoft.com/oss/go/microsoft/golang:1.24-azurelinux3.0
FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:bc7423b52b62e8f0281b5f7f564eb1862dc315bc57e1373c6a81e87ef3ac39ab AS go
# mcr.microsoft.com/oss/go/microsoft/golang:1.25-azurelinux3.0
FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:8eb433398e85315f79fd5ad1bcf791a67519c2ce0277b627e244374d513a94e6 AS go
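Review bot: keeping the builder pinned by sha256 is right, but the comment above the new FROM line records only the floating tag mcr.microsoft.com/oss/go/microsoft/golang:1.25-azurelinux3.0; record the exact patch version the digest resolved to at the time (go.mod in this PR adds toolchain go1.25.9, and the two should agree) so a reviewer can re-verify the pin without resolving the tag again. Also, this stage builds with CGO_ENABLED=0 while the 1.25 Microsoft image defaults to systemcrypto, which per the discussion below needs cgo and OpenSSL; the digest bump therefore needs GOEXPERIMENT=nosystemcrypto alongside it, as the later commit in this thread does, or the CGO_ENABLED=0 build stops working.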
Contributor


msft-go 1.25+ requires additional changes to dockerfiles due to default systemcrypto usage. I planned to take care of this soon for the entire repo.


# mcr.microsoft.com/oss/go/microsoft/golang:1.24-azurelinux3.0
FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:bc7423b52b62e8f0281b5f7f564eb1862dc315bc57e1373c6a81e87ef3ac39ab AS go
# mcr.microsoft.com/oss/go/microsoft/golang:1.25-azurelinux3.0
Contributor


The Dockerfile is autogenerated (!! AUTOGENERATED - DO NOT EDIT !! on line 1). Do we edit the file directly or run the make command to generate the Dockerfile?

Contributor


Not sure if @rbtr is referring to the same comment.

The go.mod had three separate require blocks with a direct dependency
(cilium/ebpf) mixed into an indirect block. Move cilium/ebpf into the
direct dependency block and run go mod tidy to produce canonical form
so future dependency updates and merges are cleaner.
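The layout problem raised in the Copilot review above and addressed by this commit can be checked mechanically. The Go program below is an added example written for this page, not code from the azure-container-networking repository: it parses a constructed go.mod (the module path and the k8s.io/api line are placeholders; the three entries of the reviewed hunk are copied from it) and reports the two departures from the direct-then-indirect layout that go mod tidy has written since Go 1.17: more than two require blocks, and a block that mixes direct and `// indirect` requirements.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGoMod is a constructed go.mod reproducing the shape the review
// objects to: three require blocks, with the direct dependency
// github.com/cilium/ebpf sitting inside an otherwise all-indirect block.
// The module path and the k8s.io/api entry are placeholders.
const sampleGoMod = `module example.com/azure-iptables-monitor

go 1.25.0

toolchain go1.25.9

require (
	github.com/stretchr/testify v1.10.0
)

require (
	github.com/cespare/xxhash/v2 v2.3.0 // indirect
	github.com/cilium/ebpf v0.19.0
	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
)

require (
	k8s.io/api v0.34.1
)
`

type requirement struct {
	path, version string
	indirect      bool
}

type requireBlock []requirement

// parseRequirement reads one "path version [// indirect]" line.
func parseRequirement(line string) (requirement, bool) {
	indirect := false
	if i := strings.Index(line, "//"); i >= 0 {
		indirect = strings.Contains(line[i:], "indirect")
		line = strings.TrimSpace(line[:i])
	}
	fields := strings.Fields(line)
	if len(fields) != 2 {
		return requirement{}, false
	}
	return requirement{path: fields[0], version: fields[1], indirect: indirect}, true
}

// parseRequireBlocks extracts every parenthesised require block, plus any
// single-line "require path version" statement as a one-entry block.
func parseRequireBlocks(src string) []requireBlock {
	var blocks []requireBlock
	var cur requireBlock
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "require (":
			inBlock, cur = true, nil
		case inBlock && line == ")":
			blocks = append(blocks, cur)
			inBlock = false
		case inBlock && line != "":
			if r, ok := parseRequirement(line); ok {
				cur = append(cur, r)
			}
		case strings.HasPrefix(line, "require "):
			if r, ok := parseRequirement(strings.TrimPrefix(line, "require ")); ok {
				blocks = append(blocks, requireBlock{r})
			}
		}
	}
	return blocks
}

// lintRequireBlocks reports departures from the tidy layout: at most two
// require blocks, the first holding only direct requirements and the
// second only // indirect ones.
func lintRequireBlocks(blocks []requireBlock) []string {
	var findings []string
	if len(blocks) > 2 {
		findings = append(findings, fmt.Sprintf("%d require blocks; go mod tidy writes at most two (direct, then indirect)", len(blocks)))
	}
	for i, b := range blocks {
		var direct, indirect []string
		for _, r := range b {
			if r.indirect {
				indirect = append(indirect, r.path)
			} else {
				direct = append(direct, r.path)
			}
		}
		if len(direct) > 0 && len(indirect) > 0 {
			findings = append(findings, fmt.Sprintf("require block %d mixes direct %v with indirect %v", i+1, direct, indirect))
		}
	}
	return findings
}

func main() {
	for _, f := range lintRequireBlocks(parseRequireBlocks(sampleGoMod)) {
		fmt.Println("go.mod:", f)
	}
}
```

On the constructed input this reports three require blocks and block 2 mixing github.com/cilium/ebpf with the two indirect entries; a file regenerated by go mod tidy produces no findings.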

Microsoft's Go 1.25 fork defaults to system-provided cryptography via
the systemcrypto GOEXPERIMENT, which requires cgo and OpenSSL at build
time. All Dockerfile templates in this repo build with CGO_ENABLED=0.

As pointed out by @jpayne3506, bumping to msft-go 1.25 requires
additional Dockerfile changes to handle the new default. Set
GOEXPERIMENT=nosystemcrypto in all six source Dockerfile templates so
that CGO_ENABLED=0 builds continue to work. This opt-out can be removed
when a proper systemcrypto migration is done repo-wide.
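A check for the template change this commit describes, as an added example rather than the repository's own tooling: the Go program below scans constructed Dockerfile templates and flags any that build on the Microsoft Go image with CGO_ENABLED=0 but without a GOEXPERIMENT value containing nosystemcrypto. The FROM line and digest comment are copied from the hunk above; the second template name, the build commands, and the ENV/RUN placement of the variables are assumptions, so the scanner accepts the setting wherever it appears on a non-comment line.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// templates are constructed stand-ins for the repo's Dockerfile templates.
// The image line and its comment come from the PR hunk; everything else
// (second template name, build commands, ENV/RUN lines) is assumed.
var templates = map[string]string{
	"azure-iptables-monitor/Dockerfile.tmpl": `# mcr.microsoft.com/oss/go/microsoft/golang:1.25-azurelinux3.0
FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:8eb433398e85315f79fd5ad1bcf791a67519c2ce0277b627e244374d513a94e6 AS go
ENV CGO_ENABLED=0
ENV GOEXPERIMENT=nosystemcrypto
RUN go build -o /out/azure-iptables-monitor ./azure-iptables-monitor
`,
	// Constructed: same image, CGO off, but the opt-out was forgotten.
	"second-component/Dockerfile.tmpl": `# mcr.microsoft.com/oss/go/microsoft/golang:1.25-azurelinux3.0
FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:8eb433398e85315f79fd5ad1bcf791a67519c2ce0277b627e244374d513a94e6 AS go
RUN CGO_ENABLED=0 go build -o /out/second-component ./second-component
`,
}

var (
	// A build stage drawn from the Microsoft Go image, by tag or by digest.
	msftGoImage = regexp.MustCompile(`^FROM\s.*mcr\.microsoft\.com/oss/go/microsoft/golang[@:]`)
	cgoOff      = regexp.MustCompile(`\bCGO_ENABLED=0\b`)
	goExp       = regexp.MustCompile(`\bGOEXPERIMENT=(\S+)`)
)

// checkTemplate returns "" when the template is fine, otherwise a finding.
// A template that builds on the Microsoft Go image with CGO_ENABLED=0 must
// also set GOEXPERIMENT to a list containing nosystemcrypto, because the
// fork's default systemcrypto backend needs cgo and OpenSSL at build time.
func checkTemplate(src string) string {
	usesMsftGo, cgoDisabled := false, false
	var experiments []string
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "#") {
			continue // comments, including the tag hint above FROM
		}
		if msftGoImage.MatchString(line) {
			usesMsftGo = true
		}
		if cgoOff.MatchString(line) {
			cgoDisabled = true
		}
		for _, m := range goExp.FindAllStringSubmatch(line, -1) {
			for _, e := range strings.Split(m[1], ",") {
				experiments = append(experiments, strings.Trim(e, `"'`))
			}
		}
	}
	if !usesMsftGo || !cgoDisabled {
		return "" // other images, or cgo builds, are out of scope here
	}
	for _, e := range experiments {
		if e == "nosystemcrypto" {
			return ""
		}
	}
	return "CGO_ENABLED=0 build on the Microsoft Go image without GOEXPERIMENT=nosystemcrypto"
}

func main() {
	for name, src := range templates {
		if problem := checkTemplate(src); problem != "" {
			fmt.Printf("%s: %s\n", name, problem)
		}
	}
}
```

Running it over the constructed set reports only second-component/Dockerfile.tmpl; a template that builds on an upstream golang image, or one that keeps cgo enabled, is deliberately left alone because the systemcrypto default only bites the CGO_ENABLED=0 case.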
@timraymond timraymond requested review from a team as code owners April 10, 2026 19:15
Member Author

/azp run Azure Container Networking PR

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

Comment thread .pipelines/build/dockerfiles/azure-ipam.Dockerfile Outdated
Update GO_IMG in build/images.mk from 1.24 to 1.25 and regenerate all
Dockerfiles via make dockerfiles. As pointed out by @nairashu, the
Dockerfiles are autogenerated from templates and should not be edited
directly. This replaces the manual Dockerfile edit with proper
template-based rendering.