Bumping helm and oras for security updates

[allaryin]

Helm v3.9.0 patches against CVE-2022-21235 by intentionally updating its dependency on mastermind/vcs.

It unfortunately does not resolve CVE-2021-25741, which is caused by importing an old version of k8s.io/kubernetes.

Directly importing k8s.io/kubernetes is unsupported, so fixing that issue directly does not work, but a minor bump to ORAS (from v1.1.0 to v1.1.1) and reiterating that bump by ensuring that microsoft/hcsshim is also updated to the version requested by oras v1.1.1 means that hcsshim is no longer importing the old k8s.io/kubernetes release.

Helm's main branch has this ORAS version update, but this has not yet been published in a numbered release tag.

[allaryin]

Unsure why make deps is failing in pipeline. Everything seems to work fine locally?

alauritzen@ws:/mnt/e/src/helm-s3$ make deps && echo $?
0
alauritzen@ws:/mnt/e/src/helm-s3$ make test-unit && echo $?
go test $(go list ./... | grep -v e2e)
?       github.com/hypnoglow/helm-s3/cmd/helms3 [no test files]
?       github.com/hypnoglow/helm-s3/internal/awss3     [no test files]
ok      github.com/hypnoglow/helm-s3/internal/awsutil   0.878s
ok      github.com/hypnoglow/helm-s3/internal/helmutil  0.022s
0

Helm 3.9 is requiring go 1.17 - is the ci worker running with an old go compiler?

[hypnoglow]

Thank you for this patch!

Yep, the project is currently built against Go 1.16. I guess we can update Go to 1.17 in a separate PR and then rebase this branch onto it. WDYT?

[allaryin]

Bumping to 1.17 makes sense to me, Go 1.18 has been out for months now :)

[allaryin]

Go 1.17 update in #170

[hypnoglow]

Please rebase this branch onto master after Go 1.17 update.

[codecov]

Codecov Report

Merging #169 (fca7434) into master (88815cc) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #169   +/-   ##
=======================================
  Coverage   45.27%   45.27%           
=======================================
  Files          18       18           
  Lines         466      466           
=======================================
  Hits          211      211           
  Misses        245      245           
  Partials       10       10           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 88815cc...fca7434. Read the comment docs.

[allaryin]

Trying to find why helm 3.9 wasn't tested...

[allaryin]

@hypnoglow -- OKAY. I believe we're good now.

Two notes about the change:

1. GitHub workflow isn't running e2e test against helm 3.9.0, but I can't commit that change.
2. There are a couple of hopefully temporary unpleasant go mod revision overrides set because of upstream dependencies. Both are commented.

• First is the necessary change to pull in required updates to fix the CVE's in question. The helm project itself needs to update their version of oras to pull down a newer version of microsoft/hcsshim. So this override can hopefully go away whenever updating to a new version of helm that imports a version of oras >= 1.1.1 (and hcsshim >= 0.9.2).
• Second is necessary because index_v2.go is using ghodss/yaml, which has not been updated in a few years, and which imports an older version of check.v1. The override can go away if/when index_v2 is rewritten with different yaml handling.

One other thing I observed while looking at this - CircleCI is complaining about deprecated docker images. I attempted a switch to use their newer containers, but there are problems with root permissions and that change is best made in isolation of any other changes.

[hypnoglow]

@allaryin thank you!

One other thing I observed while looking at this - CircleCI is complaining about deprecated docker images. I attempted a switch to use their newer containers, but there are problems with root permissions and that change is best made in isolation of any other changes.

We are in the process of migrating to GitHub Actions, so hopefully this will not be an issue in the near future.