KubeVirt · GitHub is using SonarCloud for multiple years to run CI on new PRs.
Recently, at least since July 23rd, some backport PRs failing SonarCloud CI, because unmodified lines are detected as relevant.
For example [release-v0.19] Fix runbook_url test by kubevirt-bot · Pull Request #1013 · kubevirt/ssp-operator · GitHub , which is a modification of two lines, is detected by SonarCloud as 13k new lines in SonarCloud .
Is this a config issue on kubevirt side?
1 Like
Colin
(Colin)
August 5, 2024, 5:59am
4
Hey @dominikholler
This probably relates to some changes made to the analysis of “external” (forked) PRs.
Hey there! @dreamorosi @mark1011 @moorec-aws
Really happy to let you know that the analysis of external PRs has been turned back on, and we are now confident that the analysis results accurately reflect what has changed in the PR. Kudos to @Julien_HENRY for his work on this.
Please give it a try and let us know if you notice anything out of place.
I’ll make sure the team sees this, but both our experts are on holiday (August in France…), so I’m not sure when it will get looked at.
At least, I see that most of your PRs are passing and behaving appropriately , so I hope the inconvenience isn’t too great. Thanks for your patience.
1 Like
Hi @dominikholler
Just to confirm: are you using Automatic Analysis, or do you trigger the analysis with your own CI?
I tried to reproduce your issue:
create a fork of your repo
create another fork
create a branch from the release-v0.19
branch and introduce an issue
submit this as a pull request upstream, targeting the release-v0.19
branch
Everything is working fine so far.
Is your bot doing some extra steps?
Hi , thanks for having a look.
I am not aware that we run sonar cloud on our own, we just enabled the most simple path, which might be Automatic Analysis.
I also do not see the issue happening anymore.
We also disabled sonarcloud because of this issue in https://sonarcloud.io/project/pull_requests_list?id=kubevirt_kubevirt , which is more complex. Let me check if we can enable it again.
I am unsure if I understand the sonarcloud analysis of
kubevirt:release-v0.18
← kubevirt:renovate/release-v0.18-go-golang.org-x-net-vulnerability
opened 09:25AM - 28 Aug 24 UTC
This PR contains the following updates:
| Package | Type | Update | Change |
|-… --|---|---|---|
| golang.org/x/net | indirect | minor | `v0.17.0` -> `v0.23.0` |
---
### HTTP/2 CONTINUATION flood in net/http
BIT-golang-2023-45288 / [CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) / [GHSA-4v7x-pqxf-cx7m](https://togithub.com/advisories/GHSA-4v7x-pqxf-cx7m) / [GO-2024-2687](https://pkg.go.dev/vuln/GO-2024-2687)
<details>
<summary>More information</summary>
#### Details
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.
Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed.
This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.
The fix sets a limit on the amount of excess header frames we will process before closing a connection.
#### Severity
Unknown
#### References
- [https://go.dev/issue/65051](https://go.dev/issue/65051)
- [https://go.dev/cl/576155](https://go.dev/cl/576155)
- [https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M](https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M)
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2687) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)).
</details>
---
### net/http, x/net/http2: close connections when receiving too many headers
BIT-golang-2023-45288 / [CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) / [GHSA-4v7x-pqxf-cx7m](https://togithub.com/advisories/GHSA-4v7x-pqxf-cx7m) / [GO-2024-2687](https://pkg.go.dev/vuln/GO-2024-2687)
<details>
<summary>More information</summary>
#### Details
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
#### References
- [https://nvd.nist.gov/vuln/detail/CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288)
- [https://go.dev/cl/576155](https://go.dev/cl/576155)
- [https://go.dev/issue/65051](https://go.dev/issue/65051)
- [https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M](https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT)
- [https://nowotarski.info/http2-continuation-flood-technical-details](https://nowotarski.info/http2-continuation-flood-technical-details)
- [https://pkg.go.dev/vuln/GO-2024-2687](https://pkg.go.dev/vuln/GO-2024-2687)
- [https://security.netapp.com/advisory/ntap-20240419-0009](https://security.netapp.com/advisory/ntap-20240419-0009)
- [http://www.openwall.com/lists/oss-security/2024/04/03/16](http://www.openwall.com/lists/oss-security/2024/04/03/16)
- [http://www.openwall.com/lists/oss-security/2024/04/05/4](http://www.openwall.com/lists/oss-security/2024/04/05/4)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-4v7x-pqxf-cx7m) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate).
in
https://sonarcloud.io/summary/new_code?id=kubevirt_ssp-operator&pullRequest=1058
Does sonarcloud detect 13k new lines?
Hi @dominikholler ,
We deployed last Monday a change in the way automatic analysis checks out the code of a PR. Before it was analyzing the refs/remote/pull/X/merge
Git reference, which contains the result of the merge of your PR head branch with the target branch. We faced many issues with this approach, for example when there are merge conflicts, and I wonder if your issue is not another symptom.
Anyway, we are now fetching from refs/remote/pull/X/head
, like many CIs, so I am confident it should produce more reliable results.
May I ask you to retry automatic analysis, and let us know how it goes?
Thanks