From 3b9790d5c6dab14ccd569fe43b8aa2477d53437e Mon Sep 17 00:00:00 2001
From: Zichen Yu <1062955096@qq.com>
Date: Tue, 2 Jun 2026 19:07:51 +0800
Subject: [PATCH 1/2] fix: remediate Harbor dependency vulnerabilities
---
 .tekton/all-in-one.yaml | 2 +-
 subtree/harbor/make/patches/patch-amd64.sh | 3 +--
 subtree/harbor/src/go.mod | 2 +-
 subtree/harbor/src/go.sum | 3 ++-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml
index 4192ea0ab..516c6e7cb 100644
--- a/.tekton/all-in-one.yaml
+++ b/.tekton/all-in-one.yaml
@@ -206,7 +206,7 @@ spec:
 TRIVY_ADAPTER_VERSION=v0.34.3-alauda-1
 # renovate: datasource=golang-version depName=go
- export GOLANG_IMAGE_VERSION=1.26.2
+ export GOLANG_IMAGE_VERSION=1.26.3
 TRIVY_DOWNLOAD_URL=https://github.com/AlaudaDevops/trivy/releases/download/${TRIVY_VERSION}/trivy_Linux_${ARCH}.tar.gz
 TRIVY_ADAPTER_DOWNLOAD_URL=https://github.com/AlaudaDevops/harbor-scanner-trivy/releases/download/${TRIVY_ADAPTER_VERSION}/harbor-scanner-trivy_${TRIVY_ADAPTER_VERSION#v}_Linux_${ARCH}.tar.gz
diff --git a/subtree/harbor/make/patches/patch-amd64.sh b/subtree/harbor/make/patches/patch-amd64.sh
index 8bc0868cc..ab6468003 100755
--- a/subtree/harbor/make/patches/patch-amd64.sh
+++ b/subtree/harbor/make/patches/patch-amd64.sh
@@ -25,7 +25,7 @@ change_base_image "tests/test-engine-image"
 # swagger
 # renovate: datasource=golang-version depName=go
-export GOLANG_IMAGE_VERSION=1.26.2
+export GOLANG_IMAGE_VERSION=1.26.3
 sed -i 's/node:16.18.0/docker-mirrors.alauda.cn\/library\/node:16.18.0/' "Makefile"
 sed -i 's/registry.npmjs.org/internal-mirrors.alauda.cn\/repository\/npm\//g' "Makefile"
@@ -70,4 +70,3 @@ cat make/photon/registry/Dockerfile.binary
-
diff --git a/subtree/harbor/src/go.mod b/subtree/harbor/src/go.mod
index fd72481af..7b0a9edde 100644
--- a/subtree/harbor/src/go.mod
+++ b/subtree/harbor/src/go.mod
@@ -91,7 +91,7 @@ require (
 github.com/Azure/go-autorest/autorest/to v0.3.0 // indirect
 github.com/Azure/go-autorest/logger v0.2.1 // indirect
 github.com/Azure/go-autorest/tracing v0.6.0 // indirect
- github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+ github.com/Azure/go-ntlmssp v0.1.1 // indirect
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible // indirect
 github.com/Masterminds/semver/v3 v3.4.0 // indirect
 github.com/Unknwon/goconfig v0.0.0-20160216183935-5f601ca6ef4d // indirect
diff --git a/subtree/harbor/src/go.sum b/subtree/harbor/src/go.sum
index d724a2ba0..7e9731239 100644
--- a/subtree/harbor/src/go.sum
+++ b/subtree/harbor/src/go.sum
@@ -39,8 +39,9 @@ github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZ github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= -github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= +github.com/Azure/go-ntlmssp v0.1.1 h1:l+FM/EEMb0U9QZE7mKNEDw5Mu3mFiaa2GKOoTSsNDPw= +github.com/Azure/go-ntlmssp v0.1.1/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
From 94cbfa65ec819e005651c24c92d9ba9bc84e15aa Mon Sep 17 00:00:00 2001
From: Zichen Yu <1062955096@qq.com>
Date: Tue, 2 Jun 2026 19:40:01 +0800
Subject: [PATCH 2/2] fix: update Harbor binary release versions
---
 .tekton/all-in-one.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml
index 516c6e7cb..99cff9c2e 100644
--- a/.tekton/all-in-one.yaml
+++ b/.tekton/all-in-one.yaml
@@ -200,10 +200,10 @@ spec:
 # download trivy and scanner-trivy
 # renovate: datasource=github-releases depName=trivy packageName=AlaudaDevops/trivy
- TRIVY_VERSION=v0.68.3-alauda-4
+ TRIVY_VERSION=v0.68.3-alauda-7
 # renovate: datasource=github-releases depName=harbor-scanner-trivy packageName=AlaudaDevops/harbor-scanner-trivy
- TRIVY_ADAPTER_VERSION=v0.34.3-alauda-1
+ TRIVY_ADAPTER_VERSION=v0.34.3-alauda-2
 # renovate: datasource=golang-version depName=go
 export GOLANG_IMAGE_VERSION=1.26.3