[ASCII-1615] Replace github.com/mholt/archiver/v3 third party library with custom package pkg/util/archive
#25498
Conversation
…package pkg/util/archive The libray includes the vulnerability CVE-2024-0406. Technically speaking we are not affected by this in production as we do not uncompress tar files. Still, it is a good opportunity to evaluate if we need a third party library for zip opertaions. We decided to remove the third party dependency by vendoring some of its code. That has the benefit that we are no longer affected by the CVE-2024-0406 and that we not longer depend on a third party dependency.
GustavoCaso
force-pushed
the
replace-archive-package-to-create-zip-file
branch
from
c714578
to
23014bf
Compare
GustavoCaso
changed the title
github.com/mholt/archiver/v3 third party library with custom package pkg/util/archive
Go Package Import DifferencesBaseline: 4faaee8
|
Test changes on VMUse this command from test-infra-definitions to manually test this PR changes on a VM: inv create-vm --pipeline-id=34338108 --os-family=ubuntu |
Regression DetectorRegression Detector ResultsRun ID: f16f125c-1af9-43b8-bf26-7d1982d41983 Performance changes are noted in the perf column of each table:
No significant changes in experiment optimization goalsConfidence level: 90.00% There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.
|
| perf | experiment | goal | Δ mean % | Δ mean % CI |
|---|---|---|---|---|
| ✅ | file_to_blackhole | % cpu utilization | -43.87 | [-48.81, -38.92] |
Fine details of change detection per experiment
| perf | experiment | goal | Δ mean % | Δ mean % CI |
|---|---|---|---|---|
| ➖ | basic_py_check | % cpu utilization | +1.61 | [-0.91, +4.13] |
| ➖ | pycheck_1000_100byte_tags | % cpu utilization | +1.14 | [-3.63, +5.91] |
| ➖ | idle | memory utilization | +0.10 | [+0.07, +0.13] |
| ➖ | uds_dogstatsd_to_api | ingress throughput | +0.00 | [-0.20, +0.20] |
| ➖ | trace_agent_msgpack | ingress throughput | -0.00 | [-0.00, +0.00] |
| ➖ | trace_agent_json | ingress throughput | -0.01 | [-0.02, +0.01] |
| ➖ | file_tree | memory utilization | -0.01 | [-0.10, +0.08] |
| ➖ | tcp_dd_logs_filter_exclude | ingress throughput | -0.01 | [-0.05, +0.02] |
| ➖ | otel_to_otel_logs | ingress throughput | -0.15 | [-0.53, +0.23] |
| ➖ | uds_dogstatsd_to_api_cpu | % cpu utilization | -0.56 | [-3.39, +2.27] |
| ➖ | tcp_syslog_to_blackhole | ingress throughput | -5.98 | [-26.28, +14.31] |
| ✅ | file_to_blackhole | % cpu utilization | -43.87 | [-48.81, -38.92] |
Explanation
A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".
For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:
-
Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
-
Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
-
Its configuration does not mark it "erratic".
GustavoCaso
force-pushed
the
replace-archive-package-to-create-zip-file
branch
from
dce7de9
to
b0fd718
Compare
pkg/util/archive/zip_test.go
Outdated
| assert.Error(t, err, "must have a .zip extension") | ||
| } | ||
|
|
||
| func TestZip_ExtistingDestuination(t *testing.T) { |
There was a problem hiding this comment.
| func TestZip_ExtistingDestuination(t *testing.T) { | |
| func TestZip_ExistingDestination(t *testing.T) { |
There was a problem hiding this comment.
@GustavoCaso Great work! Left a lot of comments but majority of them are naming non-blocking nits.
pkg/util/archive/zip.go
Outdated
|
|
||
| zipW := zip.NewWriter(out) | ||
| zipW.RegisterCompressor(zip.Deflate, func(out io.Writer) (io.WriteCloser, error) { | ||
| return flate.NewWriter(out, flate.DefaultCompression) |
There was a problem hiding this comment.
Is there any downside to using BestCompression?
There was a problem hiding this comment.
The previous code was using DefaultCompression that is why I decided to leave as it was. https://github.com/mholt/archiver/blob/e0c66cf15ec46b2e04e0c280b0b8178d14aa55dc/zip.go#L651
I'm ok changing it to BestCompression.
There was a problem hiding this comment.
Fair. Feel free to choose if you want to change it or not
pkg/util/archive/zip.go
Outdated
|
|
||
| zipW := zip.NewWriter(out) | ||
| zipW.RegisterCompressor(zip.Deflate, func(out io.Writer) (io.WriteCloser, error) { | ||
| return flate.NewWriter(out, flate.DefaultCompression) |
There was a problem hiding this comment.
Big question here - were the flares compressed using custom/optimized Deflate through a dependency? If so, we may be regressing in speed and file size in the output so it would be good to do at least a side-by-side size comparison. The changeover is likely acceptable but we should at least understand the impact.
There was a problem hiding this comment.
That is a great point.
There are two side to that question:
Do we want to reduce the number of imports?
Yes. In that case use the archive/zip package from the std
No. In that case use github.com/klauspost/compress/zip
Are performance degradation an issue for creating flares?
Yes. Use github.com/klauspost/compress/zip
No. Use archive/zip package from the std
in any case having a comparison table would be useful to answer the questions above. I will work on a comparison table 😄
There was a problem hiding this comment.
having a comparison table would be useful to answer the questions above
I think just a simple flare from both implementations should be fine and we can just check the file size.
For your questions:
- Do we want to reduce the number of imports? Yes
- Are performance degradation an issue for creating flares? No, as long as they're not drastic
There was a problem hiding this comment.
main_branch -> main
custom_branch|custom_version -> this branch
Both archive are the same size. Uncompressed custom branch is 0.1 MB smaller.
I think we good with the change 😄
|
|
||
| func TestZip_DoNotZipSymlinks(t *testing.T) { | ||
| tmpDestinationDir := t.TempDir() | ||
| zipTempLocation := filepath.Join(tmpDestinationDir, "destination.zip") |
There was a problem hiding this comment.
Not a blocker I feel like a lot of these tests have some common code that could be deduped
| {"bad/file.txt", "Mwa-ha-ha"}, | ||
| } | ||
|
|
||
| if createFileOutsideRoot { |
There was a problem hiding this comment.
We should also try at least minimally testing absolute paths (e.g. /usr/bin/badfile.sh)
GustavoCaso
force-pushed
the
replace-archive-package-to-create-zip-file
branch
from
fa1547c
to
9f4f978
Compare
GustavoCaso
changed the title
github.com/mholt/archiver/v3 third party library with custom package pkg/util/archive github.com/mholt/archiver/v3 third party library with custom package pkg/util/archive
|
/merge |
|
🚂 MergeQueue This merge request is not mergeable yet, because of pending checks/missing approvals. It will be added to the queue as soon as checks pass and/or get approvals. Use |
|
🚂 MergeQueue Pull request added to the queue. There are 2 builds ahead! (estimated merge in less than 1h) Use |
What does this PR do?
Remove the third part library
github.com/mholt/archiver/v3from the flare packageMotivation
The library includes the vulnerability CVE-2024-0406. Technically speaking we are not affected by this in production as we do not uncompress tar files. Still, it is a good opportunity to evaluate if we need a third party library for zip opertaions.
We decided to remove the third party dependency by vendoring some of its code.
That has the benefit that we are no longer affected by the CVE-2024-0406 and that we not longer depend on a third party dependency. Which removes a few packages from the main agent binary 🪄
Additional Notes
Possible Drawbacks / Trade-offs
Describe how to test/QA your changes