New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ASCII-1615] Replace github.com/mholt/archiver/v3
third party library with custom package pkg/util/archive
#25498
[ASCII-1615] Replace github.com/mholt/archiver/v3
third party library with custom package pkg/util/archive
#25498
Conversation
…package pkg/util/archive The libray includes the vulnerability CVE-2024-0406. Technically speaking we are not affected by this in production as we do not uncompress tar files. Still, it is a good opportunity to evaluate if we need a third party library for zip opertaions. We decided to remove the third party dependency by vendoring some of its code. That has the benefit that we are no longer affected by the CVE-2024-0406 and that we not longer depend on a third party dependency.
c714578
to
23014bf
Compare
github.com/mholt/archiver/v3
third party library with custom package pkg/util/archive
Go Package Import DifferencesBaseline: 4faaee8
|
Test changes on VMUse this command from test-infra-definitions to manually test this PR changes on a VM: inv create-vm --pipeline-id=34338108 --os-family=ubuntu |
Regression DetectorRegression Detector ResultsRun ID: f16f125c-1af9-43b8-bf26-7d1982d41983 Performance changes are noted in the perf column of each table:
No significant changes in experiment optimization goalsConfidence level: 90.00% There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.
|
perf | experiment | goal | Δ mean % | Δ mean % CI |
---|---|---|---|---|
✅ | file_to_blackhole | % cpu utilization | -43.87 | [-48.81, -38.92] |
Fine details of change detection per experiment
perf | experiment | goal | Δ mean % | Δ mean % CI |
---|---|---|---|---|
➖ | basic_py_check | % cpu utilization | +1.61 | [-0.91, +4.13] |
➖ | pycheck_1000_100byte_tags | % cpu utilization | +1.14 | [-3.63, +5.91] |
➖ | idle | memory utilization | +0.10 | [+0.07, +0.13] |
➖ | uds_dogstatsd_to_api | ingress throughput | +0.00 | [-0.20, +0.20] |
➖ | trace_agent_msgpack | ingress throughput | -0.00 | [-0.00, +0.00] |
➖ | trace_agent_json | ingress throughput | -0.01 | [-0.02, +0.01] |
➖ | file_tree | memory utilization | -0.01 | [-0.10, +0.08] |
➖ | tcp_dd_logs_filter_exclude | ingress throughput | -0.01 | [-0.05, +0.02] |
➖ | otel_to_otel_logs | ingress throughput | -0.15 | [-0.53, +0.23] |
➖ | uds_dogstatsd_to_api_cpu | % cpu utilization | -0.56 | [-3.39, +2.27] |
➖ | tcp_syslog_to_blackhole | ingress throughput | -5.98 | [-26.28, +14.31] |
✅ | file_to_blackhole | % cpu utilization | -43.87 | [-48.81, -38.92] |
Explanation
A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".
For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:
-
Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
-
Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
-
Its configuration does not mark it "erratic".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, can we add (a lot of) tests though ?
dce7de9
to
b0fd718
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would be nice to have more tests around error paths, but this is good enough to merge
pkg/util/archive/zip_test.go
Outdated
assert.Error(t, err, "must have a .zip extension") | ||
} | ||
|
||
func TestZip_ExtistingDestuination(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
func TestZip_ExtistingDestuination(t *testing.T) { | |
func TestZip_ExistingDestination(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@GustavoCaso Great work! Left a lot of comments but majority of them are naming non-blocking nits.
pkg/util/archive/zip.go
Outdated
|
||
zipW := zip.NewWriter(out) | ||
zipW.RegisterCompressor(zip.Deflate, func(out io.Writer) (io.WriteCloser, error) { | ||
return flate.NewWriter(out, flate.DefaultCompression) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any downside to using BestCompression
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The previous code was using DefaultCompression
that is why I decided to leave as it was. https://github.com/mholt/archiver/blob/e0c66cf15ec46b2e04e0c280b0b8178d14aa55dc/zip.go#L651
I'm ok changing it to BestCompression
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair. Feel free to choose if you want to change it or not
pkg/util/archive/zip.go
Outdated
|
||
zipW := zip.NewWriter(out) | ||
zipW.RegisterCompressor(zip.Deflate, func(out io.Writer) (io.WriteCloser, error) { | ||
return flate.NewWriter(out, flate.DefaultCompression) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Big question here - were the flares compressed using custom/optimized Deflate
through a dependency? If so, we may be regressing in speed and file size in the output so it would be good to do at least a side-by-side size comparison. The changeover is likely acceptable but we should at least understand the impact.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That is a great point.
There are two side to that question:
Do we want to reduce the number of imports?
Yes. In that case use the archive/zip
package from the std
No. In that case use github.com/klauspost/compress/zip
Are performance degradation an issue for creating flares?
Yes. Use github.com/klauspost/compress/zip
No. Use archive/zip
package from the std
in any case having a comparison table would be useful to answer the questions above. I will work on a comparison table 😄
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
having a comparison table would be useful to answer the questions above
I think just a simple flare from both implementations should be fine and we can just check the file size.
For your questions:
- Do we want to reduce the number of imports? Yes
- Are performance degradation an issue for creating flares? No, as long as they're not drastic
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
|
||
func TestZip_DoNotZipSymlinks(t *testing.T) { | ||
tmpDestinationDir := t.TempDir() | ||
zipTempLocation := filepath.Join(tmpDestinationDir, "destination.zip") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not a blocker I feel like a lot of these tests have some common code that could be deduped
{"bad/file.txt", "Mwa-ha-ha"}, | ||
} | ||
|
||
if createFileOutsideRoot { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should also try at least minimally testing absolute paths (e.g. /usr/bin/badfile.sh
)
fa1547c
to
9f4f978
Compare
github.com/mholt/archiver/v3
third party library with custom package pkg/util/archive
github.com/mholt/archiver/v3
third party library with custom package pkg/util/archive
/merge |
🚂 MergeQueue This merge request is not mergeable yet, because of pending checks/missing approvals. It will be added to the queue as soon as checks pass and/or get approvals. Use |
🚂 MergeQueue Pull request added to the queue. There are 2 builds ahead! (estimated merge in less than 1h) Use |
What does this PR do?
Remove the third part library
github.com/mholt/archiver/v3
from the flare packageMotivation
The library includes the vulnerability CVE-2024-0406. Technically speaking we are not affected by this in production as we do not uncompress tar files. Still, it is a good opportunity to evaluate if we need a third party library for zip opertaions.
We decided to remove the third party dependency by vendoring some of its code.
That has the benefit that we are no longer affected by the CVE-2024-0406 and that we not longer depend on a third party dependency. Which removes a few packages from the main agent binary 🪄
Additional Notes
Possible Drawbacks / Trade-offs
Describe how to test/QA your changes