@shphadnis

No description provided.

red-hat-konflux bot and others added 30 commits June 5, 2025 15:36
Image created from 'https://github.com/kubev2v/forklift?rev=fef113294f3adc2a041c78b5bfc856798c87c16d'

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Image created from 'https://github.com/kubev2v/forklift?rev=fef113294f3adc2a041c78b5bfc856798c87c16d'

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
…ev2v#1960)

Motivation
Using the PV's volumeHandle may not be enough for some ontap
installations. The name of the LUN in ontap is set by the CSI driver, and
the default prefix, "trident_pvc_", that is controlled by the trident
configuration can be different. That breaks the resolve logic.

Modification
When using ontap, trident CSI is setting the real name of the LUN using
the volume attribute 'internalName'. Using that looks more reliable
than the heuristic with the volumeHandle.

Result
ontap provider will work with whatever trident configuration
`TridentBackend.config.ontap_config.storage_prefix` is set to.

https://issues.redhat.com/browse/ECOPROJECT-2880

Signed-off-by: Roy Golan <rgolan@redhat.com>

Signed-off-by: Roy Golan <rgolan@redhat.com>
Signed-off-by: Martin Necas <mnecas@redhat.com>
Image created from 'https://github.com/kubev2v/forklift?rev=fef113294f3adc2a041c78b5bfc856798c87c16d'

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Image created from 'https://github.com/kubev2v/forklift?rev=fef113294f3adc2a041c78b5bfc856798c87c16d'

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Image created from 'https://github.com/kubev2v/forklift?rev=fef113294f3adc2a041c78b5bfc856798c87c16d'

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Image created from 'https://github.com/kubev2v/forklift?rev=fef113294f3adc2a041c78b5bfc856798c87c16d'

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
…6-1747218906

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
… tag to v1.23.6-1747333074

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
… tag to v1.23.6-2.1747189110

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Image created from 'https://github.com/kubev2v/forklift?rev=4afe71467378c9280e32d58bab009b1b787d3f73'

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Issue:
The forklift-volume-populator-controller is created with empty VSPHERE_XCOPY_VOLUME_POPULATOR_IMAGE.

Fix:
Add missing VSPHERE_XCOPY_VOLUME_POPULATOR_IMAGE to manager and run `make generate-manifests`

Signed-off-by: Martin Necas <mnecas@redhat.com>
Image created from 'https://github.com/kubev2v/forklift?rev=7ffd7a2b052ef586b28e96c6dd9be6cfb4950b96'

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
…el9 docker digest to 2a659b5

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
…2v#1923)

Rather than returning information from the collector database, use the
kubernetes client within the inventory controller to fetch information
for OCP 'host' providers.

See commit "inventory: Introduce concept of namespace-restricted host
providers" for a detailed explanation of changes in behavior for some
'host' providers.

---------

Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
Image created from 'https://github.com/kubev2v/forklift?rev=3a4bc1dac4c35e16465a35b9adfdb8b00594108c'

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
The build target contains the needed build tags to make sure the VIB
version is injected into the binary

Signed-off-by: Roy Golan <rgolan@redhat.com>
Issue:
Failed to migrate VM from vsphere provider skipped VDDK acceleration

Fix:
Block the warm plans migration without the VDDK as it's mandatory.

Ref: https://issues.redhat.com/browse/MTV-2687

Signed-off-by: Martin Necas <mnecas@redhat.com>
Image created from 'https://github.com/kubev2v/forklift-console-plugin?rev=48eb8800feb6b4fa6f3369dcd75b087737129001'

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Signed-off-by: yaacov <kobi.zamir@gmail.com>
… a non-ready state

Issue:
Creating a VMware provider with a wrong IP, for example https://10.10.10.10/sdk, ends with the provider being created in an "undefined" state, and the forklift-controller gets stuck.

Fix:
1. Add a timeout to the tls-certificate method.
2. Change provider condition upon timeout
3. Update provider status after validation failure
Ref: https://issues.redhat.com/browse/MTV-2669

Signed-off-by: Elad <ehazan@redhat.com>
Image created from 'https://github.com/kubev2v/forklift?rev=6a3ae9a9749acaeeb15794ca4e13fa9acce50de6'

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Signed-off-by: yaacov <kobi.zamir@gmail.com>
Signed-off-by: Martin Necas <mnecas@redhat.com>
Signed-off-by: Martin Necas <mnecas@redhat.com>
Image created from 'https://github.com/kubev2v/forklift?rev=5af5fb43da71d874d884089728aae365507057b1'

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Image created from 'https://github.com/kubev2v/forklift?rev=5af5fb43da71d874d884089728aae365507057b1'

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoSec scan found code issues:

  1. G115: integer overflow conversion uint64 -> int64, Severity: HIGH
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/filebacked/file.go:330:12
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/gob/encode.go:531:8
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/gob/encode.go:128:13
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/gob/encode.go:126:13
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/kubevirt.go:2360:15
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/vsphere/builder.go:880:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/vsphere/builder.go:879:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ova/builder.go:354:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ova/builder.go:353:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ovirt/builder.go:378:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ovirt/builder.go:377:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ovirt/builder.go:376:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/gob/encode.go:115:23
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/gob/encoder.go:77:34
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/gob/encode.go:371:25
    • ... (truncated), run gosec locally to capture all failure for the rule G115
  2. G404: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand), Severity: HIGH
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/vm_name_handler.go:112:16
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/kubevirt.go:1780:10
  3. G402: TLS MinVersion too low., Severity: HIGH
      1. File: /home/runner/work/bulwark/bulwark/target-repo/tests/suit/utils/http.go:27:22
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/util/util.go:82:9
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/client/openstack/client.go:192:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/forklift-api/webhooks/mutating-webhook/mutators/secret-mutator.go:95:62
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/validation/policy/client.go:199-201:32
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/provider/web/base/client.go:307-309:32
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/provider/container/ovirt/client.go:75:22
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ocp/builder.go:570-572:17
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/base/controller.go:146-148:16
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/client/openstack/client.go:180:48
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib-volume-populator/populator-machinery/controller.go:1071:52
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/validation/policy/client.go:204:24
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/provider/web/base/client.go:313:24
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/provider/container/ovirt/client.go:66:53
      1. File: /home/runner/work/bulwark/bulwark/target-repo/cmd/vsphere-xcopy-volume-populator/internal/vantara/vantara-api.go:122:53
    • ... (truncated), run gosec locally to capture all failure for the rule G402
  4. G401: Use of weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/util/util.go:99:9
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/inventory/model/table.go:667:7
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/provider/container/vsphere/utils.go:12:10
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/validation.go:1231:9
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ovirt/client.go:264:14
  5. G505: Blocklisted import crypto/sha1: weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/util/util.go:5:2
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/inventory/model/table.go:5:2
  6. G501: Blocklisted import crypto/md5: weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/provider/container/vsphere/utils.go:4:2
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/validation.go:5:2
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ovirt/client.go:4:2
  7. G602: slice index out of range, Severity: LOW
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/inventory/model/field.go:223:7
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/inventory/model/field.go:221:7

Please review these findings and fix the issues before merging.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoVulnCheck scan found vulnerabilities:

  1. GO-2024-2955
    • Module: github.com/gin-contrib/cors
    • Found in: v1.3.1
    • Fixed in: v1.6.0
    • Example Traces:
      1. pkg/lib/inventory/web/web.go:45:21: web.Start calls cors.New, which eventually calls web.Start
  2. GO-2025-4155
    • Module: stdlib
    • Found in: v1.24.10
    • Fixed in: v1.24.11
    • Example Traces:
      1. pkg/lib/inventory/web/client.go:286:20: web.Watch calls web.Watch$1, which eventually calls tls.VerifyHostname
      2. pkg/lib/util/util.go:72:33: util.GetTlsCertificate calls util.dialTLSWithTimeout, which eventually calls tls.processCertsFromClient
  3. GO-2025-4175
    • Module: stdlib
    • Found in: v1.24.10
    • Fixed in: v1.24.11
    • Example Traces:
      1. pkg/lib/util/util.go:72:33: util.GetTlsCertificate calls util.dialTLSWithTimeout, which eventually calls tls.processCertsFromClient

Please review these findings and fix the issues before merging.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoSec scan found code issues:

  1. G115: integer overflow conversion uint64 -> int64, Severity: HIGH
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/filebacked/file.go:330:12
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/gob/encode.go:531:8
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/gob/encode.go:128:13
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/gob/encode.go:126:13
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/kubevirt.go:2359:15
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/vsphere/builder.go:880:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/vsphere/builder.go:879:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ova/builder.go:354:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ova/builder.go:353:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ovirt/builder.go:378:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ovirt/builder.go:377:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ovirt/builder.go:376:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/gob/encode.go:115:23
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/gob/encoder.go:77:34
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/gob/encode.go:371:25
    • ... (truncated), run gosec locally to capture all failure for the rule G115
  2. G404: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand), Severity: HIGH
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/vm_name_handler.go:112:16
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/kubevirt.go:1779:10
  3. G402: TLS MinVersion too low., Severity: HIGH
      1. File: /home/runner/work/bulwark/bulwark/target-repo/tests/suit/utils/http.go:27:22
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/util/util.go:82:9
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/client/openstack/client.go:192:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/forklift-api/webhooks/mutating-webhook/mutators/secret-mutator.go:95:62
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/validation/policy/client.go:199-201:32
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/provider/web/base/client.go:307-309:32
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/provider/container/ovirt/client.go:75:22
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ocp/builder.go:570-572:17
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/base/controller.go:146-148:16
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/client/openstack/client.go:180:48
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib-volume-populator/populator-machinery/controller.go:1071:52
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/validation/policy/client.go:204:24
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/provider/web/base/client.go:313:24
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/provider/container/ovirt/client.go:66:53
      1. File: /home/runner/work/bulwark/bulwark/target-repo/cmd/vsphere-xcopy-volume-populator/internal/vantara/vantara-api.go:122:53
    • ... (truncated), run gosec locally to capture all failure for the rule G402
  4. G401: Use of weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/util/util.go:99:9
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/inventory/model/table.go:667:7
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/provider/container/vsphere/utils.go:12:10
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/validation.go:1231:9
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ovirt/client.go:264:14
  5. G505: Blocklisted import crypto/sha1: weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/util/util.go:5:2
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/inventory/model/table.go:5:2
  6. G501: Blocklisted import crypto/md5: weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/provider/container/vsphere/utils.go:4:2
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/validation.go:5:2
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ovirt/client.go:4:2
  7. G602: slice index out of range, Severity: LOW
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/inventory/model/field.go:223:7
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/inventory/model/field.go:221:7

Please review these findings and fix the issues before merging.

Arun Kurni and others added 2 commits December 10, 2025 11:29

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoVulnCheck scan found vulnerabilities:

  1. GO-2024-2955
    • Module: github.com/gin-contrib/cors
    • Found in: v1.3.1
    • Fixed in: v1.6.0
    • Example Traces:
      1. pkg/lib/inventory/web/web.go:45:21: web.Start calls cors.New, which eventually calls web.Start
  2. GO-2025-4155
    • Module: stdlib
    • Found in: v1.24.10
    • Fixed in: v1.24.11
    • Example Traces:
      1. pkg/lib/util/util.go:72:33: util.GetTlsCertificate calls util.dialTLSWithTimeout, which eventually calls tls.processCertsFromClient
      2. pkg/lib/inventory/web/client.go:286:20: web.Watch calls web.Watch$1, which eventually calls tls.VerifyHostname
  3. GO-2025-4175
    • Module: stdlib
    • Found in: v1.24.10
    • Fixed in: v1.24.11
    • Example Traces:
      1. pkg/lib/util/util.go:72:33: util.GetTlsCertificate calls util.dialTLSWithTimeout, which eventually calls tls.processCertsFromClient

Please review these findings and fix the issues before merging.

shphadnis and others added 2 commits December 12, 2025 16:40
PEM-9350: Windows 25 server VM shows "inaccessible boot device" error after migration

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ GoVulnCheck scan found vulnerabilities:

  1. GO-2024-2955
    • Module: github.com/gin-contrib/cors
    • Found in: v1.3.1
    • Fixed in: v1.6.0
    • Example Traces:
      1. pkg/lib/inventory/web/web.go:45:21: web.Start calls cors.New, which eventually calls web.Start

Please review these findings and fix the issues before merging.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoSec scan found code issues:

  1. G115: integer overflow conversion uint64 -> int64, Severity: HIGH
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/filebacked/file.go:330:12
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/gob/encode.go:531:8
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/gob/encode.go:128:13
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/gob/encode.go:126:13
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/kubevirt.go:2359:15
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/vsphere/builder.go:880:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/vsphere/builder.go:879:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ova/builder.go:354:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ova/builder.go:353:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ovirt/builder.go:378:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ovirt/builder.go:377:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ovirt/builder.go:376:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/gob/encode.go:115:23
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/gob/encoder.go:77:34
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/gob/encode.go:371:25
    • ... (truncated), run gosec locally to capture all failure for the rule G115
  2. G404: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand), Severity: HIGH
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/vm_name_handler.go:112:16
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/kubevirt.go:1779:10
  3. G402: TLS MinVersion too low., Severity: HIGH
      1. File: /home/runner/work/bulwark/bulwark/target-repo/tests/suit/utils/http.go:27:22
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/util/util.go:82:9
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/client/openstack/client.go:192:18
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/forklift-api/webhooks/mutating-webhook/mutators/secret-mutator.go:95:62
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/validation/policy/client.go:199-201:32
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/provider/web/base/client.go:307-309:32
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/provider/container/ovirt/client.go:75:22
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ocp/builder.go:570-572:17
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/base/controller.go:146-148:16
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/client/openstack/client.go:180:48
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib-volume-populator/populator-machinery/controller.go:1071:52
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/validation/policy/client.go:204:24
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/provider/web/base/client.go:313:24
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/provider/container/ovirt/client.go:66:53
      1. File: /home/runner/work/bulwark/bulwark/target-repo/cmd/vsphere-xcopy-volume-populator/internal/vantara/vantara-api.go:122:53
    • ... (truncated), run gosec locally to capture all failure for the rule G402
  4. G401: Use of weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/util/util.go:99:9
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/inventory/model/table.go:667:7
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/provider/container/vsphere/utils.go:12:10
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/validation.go:1231:9
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ovirt/client.go:264:14
  5. G505: Blocklisted import crypto/sha1: weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/util/util.go:5:2
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/inventory/model/table.go:5:2
  6. G501: Blocklisted import crypto/md5: weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/provider/container/vsphere/utils.go:4:2
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/validation.go:5:2
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/controller/plan/adapter/ovirt/client.go:4:2
  7. G602: slice index out of range, Severity: LOW
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/inventory/model/field.go:223:7
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/lib/inventory/model/field.go:221:7

Please review these findings and fix the issues before merging.

shphadnis and others added 2 commits January 29, 2026 08:28
Remove NVMe disk validation policies that were blocking migration of
VMs with NVMe disks, and add NVMe to the supported disk bus types
in the builder.

Changes:
- Delete nvme_disk.rego and nvme_disk test.rego validation policies
- Add container.NVME to sortedDisksAsLibvirt() and sortedDisksAsVmware()
  bus lists to properly include NVMe disks during migration

Source NVMe disks are converted to VirtIO (default) or SATA
(compatibility mode) on the target.

Based on upstream: MTV-2444
PEM-9675: Pull upstream changes to spectrocloud/forklift and validate the changes