This repository has been archived by the owner on May 31, 2024. It is now read-only.

Upgrade go 1.19 -> 1.21 / resolve vulns
 - Go 1.19 is no longer maintained - support ended on Sept 6 2023
   Its last release was go 1.19.13 and has since become subject to a
   number of security vulnerabilities.

 - Updating to go 1.21 from go 1.19 resolves core go 1.19 vulns present:

    ✗ HIGH CVE-2023-45287
      https://scout.docker.com/v/CVE-2023-45287?s=golang&n=stdlib&t=golang&vr=%3C1.20.0
      Affected range : <1.20.0
      Fixed version  : 1.20.0

    ✗ HIGH CVE-2023-45283
      https://scout.docker.com/v/CVE-2023-45283?s=golang&n=stdlib&t=golang&vr=%3C1.20.11
      Affected range : <1.20.11
      Fixed version  : 1.20.11

    ✗ HIGH CVE-2023-39325
      https://scout.docker.com/v/CVE-2023-39325?s=golang&n=stdlib&t=golang&vr=%3C1.20.10
      Affected range : <1.20.10
      Fixed version  : 1.20.10

    ✗ MEDIUM CVE-2023-29406
      https://scout.docker.com/v/CVE-2023-29406?s=golang&n=stdlib&t=golang&vr=%3C1.19.11
      Affected range : <1.19.11
      Fixed version  : 1.19.11

    ✗ MEDIUM CVE-2023-39319
      https://scout.docker.com/v/CVE-2023-39319?s=golang&n=stdlib&t=golang&vr=%3C1.20.8
      Affected range : <1.20.8
      Fixed version  : 1.20.8

    ✗ MEDIUM CVE-2023-39318
      https://scout.docker.com/v/CVE-2023-39318?s=golang&n=stdlib&t=golang&vr=%3C1.20.8
      Affected range : <1.20.8
      Fixed version  : 1.20.8

    ✗ MEDIUM CVE-2023-45284
      https://scout.docker.com/v/CVE-2023-45284?s=golang&n=stdlib&t=golang&vr=%3C1.20.11
      Affected range : <1.20.11
      Fixed version  : 1.20.11

    ✗ MEDIUM CVE-2023-39326
      https://scout.docker.com/v/CVE-2023-39326?s=golang&n=stdlib&t=golang&vr=%3C1.20.12
      Affected range : <1.20.12
      Fixed version  : 1.20.12

    ✗ MEDIUM CVE-2023-29409
      https://scout.docker.com/v/CVE-2023-29409?s=golang&n=stdlib&t=golang&vr=%3C1.19.12
      Affected range : <1.19.12
      Fixed version  : 1.19.12

    ✗ UNSPECIFIED CVE-2024-24785
      https://scout.docker.com/v/CVE-2024-24785?s=golang&n=stdlib&t=golang&vr=%3C1.21.8
      Affected range : <1.21.8
      Fixed version  : 1.21.8

    ✗ UNSPECIFIED CVE-2024-24784
      https://scout.docker.com/v/CVE-2024-24784?s=golang&n=stdlib&t=golang&vr=%3C1.21.8
      Affected range : <1.21.8
      Fixed version  : 1.21.8

    ✗ UNSPECIFIED CVE-2024-24783
      https://scout.docker.com/v/CVE-2024-24783?s=golang&n=stdlib&t=golang&vr=%3C1.21.8
      Affected range : <1.21.8
      Fixed version  : 1.21.8

    ✗ UNSPECIFIED CVE-2023-45290
      https://scout.docker.com/v/CVE-2023-45290?s=golang&n=stdlib&t=golang&vr=%3C1.21.8
      Affected range : <1.21.8
      Fixed version  : 1.21.8

    ✗ UNSPECIFIED CVE-2023-45289
      https://scout.docker.com/v/CVE-2023-45289?s=golang&n=stdlib&t=golang&vr=%3C1.21.8
      Affected range : <1.21.8
      Fixed version  : 1.21.8

    ✗ UNSPECIFIED CVE-2023-45288
      https://scout.docker.com/v/CVE-2023-45288?s=golang&n=stdlib&t=golang&vr=%3C1.21.9
      Affected range : <1.21.9
      Fixed version  : 1.21.9

 - Also upgrades the docker package to 26.0.2 which removes the issue
   described in docker/cli#4437 and resolves
   vulnerabilities:

    ✗ HIGH CVE-2023-28840 [Unprotected Alternate Channel]
      https://scout.docker.com/v/CVE-2023-28840?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3E%3D1.12.0%2C%3C20.10.24
      Affected range : >=1.12.0
                     : <20.10.24
      Fixed version  : 20.10.24
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L

    ✗ MEDIUM CVE-2024-24557 [Insufficient Verification of Data Authenticity]
      https://scout.docker.com/v/CVE-2024-24557?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C24.0.9
      Affected range : <24.0.9
      Fixed version  : 24.0.9
      CVSS Score     : 6.9
      CVSS Vector    : CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L

    ✗ MEDIUM CVE-2023-28842 [Unprotected Alternate Channel]
      https://scout.docker.com/v/CVE-2023-28842?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3E%3D1.12.0%2C%3C20.10.24
      Affected range : >=1.12.0
                     : <20.10.24
      Fixed version  : 20.10.24
      CVSS Score     : 6.8
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

    ✗ MEDIUM CVE-2023-28841 [Missing Encryption of Sensitive Data]
      https://scout.docker.com/v/CVE-2023-28841?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3E%3D1.12.0%2C%3C20.10.24
      Affected range : >=1.12.0
                     : <20.10.24
      Fixed version  : 20.10.24
      CVSS Score     : 6.8
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

    ✗ MEDIUM CVE-2024-29018 [Incorrect Resource Transfer Between Spheres]
      https://scout.docker.com/v/CVE-2024-29018?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C23.0.11
      Affected range : <23.0.11
      Fixed version  : 23.0.11
      CVSS Score     : 5.9
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

    ✗ MEDIUM GHSA-jq35-85cj-fj4p
      https://scout.docker.com/v/GHSA-jq35-85cj-fj4p?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C20.10.27
      Affected range : <20.10.27
      Fixed version  : 24.0.7

    ✗ UNSPECIFIED GMS-2023-3981 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
      https://scout.docker.com/v/GMS-2023-3981?s=gitlab&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C20.10.27
      Affected range : <20.10.27
      Fixed version  : v24.0.7

Signed-off-by: ddl-ebrown <[email protected]>
ddl-ebrown committed Apr 22, 2024
1 parent 288215b commit 55bf779
Showing 3 changed files with 12 additions and 11 deletions.
16 changes: 7 additions & 9 deletions .github/workflows/checks.yml
@@ -20,21 +20,21 @@ jobs:
name: Lint
uses: flyteorg/flytetools/.github/workflows/lint.yml@master
with:
go-version: 1.19
go-version: 1.21

tests:
name: Unit Tests
uses: flyteorg/flytetools/.github/workflows/tests.yml@master
secrets:
FLYTE_BOT_PAT: ${{ secrets.FLYTE_BOT_PAT }}
with:
go-version: 1.19
go-version: 1.21

generate:
name: Check Go Gennerate
uses: flyteorg/flytetools/.github/workflows/go_generate.yml@master
with:
go-version: 1.19
go-version: 1.21

dry_run_goreleaser:
name: Dry Run Goreleaser
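Review bot: the three `go-version: 1.21` values in this hunk are unquoted YAML scalars while the later jobs in the same file quote theirs (`'1.21'`, `"1.21"`); a bare `1.21` is parsed as a number, which happens to round-trip here but would turn a future `1.30`-style value into `1.3`, so quote it as `go-version: "1.21"` for consistency. Note also that a minor-only version floats to whatever 1.21.x the reusable workflow resolves at run time, so the stdlib fixes the commit message lists as landing in 1.21.8 and 1.21.9 are only in the build if that resolution yields a patch release at or above them.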
@@ -52,7 +52,7 @@ jobs:
key: ${{ runner.os }}-go-${{ hashFiles('go.sum') }}
- uses: actions/setup-go@v3
with:
go-version: '1.19'
go-version: '1.21'
- name: Run GoReleaser dry run
uses: goreleaser/goreleaser-action@v2
with:
@@ -75,7 +75,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.19
go-version: 1.21
- name: Build Flytectl binary
run: make compile
- name: Create a sandbox cluster
@@ -111,7 +111,7 @@ jobs:
lfs: true
- uses: actions/setup-go@v1
with:
go-version: '1.19'
go-version: '1.21'
- uses: actions/setup-python@v1
with:
python-version: 3.8
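Review bot: this job still uses `actions/setup-go@v1` while the dry-run job uses `@v3` and the build job `@v2`; the three majors differ in how they resolve a version spec like `'1.21'` and which patch they fetch, so the jobs in this workflow may not all end up on the same 1.21.x. Moving every job to one current setup-go major would make the patch level, and therefore which of the listed CVE fixes are actually present, uniform across the workflow.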
@@ -157,9 +157,7 @@ jobs:
needs: [ bump_version ] # Only to ensure it can successfully build
uses: flyteorg/flytetools/.github/workflows/goreleaser.yml@master
with:
# https://github.com/docker/cli/issues/4437 describes an issue that affects the latest
# version of go 1.19 and 1.20, so pinning to latest known good version for now.
go-version: "1.19.10"
go-version: "1.21"
secrets:
FLYTE_BOT_PAT: ${{ secrets.FLYTE_BOT_PAT }}
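Review bot: the exact pin `"1.19.10"` and the comment explaining it are replaced with a floating `"1.21"`, so the release build now takes the latest 1.21.x available rather than a known version; that is the right direction for picking up the 1.21.8/1.21.9 stdlib fixes named in the message, but a one-line comment recording that the docker v26.0.2 bump is what made the docker/cli#4437 pin unnecessary would preserve the reasoning being deleted here. If the reusable workflow hands this value to actions/setup-go, which accepts semver ranges, `">=1.21.9"` would also state explicitly the minimum the commit message relies on.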

4 changes: 2 additions & 2 deletions go.mod
@@ -1,13 +1,13 @@
module github.com/flyteorg/flytectl

go 1.19
go 1.21

require (
github.com/apoorvam/goterminal v0.0.0-20180523175556-614d345c47e5
github.com/avast/retry-go v3.0.0+incompatible
github.com/awalterschulze/gographviz v2.0.3+incompatible
github.com/disiqueira/gotree v1.0.0
github.com/docker/docker v20.10.7+incompatible
github.com/docker/docker v26.0.2+incompatible
github.com/docker/go-connections v0.4.0
github.com/enescakir/emoji v1.0.0
github.com/flyteorg/flyte/flyteidl v1.9.12
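Review bot: `github.com/docker/docker` goes from v20.10.7 to v26.0.2 in one step, both `+incompatible` (no go.mod of their own), while this commit touches no Go source; the client API changed in places across those majors, so the Unit Tests and Check Go Generate jobs are the only confirmation that the existing call sites still compile and should be green before merge. The `go 1.21` directive is fine as written: from Go 1.21 the `go` line is a minimum that newer toolchains enforce (or satisfy by downloading a toolchain under `GOTOOLCHAIN=auto`), so developers on an older go will not silently build against it.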
3 changes: 3 additions & 0 deletions go.sum
@@ -313,6 +313,8 @@ github.com/docker/distribution v2.8.0+incompatible h1:l9EaZDICImO1ngI+uTifW+ZYvv
github.com/docker/distribution v2.8.0+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/docker v20.10.7+incompatible h1:Z6O9Nhsjv+ayUEeI1IojKbYcsGdgYSNqxe1s2MYzUhQ=
github.com/docker/docker v20.10.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker v26.0.2+incompatible h1:yGVmKUFGgcxA6PXWAokO0sQL22BrQ67cgVjko8tGdXE=
github.com/docker/docker v26.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
github.com/docker/go-events v0.0.0-20170721190031-9461782956ad/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
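Review bot: the two `v20.10.7+incompatible` entries just above the new ones survive (the file summary shows 3 additions and 0 deletions), so go.sum is carrying stale hashes for a version that is no longer required; a `go mod tidy` run would drop them and confirm the module graph is consistent with go.mod. The identical `/go.mod h1:eEKB0N...` hash on both versions is expected rather than suspicious: a `+incompatible` module has no go.mod file, so the hash covers the synthesized one-line `module` stanza, which is the same for every version.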
@@ -1429,6 +1431,7 @@ k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAG
k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42/go.mod h1:Z/45zLw8lUo4wdiUkI+v/ImEGAvu3WatcZl3lPMR4Rk=
k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg=
k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg=
k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk=
k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
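Review bot: `k8s.io/kubernetes v1.13.0/go.mod` appears here with no matching require in go.mod, so it entered the module graph transitively through the docker bump; it is a go.mod-only hash (nothing from that module is built), which is harmless, but `go mod why -m k8s.io/kubernetes` is a quick way to record which dependency pulled it in.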

0 comments on commit 55bf779
