From 55bf7793e3a0551b2349e5c886276057b2ca92b6 Mon Sep 17 00:00:00 2001 
From: ddl-ebrown Date: Mon, 22 Apr 2024 11:53:24 -0700 Subject: [PATCH] Upgrade go 1.19 -> 1.21 / resolve vulns MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Go 1.19 is no longer maintained - support ended on Sept 6 2023 Its last release was go 1.19.13 and has since become subject to a number of security vulnerabilities. - Updating to go 1.21 from go 1.19 resolves core go 1.19 vulns present: ✗ HIGH CVE-2023-45287 https://scout.docker.com/v/CVE-2023-45287?s=golang&n=stdlib&t=golang&vr=%3C1.20.0 Affected range : <1.20.0 Fixed version : 1.20.0 ✗ HIGH CVE-2023-45283 https://scout.docker.com/v/CVE-2023-45283?s=golang&n=stdlib&t=golang&vr=%3C1.20.11 Affected range : <1.20.11 Fixed version : 1.20.11 ✗ HIGH CVE-2023-39325 https://scout.docker.com/v/CVE-2023-39325?s=golang&n=stdlib&t=golang&vr=%3C1.20.10 Affected range : <1.20.10 Fixed version : 1.20.10 ✗ MEDIUM CVE-2023-29406 https://scout.docker.com/v/CVE-2023-29406?s=golang&n=stdlib&t=golang&vr=%3C1.19.11 Affected range : <1.19.11 Fixed version : 1.19.11 ✗ MEDIUM CVE-2023-39319 https://scout.docker.com/v/CVE-2023-39319?s=golang&n=stdlib&t=golang&vr=%3C1.20.8 Affected range : <1.20.8 Fixed version : 1.20.8 ✗ MEDIUM CVE-2023-39318 https://scout.docker.com/v/CVE-2023-39318?s=golang&n=stdlib&t=golang&vr=%3C1.20.8 Affected range : <1.20.8 Fixed version : 1.20.8 ✗ MEDIUM CVE-2023-45284 https://scout.docker.com/v/CVE-2023-45284?s=golang&n=stdlib&t=golang&vr=%3C1.20.11 Affected range : <1.20.11 Fixed version : 1.20.11 ✗ MEDIUM CVE-2023-39326 https://scout.docker.com/v/CVE-2023-39326?s=golang&n=stdlib&t=golang&vr=%3C1.20.12 Affected range : <1.20.12 Fixed version : 1.20.12 ✗ MEDIUM CVE-2023-29409 https://scout.docker.com/v/CVE-2023-29409?s=golang&n=stdlib&t=golang&vr=%3C1.19.12 Affected range : <1.19.12 Fixed version : 1.19.12 ✗ UNSPECIFIED CVE-2024-24785 https://scout.docker.com/v/CVE-2024-24785?s=golang&n=stdlib&t=golang&vr=%3C1.21.8 Affected range : <1.21.8 Fixed version : 1.21.8 
✗ UNSPECIFIED CVE-2024-24784 https://scout.docker.com/v/CVE-2024-24784?s=golang&n=stdlib&t=golang&vr=%3C1.21.8 Affected range : <1.21.8 Fixed version : 1.21.8 ✗ UNSPECIFIED CVE-2024-24783 https://scout.docker.com/v/CVE-2024-24783?s=golang&n=stdlib&t=golang&vr=%3C1.21.8 Affected range : <1.21.8 Fixed version : 1.21.8 ✗ UNSPECIFIED CVE-2023-45290 https://scout.docker.com/v/CVE-2023-45290?s=golang&n=stdlib&t=golang&vr=%3C1.21.8 Affected range : <1.21.8 Fixed version : 1.21.8 ✗ UNSPECIFIED CVE-2023-45289 https://scout.docker.com/v/CVE-2023-45289?s=golang&n=stdlib&t=golang&vr=%3C1.21.8 Affected range : <1.21.8 Fixed version : 1.21.8 ✗ UNSPECIFIED CVE-2023-45288 https://scout.docker.com/v/CVE-2023-45288?s=golang&n=stdlib&t=golang&vr=%3C1.21.9 Affected range : <1.21.9 Fixed version : 1.21.9 - Also upgrades the docker package to 26.0.2 which removes the issue described in https://github.com/docker/cli/issues/4437 and resolves vulnerabilities: ✗ HIGH CVE-2023-28840 [Unprotected Alternate Channel] https://scout.docker.com/v/CVE-2023-28840?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3E%3D1.12.0%2C%3C20.10.24 Affected range : >=1.12.0 : <20.10.24 Fixed version : 20.10.24 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L ✗ MEDIUM CVE-2024-24557 [Insufficient Verification of Data Authenticity] https://scout.docker.com/v/CVE-2024-24557?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C24.0.9 Affected range : <24.0.9 Fixed version : 24.0.9 CVSS Score : 6.9 CVSS Vector : CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L ✗ MEDIUM CVE-2023-28842 [Unprotected Alternate Channel] https://scout.docker.com/v/CVE-2023-28842?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3E%3D1.12.0%2C%3C20.10.24 Affected range : >=1.12.0 : <20.10.24 Fixed version : 20.10.24 CVSS Score : 6.8 CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N ✗ MEDIUM CVE-2023-28841 [Missing Encryption of Sensitive Data] 
https://scout.docker.com/v/CVE-2023-28841?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3E%3D1.12.0%2C%3C20.10.24 Affected range : >=1.12.0 : <20.10.24 Fixed version : 20.10.24 CVSS Score : 6.8 CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N ✗ MEDIUM CVE-2024-29018 [Incorrect Resource Transfer Between Spheres] https://scout.docker.com/v/CVE-2024-29018?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C23.0.11 Affected range : <23.0.11 Fixed version : 23.0.11 CVSS Score : 5.9 CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N ✗ MEDIUM GHSA-jq35-85cj-fj4p https://scout.docker.com/v/GHSA-jq35-85cj-fj4p?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C20.10.27 Affected range : <20.10.27 Fixed version : 24.0.7 ✗ UNSPECIFIED GMS-2023-3981 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] https://scout.docker.com/v/GMS-2023-3981?s=gitlab&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C20.10.27 Affected range : <20.10.27 Fixed version : v24.0.7 Signed-off-by: ddl-ebrown
---
 .github/workflows/checks.yml | 16 +++++++---------
 go.mod | 4 ++--
 go.sum | 3 +++
 3 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 211a7aab..7ff09c11 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -20,7 +20,7 @@ jobs:
 name: Lint
 uses: flyteorg/flytetools/.github/workflows/lint.yml@master
 with:
- go-version: 1.19
+ go-version: 1.21
 tests:
 name: Unit Tests
@@ -28,13 +28,13 @@ jobs:
 secrets:
 FLYTE_BOT_PAT: ${{ secrets.FLYTE_BOT_PAT }}
 with:
- go-version: 1.19
+ go-version: 1.21
 generate:
 name: Check Go Gennerate
 uses: flyteorg/flytetools/.github/workflows/go_generate.yml@master
 with:
- go-version: 1.19
+ go-version: 1.21
 dry_run_goreleaser:
 name: Dry Run Goreleaser
@@ -52,7 +52,7 @@ jobs:
 key: ${{ runner.os }}-go-${{ hashFiles('go.sum') }}
 - uses: actions/setup-go@v3
 with:
- go-version: '1.19'
+ go-version: '1.21'
 - name: Run GoReleaser dry run
 uses: goreleaser/goreleaser-action@v2
 with:
@@ -75,7 +75,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@v2
 with:
- go-version: 1.19
+ go-version: 1.21
 - name: Build Flytectl binary
 run: make compile
 - name: Create a sandbox cluster
@@ -111,7 +111,7 @@ jobs:
 lfs: true
 - uses: actions/setup-go@v1
 with:
- go-version: '1.19'
+ go-version: '1.21'
 - uses: actions/setup-python@v1
 with:
 python-version: 3.8
@@ -157,9 +157,7 @@ jobs:
 needs: [ bump_version ]
 # Only to ensure it can successfully build
 uses: flyteorg/flytetools/.github/workflows/goreleaser.yml@master
 with:
- # https://github.com/docker/cli/issues/4437 describes an issue that affects the latest
- # version of go 1.19 and 1.20, so pinning to latest known good version for now.
- go-version: "1.19.10"
+ go-version: "1.21"
 secrets:
 FLYTE_BOT_PAT: ${{ secrets.FLYTE_BOT_PAT }}
diff --git a/go.mod b/go.mod
index 700445c9..3ce6fb45 100644
--- a/go.mod
+++ b/go.mod
@@ -1,13 +1,13 @@
 module github.com/flyteorg/flytectl
-go 1.19
+go 1.21
 require (
 github.com/apoorvam/goterminal v0.0.0-20180523175556-614d345c47e5
 github.com/avast/retry-go v3.0.0+incompatible
 github.com/awalterschulze/gographviz v2.0.3+incompatible
 github.com/disiqueira/gotree v1.0.0
- github.com/docker/docker v20.10.7+incompatible
+ github.com/docker/docker v26.0.2+incompatible
 github.com/docker/go-connections v0.4.0
 github.com/enescakir/emoji v1.0.0
 github.com/flyteorg/flyte/flyteidl v1.9.12
diff --git a/go.sum b/go.sum
index 88b64583..f975d6c4 100644
--- a/go.sum
+++ b/go.sum
@@ -313,6 +313,8 @@ github.com/docker/distribution v2.8.0+incompatible h1:l9EaZDICImO1ngI+uTifW+ZYvv
 github.com/docker/distribution v2.8.0+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v20.10.7+incompatible h1:Z6O9Nhsjv+ayUEeI1IojKbYcsGdgYSNqxe1s2MYzUhQ=
 github.com/docker/docker v20.10.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.0.2+incompatible h1:yGVmKUFGgcxA6PXWAokO0sQL22BrQ67cgVjko8tGdXE=
+github.com/docker/docker v26.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-events v0.0.0-20170721190031-9461782956ad/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
@@ -1429,6 +1431,7 @@ k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAG
 k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42/go.mod h1:Z/45zLw8lUo4wdiUkI+v/ImEGAvu3WatcZl3lPMR4Rk=
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg=
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg=
+k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk=
 k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=