This repository has been archived by the owner on May 31, 2024. It is now read-only.

Upgrade go 1.19 -> 1.21 / resolve vulns #472

Closed
wants to merge 1 commit into from

Commits on Apr 22, 2024

  1. Upgrade go 1.19 -> 1.21 / resolve vulns

     - Go 1.19 is no longer maintained - support ended on Sept 6 2023
       Its last release was go 1.19.13 and has since become subject to a
       number of security vulnerabilities.
    
     - Updating to go 1.21 from go 1.19 resolves core go 1.19 vulns present:
    
        ✗ HIGH CVE-2023-45287
          https://scout.docker.com/v/CVE-2023-45287?s=golang&n=stdlib&t=golang&vr=%3C1.20.0
          Affected range : <1.20.0
          Fixed version  : 1.20.0
    
        ✗ HIGH CVE-2023-45283
          https://scout.docker.com/v/CVE-2023-45283?s=golang&n=stdlib&t=golang&vr=%3C1.20.11
          Affected range : <1.20.11
          Fixed version  : 1.20.11
    
        ✗ HIGH CVE-2023-39325
          https://scout.docker.com/v/CVE-2023-39325?s=golang&n=stdlib&t=golang&vr=%3C1.20.10
          Affected range : <1.20.10
          Fixed version  : 1.20.10
    
        ✗ MEDIUM CVE-2023-29406
          https://scout.docker.com/v/CVE-2023-29406?s=golang&n=stdlib&t=golang&vr=%3C1.19.11
          Affected range : <1.19.11
          Fixed version  : 1.19.11
    
        ✗ MEDIUM CVE-2023-39319
          https://scout.docker.com/v/CVE-2023-39319?s=golang&n=stdlib&t=golang&vr=%3C1.20.8
          Affected range : <1.20.8
          Fixed version  : 1.20.8
    
        ✗ MEDIUM CVE-2023-39318
          https://scout.docker.com/v/CVE-2023-39318?s=golang&n=stdlib&t=golang&vr=%3C1.20.8
          Affected range : <1.20.8
          Fixed version  : 1.20.8
    
        ✗ MEDIUM CVE-2023-45284
          https://scout.docker.com/v/CVE-2023-45284?s=golang&n=stdlib&t=golang&vr=%3C1.20.11
          Affected range : <1.20.11
          Fixed version  : 1.20.11
    
        ✗ MEDIUM CVE-2023-39326
          https://scout.docker.com/v/CVE-2023-39326?s=golang&n=stdlib&t=golang&vr=%3C1.20.12
          Affected range : <1.20.12
          Fixed version  : 1.20.12
    
        ✗ MEDIUM CVE-2023-29409
          https://scout.docker.com/v/CVE-2023-29409?s=golang&n=stdlib&t=golang&vr=%3C1.19.12
          Affected range : <1.19.12
          Fixed version  : 1.19.12
    
        ✗ UNSPECIFIED CVE-2024-24785
          https://scout.docker.com/v/CVE-2024-24785?s=golang&n=stdlib&t=golang&vr=%3C1.21.8
          Affected range : <1.21.8
          Fixed version  : 1.21.8
    
        ✗ UNSPECIFIED CVE-2024-24784
          https://scout.docker.com/v/CVE-2024-24784?s=golang&n=stdlib&t=golang&vr=%3C1.21.8
          Affected range : <1.21.8
          Fixed version  : 1.21.8
    
        ✗ UNSPECIFIED CVE-2024-24783
          https://scout.docker.com/v/CVE-2024-24783?s=golang&n=stdlib&t=golang&vr=%3C1.21.8
          Affected range : <1.21.8
          Fixed version  : 1.21.8
    
        ✗ UNSPECIFIED CVE-2023-45290
          https://scout.docker.com/v/CVE-2023-45290?s=golang&n=stdlib&t=golang&vr=%3C1.21.8
          Affected range : <1.21.8
          Fixed version  : 1.21.8
    
        ✗ UNSPECIFIED CVE-2023-45289
          https://scout.docker.com/v/CVE-2023-45289?s=golang&n=stdlib&t=golang&vr=%3C1.21.8
          Affected range : <1.21.8
          Fixed version  : 1.21.8
    
        ✗ UNSPECIFIED CVE-2023-45288
          https://scout.docker.com/v/CVE-2023-45288?s=golang&n=stdlib&t=golang&vr=%3C1.21.9
          Affected range : <1.21.9
          Fixed version  : 1.21.9
    
     - Also upgrades the docker package to 26.0.2 which removes the issue
       described in docker/cli#4437 and resolves
       vulnerabilities:
    
        ✗ HIGH CVE-2023-28840 [Unprotected Alternate Channel]
          https://scout.docker.com/v/CVE-2023-28840?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3E%3D1.12.0%2C%3C20.10.24
          Affected range : >=1.12.0
                         : <20.10.24
          Fixed version  : 20.10.24
          CVSS Score     : 7.5
          CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L
    
        ✗ MEDIUM CVE-2024-24557 [Insufficient Verification of Data Authenticity]
          https://scout.docker.com/v/CVE-2024-24557?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C24.0.9
          Affected range : <24.0.9
          Fixed version  : 24.0.9
          CVSS Score     : 6.9
          CVSS Vector    : CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L
    
        ✗ MEDIUM CVE-2023-28842 [Unprotected Alternate Channel]
          https://scout.docker.com/v/CVE-2023-28842?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3E%3D1.12.0%2C%3C20.10.24
          Affected range : >=1.12.0
                         : <20.10.24
          Fixed version  : 20.10.24
          CVSS Score     : 6.8
          CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
    
        ✗ MEDIUM CVE-2023-28841 [Missing Encryption of Sensitive Data]
          https://scout.docker.com/v/CVE-2023-28841?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3E%3D1.12.0%2C%3C20.10.24
          Affected range : >=1.12.0
                         : <20.10.24
          Fixed version  : 20.10.24
          CVSS Score     : 6.8
          CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
    
        ✗ MEDIUM CVE-2024-29018 [Incorrect Resource Transfer Between Spheres]
          https://scout.docker.com/v/CVE-2024-29018?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C23.0.11
          Affected range : <23.0.11
          Fixed version  : 23.0.11
          CVSS Score     : 5.9
          CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
    
        ✗ MEDIUM GHSA-jq35-85cj-fj4p
          https://scout.docker.com/v/GHSA-jq35-85cj-fj4p?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C20.10.27
          Affected range : <20.10.27
          Fixed version  : 24.0.7
    
        ✗ UNSPECIFIED GMS-2023-3981 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
          https://scout.docker.com/v/GMS-2023-3981?s=gitlab&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C20.10.27
          Affected range : <20.10.27
          Fixed version  : v24.0.7
    
     - Run go mod tidy to pick up other related dependency bumps
    
    Signed-off-by: ddl-ebrown <[email protected]>
    ddl-ebrown committed Apr 22, 2024
    Commit 7b30c9d
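The commit message above says the Go bump is "1.19 -> 1.21", but several of the findings it quotes (CVE-2024-24785, CVE-2023-45288 and friends) are fixed only in 1.21.8 or 1.21.9, so a plain "1.21" toolchain pin would still leave them open. The following Go program is an added example, not code from this PR or the project: it parses the "Fixed version" lines of a Docker Scout-style report and lists the advisories a given toolchain version does not yet clear. `scanReport` is a constructed excerpt of the report quoted above, and `ParseVersion`, `ParseFindings` and `Unfixed` are names chosen here, not part of any scanner API.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// scanReport is a constructed sample in the shape of the Docker Scout output
// quoted in the commit message (a subset of its Go stdlib findings).
const scanReport = `
    ✗ HIGH CVE-2023-45287
      Affected range : <1.20.0
      Fixed version  : 1.20.0

    ✗ MEDIUM CVE-2023-29406
      Affected range : <1.19.11
      Fixed version  : 1.19.11

    ✗ UNSPECIFIED CVE-2024-24785
      Affected range : <1.21.8
      Fixed version  : 1.21.8

    ✗ UNSPECIFIED CVE-2023-45288
      Affected range : <1.21.9
      Fixed version  : 1.21.9
`

// Version is a Go toolchain version; "1.21" parses as 1.21.0, which is the
// point of the check: a minor-only pin is the oldest patch level, not the newest.
type Version struct{ Major, Minor, Patch int }

// ParseVersion accepts "1.21", "1.21.9" or "go1.21.9".
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return Version{}, fmt.Errorf("bad version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return Version{}, fmt.Errorf("bad version %q", s)
		}
		nums[i] = n
	}
	return Version{nums[0], nums[1], nums[2]}, nil
}

// Less reports whether v is older than o.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// Finding pairs an advisory id with the first version that fixes it.
type Finding struct {
	ID    string
	Fixed Version
}

var (
	findingRe = regexp.MustCompile(`^✗\s+\S+\s+(\S+)`)
	fixedRe   = regexp.MustCompile(`^Fixed version\s*:\s*v?(\S+)`)
)

// ParseFindings walks the report line by line, pairing each "✗ <severity> <id>"
// header with the "Fixed version" line that follows it.
func ParseFindings(report string) ([]Finding, error) {
	var out []Finding
	current := ""
	for _, raw := range strings.Split(report, "\n") {
		line := strings.TrimSpace(raw)
		if m := findingRe.FindStringSubmatch(line); m != nil {
			current = m[1]
			continue
		}
		if m := fixedRe.FindStringSubmatch(line); m != nil {
			if current == "" {
				return nil, fmt.Errorf("fixed version without a finding: %q", line)
			}
			v, err := ParseVersion(m[1])
			if err != nil {
				return nil, fmt.Errorf("%s: %w", current, err)
			}
			out = append(out, Finding{ID: current, Fixed: v})
			current = ""
		}
	}
	return out, nil
}

// Unfixed returns the ids of findings whose fix version is newer than toolchain,
// i.e. the advisories that would still apply after pinning that toolchain.
func Unfixed(toolchain Version, findings []Finding) []string {
	var ids []string
	for _, f := range findings {
		if toolchain.Less(f.Fixed) {
			ids = append(ids, f.ID)
		}
	}
	return ids
}

func main() {
	findings, err := ParseFindings(scanReport)
	if err != nil {
		panic(err)
	}
	for _, tc := range []string{"1.19.13", "1.21", "1.21.9"} {
		v, _ := ParseVersion(tc)
		fmt.Printf("go%s still affected by: %v\n", tc, Unfixed(v, findings))
	}
}
```

Run against the excerpt, "1.21" still reports the two 1.21.x advisories while "1.21.9" clears all of them, which is the patch level a reviewer would want to see in the Dockerfile or go.mod `go`/`toolchain` line rather than a bare minor version.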