Upgrade go 1.19 -> 1.21 / resolve vulns

- Go 1.19 is no longer maintained - support ended on Sept 6 2023 It's last release was go 1.19.13 and has since become subject to a number of security vulnerabilities. - Updating to go 1.21 from go 1.19 resolves core go 1.19 vulns present: ✗ HIGH CVE-2023-45287 https://scout.docker.com/v/CVE-2023-45287?s=golang&n=stdlib&t=golang&vr=%3C1.20.0 Affected range : <1.20.0 Fixed version : 1.20.0 ✗ HIGH CVE-2023-45283 https://scout.docker.com/v/CVE-2023-45283?s=golang&n=stdlib&t=golang&vr=%3C1.20.11 Affected range : <1.20.11 Fixed version : 1.20.11 ✗ HIGH CVE-2023-39325 https://scout.docker.com/v/CVE-2023-39325?s=golang&n=stdlib&t=golang&vr=%3C1.20.10 Affected range : <1.20.10 Fixed version : 1.20.10 ✗ MEDIUM CVE-2023-29406 https://scout.docker.com/v/CVE-2023-29406?s=golang&n=stdlib&t=golang&vr=%3C1.19.11 Affected range : <1.19.11 Fixed version : 1.19.11 ✗ MEDIUM CVE-2023-39319 https://scout.docker.com/v/CVE-2023-39319?s=golang&n=stdlib&t=golang&vr=%3C1.20.8 Affected range : <1.20.8 Fixed version : 1.20.8 ✗ MEDIUM CVE-2023-39318 https://scout.docker.com/v/CVE-2023-39318?s=golang&n=stdlib&t=golang&vr=%3C1.20.8 Affected range : <1.20.8 Fixed version : 1.20.8 ✗ MEDIUM CVE-2023-45284 https://scout.docker.com/v/CVE-2023-45284?s=golang&n=stdlib&t=golang&vr=%3C1.20.11 Affected range : <1.20.11 Fixed version : 1.20.11 ✗ MEDIUM CVE-2023-39326 https://scout.docker.com/v/CVE-2023-39326?s=golang&n=stdlib&t=golang&vr=%3C1.20.12 Affected range : <1.20.12 Fixed version : 1.20.12 ✗ MEDIUM CVE-2023-29409 https://scout.docker.com/v/CVE-2023-29409?s=golang&n=stdlib&t=golang&vr=%3C1.19.12 Affected range : <1.19.12 Fixed version : 1.19.12 ✗ UNSPECIFIED CVE-2024-24785 https://scout.docker.com/v/CVE-2024-24785?s=golang&n=stdlib&t=golang&vr=%3C1.21.8 Affected range : <1.21.8 Fixed version : 1.21.8 ✗ UNSPECIFIED CVE-2024-24784 https://scout.docker.com/v/CVE-2024-24784?s=golang&n=stdlib&t=golang&vr=%3C1.21.8 Affected range : <1.21.8 Fixed version : 1.21.8 ✗ UNSPECIFIED CVE-2024-24783 https://scout.docker.com/v/CVE-2024-24783?s=golang&n=stdlib&t=golang&vr=%3C1.21.8 Affected range : <1.21.8 Fixed version : 1.21.8 ✗ UNSPECIFIED CVE-2023-45290 https://scout.docker.com/v/CVE-2023-45290?s=golang&n=stdlib&t=golang&vr=%3C1.21.8 Affected range : <1.21.8 Fixed version : 1.21.8 ✗ UNSPECIFIED CVE-2023-45289 https://scout.docker.com/v/CVE-2023-45289?s=golang&n=stdlib&t=golang&vr=%3C1.21.8 Affected range : <1.21.8 Fixed version : 1.21.8 ✗ UNSPECIFIED CVE-2023-45288 https://scout.docker.com/v/CVE-2023-45288?s=golang&n=stdlib&t=golang&vr=%3C1.21.9 Affected range : <1.21.9 Fixed version : 1.21.9 - Also upgrades the docker package to 26.0.2 which removes the issue described in docker/cli#4437 and resolves vulnerabilities: ✗ HIGH CVE-2023-28840 [Unprotected Alternate Channel] https://scout.docker.com/v/CVE-2023-28840?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3E%3D1.12.0%2C%3C20.10.24 Affected range : >=1.12.0 : <20.10.24 Fixed version : 20.10.24 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L ✗ MEDIUM CVE-2024-24557 [Insufficient Verification of Data Authenticity] https://scout.docker.com/v/CVE-2024-24557?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C24.0.9 Affected range : <24.0.9 Fixed version : 24.0.9 CVSS Score : 6.9 CVSS Vector : CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L ✗ MEDIUM CVE-2023-28842 [Unprotected Alternate Channel] https://scout.docker.com/v/CVE-2023-28842?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3E%3D1.12.0%2C%3C20.10.24 Affected range : >=1.12.0 : <20.10.24 Fixed version : 20.10.24 CVSS Score : 6.8 CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N ✗ MEDIUM CVE-2023-28841 [Missing Encryption of Sensitive Data] https://scout.docker.com/v/CVE-2023-28841?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3E%3D1.12.0%2C%3C20.10.24 Affected range : >=1.12.0 : <20.10.24 Fixed version : 20.10.24 CVSS Score : 6.8 CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N ✗ MEDIUM CVE-2024-29018 [Incorrect Resource Transfer Between Spheres] https://scout.docker.com/v/CVE-2024-29018?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C23.0.11 Affected range : <23.0.11 Fixed version : 23.0.11 CVSS Score : 5.9 CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N ✗ MEDIUM GHSA-jq35-85cj-fj4p https://scout.docker.com/v/GHSA-jq35-85cj-fj4p?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C20.10.27 Affected range : <20.10.27 Fixed version : 24.0.7 ✗ UNSPECIFIED GMS-2023-3981 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] https://scout.docker.com/v/GMS-2023-3981?s=gitlab&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C20.10.27 Affected range : <20.10.27 Fixed version : v24.0.7 - Run go mod tidy to pick up other related dependency bumps Signed-off-by: ddl-ebrown <ethan.brown@dominodatalab.com>
flyteorg · Apr 22, 2024 · 7b30c9d · 7b30c9d
1 parent 288215b
commit 7b30c9d
Show file tree

Hide file tree

Showing 3 changed files with 169 additions and 541 deletions.
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -20,21 +20,21 @@ jobs:
     name: Lint
     uses: flyteorg/flytetools/.github/workflows/lint.yml@master
     with:
-      go-version: 1.19
+      go-version: 1.21
 
   tests:
     name: Unit Tests
     uses: flyteorg/flytetools/.github/workflows/tests.yml@master
     secrets:
       FLYTE_BOT_PAT: ${{ secrets.FLYTE_BOT_PAT }}
     with:
-      go-version: 1.19
+      go-version: 1.21
 
   generate:
     name: Check Go Gennerate
     uses: flyteorg/flytetools/.github/workflows/go_generate.yml@master
     with:
-      go-version: 1.19
+      go-version: 1.21
 
   dry_run_goreleaser:
     name: Dry Run Goreleaser
@@ -52,7 +52,7 @@ jobs:
           key: ${{ runner.os }}-go-${{ hashFiles('go.sum') }}
       - uses: actions/setup-go@v3
         with:
-          go-version: '1.19'
+          go-version: '1.21'
       - name: Run GoReleaser dry run
         uses: goreleaser/goreleaser-action@v2
         with:
@@ -75,7 +75,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.19
+          go-version: 1.21
       - name: Build Flytectl binary
         run: make compile
       - name: Create a sandbox cluster
@@ -111,7 +111,7 @@ jobs:
           lfs: true
       - uses: actions/setup-go@v1
         with:
-          go-version: '1.19'
+          go-version: '1.21'
       - uses: actions/setup-python@v1
         with:
           python-version: 3.8
@@ -157,9 +157,7 @@ jobs:
     needs: [ bump_version ] # Only to ensure it can successfully build
     uses: flyteorg/flytetools/.github/workflows/goreleaser.yml@master
     with:
-      # https://github.com/docker/cli/issues/4437 describes an issue that affects the latest
-      # version of go 1.19 and 1.20, so pinning to latest known good version for now.
-      go-version: "1.19.10"
+      go-version: "1.21"
     secrets:
       FLYTE_BOT_PAT: ${{ secrets.FLYTE_BOT_PAT }}
 
diff --git a/go.mod b/go.mod
@@ -1,23 +1,23 @@
 module github.com/flyteorg/flytectl
 
-go 1.19
+go 1.21
 
 require (
 	github.com/apoorvam/goterminal v0.0.0-20180523175556-614d345c47e5
 	github.com/avast/retry-go v3.0.0+incompatible
 	github.com/awalterschulze/gographviz v2.0.3+incompatible
 	github.com/disiqueira/gotree v1.0.0
-	github.com/docker/docker v20.10.7+incompatible
+	github.com/docker/docker v26.0.2+incompatible
 	github.com/docker/go-connections v0.4.0
 	github.com/enescakir/emoji v1.0.0
 	github.com/flyteorg/flyte/flyteidl v1.9.12
 	github.com/flyteorg/flyte/flytepropeller v1.9.12
 	github.com/flyteorg/flyte/flytestdlib v1.9.12
 	github.com/go-ozzo/ozzo-validation/v4 v4.3.0
-	github.com/golang/protobuf v1.5.3
-	github.com/google/go-cmp v0.5.9
+	github.com/golang/protobuf v1.5.4
+	github.com/google/go-cmp v0.6.0
 	github.com/google/go-github/v42 v42.0.0
-	github.com/google/uuid v1.3.0
+	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-version v1.3.0
 	github.com/hexops/gotextdiff v1.0.3
 	github.com/kataras/tablewriter v0.0.0-20180708051242-e063d29b7c23
@@ -28,16 +28,16 @@ require (
 	github.com/opencontainers/image-spec v1.0.2
 	github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4
 	github.com/pkg/errors v0.9.1
-	github.com/sirupsen/logrus v1.8.1
+	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.4.0
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.8.4
+	github.com/stretchr/testify v1.9.0
 	github.com/yalp/jsonpath v0.0.0-20180802001716-5cc68e5049a0
 	github.com/zalando/go-keyring v0.1.1
-	golang.org/x/oauth2 v0.7.0
-	golang.org/x/text v0.9.0
-	google.golang.org/grpc v1.56.1
-	google.golang.org/protobuf v1.30.0
+	golang.org/x/oauth2 v0.17.0
+	golang.org/x/text v0.14.0
+	google.golang.org/grpc v1.63.0
+	google.golang.org/protobuf v1.33.0
 	gopkg.in/yaml.v3 v3.0.1
 	gotest.tools v2.2.0+incompatible
 	k8s.io/api v0.24.1
@@ -47,11 +47,11 @@ require (
 )
 
 require (
-	cloud.google.com/go v0.110.0 // indirect
-	cloud.google.com/go/compute v1.19.1 // indirect
+	cloud.google.com/go v0.112.0 // indirect
+	cloud.google.com/go/compute v1.24.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/iam v0.13.0 // indirect
-	cloud.google.com/go/storage v1.28.1 // indirect
+	cloud.google.com/go/iam v1.1.6 // indirect
+	cloud.google.com/go/storage v1.36.0 // indirect
 	github.com/Azure/azure-sdk-for-go v63.4.0+incompatible // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v0.23.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v0.9.2 // indirect
@@ -69,23 +69,25 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash v1.1.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/containerd/containerd v1.5.10 // indirect
+	github.com/containerd/log v0.1.0 // indirect
 	github.com/coocood/freecache v1.1.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
 	github.com/danieljoos/wincred v1.1.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
 	github.com/dnaeon/go-vcr v1.2.0 // indirect
-	github.com/docker/distribution v2.8.0+incompatible // indirect
 	github.com/docker/go-units v0.4.0 // indirect
 	github.com/dustin/go-humanize v1.0.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/fatih/color v1.13.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/flyteorg/flyte/flyteplugins v0.0.0-00010101000000-000000000000 // indirect
 	github.com/flyteorg/stow v0.3.7 // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
-	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.1 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
@@ -97,8 +99,9 @@ require (
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
-	github.com/googleapis/gax-go/v2 v2.7.1 // indirect
+	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
+	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
@@ -116,6 +119,7 @@ require (
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
@@ -135,22 +139,32 @@ require (
 	github.com/spf13/cast v1.4.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/viper v1.11.0 // indirect
-	github.com/stretchr/objx v0.5.0 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.2.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 // indirect
+	go.opentelemetry.io/otel v1.25.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.25.0 // indirect
+	go.opentelemetry.io/otel/metric v1.25.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.25.0 // indirect
+	go.opentelemetry.io/otel/trace v1.25.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
-	golang.org/x/net v0.9.0 // indirect
-	golang.org/x/sys v0.7.0 // indirect
-	golang.org/x/term v0.7.0 // indirect
-	golang.org/x/time v0.1.0 // indirect
-	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
-	google.golang.org/api v0.114.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
+	golang.org/x/net v0.23.0 // indirect
+	golang.org/x/sync v0.6.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/term v0.18.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	google.golang.org/api v0.162.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.66.4 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gotest.tools/v3 v3.0.3 // indirect
 	k8s.io/klog/v2 v2.90.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
 	k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect