Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Go and Dependencies to Latest Versions for CVE Compliance and Project Maintenance #454

Merged
merged 1 commit into from
Aug 20, 2024

Conversation

abregar
Copy link

@abregar abregar commented Aug 20, 2024

As part of our Strimzi setup, we're contributing the latest updates we use to keep this project secure and up to date. The changes include:

  • Bumped Go version to 1.23.
  • Updated all direct and transitive dependencies to their latest versions.
  • Added gosec and staticcheck integration in the Makefile.
  • Added ./vendor and go.sum to .gitignore since they are fetched externally.
  • Updated the code to accommodate the changes in dependencies and to address issues identified by the security and static analysis tools.

There are still a few issues flagged by the security scan, mainly related to configuring runtime options like insecure TLS. The choice of cipher suites might be debatable, as some are marked as highly vulnerable, but these decisions should be left to the operator.

- all direct and transitive deps to latest ver
- introduce gosec and staticcheck in makefile
- gitignore ./vendor and go.sum as fetched externally
- update code to reflect the updates of version and sec/static scan (partially)
@abregar abregar mentioned this pull request Aug 20, 2024
@danielqsj
Copy link
Owner

LGTM, thanks @abregar

@danielqsj danielqsj merged commit b2aa8bd into danielqsj:master Aug 20, 2024
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants