This repository has been archived by the owner on May 31, 2024. It is now read-only.
Upgrade go 1.19 -> 1.21 / resolve vulns #472
Closed
Conversation
- Go 1.19 is no longer maintained - support ended on Sept 6 2023. Its last release was go 1.19.13 and has since become subject to a number of security vulnerabilities.

- Updating to go 1.21 from go 1.19 resolves core go 1.19 vulns present:

    ✗ HIGH CVE-2023-45287
      https://scout.docker.com/v/CVE-2023-45287?s=golang&n=stdlib&t=golang&vr=%3C1.20.0
      Affected range : <1.20.0
      Fixed version  : 1.20.0

    ✗ HIGH CVE-2023-45283
      https://scout.docker.com/v/CVE-2023-45283?s=golang&n=stdlib&t=golang&vr=%3C1.20.11
      Affected range : <1.20.11
      Fixed version  : 1.20.11

    ✗ HIGH CVE-2023-39325
      https://scout.docker.com/v/CVE-2023-39325?s=golang&n=stdlib&t=golang&vr=%3C1.20.10
      Affected range : <1.20.10
      Fixed version  : 1.20.10

    ✗ MEDIUM CVE-2023-29406
      https://scout.docker.com/v/CVE-2023-29406?s=golang&n=stdlib&t=golang&vr=%3C1.19.11
      Affected range : <1.19.11
      Fixed version  : 1.19.11

    ✗ MEDIUM CVE-2023-39319
      https://scout.docker.com/v/CVE-2023-39319?s=golang&n=stdlib&t=golang&vr=%3C1.20.8
      Affected range : <1.20.8
      Fixed version  : 1.20.8

    ✗ MEDIUM CVE-2023-39318
      https://scout.docker.com/v/CVE-2023-39318?s=golang&n=stdlib&t=golang&vr=%3C1.20.8
      Affected range : <1.20.8
      Fixed version  : 1.20.8

    ✗ MEDIUM CVE-2023-45284
      https://scout.docker.com/v/CVE-2023-45284?s=golang&n=stdlib&t=golang&vr=%3C1.20.11
      Affected range : <1.20.11
      Fixed version  : 1.20.11

    ✗ MEDIUM CVE-2023-39326
      https://scout.docker.com/v/CVE-2023-39326?s=golang&n=stdlib&t=golang&vr=%3C1.20.12
      Affected range : <1.20.12
      Fixed version  : 1.20.12

    ✗ MEDIUM CVE-2023-29409
      https://scout.docker.com/v/CVE-2023-29409?s=golang&n=stdlib&t=golang&vr=%3C1.19.12
      Affected range : <1.19.12
      Fixed version  : 1.19.12

    ✗ UNSPECIFIED CVE-2024-24785
      https://scout.docker.com/v/CVE-2024-24785?s=golang&n=stdlib&t=golang&vr=%3C1.21.8
      Affected range : <1.21.8
      Fixed version  : 1.21.8

    ✗ UNSPECIFIED CVE-2024-24784
      https://scout.docker.com/v/CVE-2024-24784?s=golang&n=stdlib&t=golang&vr=%3C1.21.8
      Affected range : <1.21.8
      Fixed version  : 1.21.8

    ✗ UNSPECIFIED CVE-2024-24783
      https://scout.docker.com/v/CVE-2024-24783?s=golang&n=stdlib&t=golang&vr=%3C1.21.8
      Affected range : <1.21.8
      Fixed version  : 1.21.8

    ✗ UNSPECIFIED CVE-2023-45290
      https://scout.docker.com/v/CVE-2023-45290?s=golang&n=stdlib&t=golang&vr=%3C1.21.8
      Affected range : <1.21.8
      Fixed version  : 1.21.8

    ✗ UNSPECIFIED CVE-2023-45289
      https://scout.docker.com/v/CVE-2023-45289?s=golang&n=stdlib&t=golang&vr=%3C1.21.8
      Affected range : <1.21.8
      Fixed version  : 1.21.8

    ✗ UNSPECIFIED CVE-2023-45288
      https://scout.docker.com/v/CVE-2023-45288?s=golang&n=stdlib&t=golang&vr=%3C1.21.9
      Affected range : <1.21.9
      Fixed version  : 1.21.9

- Also upgrades the docker package to 26.0.2 which removes the issue described in docker/cli#4437 and resolves vulnerabilities:

    ✗ HIGH CVE-2023-28840 [Unprotected Alternate Channel]
      https://scout.docker.com/v/CVE-2023-28840?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3E%3D1.12.0%2C%3C20.10.24
      Affected range : >=1.12.0
                     : <20.10.24
      Fixed version  : 20.10.24
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L

    ✗ MEDIUM CVE-2024-24557 [Insufficient Verification of Data Authenticity]
      https://scout.docker.com/v/CVE-2024-24557?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C24.0.9
      Affected range : <24.0.9
      Fixed version  : 24.0.9
      CVSS Score     : 6.9
      CVSS Vector    : CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L

    ✗ MEDIUM CVE-2023-28842 [Unprotected Alternate Channel]
      https://scout.docker.com/v/CVE-2023-28842?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3E%3D1.12.0%2C%3C20.10.24
      Affected range : >=1.12.0
                     : <20.10.24
      Fixed version  : 20.10.24
      CVSS Score     : 6.8
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

    ✗ MEDIUM CVE-2023-28841 [Missing Encryption of Sensitive Data]
      https://scout.docker.com/v/CVE-2023-28841?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3E%3D1.12.0%2C%3C20.10.24
      Affected range : >=1.12.0
                     : <20.10.24
      Fixed version  : 20.10.24
      CVSS Score     : 6.8
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

    ✗ MEDIUM CVE-2024-29018 [Incorrect Resource Transfer Between Spheres]
      https://scout.docker.com/v/CVE-2024-29018?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C23.0.11
      Affected range : <23.0.11
      Fixed version  : 23.0.11
      CVSS Score     : 5.9
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

    ✗ MEDIUM GHSA-jq35-85cj-fj4p
      https://scout.docker.com/v/GHSA-jq35-85cj-fj4p?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C20.10.27
      Affected range : <20.10.27
      Fixed version  : 24.0.7

    ✗ UNSPECIFIED GMS-2023-3981 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
      https://scout.docker.com/v/GMS-2023-3981?s=gitlab&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C20.10.27
      Affected range : <20.10.27
      Fixed version  : v24.0.7

- Run go mod tidy to pick up other related dependency bumps

Signed-off-by: ddl-ebrown <[email protected]>
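The stdlib findings in the commit message are all of the form "Affected range : <X / Fixed version : X", and the fixed versions run up to 1.21.9, so "upgrade to go 1.21" only clears the whole list if the toolchain is at least 1.21.9. The checker below is an added example, not code from this PR or from the flytectl project: it embeds the CVE IDs and fixed versions exactly as listed above (labelled in the code as copied from the PR), parses a toolchain version string, and reports which of the listed advisories would still be flagged for that toolchain. It handles only the "<fixed" range shape the stdlib findings use; the docker findings with a ">=1.12.0" lower bound are deliberately not modelled.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Finding is one docker scout entry for the Go standard library. Only the
// "<fixed" range shape appears in the PR's stdlib findings, so the fixed
// version alone describes the affected range.
type Finding struct {
	ID       string
	Severity string
	Fixed    string // first toolchain version that is not affected
}

// stdlibFindings is copied from the 15 stdlib entries in the PR description.
var stdlibFindings = []Finding{
	{"CVE-2023-45287", "HIGH", "1.20.0"},
	{"CVE-2023-45283", "HIGH", "1.20.11"},
	{"CVE-2023-39325", "HIGH", "1.20.10"},
	{"CVE-2023-29406", "MEDIUM", "1.19.11"},
	{"CVE-2023-39319", "MEDIUM", "1.20.8"},
	{"CVE-2023-39318", "MEDIUM", "1.20.8"},
	{"CVE-2023-45284", "MEDIUM", "1.20.11"},
	{"CVE-2023-39326", "MEDIUM", "1.20.12"},
	{"CVE-2023-29409", "MEDIUM", "1.19.12"},
	{"CVE-2024-24785", "UNSPECIFIED", "1.21.8"},
	{"CVE-2024-24784", "UNSPECIFIED", "1.21.8"},
	{"CVE-2024-24783", "UNSPECIFIED", "1.21.8"},
	{"CVE-2023-45290", "UNSPECIFIED", "1.21.8"},
	{"CVE-2023-45289", "UNSPECIFIED", "1.21.8"},
	{"CVE-2023-45288", "UNSPECIFIED", "1.21.9"},
}

// parseGoVersion turns "1.21.8", "go1.21.8", "1.21" or "1.21rc1" into
// [major, minor, patch]. A missing patch is read as 0, the conservative
// choice: "1.21" is the 1.21.0 release and predates every 1.21.x fix.
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(strings.TrimSpace(v), "go")
	parts := strings.SplitN(v, ".", 3)
	for i, p := range parts {
		// keep only the leading digits so "21rc1" reads as 21
		j := 0
		for j < len(p) && p[j] >= '0' && p[j] <= '9' {
			j++
		}
		if j == 0 {
			return out, fmt.Errorf("invalid go version %q", v)
		}
		n, err := strconv.Atoi(p[:j])
		if err != nil {
			return out, err
		}
		out[i] = n
	}
	return out, nil
}

// less reports whether toolchain version a is older than b.
func less(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Unfixed returns the IDs of the findings whose fixed version is newer than
// the given toolchain, i.e. the advisories a scanner would still raise for a
// binary built with that toolchain.
func Unfixed(toolchain string, findings []Finding) ([]string, error) {
	have, err := parseGoVersion(toolchain)
	if err != nil {
		return nil, err
	}
	var still []string
	for _, f := range findings {
		fixed, err := parseGoVersion(f.Fixed)
		if err != nil {
			return nil, err
		}
		if less(have, fixed) {
			still = append(still, f.ID)
		}
	}
	return still, nil
}

// MinimumFixedVersion returns the lowest toolchain version at which none of
// the findings apply: the highest "Fixed version" in the list.
func MinimumFixedVersion(findings []Finding) string {
	var best [3]int
	bestStr := "0.0.0"
	for _, f := range findings {
		v, err := parseGoVersion(f.Fixed)
		if err != nil {
			continue
		}
		if less(best, v) {
			best, bestStr = v, f.Fixed
		}
	}
	return bestStr
}

func main() {
	for _, tc := range []string{"1.19.13", "1.21", "1.21.9"} {
		ids, _ := Unfixed(tc, stdlibFindings)
		fmt.Printf("go%s: %d of %d listed stdlib advisories still apply %v\n",
			tc, len(ids), len(stdlibFindings), ids)
	}
	fmt.Println("minimum toolchain clearing every listed advisory:",
		MinimumFixedVersion(stdlibFindings))
}
```

Running it shows that go 1.19.13 already carried the two 1.19.x fixes, that a bare "1.21" still leaves the six 1.21.8/1.21.9 advisories open, and that 1.21.9 is the first version clearing the list. docker scout matches on the toolchain version alone; govulncheck (golang.org/x/vuln) additionally checks whether the vulnerable stdlib functions are reachable from the binary, which is the tool to reach for when deciding whether a flagged version is actually exploitable in a given program.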
Looks like I need to do a bit more to update boilerplate / regenerate mocks. Will try and sort that out ASAP.

Since all the work landed to move flytectl to the monorepo as part of flyteorg/flyte#5301, and given the extra work I did in flyteorg/flyte#5363 and the automation that's about to land to ship flytectl at flyteorg/flyte#5354, this can be closed out!