
Upgrade go 1.19 -> 1.21 / resolve vulns

Open · ddl-ebrown opened this issue 1 year ago · 1 comment

  • Go 1.19 is no longer maintained - support ended on Sept 6 2023. Its last release was go 1.19.13, and it has since become subject to a number of security vulnerabilities.

  • Updating to go 1.21 from go 1.19 resolves core go 1.19 vulns present:

    ✗ HIGH CVE-2023-45287 https://scout.docker.com/v/CVE-2023-45287?s=golang&n=stdlib&t=golang&vr=%3C1.20.0 Affected range : <1.20.0 Fixed version : 1.20.0

    ✗ HIGH CVE-2023-45283 https://scout.docker.com/v/CVE-2023-45283?s=golang&n=stdlib&t=golang&vr=%3C1.20.11 Affected range : <1.20.11 Fixed version : 1.20.11

    ✗ HIGH CVE-2023-39325 https://scout.docker.com/v/CVE-2023-39325?s=golang&n=stdlib&t=golang&vr=%3C1.20.10 Affected range : <1.20.10 Fixed version : 1.20.10

    ✗ MEDIUM CVE-2023-29406 https://scout.docker.com/v/CVE-2023-29406?s=golang&n=stdlib&t=golang&vr=%3C1.19.11 Affected range : <1.19.11 Fixed version : 1.19.11

    ✗ MEDIUM CVE-2023-39319 https://scout.docker.com/v/CVE-2023-39319?s=golang&n=stdlib&t=golang&vr=%3C1.20.8 Affected range : <1.20.8 Fixed version : 1.20.8

    ✗ MEDIUM CVE-2023-39318 https://scout.docker.com/v/CVE-2023-39318?s=golang&n=stdlib&t=golang&vr=%3C1.20.8 Affected range : <1.20.8 Fixed version : 1.20.8

    ✗ MEDIUM CVE-2023-45284 https://scout.docker.com/v/CVE-2023-45284?s=golang&n=stdlib&t=golang&vr=%3C1.20.11 Affected range : <1.20.11 Fixed version : 1.20.11

    ✗ MEDIUM CVE-2023-39326 https://scout.docker.com/v/CVE-2023-39326?s=golang&n=stdlib&t=golang&vr=%3C1.20.12 Affected range : <1.20.12 Fixed version : 1.20.12

    ✗ MEDIUM CVE-2023-29409 https://scout.docker.com/v/CVE-2023-29409?s=golang&n=stdlib&t=golang&vr=%3C1.19.12 Affected range : <1.19.12 Fixed version : 1.19.12

    ✗ UNSPECIFIED CVE-2024-24785 https://scout.docker.com/v/CVE-2024-24785?s=golang&n=stdlib&t=golang&vr=%3C1.21.8 Affected range : <1.21.8 Fixed version : 1.21.8

    ✗ UNSPECIFIED CVE-2024-24784 https://scout.docker.com/v/CVE-2024-24784?s=golang&n=stdlib&t=golang&vr=%3C1.21.8 Affected range : <1.21.8 Fixed version : 1.21.8

    ✗ UNSPECIFIED CVE-2024-24783 https://scout.docker.com/v/CVE-2024-24783?s=golang&n=stdlib&t=golang&vr=%3C1.21.8 Affected range : <1.21.8 Fixed version : 1.21.8

    ✗ UNSPECIFIED CVE-2023-45290 https://scout.docker.com/v/CVE-2023-45290?s=golang&n=stdlib&t=golang&vr=%3C1.21.8 Affected range : <1.21.8 Fixed version : 1.21.8

    ✗ UNSPECIFIED CVE-2023-45289 https://scout.docker.com/v/CVE-2023-45289?s=golang&n=stdlib&t=golang&vr=%3C1.21.8 Affected range : <1.21.8 Fixed version : 1.21.8

    ✗ UNSPECIFIED CVE-2023-45288 https://scout.docker.com/v/CVE-2023-45288?s=golang&n=stdlib&t=golang&vr=%3C1.21.9 Affected range : <1.21.9 Fixed version : 1.21.9

  • Also upgrades the docker package to 26.0.2 which removes the issue described in https://github.com/docker/cli/issues/4437 and resolves vulnerabilities:

    ✗ HIGH CVE-2023-28840 [Unprotected Alternate Channel] https://scout.docker.com/v/CVE-2023-28840?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3E%3D1.12.0%2C%3C20.10.24 Affected range : >=1.12.0 : <20.10.24 Fixed version : 20.10.24 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L

    ✗ MEDIUM CVE-2024-24557 [Insufficient Verification of Data Authenticity] https://scout.docker.com/v/CVE-2024-24557?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C24.0.9 Affected range : <24.0.9 Fixed version : 24.0.9 CVSS Score : 6.9 CVSS Vector : CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L

    ✗ MEDIUM CVE-2023-28842 [Unprotected Alternate Channel] https://scout.docker.com/v/CVE-2023-28842?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3E%3D1.12.0%2C%3C20.10.24 Affected range : >=1.12.0 : <20.10.24 Fixed version : 20.10.24 CVSS Score : 6.8 CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

    ✗ MEDIUM CVE-2023-28841 [Missing Encryption of Sensitive Data] https://scout.docker.com/v/CVE-2023-28841?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3E%3D1.12.0%2C%3C20.10.24 Affected range : >=1.12.0 : <20.10.24 Fixed version : 20.10.24 CVSS Score : 6.8 CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

    ✗ MEDIUM CVE-2024-29018 [Incorrect Resource Transfer Between Spheres] https://scout.docker.com/v/CVE-2024-29018?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C23.0.11 Affected range : <23.0.11 Fixed version : 23.0.11 CVSS Score : 5.9 CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

    ✗ MEDIUM GHSA-jq35-85cj-fj4p https://scout.docker.com/v/GHSA-jq35-85cj-fj4p?s=github&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C20.10.27 Affected range : <20.10.27 Fixed version : 24.0.7

    ✗ UNSPECIFIED GMS-2023-3981 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] https://scout.docker.com/v/GMS-2023-3981?s=gitlab&n=docker&ns=github.com%2Fdocker&t=golang&vr=%3C20.10.27 Affected range : <20.10.27 Fixed version : v24.0.7


ddl-ebrown · Apr 22 '24 19:04
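An added example, not code from the PR or the flytectl project: a small Go checker that parses Docker Scout finding lines like the ones in the description above and computes the lowest release that clears every finding. It makes the point a reviewer would want checked: with CVE-2023-45288 fixed only in 1.21.9, "go 1.21" on its own is not enough and the floor is 1.21.9. The two sample lines are abridged copies from the description (URLs dropped); the function names are my own.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// Abridged Scout finding lines from the PR description above (URLs dropped).
var StdlibFindings = []string{
	"✗ UNSPECIFIED CVE-2023-45288 Affected range : <1.21.9 Fixed version : 1.21.9",
	"✗ MEDIUM CVE-2023-29409 Affected range : <1.19.12 Fixed version : 1.19.12",
}
// The optional "v" covers docker-package lines like "Fixed version : v24.0.7".
var fixedRe = regexp.MustCompile(`Fixed version : v?(\d+(?:\.\d+)*)`)
// ParseVersion turns dotted digits such as "1.20.11" into [1 20 11].
func ParseVersion(s string) []int {
	var out []int
	for _, p := range strings.Split(s, ".") {
		n, _ := strconv.Atoi(p) // fixedRe guarantees digits here
		out = append(out, n)
	}
	return out
}
// Less reports whether a sorts before b; a shorter prefix ("1.21") sorts
// before any patch release of it ("1.21.9"), so give targets in full x.y.z form.
func Less(a, b []int) bool {
	for i := 0; i < len(a) && i < len(b); i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return len(a) < len(b)
}
// MinimumFixedVersion returns the highest "Fixed version" among the findings,
// i.e. the lowest release that clears all of them; ok is false if none parsed.
func MinimumFixedVersion(findings []string) (best string, ok bool) {
	var bestV []int
	for _, line := range findings {
		m := fixedRe.FindStringSubmatch(line)
		if m != nil && (!ok || Less(bestV, ParseVersion(m[1]))) {
			best, bestV, ok = m[1], ParseVersion(m[1]), true
		}
	}
	return best, ok
}
// Resolves reports whether building with target (x.y.z) clears every finding.
func Resolves(target string, findings []string) bool {
	best, ok := MinimumFixedVersion(findings)
	return ok && !Less(ParseVersion(target), ParseVersion(best))
}
```

The same parser works on the docker-package lines, since the "Fixed version" token there is followed by CVSS fields the regex simply ignores.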

Looks like I need to do a bit more to update boilerplate / regenerate mocks. Will try and sort that out ASAP.

ddl-ebrown · Apr 23 '24 01:04

Since all the work landed to move flytectl to the monorepo as part of:

https://github.com/flyteorg/flyte/pull/5301 https://github.com/flyteorg/flyte/pull/5309

And given the extra work I did in https://github.com/flyteorg/flyte/pull/5363 and the automation that's about to land to ship flytectl at https://github.com/flyteorg/flyte/pull/5354, this can be closed out!

ddl-ebrown · May 14 '24 21:05