From 0a98a00d175aa912275d603eadcf821168cf2208 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 9 May 2023 13:23:43 +0200 Subject: [PATCH 1/7] Ignore SA1019: SplitHostname is deprecated. Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 84a85a40484b10a2540c0b68bc8fedda77ac5e2a) Signed-off-by: Sebastiaan van Stijn --- reference/normalize_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reference/normalize_test.go b/reference/normalize_test.go index a636236eee0..110c8e8b57b 100644 --- a/reference/normalize_test.go +++ b/reference/normalize_test.go @@ -532,7 +532,7 @@ func TestNormalizedSplitHostname(t *testing.T) { t.Fail() } - named, err := ParseNormalizedNamed(testcase.input) + named, err := ParseNormalizedNamed(testcase.input) //nolint:staticcheck // Ignore SA1019: SplitHostname is deprecated. if err != nil { failf("error parsing name: %s", err) } From b800af44090d4b70be7c5a94b15677327df84fcd Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 9 May 2023 13:19:48 +0200 Subject: [PATCH 2/7] ignore SA1019: ac.(*accessController).rootCerts.Subjects has been deprecated We need to look into this; can we remove it, or is there a replacement? Signed-off-by: Sebastiaan van Stijn (cherry picked from commit ebe9d67446a676d4b06f60a9c86e3ede66cc95fd) Signed-off-by: Sebastiaan van Stijn --- registry/auth/token/token_test.go | 2 +- registry/registry.go | 11 +++++------ 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/registry/auth/token/token_test.go b/registry/auth/token/token_test.go index ec80d1bc872..49b836e0a0c 100644 --- a/registry/auth/token/token_test.go +++ b/registry/auth/token/token_test.go 
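Review bot: The `//nolint:staticcheck` directive added to `named, err := ParseNormalizedNamed(testcase.input)` justifies itself with "SplitHostname is deprecated", but that line does not call SplitHostname, so either the directive sits on the wrong line or the justification is wrong. golangci-lint scopes a `//nolint` comment to the annotated line or statement, so as written it will not silence an SA1019 report on a later `SplitHostname(...)` call and instead suppresses any future staticcheck finding on the ParseNormalizedNamed line. Keep the directive text but place it on the line that actually calls SplitHostname, which is presumably a few lines further down; the rest of TestNormalizedSplitHostname is outside this hunk.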
@@ -527,7 +527,7 @@ func TestNewAccessControllerPemBlock(t *testing.T) { t.Fatal(err) } - if len(ac.(*accessController).rootCerts.Subjects()) != 2 { + if len(ac.(*accessController).rootCerts.Subjects()) != 2 { //nolint:staticcheck // FIXME(thaJeztah): ignore SA1019: ac.(*accessController).rootCerts.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots. (staticcheck) t.Fatal("accessController has the wrong number of certificates") } } diff --git a/registry/registry.go b/registry/registry.go index dc156f462a7..9486d8bba5d 100644 --- a/registry/registry.go +++ b/registry/registry.go @@ -236,11 +236,10 @@ func (registry *Registry) ListenAndServe() error { dcontext.GetLogger(registry.app).Infof("restricting TLS cipher suites to: %s", strings.Join(getCipherSuiteNames(tlsCipherSuites), ",")) tlsConf := &tls.Config{ - ClientAuth: tls.NoClientCert, - NextProtos: nextProtos(config), - MinVersion: tlsMinVersion, - PreferServerCipherSuites: true, - CipherSuites: tlsCipherSuites, + ClientAuth: tls.NoClientCert, + NextProtos: nextProtos(config), + MinVersion: tlsMinVersion, + CipherSuites: tlsCipherSuites, } if config.HTTP.TLS.LetsEncrypt.CacheFile != "" { @@ -282,7 +281,7 @@ func (registry *Registry) ListenAndServe() error { } } - for _, subj := range pool.Subjects() { + for _, subj := range pool.Subjects() { //nolint:staticcheck // FIXME(thaJeztah): ignore SA1019: ac.(*accessController).rootCerts.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots. (staticcheck) dcontext.GetLogger(registry.app).Debugf("CA Subject: %s", string(subj)) } From 444d053e12d64179b6d3c7d610d493b53268f71c Mon Sep 17 00:00:00 2001 
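Review bot: The nolint justification added on `for _, subj := range pool.Subjects()` in registry.go names `ac.(*accessController).rootCerts.Subjects`, an identifier from token_test.go, so it was pasted from the first hunk and describes the wrong call site; both directives also embed the full staticcheck message on a single line, which is hard to read and to grep. A one-clause reason is enough, for example `//nolint:staticcheck // SA1019: Subjects is deprecated, but this pool is built from configured PEM files rather than SystemCertPool, so it is complete` (the token_test pool presumably comes from a PEM block too, judging by the test name, so the same clause fits there). The FIXME's question has an answer: x509.CertPool.Subjects returns DER-encoded names, so the following `string(subj)` writes raw bytes into the debug log; keeping the parsed certificates when the pool is assembled (earlier in ListenAndServe, outside this hunk) and logging `cert.Subject.String()` removes the deprecated call and makes the log readable. ListenAndServe starts and ends outside these hunks.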
From: Sebastiaan van Stijn Date: Tue, 9 May 2023 12:36:32 +0200 Subject: [PATCH 3/7] update golangci-lint to v1.52 Removing the "structcheck" and "varcheck" linters as they've been deprecated. level=warning msg="[runner] The linter 'structcheck' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter. Replaced by unused." level=warning msg="[runner] The linter 'varcheck' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter. Replaced by unused." Signed-off-by: Sebastiaan van Stijn (cherry picked from commit dec03ea3d85d66f7681648c502260ea3cf370143) Signed-off-by: Sebastiaan van Stijn --- .golangci.yml | 10 ++++++++-- script/setup/install-dev-tools | 2 +- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index 36c083b0fc4..61dd0e00eb7 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -1,7 +1,5 @@ linters: enable: - - structcheck - - varcheck - staticcheck - unconvert - gofmt @@ -14,6 +12,14 @@ linters: disable: - errcheck +linters-settings: + revive: + rules: + # TODO(thaJeztah): temporarily disabled the "unused-parameter" check. + # It produces many warnings, and some of those may need to be looked at. + - name: unused-parameter + disabled: true + run: deadline: 2m skip-dirs: diff --git a/script/setup/install-dev-tools b/script/setup/install-dev-tools index 7737836bb97..460718b3ee1 100755 --- a/script/setup/install-dev-tools +++ b/script/setup/install-dev-tools @@ -1,6 +1,6 @@ #!/usr/bin/env bash -GOLANGCI_LINT_VERSION="v1.50.1" +GOLANGCI_LINT_VERSION="v1.52.0" # # Install developer tools to $GOBIN (or $GOPATH/bin if unset) From 3316b19810e1b84bee372a8f285a59dd506381ef Mon Sep 17 00:00:00 2001 From: Ben Manuel Date: Thu, 29 Jun 2023 15:34:00 -0500 Subject: [PATCH 4/7] Update to golang 1.19.10 This addresses CVE-2023-29402, CVE-2023-29403, CVE-2023-29404, CVE-2023-29405 which were patched in 1.19.10. 
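Review bot: `run: deadline: 2m`, the context line right after the new `linters-settings` block, is itself a deprecated golangci-lint key (superseded by `run.timeout`), so the v1.52 upgrade this patch performs will keep warning about the config; renaming it to `timeout: 2m` belongs in the same cleanup. Dropping structcheck and varcheck relies on their replacement `unused` being active; it is in golangci-lint's default set, so this holds unless the file sets `disable-all` somewhere outside this hunk. The TODO explaining why `unused-parameter` is disabled is good; a short note on what should be checked before re-enabling it would make it actionable.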
Signed-off-by: Ben Manuel (cherry picked from commit 36dd5b79ca81c7d945fb701d8eb958c0e212e24c) Signed-off-by: Sebastiaan van Stijn --- .github/workflows/ci.yml | 2 +- Dockerfile | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 337f1e812af..8ad613d8136 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -25,7 +25,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v2 with: - go-version: 1.19.9 + go-version: 1.19.10 - name: Dependencies run: | diff --git a/Dockerfile b/Dockerfile index 42b87c064cb..b655a06279f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.19.9 -ARG ALPINE_VERSION=3.16 +ARG GO_VERSION=1.19.10 +ARG ALPINE_VERSION=3.18 ARG XX_VERSION=1.2.1 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx From 29b8ba0b937417c25700d641623ca09bf9b44f04 Mon Sep 17 00:00:00 2001 From: James Hewitt Date: Sun, 27 Aug 2023 10:17:46 +0100 Subject: [PATCH 5/7] Update to go 1.20 Signed-off-by: James Hewitt (cherry picked from commit 0eb8fee87ecac7b7436c936c853f39c8f5eb9fb0) Signed-off-by: Sebastiaan van Stijn --- .github/workflows/ci.yml | 2 +- Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8ad613d8136..55b30d8c7ed 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -25,7 +25,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v2 with: - go-version: 1.19.10 + go-version: 1.20.7 - name: Dependencies run: | diff --git a/Dockerfile b/Dockerfile index b655a06279f..6affb3ba9a6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.19.10 +ARG GO_VERSION=1.20.7 ARG ALPINE_VERSION=3.18 ARG XX_VERSION=1.2.1 From 31f5cd4865c8053f8c5f62fba2ce13f7493aba1a Mon Sep 17 00:00:00 2001 
From: James Hewitt Date: Sun, 27 Aug 2023 11:06:16 +0100 Subject: [PATCH 6/7] Handle rand deprecations in go 1.20 Signed-off-by: James Hewitt (cherry picked from commit 1a3e73cb84fd7ccb4f061f95507357cc63b6eb0e) Signed-off-by: Sebastiaan van Stijn --- registry/api/v2/routes_test.go | 2 -- registry/proxy/proxyblobstore_test.go | 5 +++-- registry/storage/driver/s3-aws/s3_test.go | 2 +- registry/storage/driver/testsuites/testsuites.go | 3 ++- registry/storage/filereader_test.go | 3 ++- script/setup/install-dev-tools | 2 +- testutil/tarfile.go | 3 ++- 7 files changed, 11 insertions(+), 9 deletions(-) diff --git a/registry/api/v2/routes_test.go b/registry/api/v2/routes_test.go index 6c77e28155e..dc23c2e0477 100644 --- a/registry/api/v2/routes_test.go +++ b/registry/api/v2/routes_test.go @@ -9,7 +9,6 @@ import ( "reflect" "strings" "testing" - "time" "github.com/gorilla/mux" ) @@ -218,7 +217,6 @@ func TestRouterWithBadCharacters(t *testing.T) { // with random UTF8 characters not in the 128 bit ASCII range. // These are not valid characters for the router and we expect // 404s on every test. - rand.Seed(time.Now().UTC().UnixNano()) testCases := make([]routeTestCase, 1000) for idx := range testCases { testCases[idx] = routeTestCase{ diff --git a/registry/proxy/proxyblobstore_test.go b/registry/proxy/proxyblobstore_test.go index 6e90dbe57fd..13fea957b61 100644 --- a/registry/proxy/proxyblobstore_test.go +++ b/registry/proxy/proxyblobstore_test.go @@ -21,6 +21,7 @@ import ( ) var sbsMu sync.Mutex +var randSource rand.Rand type statsBlobStore struct { stats map[string]int 
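Review bot: `var randSource rand.Rand`, together with `randSource = *rand.New(rand.NewSource(42))` in the init() hunk of the same file (@@ -195), copies the Rand struct out of the pointer that rand.New returns; it works, but it is unidiomatic and leaves a zero-value Rand with a nil Source (which panics on use) between package load and init. A single declaration `var randSource = rand.New(rand.NewSource(42))` of type `*rand.Rand` replaces both the variable and the init() function. Note that, unlike the global math/rand source the code used before, a Source from rand.NewSource is not safe for concurrent use, so if makeBlob is reached from parallel tests this change introduces a data race under `-race`; a mutex around the draw or a per-test Rand would keep it race-free (makeBlob's callers are not visible here).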
@@ -195,13 +196,13 @@ func makeTestEnv(t *testing.T, name string) *testEnv { func makeBlob(size int) []byte { blob := make([]byte, size) for i := 0; i < size; i++ { - blob[i] = byte('A' + rand.Int()%48) + blob[i] = byte('A' + randSource.Int()%48) } return blob } func init() { - rand.Seed(42) + randSource = *rand.New(rand.NewSource(42)) } func populate(t *testing.T, te *testEnv, blobCount, size, numUnique int) { diff --git a/registry/storage/driver/s3-aws/s3_test.go b/registry/storage/driver/s3-aws/s3_test.go index be02772e952..20f4a6f0f84 100644 --- a/registry/storage/driver/s3-aws/s3_test.go +++ b/registry/storage/driver/s3-aws/s3_test.go @@ -2,8 +2,8 @@ package s3 import ( "bytes" + "crypto/rand" "io/ioutil" - "math/rand" "os" "strconv" "testing" diff --git a/registry/storage/driver/testsuites/testsuites.go b/registry/storage/driver/testsuites/testsuites.go index 5e37c5f3cfa..496d2b742ec 100644 --- a/registry/storage/driver/testsuites/testsuites.go +++ b/registry/storage/driver/testsuites/testsuites.go @@ -3,6 +3,7 @@ package testsuites import ( "bytes" "context" + crand "crypto/rand" "crypto/sha1" "io" "io/ioutil" @@ -1214,7 +1215,7 @@ func randomFilename(length int64) string { var randomBytes = make([]byte, 128<<20) func init() { - _, _ = rand.Read(randomBytes) // always returns len(randomBytes) and nil error + _, _ = crand.Read(randomBytes) // always returns len(randomBytes) and nil error } func randomContents(length int64) []byte { diff --git a/registry/storage/filereader_test.go b/registry/storage/filereader_test.go index 305366f434d..9145c3d73df 100644 --- a/registry/storage/filereader_test.go +++ b/registry/storage/filereader_test.go @@ -2,6 +2,7 @@ package storage import ( "bytes" + crand "crypto/rand" "io" mrand "math/rand" "testing" 
@@ -14,7 +15,7 @@ import ( func TestSimpleRead(t *testing.T) { ctx := context.Background() content := make([]byte, 1<<20) - n, err := mrand.Read(content) + n, err := crand.Read(content) if err != nil { t.Fatalf("unexpected error building random data: %v", err) } diff --git a/script/setup/install-dev-tools b/script/setup/install-dev-tools index 460718b3ee1..f0dce872e62 100755 --- a/script/setup/install-dev-tools +++ b/script/setup/install-dev-tools @@ -1,6 +1,6 @@ #!/usr/bin/env bash -GOLANGCI_LINT_VERSION="v1.52.0" +GOLANGCI_LINT_VERSION="v1.54.2" # # Install developer tools to $GOBIN (or $GOPATH/bin if unset) diff --git a/testutil/tarfile.go b/testutil/tarfile.go index 2ebd364a2d0..7120856382e 100644 --- a/testutil/tarfile.go +++ b/testutil/tarfile.go @@ -3,6 +3,7 @@ package testutil import ( "archive/tar" "bytes" + crand "crypto/rand" "fmt" "io" mrand "math/rand" @@ -45,7 +46,7 @@ func CreateRandomTarFile() (rs io.ReadSeeker, dgst digest.Digest, err error) { randomData := make([]byte, fileSize) // Fill up the buffer with some random data. - n, err := mrand.Read(randomData) + n, err := crand.Read(randomData) if n != len(randomData) { return nil, "", fmt.Errorf("short read creating random reader: %v bytes != %v bytes", n, len(randomData)) From 3c6f77884209e50bbe15cd95657c50cbd3a463bf Mon Sep 17 00:00:00 2001 
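Review bot: In CreateRandomTarFile the new `n, err := crand.Read(randomData)` is followed by a check on `n` alone, and the returned error message drops `err`, which with crypto/rand now carries the actual failure reason. Fold it in: `return nil, "", fmt.Errorf("short read creating random reader: %v bytes != %v bytes: %w", n, len(randomData), err)`; crypto/rand.Read documents n == len(b) if and only if err == nil, so testing `n` remains a sufficient condition and err is non-nil whenever that branch is taken. CreateRandomTarFile continues outside the hunk.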
From: Sebastiaan van Stijn Date: Tue, 12 Sep 2023 00:07:34 +0200 Subject: [PATCH 7/7] update to go1.20.8 go1.20.8 (released 2023-09-06) includes two security fixes to the html/template package, as well as bug fixes to the compiler, the go command, the runtime, and the crypto/tls, go/types, net/http, and path/filepath packages. See the Go 1.20.8 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.20.8+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.20.7...go1.20.8 From the security mailing: [security] Go 1.21.1 and Go 1.20.8 are released Hello gophers, We have just released Go versions 1.21.1 and 1.20.8, minor point releases. These minor releases include 4 security fixes following the security policy: - cmd/go: go.mod toolchain directive allows arbitrary execution The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-39320 and Go issue https://go.dev/issue/62198. - html/template: improper handling of HTML-like comments within script contexts The html/template package did not properly handle HMTL-like "" comment tokens, nor hashbang "#!" comment tokens, in