Bump Go version from 1.19.3 to 1.20.4+ #242

Closed
1 task done
azuterios opened this issue Jul 17, 2023 · 4 comments

@azuterios

Terraform CLI and Provider Versions

Terraform Version
Terraform version 1.5.0
Null provider 3.2.1

Terraform Configuration

Dear HashiCorp Team,
Some vulnerabilities are visible after the latest scan. Please update the GoLang version to 1.20.4+. And then please release a brand new version of the null provider, as the latest version is from November 2022 and some critical fixes have already been introduced in the code but never released.

Expected Behavior

No vulnerabilities present.

Actual Behavior

CVE-2021-44716 : golang.org/x/net/http2 of terraform-provider-null_v3.2.1_x5, should be updated to version 0.0.0-20211209124913-491a49abca63.
CVE-2022-41717 : go version needs to be updated from 1.19.3 to 1.19.4
CVE-2022-27664 : golang.org/x/net/http/httpguts needs to be updated to 0.0.0-20220906165146-f3363e06e74c
CVE-2022-32149 : golang.org/x/text and golang.org/x/text/language need to be updated to 0.3.8
CVE-2022-41724 : go version needs to be updated from 1.19.3 to 1.19.4
CVE-2022-41715 : go version needs to be updated from 1.18.5 to 1.19.2, 1.18.7
CVE-2022-2880 : go version needs to be updated from 1.18.5 to 1.19.2, 1.18.7
CVE-2022-32190 : go version needs to be updated from 1.18.5 to 1.19.2, 1.18.7
CVE-2022-2879 : go version needs to be updated from 1.18.5 to 1.19.2, 1.18.7
CVE-2022-41716 : go version needs to be updated from 1.18.5 to 1.19.2, 1.18.7
CVE-2023-24538 : go version needs to be updated from 1.18.5 to 1.20.3, 1.19.8
CVE-2023-24534 : go version needs to be updated from 1.18.5 to 1.20.3, 1.19.8

These vulnerabilities are coming from the outdated Golang version.

Steps to Reproduce

Scan with Twistlock scanner.

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@azuterios azuterios added the bug label Jul 17, 2023
@KevinCiz

KevinCiz commented Oct 31, 2023

Additional CVE

CVE-2022-27664: go version needs to be updated to > 1.19.1
CVE-2022-41723: upgrade net package to >= v0.8.0 to fix, or upgrading Golang to >1.19.6 would address those issues
CVE-2022-41725: go version needs to be updated from 1.18.5 to 1.19.6, 1.20.1
CVE-2023-24536: go version needs to be updated from 1.18.5 to 1.20.3, 1.19.8

@Bjyothi2023

Hi Team, please help with releasing a newer version with the current code base. The currently available version, v3.2.1, is a very old release that is missing the new changes.
External products which are using this tool are getting affected, as their vulnerability scanners are reporting multiple CVEs and they are not able to move further.
Thanks in advance.

@austinvalle
Member

austinvalle commented Nov 20, 2023

Hi all 👋🏻 ,

We're working through releases on all of the utility providers and just released v3.2.2 of the null provider with updated dependencies built with Go 1.20 (no functional changes).

It may take an hour or so to update in the registry cache. Thanks!

Also a note for those using Terraform 1.4 and later: you can utilize the terraform_data built-in managed resource instead of the null_resource, as it is intended to support all its use cases without the need for an external provider plugin.


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 23, 2024
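
Go binaries embed the toolchain version and module list they were built with, so the findings discussed in this thread can be checked directly against a provider binary before and after upgrading. The following is an added example, not part of the original thread or the provider's code; the minimum versions are the ones named in the comments above, treated here as an assumed policy, and the `sample` data is constructed.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strings"
)

// Minimums named in the issue thread (assumed policy; adjust to your own).
var minGo = "go1.20.4"
var minMods = map[string]string{"golang.org/x/net": "v0.8.0", "golang.org/x/text": "v0.3.8"}

// verKey maps "go1.19.3" or "v0.3.7" to a sortable int; missing parts and pseudo-version tails count as 0.
func verKey(v string) int {
	var a, b, c int
	_, _ = fmt.Sscanf(strings.TrimLeft(v, "gov"), "%d.%d.%d", &a, &b, &c)
	return a*1_000_000 + b*1_000 + c
}

// audit returns one finding per component that is older than its minimum.
func audit(bi *debug.BuildInfo) (found []string) {
	if verKey(bi.GoVersion) < verKey(minGo) {
		found = append(found, "toolchain "+bi.GoVersion+" < "+minGo)
	}
	for _, d := range bi.Deps {
		if want, ok := minMods[d.Path]; ok && verKey(d.Version) < verKey(want) {
			found = append(found, d.Path+" "+d.Version+" < "+want)
		}
	}
	return found
}

// sample is constructed data: Go 1.19.3 as reported in the issue, module versions invented.
var sample = &debug.BuildInfo{GoVersion: "go1.19.3", Deps: []*debug.Module{
	{Path: "golang.org/x/net", Version: "v0.0.0-20210101000000-000000000000"},
	{Path: "golang.org/x/text", Version: "v0.3.7"},
}}

func main() {
	bi := sample // no argument: audit the constructed sample
	if len(os.Args) > 1 {
		var err error
		if bi, err = buildinfo.ReadFile(os.Args[1]); err != nil {
			panic(err)
		}
	}
	fmt.Println(strings.Join(audit(bi), "\n"))
}
```

Pass the path to a downloaded provider binary as the first argument to audit it instead of the sample; `go version -m <binary>` prints the same embedded information for manual review.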