chore: bump to go 1.21.9 and update deps #1523

Merged
merged 3 commits into from
Apr 15, 2024

miparnisari
Member

To fix govulncheck: https://github.com/openfga/openfga/actions/runs/8623823188/job/23637723246?pr=1522#step:3:158

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.22.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
Error:       #1: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls http2.ConnectionError.Error
Error:       #2: pkg/storage/memory/memory.go:717:29: memory.MemoryBackend.ReadAssertions calls fmt.Sprintf, which eventually calls http2.ErrCode.String
Error:       #3: pkg/storage/memory/memory.go:717:29: memory.MemoryBackend.ReadAssertions calls fmt.Sprintf, which eventually calls http2.FrameHeader.String
Error:       #4: pkg/storage/memory/memory.go:717:29: memory.MemoryBackend.ReadAssertions calls fmt.Sprintf, which eventually calls http2.FrameType.String
Error:       #5: cmd/run/run.go:518:29: run.Run calls grpc.Server.Serve, which eventually calls http2.Framer.ReadFrame
Error:       #6: cmd/run/run.go:518:29: run.Run calls grpc.Server.Serve, which eventually calls http2.Framer.WriteContinuation
Error:       #7: cmd/run/run.go:518:29: run.Run calls grpc.Server.Serve, which eventually calls http2.Framer.WriteData
Error:       #8: cmd/run/run.go:518:29: run.Run calls grpc.Server.Serve, which eventually calls http2.Framer.WriteGoAway
Error:       #9: cmd/run/run.go:518:29: run.Run calls grpc.Server.Serve, which eventually calls http2.Framer.WriteHeaders
Error:       #10: cmd/run/run.go:518:29: run.Run calls grpc.Server.Serve, which eventually calls http2.Framer.WritePing
Error:       #11: cmd/run/run.go:518:29: run.Run calls grpc.Server.Serve, which eventually calls http2.Framer.WriteRSTStream
Error:       #12: cmd/run/run.go:518:29: run.Run calls grpc.Server.Serve, which eventually calls http2.Framer.WriteSettings
Error:       #13: cmd/run/run.go:518:29: run.Run calls grpc.Server.Serve, which eventually calls http2.Framer.WriteSettingsAck
Error:       #14: cmd/run/run.go:518:29: run.Run calls grpc.Server.Serve, which eventually calls http2.Framer.WriteWindowUpdate
Error:       #15: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls http2.GoAwayError.Error
Error:       #16: pkg/storage/memory/memory.go:717:29: memory.MemoryBackend.ReadAssertions calls fmt.Sprintf, which eventually calls http2.Setting.String
Error:       #17: pkg/storage/memory/memory.go:717:29: memory.MemoryBackend.ReadAssertions calls fmt.Sprintf, which eventually calls http2.SettingID.String
Error:       #18: cmd/run/run.go:518:29: run.Run calls grpc.Server.Serve, which eventually calls http2.SettingsFrame.ForeachSetting
Error:       #19: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls http2.StreamError.Error
Error:       #20: internal/authn/oidc/oidc.go:174:2: oidc.RemoteOidcAuthenticator.GetConfiguration calls http.http2transportResponseBody.Close, which eventually calls http2.chunkWriter.Write
Error:       #21: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls http2.connError.Error
Error:       #22: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls http2.duplicatePseudoHeaderError.Error
Error:       #23: internal/authn/oidc/oidc.go:174:2: oidc.RemoteOidcAuthenticator.GetConfiguration calls http2.gzipReader.Close
Error:       #24: internal/authn/oidc/oidc.go:180:25: oidc.RemoteOidcAuthenticator.GetConfiguration calls io.ReadAll, which calls http2.gzipReader.Read
Error:       #25: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls http2.headerFieldNameError.Error
Error:       #26: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls http2.headerFieldValueError.Error
Error:       #27: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls http2.pseudoHeaderError.Error
Error:       #28: internal/authn/oidc/oidc.go:174:2: oidc.RemoteOidcAuthenticator.GetConfiguration calls http.http2transportResponseBody.Close, which eventually calls http2.stickyErrWriter.Write
Error:       #29: internal/authn/oidc/oidc.go:174:2: oidc.RemoteOidcAuthenticator.GetConfiguration calls http2.transportResponseBody.Close
Error:       #30: internal/authn/oidc/oidc.go:180:25: oidc.RemoteOidcAuthenticator.GetConfiguration calls io.ReadAll, which calls http2.transportResponseBody.Read
Error:       #31: pkg/storage/memory/memory.go:717:29: memory.MemoryBackend.ReadAssertions calls fmt.Sprintf, which eventually calls http2.writeData.String

  Standard library
    Found in: net/http@go1.21.8
    Fixed in: net/http@go1.21.9
    Example traces found:
Error:       #1: pkg/middleware/http/handler.go:13:2: http.init calls runtime.init, which calls http.CanonicalHeaderKey
Error:       #2: pkg/testutils/testutils.go:206:33: testutils.EnsureServiceHealthy calls retryablehttp.Get, which eventually calls http.Client.CloseIdleConnections
Error:       #3: internal/authn/oidc/oidc.go:170:32: oidc.RemoteOidcAuthenticator.GetConfiguration calls http.Client.Do
Error:       #4: internal/condition/condition.go:69:18: condition.EvaluableCondition.Compile calls sync.Once.Do, which eventually calls http.Get
Error:       #5: pkg/middleware/http/handler.go:61:18: http.handleForwardResponseTrailer calls http.Header.Add
Error:       #6: pkg/middleware/http/handler.go:72:16: http.CustomHTTPErrorHandler calls http.Header.Del
Error:       #7: pkg/middleware/http/handler.go:46:22: http.requestAcceptsTrailers calls http.Header.Get
Error:       #8: pkg/middleware/http/handler.go:75:16: http.CustomHTTPErrorHandler calls http.Header.Set
Error:       #9: cmd/run/run.go:466:33: run.Run calls http.ListenAndServe
Error:       #10: internal/authn/oidc/oidc.go:165:29: oidc.RemoteOidcAuthenticator.GetConfiguration calls http.NewRequest
Error:       #11: internal/authn/oidc/oidc.go:153:26: oidc.RemoteOidcAuthenticator.GetKeys calls keyfunc.Get, which eventually calls http.NewRequestWithContext
Error:       #12: cmd/run/run.go:549:32: run.ServerContext.Run calls grpc.DialContext, which eventually calls http.ProxyFromEnvironment
Error:       #13: pkg/testfixtures/storage/postgres.go:49:63: storage.postgresTestContainer.RunPostgresTestContainer calls postgres.RunContainer, which eventually calls http.ReadResponse
Error:       #14: pkg/testfixtures/storage/postgres.go:49:63: storage.postgresTestContainer.RunPostgresTestContainer calls postgres.RunContainer, which eventually calls http.Request.UserAgent
Error:       #15: pkg/testfixtures/storage/postgres.go:49:63: storage.postgresTestContainer.RunPostgresTestContainer calls postgres.RunContainer, which eventually calls http.Request.Write
Error:       #16: cmd/run/run.go:549:32: run.ServerContext.Run calls grpc.DialContext, which eventually calls http.Response.Write
Error:       #17: cmd/run/run.go:672:35: run.Run calls http.Server.ListenAndServe
Error:       #18: cmd/run/run.go:591:39: run.Run calls http.Server.ListenAndServeTLS
Error:       #19: cmd/run/run.go:693:32: run.ServerContext.Run calls http.Server.Shutdown
Error:       #20: pkg/testfixtures/storage/mysql.go:64:45: storage.mySQLTestContainer.RunMySQLTestContainer calls testcontainers.DockerContainer.MappedPort, which eventually calls http.Transport.CloseIdleConnections
Error:       #21: pkg/testfixtures/storage/postgres.go:49:63: storage.postgresTestContainer.RunPostgresTestContainer calls postgres.RunContainer, which eventually calls http.Transport.RoundTrip
Error:       #22: internal/authn/oidc/oidc.go:174:2: oidc.RemoteOidcAuthenticator.GetConfiguration calls http.body.Close
Error:       #23: internal/authn/oidc/oidc.go:180:25: oidc.RemoteOidcAuthenticator.GetConfiguration calls io.ReadAll, which calls http.body.Read
Error:       #24: internal/authn/oidc/oidc.go:174:2: oidc.RemoteOidcAuthenticator.GetConfiguration calls http.bodyEOFSignal.Close
Error:       #25: internal/authn/oidc/oidc.go:180:25: oidc.RemoteOidcAuthenticator.GetConfiguration calls io.ReadAll, which calls http.bodyEOFSignal.Read
Error:       #26: internal/authn/oidc/oidc.go:180:25: oidc.RemoteOidcAuthenticator.GetConfiguration calls io.ReadAll, which eventually calls http.bodyLocked.Read
Error:       #27: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls multierr.multiError.Error, which eventually calls http.bufioFlushWriter.Write
Error:       #28: internal/authn/oidc/oidc.go:174:2: oidc.RemoteOidcAuthenticator.GetConfiguration calls http.cancelTimerBody.Close
Error:       #29: internal/authn/oidc/oidc.go:180:25: oidc.RemoteOidcAuthenticator.GetConfiguration calls io.ReadAll, which calls http.cancelTimerBody.Read
Error:       #30: internal/authn/oidc/oidc.go:174:2: oidc.RemoteOidcAuthenticator.GetConfiguration calls http2.transportResponseBody.Close, which eventually calls http.checkConnErrorWriter.Write
Error:       #31: internal/authn/oidc/oidc.go:174:2: oidc.RemoteOidcAuthenticator.GetConfiguration calls http2.transportResponseBody.Close, which eventually calls http.chunkWriter.Write
Error:       #32: internal/authn/oidc/oidc.go:180:25: oidc.RemoteOidcAuthenticator.GetConfiguration calls io.ReadAll, which eventually calls http.connReader.Read
Error:       #33: internal/authn/oidc/oidc.go:174:2: oidc.RemoteOidcAuthenticator.GetConfiguration calls http2.transportResponseBody.Close, which eventually calls http.expectContinueReader.Close
Error:       #34: internal/authn/oidc/oidc.go:180:25: oidc.RemoteOidcAuthenticator.GetConfiguration calls io.ReadAll, which calls http.expectContinueReader.Read
Error:       #35: internal/authn/oidc/oidc.go:174:2: oidc.RemoteOidcAuthenticator.GetConfiguration calls http.gzipReader.Close
Error:       #36: internal/authn/oidc/oidc.go:180:25: oidc.RemoteOidcAuthenticator.GetConfiguration calls io.ReadAll, which calls http.gzipReader.Read
Error:       #37: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls http.http2ConnectionError.Error
Error:       #38: pkg/storage/memory/memory.go:717:29: memory.MemoryBackend.ReadAssertions calls fmt.Sprintf, which eventually calls http.http2ErrCode.String
Error:       #39: pkg/storage/memory/memory.go:717:29: memory.MemoryBackend.ReadAssertions calls fmt.Sprintf, which eventually calls http.http2FrameHeader.String
Error:       #40: pkg/storage/memory/memory.go:717:29: memory.MemoryBackend.ReadAssertions calls fmt.Sprintf, which eventually calls http.http2FrameType.String
Error:       #41: pkg/storage/memory/memory.go:717:29: memory.MemoryBackend.ReadAssertions calls fmt.Sprintf, which eventually calls http.http2FrameWriteRequest.String
Error:       #42: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls http.http2GoAwayError.Error
Error:       #43: pkg/storage/memory/memory.go:717:29: memory.MemoryBackend.ReadAssertions calls fmt.Sprintf, which eventually calls http.http2Setting.String
Error:       #44: pkg/storage/memory/memory.go:717:29: memory.MemoryBackend.ReadAssertions calls fmt.Sprintf, which eventually calls http.http2SettingID.String
Error:       #45: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls http.http2StreamError.Error
Error:       #46: internal/authn/oidc/oidc.go:174:2: oidc.RemoteOidcAuthenticator.GetConfiguration calls http2.transportResponseBody.Close, which eventually calls http.http2chunkWriter.Write
Error:       #47: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls http.http2connError.Error
Error:       #48: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls http.http2duplicatePseudoHeaderError.Error
Error:       #49: internal/authn/oidc/oidc.go:174:2: oidc.RemoteOidcAuthenticator.GetConfiguration calls http.http2gzipReader.Close
Error:       #50: internal/authn/oidc/oidc.go:180:25: oidc.RemoteOidcAuthenticator.GetConfiguration calls io.ReadAll, which calls http.http2gzipReader.Read
Error:       #51: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls http.http2headerFieldNameError.Error
Error:       #52: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls http.http2headerFieldValueError.Error
Error:       #53: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls http.http2pseudoHeaderError.Error
Error:       #54: internal/authn/oidc/oidc.go:174:2: oidc.RemoteOidcAuthenticator.GetConfiguration calls http2.transportResponseBody.Close, which eventually calls http.http2requestBody.Close
Error:       #55: internal/authn/oidc/oidc.go:180:25: oidc.RemoteOidcAuthenticator.GetConfiguration calls io.ReadAll, which calls http.http2requestBody.Read
Error:       #56: pkg/middleware/http/handler.go:111:22: http.CustomHTTPErrorHandler calls http.http2responseWriter.Write
Error:       #57: pkg/middleware/http/handler.go:110:15: http.CustomHTTPErrorHandler calls http.http2responseWriter.WriteHeader
Error:       #58: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls multierr.multiError.Error, which eventually calls http.http2responseWriter.WriteString
Error:       #59: internal/authn/oidc/oidc.go:174:2: oidc.RemoteOidcAuthenticator.GetConfiguration calls http2.transportResponseBody.Close, which eventually calls http.http2stickyErrWriter.Write
Error:       #60: internal/authn/oidc/oidc.go:174:2: oidc.RemoteOidcAuthenticator.GetConfiguration calls http.http2transportResponseBody.Close
Error:       #61: internal/authn/oidc/oidc.go:180:25: oidc.RemoteOidcAuthenticator.GetConfiguration calls io.ReadAll, which calls http.http2transportResponseBody.Read
Error:       #62: pkg/storage/memory/memory.go:717:29: memory.MemoryBackend.ReadAssertions calls fmt.Sprintf, which eventually calls http.http2writeData.String
Error:       #63: cmd/validatemodels/validate_models.go:113:15: validatemodels.ValidateAllAuthorizationModels calls fmt.Printf, which eventually calls http.loggingConn.Write
Error:       #64: internal/authn/oidc/oidc.go:180:25: oidc.RemoteOidcAuthenticator.GetConfiguration calls io.ReadAll, which eventually calls http.maxBytesReader.Read
Error:       #65: internal/condition/condition.go:69:18: condition.EvaluableCondition.Compile calls sync.Once.Do, which eventually calls http.onceCloseListener.Close
Error:       #66: internal/authn/oidc/oidc.go:180:25: oidc.RemoteOidcAuthenticator.GetConfiguration calls io.ReadAll, which calls http.persistConn.Read
Error:       #67: pkg/storage/postgres/postgres.go:140:12: postgres.Postgres.Close calls sql.DB.Close, which eventually calls http.persistConnWriter.ReadFrom
Error:       #68: internal/authn/oidc/oidc.go:174:2: oidc.RemoteOidcAuthenticator.GetConfiguration calls http2.transportResponseBody.Close, which eventually calls http.persistConnWriter.Write
Error:       #69: internal/authn/oidc/oidc.go:174:2: oidc.RemoteOidcAuthenticator.GetConfiguration calls http2.transportResponseBody.Close, which eventually calls http.readTrackingBody.Close
Error:       #70: internal/authn/oidc/oidc.go:180:25: oidc.RemoteOidcAuthenticator.GetConfiguration calls io.ReadAll, which calls http.readTrackingBody.Read
Error:       #71: internal/authn/oidc/oidc.go:180:25: oidc.RemoteOidcAuthenticator.GetConfiguration calls io.ReadAll, which calls http.readWriteCloserBody.Read
Error:       #72: pkg/storage/postgres/postgres.go:140:12: postgres.Postgres.Close calls sql.DB.Close, which eventually calls http.response.ReadFrom
Error:       #73: pkg/middleware/http/handler.go:111:22: http.CustomHTTPErrorHandler calls http.response.Write
Error:       #74: pkg/middleware/http/handler.go:110:15: http.CustomHTTPErrorHandler calls http.response.WriteHeader
Error:       #75: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls multierr.multiError.Error, which eventually calls http.response.WriteString
Error:       #76: pkg/middleware/http/handler.go:111:22: http.CustomHTTPErrorHandler calls http.timeoutWriter.Write
Error:       #77: pkg/middleware/http/handler.go:110:15: http.CustomHTTPErrorHandler calls http.timeoutWriter.WriteHeader
Error:       #78: pkg/storage/sqlcommon/sqlcommon.go:294:38: sqlcommon.HandleSQLError calls http.transportReadFromServerError.Error

Your code is affected by 1 vulnerability from the Go standard library.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.
Error: Process completed with exit code 3.

miparnisari requested a review from a team as a code owner April 10, 2024 00:23

codecov bot commented Apr 10, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 86.02%. Comparing base (2cdbb76) to head (6f98b08).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1523      +/-   ##
==========================================
- Coverage   86.06%   86.02%   -0.03%     
==========================================
  Files          85       85              
  Lines        8038     8038              
==========================================
- Hits         6917     6914       -3     
- Misses        790      793       +3     
  Partials      331      331              

miparnisari commented Apr 12, 2024

I sent an email to CNCF Legal asking if we're okay ignoring the license warning.

It's okay to do this for now.

miparnisari merged commit b1511b2 into main Apr 15, 2024
15 checks passed
miparnisari deleted the go.1.21.9 branch April 15, 2024 16:29