The vulnerabilities have been fixed by bumping the Go version and by …

…updating the opa. (#1398) Additionally, Resolve govet warning by using constant format string in Errorf calls
aquasecurity · Sep 25, 2024 · 9a0c6e6 · 9a0c6e6
1 parent 18c17f8
commit 9a0c6e6
Show file tree

Hide file tree

Showing 11 changed files with 202 additions and 214 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -26,7 +26,7 @@ on:
  - 'NOTICE'
 
 env:
- GO_VERSION: "1.21.6"
+ GO_VERSION: "1.23.1"
  KIND_VERSION: "v0.17.0"
  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
 

diff --git a/.github/workflows/release-snapshot.yaml b/.github/workflows/release-snapshot.yaml
@@ -8,7 +8,7 @@ on:
  - cron: "0 0 * * *"
 
 env:
- GO_VERSION: "1.21.6"
+ GO_VERSION: "1.23.1"
 
 # Disable permissions granted to the GITHUB_TOKEN for all the available scopes.
 permissions: {}

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -10,7 +10,7 @@ on:
  tags:
  - "v*"
 env:
- GO_VERSION: "1.21.6"
+ GO_VERSION: "1.23.1"
  KIND_VERSION: "v0.11.1"
  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
 jobs:

diff --git a/build/scanner-aqua/Dockerfile b/build/scanner-aqua/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.17
+FROM alpine:3.19
 
 RUN echo "@edge http://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories
 

diff --git a/build/starboard-operator/Dockerfile b/build/starboard-operator/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.17
+FROM alpine:3.19
 
 RUN apk update && apk upgrade
 

diff --git a/build/starboard-operator/Dockerfile.fips b/build/starboard-operator/Dockerfile.fips
@@ -1,4 +1,4 @@
-FROM alpine:3.17
+FROM alpine:3.19
 
 RUN apk update && apk upgrade
 

diff --git a/build/starboard/Dockerfile b/build/starboard/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.17
+FROM alpine:3.19
 
 RUN adduser -u 10000 -D -g '' starboard starboard
 

diff --git a/go.mod b/go.mod
@@ -1,26 +1,24 @@
 module github.com/aquasecurity/starboard
 
-go 1.21
-
-replace golang.org/x/text => golang.org/x/text v0.3.8
+go 1.23
 
 require (
  github.com/caarlos0/env/v6 v6.10.0
- github.com/davecgh/go-spew v1.1.1
+ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
  github.com/emirpasic/gods v1.18.1
- github.com/go-logr/logr v1.2.3
- github.com/google/go-cmp v0.5.9
+ github.com/go-logr/logr v1.4.2
+ github.com/google/go-cmp v0.6.0
  github.com/google/go-containerregistry v0.11.0
- github.com/google/uuid v1.3.0
+ github.com/google/uuid v1.6.0
  github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75
  github.com/hashicorp/go-version v1.5.0
  github.com/onsi/ginkgo v1.16.5
  github.com/onsi/gomega v1.24.1
- github.com/open-policy-agent/opa v0.46.1
+ github.com/open-policy-agent/opa v0.68.0
  github.com/openshift/api v0.0.0-20221013123533-341d389bd4a7
- github.com/spf13/cobra v1.6.1
+ github.com/spf13/cobra v1.8.1
  github.com/spf13/pflag v1.0.5
- github.com/stretchr/testify v1.8.0
+ github.com/stretchr/testify v1.9.0
  github.com/valyala/quicktemplate v1.7.0
  gopkg.in/yaml.v3 v3.0.1
  k8s.io/api v0.26.10
@@ -30,28 +28,30 @@ require (
  k8s.io/client-go v0.26.10
  k8s.io/code-generator v0.26.10
  k8s.io/klog/v2 v2.90.1
- k8s.io/utils v0.0.0-20221128185143-99ec85e7a448
+ k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5
  sigs.k8s.io/controller-runtime v0.14.7
- sigs.k8s.io/yaml v1.3.0
+ sigs.k8s.io/yaml v1.4.0
 )
 
 require (
- github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+ github.com/emicklei/go-restful/v3 v3.10.1 // indirect
  github.com/opencontainers/go-digest v1.0.0 // indirect
- github.com/sergi/go-diff v1.2.0 // indirect
  github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 )
 
 require (
  github.com/OneOfOne/xxhash v1.2.8 // indirect
  github.com/agnivade/levenshtein v1.1.1 // indirect
  github.com/beorn7/perks v1.0.1 // indirect
- github.com/cespare/xxhash/v2 v2.1.2 // indirect
+ github.com/cespare/xxhash/v2 v2.3.0 // indirect
+ github.com/dgraph-io/ristretto v1.0.0 // indirect
+ github.com/dustin/go-humanize v1.0.1 // indirect
  github.com/evanphx/json-patch v5.6.0+incompatible // indirect
  github.com/evanphx/json-patch/v5 v5.6.0 // indirect
- github.com/fsnotify/fsnotify v1.6.0 // indirect
- github.com/ghodss/yaml v1.0.0 // indirect
+ github.com/fsnotify/fsnotify v1.7.0 // indirect
  github.com/go-errors/errors v1.0.1 // indirect
+ github.com/go-ini/ini v1.67.0 // indirect
+ github.com/go-logr/stdr v1.2.2 // indirect
  github.com/go-logr/zapr v1.2.3 // indirect
  github.com/go-openapi/jsonpointer v0.19.5 // indirect
  github.com/go-openapi/jsonreference v0.20.0 // indirect
@@ -60,51 +60,65 @@ require (
  github.com/gobwas/glob v0.2.3 // indirect
  github.com/gogo/protobuf v1.3.2 // indirect
  github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
- github.com/golang/protobuf v1.5.2 // indirect
+ github.com/golang/protobuf v1.5.4 // indirect
  github.com/google/btree v1.0.1 // indirect
+ github.com/google/flatbuffers v24.3.25+incompatible // indirect
  github.com/google/gnostic v0.6.9 // indirect
  github.com/google/gofuzz v1.2.0 // indirect
  github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+ github.com/gorilla/mux v1.8.1 // indirect
  github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
  github.com/imdario/mergo v0.3.13 // indirect
- github.com/inconshreveable/mousetrap v1.0.1 // indirect
+ github.com/inconshreveable/mousetrap v1.1.0 // indirect
  github.com/josharian/intern v1.0.0 // indirect
  github.com/json-iterator/go v1.1.12 // indirect
+ github.com/klauspost/compress v1.17.9 // indirect
  github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
  github.com/mailru/easyjson v0.7.7 // indirect
- github.com/matttproud/golang_protobuf_extensions v1.0.2 // indirect
  github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
  github.com/modern-go/reflect2 v1.0.2 // indirect
  github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
  github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
  github.com/nxadm/tail v1.4.8 // indirect
  github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
  github.com/pkg/errors v0.9.1 // indirect
- github.com/pmezard/go-difflib v1.0.0 // indirect
- github.com/prometheus/client_golang v1.14.0 // indirect
- github.com/prometheus/client_model v0.3.0 // indirect
- github.com/prometheus/common v0.37.0 // indirect
- github.com/prometheus/procfs v0.8.0 // indirect
+ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+ github.com/prometheus/client_golang v1.20.4 // indirect
+ github.com/prometheus/client_model v0.6.1 // indirect
+ github.com/prometheus/common v0.59.1 // indirect
+ github.com/prometheus/procfs v0.15.1 // indirect
  github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
+ github.com/sirupsen/logrus v1.9.3 // indirect
  github.com/valyala/bytebufferpool v1.0.0 // indirect
  github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
  github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
  github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
- github.com/yashtewari/glob-intersection v0.1.0 // indirect
+ github.com/yashtewari/glob-intersection v0.2.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 // indirect
+ go.opentelemetry.io/otel v1.30.0 // indirect
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0 // indirect
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.30.0 // indirect
+ go.opentelemetry.io/otel/metric v1.30.0 // indirect
+ go.opentelemetry.io/otel/sdk v1.30.0 // indirect
+ go.opentelemetry.io/otel/trace v1.30.0 // indirect
  go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
- go.uber.org/atomic v1.9.0 // indirect
- go.uber.org/multierr v1.8.0 // indirect
+ go.uber.org/atomic v1.11.0 // indirect
+ go.uber.org/goleak v1.3.0 // indirect
+ go.uber.org/multierr v1.11.0 // indirect
  go.uber.org/zap v1.24.0 // indirect
- golang.org/x/mod v0.9.0 // indirect
- golang.org/x/net v0.27.0 // indirect
- golang.org/x/oauth2 v0.0.0-20220718184931-c8730f7fcb92 // indirect
- golang.org/x/sys v0.22.0 // indirect
- golang.org/x/term v0.22.0 // indirect
- golang.org/x/text v0.16.0 // indirect
- golang.org/x/time v0.3.0 // indirect
- golang.org/x/tools v0.6.0 // indirect
+ golang.org/x/mod v0.21.0 // indirect
+ golang.org/x/net v0.29.0 // indirect
+ golang.org/x/oauth2 v0.22.0 // indirect
+ golang.org/x/sync v0.8.0 // indirect
+ golang.org/x/sys v0.25.0 // indirect
+ golang.org/x/term v0.24.0 // indirect
+ golang.org/x/text v0.18.0 // indirect
+ golang.org/x/time v0.6.0 // indirect
+ golang.org/x/tools v0.25.0 // indirect
  gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
- google.golang.org/appengine v1.6.7 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
+ google.golang.org/grpc v1.66.2 // indirect
  google.golang.org/protobuf v1.34.2 // indirect
  gopkg.in/inf.v0 v0.9.1 // indirect
  gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect