
Fix: Vulnerability in golang.org/x/net/http2 & github.com/sirupsen/logrus #262

Merged
merged 8 commits into from
Oct 10, 2024

Conversation

mlajkim
Contributor

@mlajkim mlajkim commented Oct 9, 2024

Background

This PR fixes the vulnerabilities described in the following issue: #253

Proof

11:23:31 Organization:      athenz
11:23:31 Package manager:   gomodules
11:23:31 Target file:       go.mod
11:23:31 Project name:      github.com/open-policy-agent/kube-mgmt
11:23:31 Open source:       no
11:23:31 Local Snyk policy: found
11:23:31 Licenses:          enabled
11:23:31 
11:23:31 ✔ Tested 293 dependencies for known issues, no vulnerable paths found.
11:23:31 
11:23:31 
11:23:33 INFO: snyk test has completed successfully.
11:23:33 INFO - snyk monitor and test: successful.
11:23:33 INFO: Vulnerability severity threshold is set to 7.0.
11:23:33 INFO: Risky Licenses: .
11:23:33 INFO: Strict check of vulnerability: true.
11:23:33 INFO: Strict check of license: false.
11:23:33 
11:23:33 ============
11:23:33 INFO: [1] Project Name: github.com/open-policy-agent/kube-mgmt, Package Manager: gomodules, Target File: go.mod.
11:23:33 INFO: No vulnerabilities (Severity >= 7.0, by fixability: false) and license violations were detected.
11:23:33 INFO: Explore this snapshot at https://app.snyk.io/org/athenz/project/21fbd133-e718-40a3-8866-18ac5f3917c0/history/b1498df1-2ca4-476b-ac1e-b3c1a6336189
11:23:33 
11:23:33 ============
11:23:33 
11:23:33 INFO: **CHECK SUMMARY**
11:23:33 	Total Projects:          1
11:23:33 	Total Vulnerabilities:   0 (0 ignored, Severity >= 7.0, by fixability: false) 
11:23:33 	Total License violation: 0 (0 ignored) 
11:23:33 	Total Illegal ignores:   0
11:23:33 
11:23:33 INFO: All Snyk check PASS!
11:23:33 WARN: NOT considered check failure because license strict check mode is disabled.

What I've done

  • go get github.com/sirupsen/logrus@v1.8.3 && go mod vendor
  • go mod tidy
  • go get golang.org/x/net@v0.23.0 && go get golang.org/x/text@v0.19.0 && go get golang.org/x/term@v0.25.0 && go mod vendor
  • go fmt ./...
  • go mod edit -go=1.18, as:
    Error: vendor/golang.org/x/net/http2/transport.go:1096:13: tc.NetConn undefined (type *tls.Conn has no field or method NetConn)
    note: module requires Go 1.18
    error: Recipe lint-go failed on line 34 with exit code 2
    Error: Process completed with exit code 2.
  • go mod tidy
  • ✅ upgrade staticcheck 1.17.7 => 1.23.2 && upgrade go version 1.17.7 => 1.23.2 for GitHub Actions!
    • The pipeline finally has run successfully!

❌: means the GitHub pipeline failed
✅: means the GitHub pipeline succeeded
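As an added example (not the project's code and not part of the PR), the same upgrade expressed as a pre-flight check in Go: it parses a go.mod, reports every module still pinned below the versions the commands above moved to, and also reports a go directive below 1.18, the floor the quoted build error points to (x/net v0.23.0 calls (*tls.Conn).NetConn, which only exists from Go 1.18). The sample go.mod and its pins are constructed for illustration, and the minimum-version table is taken from the PR's commands as policy input, not as independently verified fix versions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample go.mod (shape of the module before the upgrade; the pins are illustrative assumptions).
const sampleGoMod = `module github.com/example/kube-mgmt
go 1.17
require (
	github.com/sirupsen/logrus v1.8.1 // indirect
	golang.org/x/net v0.17.0
)
require golang.org/x/term v0.12.0
`

// Floor per module: the versions this PR moved to, used as policy input, not as verified fix versions.
var minVersions = []struct{ mod, min string }{
	{"github.com/sirupsen/logrus", "v1.8.3"},
	{"golang.org/x/net", "v0.23.0"},
	{"golang.org/x/text", "v0.19.0"},
	{"golang.org/x/term", "v0.25.0"},
}

// parseVersion turns "v1.8.3" or "1.18" into numeric fields plus a release flag, following semver precedence.
func parseVersion(v string) [4]int {
	out := [4]int{3: 1} // fourth field: 1 for a release, 0 for a "-..." pre-release or pseudo-version
	if i := strings.Index(v, "-"); i >= 0 {
		v, out[3] = v[:i], 0 // sorts below the corresponding release, as semver requires
	}
	v, _, _ = strings.Cut(v, "+") // build metadata (e.g. +incompatible) does not affect precedence
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
		out[i], _ = strconv.Atoi(p) // a non-numeric field counts as 0
	}
	return out
}

// compareVersions returns -1, 0 or 1, comparing field by field (v0.3.10 > v0.3.8, unlike a string sort).
func compareVersions(a, b string) int {
	pa, pb := parseVersion(a), parseVersion(b)
	for i := range pa {
		switch {
		case pa[i] < pb[i]:
			return -1
		case pa[i] > pb[i]:
			return 1
		}
	}
	return 0
}

// ParseGoMod returns the go directive and a module->version map from single-line and block-form require directives.
func ParseGoMod(src string) (goDir string, reqs map[string]string) {
	reqs, inBlock := map[string]string{}, false
	for _, line := range strings.Split(src, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drops trailers such as "// indirect"
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case f[0] == "go" && len(f) == 2:
			goDir = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			reqs[f[0]] = f[1]
		case f[0] == "require" && len(f) >= 3:
			reqs[f[1]] = f[2]
		}
	}
	return goDir, reqs
}

// CheckGoMod lists every pinned module below its floor plus a too-old go directive; empty means the upgrade is complete.
func CheckGoMod(src string) []string {
	goDir, reqs := ParseGoMod(src)
	var findings []string
	for _, p := range minVersions {
		if have, ok := reqs[p.mod]; ok && compareVersions(have, p.min) < 0 {
			findings = append(findings, fmt.Sprintf("%s %s is below %s", p.mod, have, p.min))
		}
	}
	// x/net v0.23.0 calls (*tls.Conn).NetConn, added in Go 1.18 (the build error quoted in the PR).
	if goDir != "" && compareVersions(goDir, "1.18") < 0 {
		findings = append(findings, fmt.Sprintf("go directive %s is below 1.18", goDir))
	}
	return findings
}

func main() {
	for _, f := range CheckGoMod(sampleGoMod) {
		fmt.Println("FAIL:", f)
	}
}
```

Run with `go run` to get one FAIL line per module still below its floor; modules absent from go.mod are skipped because there is nothing to upgrade. This is only a pre-flight for a vendored module like this one: the authoritative steps remain `go mod tidy` followed by `go mod vendor` (so vendor/modules.txt matches go.mod again, otherwise go build stops with an inconsistent-vendoring error), `go mod verify`, and a scanner such as govulncheck or the Snyk run shown in the Proof section.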

@mlajkim mlajkim changed the title feat: go get github.com/sirupsen/logrus@v1.8.3 && go mod vendor Fix: Vulnerability in golang.org/x/net/http2 & github.com/sirupsen/logrus Oct 9, 2024
@mlajkim mlajkim marked this pull request as draft October 9, 2024 09:01
@mlajkim
Contributor Author

mlajkim commented Oct 10, 2024

My logical process & how to set up a local test for this project (kube-mgmt):


Since the pipeline failed, I just ran the command locally to test it out:

brew install just
just test
# got
go vet ./...
staticcheck ./...
sh: staticcheck: command not found

Seems like I need staticcheck, so I installed it, and the local test worked perfectly:

# so I installed staticcheck
brew install staticcheck
just test
go vet ./...
staticcheck ./...
helm plugin ls | grep unittest || helm plugin install https://github.com/helm-unittest/helm-unittest.git

_...skipped..._

 PASS  lint image and mgmt.image        test/lint/images.yaml
 PASS  lint serviceaccount      test/lint/sa.yaml

Charts:      1 passed, 1 total
Test Suites: 2 passed, 2 total
Tests:       7 passed, 7 total
Snapshot:    0 passed, 0 total
Time:        20.118ms

go test ./...
?       github.com/open-policy-agent/kube-mgmt/internal/expect  [no test files]
?       github.com/open-policy-agent/kube-mgmt/pkg/configmap    [no test files]
?       github.com/open-policy-agent/kube-mgmt/pkg/types        [no test files]
?       github.com/open-policy-agent/kube-mgmt/pkg/version      [no test files]
ok      github.com/open-policy-agent/kube-mgmt/cmd/kube-mgmt    1.660s
ok      github.com/open-policy-agent/kube-mgmt/pkg/data 2.475s
ok      github.com/open-policy-agent/kube-mgmt/pkg/opa  1.165s
helm unittest -f '../../test/unit/*.yaml' charts/opa-kube-mgmt

### Chart [ opa-kube-mgmt ] charts/opa-kube-mgmt

 PASS  test health probes       test/unit/health.yaml
 PASS  test kube-mgmt container args    test/unit/kube-mgmt_args.yaml
 PASS  test configmap rbac      test/unit/rbac_cm.yaml
 PASS  test replicate rbac      test/unit/rbac_replicate.yaml
 PASS  test serviceaccount annotations  test/unit/sa.yaml

Charts:      1 passed, 1 total
Test Suites: 5 passed, 5 total
Tests:       22 passed, 22 total
Snapshot:    0 passed, 0 total
Time:        75.600667ms

So the local test worked, but the pipeline did not, so I assumed there was a problem in the pipeline, and I noticed that one of the pipeline jobs installs staticcheck, but potentially an old version.
So since my local test worked, I checked the local version, and it was 2024.1.1:

$ staticcheck -version
staticcheck 2024.1.1 (0.5.1)

So I set the version to 2024.1.1, but the newer version requires a newer Go to run it: 38bb8d5

So I set up the newer Go version, and the pipeline worked as well.

Available term package version


term

curl https://proxy.golang.org/golang.org/x/term/@v/list

v0.15.0
v0.7.0
v0.3.8
v0.3.0
v0.3.6
v0.3.4
v0.8.0
v0.6.0
v0.3.7
v0.10.0
v0.5.0
v0.3.5
v0.18.0
v0.12.0
v0.19.0
v0.3.3
v0.9.0
v0.4.0
v0.14.0
v0.3.1
v0.11.0
v0.1.0
v0.13.0
v0.17.0
v0.2.0
v0.16.0
v0.3.2

Available text package version


Get list of text package

curl https://proxy.golang.org/golang.org/x/text/@v/list

v0.15.0
v0.7.0
v0.3.8
v0.3.0
v0.3.6
v0.3.4
v0.8.0
v0.6.0
v0.3.7
v0.10.0
v0.5.0
v0.3.5
v0.18.0
v0.12.0
v0.19.0
v0.3.3
v0.9.0
v0.4.0
v0.14.0
v0.3.1
v0.11.0
v0.1.0
v0.13.0
v0.17.0
v0.2.0
v0.16.0
v0.3.2

@mlajkim
Contributor Author

mlajkim commented Oct 10, 2024

@eshepelyuk
Hi, I'm mentioning you because I'm not sure who to ask for a PR review.
As described in the PR, I've created it to address the vulnerabilities mentioned in the issue: #253

@mlajkim mlajkim marked this pull request as ready for review October 10, 2024 02:38
Contributor

@eshepelyuk eshepelyuk left a comment


Plz address missing things

  • sign DCO
  • rebase and squash PR into single commit

Signed-off-by: Jeongwoo Kim - jekim <jekim@yahoo-corp.jp>
Signed-off-by: Jeongwoo Kim - jekim <jekim@yahoo-corp.jp>
…& go get golang.org/x/term@v0.25.0 && go mod vendor

Signed-off-by: Jeongwoo Kim - jekim <jekim@yahoo-corp.jp>
Signed-off-by: Jeongwoo Kim - jekim <jekim@yahoo-corp.jp>
Signed-off-by: Jeongwoo Kim - jekim <jekim@yahoo-corp.jp>
Signed-off-by: Jeongwoo Kim - jekim <jekim@yahoo-corp.jp>
Signed-off-by: Jeongwoo Kim - jekim <jekim@yahoo-corp.jp>
Signed-off-by: Jeongwoo Kim - jekim <jekim@yahoo-corp.jp>
@mlajkim
Contributor Author

mlajkim commented Oct 10, 2024

@eshepelyuk handled!

@eshepelyuk
Contributor

@eshepelyuk handled!

no, there is still 8 commits,

@eshepelyuk eshepelyuk merged commit 69b3fb9 into open-policy-agent:master Oct 10, 2024
2 checks passed
@mlajkim mlajkim deleted the fix-vulnerability branch October 10, 2024 23:08