Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update go version to 1.18 #1363

Merged
merged 8 commits into from
Sep 4, 2022
Merged

Conversation

jauderho
Copy link
Contributor

While scanning a locally built copy of watchtower using Trivy, the container showed CVE-2022-21698 as being flagged as an issue. Upon investigation, this turns out to be github.com/prometheus/client_golang not being v1.11 or newer.

I also noticed that go.mod is set to 1.12 so bumped that up to the lowest current supported version: 1.18 using go get -u all && go mod tidy

This resulted in the following modules versions being updated:

go: module github.com/golang/protobuf is deprecated: Use the "google.golang.org/protobuf" module instead.
go: upgraded github.com/Microsoft/go-winio v0.4.17 => v0.5.2
go: upgraded github.com/cespare/xxhash/v2 v2.1.1 => v2.1.2
go: upgraded github.com/docker/distribution v2.8.0+incompatible => v2.8.1+incompatible
go: upgraded github.com/docker/docker-credential-helpers v0.6.1 => v0.6.4
go: upgraded github.com/fatih/color v1.10.0 => v1.13.0
go: upgraded github.com/fsnotify/fsnotify v1.4.9 => v1.5.4
go: upgraded github.com/inconshreveable/mousetrap v1.0.0 => v1.0.1
go: upgraded github.com/johntdyer/slackrus v0.0.0-20180518184837-f7aae3243a07 => v0.0.0-20211215141436-33e4a270affb
go: upgraded github.com/kr/pretty v0.2.1 => v0.3.0
go: upgraded github.com/magiconair/properties v1.8.1 => v1.8.6
go: upgraded github.com/mattn/go-colorable v0.1.8 => v0.1.13
go: upgraded github.com/mattn/go-isatty v0.0.12 => v0.0.16
go: upgraded github.com/mitchellh/mapstructure v1.2.2 => v1.5.0
go: upgraded github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 => v0.0.0-20220808134915-39b0c02b01ae
go: upgraded github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c => v1.0.0
go: upgraded github.com/onsi/gomega v1.20.0 => v1.20.1
go: upgraded github.com/pelletier/go-toml v1.8.1 => v1.9.5
go: added github.com/pelletier/go-toml/v2 v2.0.5
go: upgraded github.com/prometheus/client_golang v1.7.1 => v1.13.0
go: upgraded github.com/prometheus/common v0.10.0 => v0.37.0
go: upgraded github.com/prometheus/procfs v0.6.0 => v0.8.0
go: upgraded github.com/robfig/cron v0.0.0-20180505203441-b41be1df6967 => v1.2.0
go: upgraded github.com/spf13/afero v1.2.2 => v1.9.2
go: upgraded github.com/spf13/cast v1.3.1 => v1.5.0
go: upgraded github.com/spf13/viper v1.6.3 => v1.12.0
go: upgraded github.com/subosito/gotenv v1.2.0 => v1.4.1
go: upgraded golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4 => v0.0.0-20220826154423-83b083e8dc8b
go: upgraded golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 => v0.0.0-20220825204002-c680a09ffe64
go: upgraded golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e => v0.0.0-20220722155302-e5dcc9cfc0b9
go: upgraded google.golang.org/protobuf v1.28.0 => v1.28.1
go: upgraded gopkg.in/ini.v1 v1.55.0 => v1.67.0

I have built a test image which can be pulled using docker pull jauderho/watchtower:git. My initial testing does not show any issues.

@codecov
Copy link

codecov bot commented Aug 29, 2022

Codecov Report

Merging #1363 (7a110c9) into main (964879d) will not change coverage.
The diff coverage is 33.33%.

@@           Coverage Diff           @@
##             main    #1363   +/-   ##
=======================================
  Coverage   64.71%   64.71%           
=======================================
  Files          23       23           
  Lines        2293     2293           
=======================================
  Hits         1484     1484           
  Misses        712      712           
  Partials       97       97           
Impacted Files Coverage Δ
pkg/container/client.go 31.84% <0.00%> (ø)
pkg/registry/auth/auth.go 43.26% <33.33%> (ø)
pkg/registry/trust.go 47.61% <100.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

using go 1.18, the `go get` command does no longer install golint.
but since it's deprecated anyway, let's replace it with staticcheck
internal/actions/mocks/progress.go:
- ineffective break statement. Did you mean to break out of the outer loop? (SA4011)
- redundant break statement (S1023)

pkg/container/client.go:
- should omit comparison to bool constant, can be simplified to execInspect.Running (S1002)
- error strings should not be capitalized (ST1005)

pkg/container/errors.go:
- var errorNoExposedPorts is unused (U1000)

pkg/registry/auth/auth.go:
- argument err is overwritten before first use (SA4009)
- the argument is already a string, there's no need to use fmt.Sprintf (S1025)

pkg/registry/trust.go:
- error strings should not be capitalized (ST1005)
@piksel piksel requested a review from simskij as a code owner September 4, 2022 11:41
@piksel piksel changed the title Update go.mod to 1.18 as well as address CVE-2022-21698 chore(go): update go.mod to 1.18 Sep 4, 2022
@piksel
Copy link
Member

piksel commented Sep 4, 2022

I am limiting this to only be the update to go v1.18, as it had some cascading consequences and dependabot already has a PR for the prometheus dependency: #1365

@piksel
Copy link
Member

piksel commented Sep 4, 2022

Code coverage is low in lint-fixed areas, not something this PR should address. Force merging.

@piksel piksel changed the title chore(go): update go.mod to 1.18 chore(deps): update go version to 1.18 Sep 4, 2022
@piksel piksel merged commit e04a107 into containrrr:main Sep 4, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants