chore: build with keda-tools:1.22.5 (kedacore#5971)

* chore: build with keda-tools:1.22.5 to resolve CVE-2024-24790, CVE-2024-24789, and CVE-2024-24791 bump github.com/Azure/azure-sdk-for-go/sdk/azidentity to resolve CVE-2024-35255 Signed-off-by: Paul Yu <paul.d.yu@gmail.com> * chore: use go install instead of go get and replacing deprecated tools Signed-off-by: Paul Yu <paul.d.yu@gmail.com> * chore: vendor dependency cleanup Signed-off-by: Paul Yu <paul.d.yu@gmail.com> * Update missing references to 1.21 Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es> --------- Signed-off-by: Paul Yu <paul.d.yu@gmail.com> Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es> Co-authored-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es> Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
JorTurFer · Jul 30, 2024 · c174395 · c174395
1 parent 6f8959c
commit c174395
Show file tree

Hide file tree

Showing 103 changed files with 9,978 additions and 4,536 deletions.
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -16,41 +16,32 @@ ARG USERNAME=vscode
 ARG USER_UID=1000
 ARG USER_GID=$USER_UID
 
-ENV GO111MODULE=auto
-
 # Configure apt, install packages and tools
 RUN apt-get update \
     && apt-get -y install --no-install-recommends apt-utils dialog unzip 2>&1 \
     #
     # Verify git, process tools, lsb-release (common in install instructions for CLIs) installed
     && apt-get -y install git iproute2 procps lsb-release \
     #
-    # Install gocode-gomod
-    && go get -x -d github.com/stamblerre/gocode 2>&1 \
-    && go build -o gocode-gomod github.com/stamblerre/gocode \
-    && mv gocode-gomod $GOPATH/bin/ \
-    #
     # Install Go tools
-    && go get -u -v \
-        github.com/mdempsky/gocode \
-        github.com/uudashr/gopkgs/cmd/gopkgs \
-        github.com/ramya-rao-a/go-outline \
-        github.com/acroca/go-symbols \
-        github.com/godoctor/godoctor \
-        golang.org/x/tools/cmd/gorename \
-        github.com/rogpeppe/godef \
-        github.com/zmb3/gogetdoc \
-        github.com/haya14busa/goplay/cmd/goplay \
-        github.com/sqs/goreturns \
-        github.com/josharian/impl \
-        github.com/davidrjenni/reftools/cmd/fillstruct \
-        github.com/fatih/gomodifytags \
-        github.com/cweill/gotests/... \
-        golang.org/x/tools/cmd/goimports \
-        golang.org/x/lint/golint \
-        github.com/alecthomas/gometalinter 2>&1 \
-        github.com/mgechev/revive \
-        github.com/derekparker/delve/cmd/dlv 2>&1 \
+    && go install github.com/uudashr/gopkgs/v2/cmd/gopkgs@latest \
+    && go install github.com/ramya-rao-a/go-outline@latest \
+    && go install github.com/acroca/go-symbols@latest \
+    && go install github.com/godoctor/godoctor@latest \
+    && go install golang.org/x/tools/cmd/gorename@latest \
+    && go install github.com/rogpeppe/godef@latest \
+    && go install github.com/zmb3/gogetdoc@latest \
+    && go install github.com/haya14busa/goplay/cmd/goplay@latest \
+    && go install github.com/sqs/goreturns@latest \
+    && go install github.com/josharian/impl@latest \
+    && go install github.com/davidrjenni/reftools/cmd/fillstruct@latest \
+    && go install github.com/fatih/gomodifytags@latest \
+    && go install github.com/cweill/gotests/...@latest \
+    && go install golang.org/x/tools/cmd/goimports@latest \
+    && go install golang.org/x/lint/golint@latest \
+    && go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest \
+    && go install github.com/mgechev/revive@latest \
+    && go install github.com/go-delve/delve/cmd/dlv@latest \
     && go install honnef.co/go/tools/cmd/staticcheck@latest \
     && go install golang.org/x/tools/gopls@latest \
     # Protocol Buffer Compiler
@@ -61,8 +52,6 @@ RUN apt-get update \
     && mv $HOME/.local/bin/protoc /usr/local/bin/protoc \
     && mv $HOME/.local/include/ /usr/local/bin/include/ \
     && protoc --version \
-    # Install golangci-lint
-    && curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.55.2 \
     #
     # Create a non-root user to use if preferred - see https://aka.ms/vscode-remote/containers/non-root-user.
     && groupadd --gid $USER_GID $USERNAME \
@@ -91,9 +80,6 @@ RUN apt-get update \
     && apt-get clean -y \
     && rm -rf /var/lib/apt/lists/*
 
-# Enable go modules
-ENV GO111MODULE=on
-
 ENV OPERATOR_RELEASE_VERSION=v1.26.0
 RUN ARCH=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n arm64 ;; *) echo -n $(uname -m) ;; esac) \
     && OS=$(uname | awk '{print tolower($0)}') \

diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
@@ -20,7 +20,7 @@ jobs:
       - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - run: go version
       - name: Get branch name
         id: branch-name

diff --git a/.github/workflows/main-build.yml b/.github/workflows/main-build.yml
@@ -41,7 +41,7 @@ jobs:
           key: ${{ runner.os }}-go-build-cache-${{ hashFiles('**/go.sum') }}
 
       - name: Go modules sync
-        run: go mod tidy -compat=1.21
+        run: go mod tidy -compat=1.22
 
       - name: Test
         run: make test

diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
@@ -50,7 +50,7 @@ jobs:
           key: ${{ runner.os }}-go-build-cache-${{ hashFiles('**/go.sum') }}
 
       - name: Go modules sync
-        run: go mod tidy -compat=1.21
+        run: go mod tidy -compat=1.22
 
       - name: Verify generated Clientset is up to date
         run: make clientset-verify
@@ -75,7 +75,7 @@ jobs:
     runs-on: ${{ matrix.runner }}
     container: ghcr.io/kedacore/keda-tools:1.21.12
     strategy:
-       matrix:
+      matrix:
         include:
         - runner: ARM64
           name: arm64
@@ -106,7 +106,7 @@ jobs:
     runs-on: ${{ matrix.runner }}
     container: ghcr.io/kedacore/keda-tools:1.21.12
     strategy:
-       matrix:
+      matrix:
         include:
         - runner: ARM64
           name: arm64
@@ -139,7 +139,7 @@ jobs:
           python-version: 3.x
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Get golangci
         run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.55.2
       - uses: pre-commit/action@v3.0.0

diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
@@ -41,7 +41,7 @@ jobs:
           key: ${{ runner.os }}-go-build-cache-${{ hashFiles('**/go.sum') }}
 
       - name: Go modules sync
-        run: go mod tidy -compat=1.21
+        run: go mod tidy -compat=1.22
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3

diff --git a/.github/workflows/template-smoke-tests.yml b/.github/workflows/template-smoke-tests.yml
@@ -20,7 +20,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
         with:
-          go-version: "1.21"
+          go-version: "1.22"
 
       - name: Install prerequisites
         run: |

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -52,6 +52,14 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio
 
 ## Unreleased
 
+- **General**: Fix CVE-2024-24790, CVE-2024-24789, and CVE-2024-24791 in stdlib.
+- **General**: Fix CVE-2024-35255 in github.com/Azure/azure-sdk-for-go/sdk/azidentity
+- **General**: Fix CVE-2024-6104 in github.com/hashicorp/go-retryablehttp
+
+### Breaking Changes
+
+- **Authentication:** AAD-Pod-Identity and AWS-KIAM auths have been removed ([#5035](https://github.com/kedacore/keda/issues/5035)|[#5085](https://github.com/kedacore/keda/issues/5085))
+
 ### New
 
 - TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX))

diff --git a/go.mod b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/Azure/azure-kusto-go v0.15.2
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
 	github.com/Azure/azure-sdk-for-go/sdk/messaging/azservicebus v1.7.0
 	github.com/Azure/azure-storage-blob-go v0.15.0
 	github.com/Azure/azure-storage-queue-go v0.0.0-20230927153703-648530c9aaf2
@@ -97,12 +97,12 @@ require (
 	google.golang.org/grpc v1.63.2
 	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0
 	google.golang.org/protobuf v1.33.0
-	k8s.io/api v0.29.2
-	k8s.io/apimachinery v0.29.2
-	k8s.io/apiserver v0.29.2
+	k8s.io/api v0.29.4
+	k8s.io/apimachinery v0.29.4
+	k8s.io/apiserver v0.29.4
 	k8s.io/client-go v1.5.2
-	k8s.io/code-generator v0.29.2
-	k8s.io/component-base v0.29.2
+	k8s.io/code-generator v0.29.4
+	k8s.io/component-base v0.29.4
 	k8s.io/klog/v2 v2.120.1
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00
 	k8s.io/metrics v0.28.9
@@ -115,6 +115,14 @@ require (
 	sigs.k8s.io/kustomize/kustomize/v5 v5.4.1
 )
 
+require (
+	filippo.io/edwards25519 v1.1.0 // indirect
+	nhooyr.io/websocket v1.8.11 // indirect
+)
+
+// Remove this when they merge the PR and cut a release https://github.com/open-policy-agent/cert-controller/pull/202
+replace github.com/open-policy-agent/cert-controller => github.com/jorturfer/cert-controller v0.0.0-20240427003941-363ba56751d7
+
 replace (
 	// pin k8s.io to v0.28.9
 	github.com/google/cel-go => github.com/google/cel-go v0.16.1
@@ -164,9 +172,8 @@ require (
 	cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect
 	cloud.google.com/go/iam v1.1.7 // indirect
 	code.cloudfoundry.org/clock v1.1.0 // indirect
-	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/Azure/azure-pipeline-go v0.2.3 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/messaging/azeventgrid v0.4.0
 	github.com/Azure/go-amqp v1.0.5 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
@@ -342,13 +349,13 @@ require (
 	go.uber.org/automaxprocs v1.5.3
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.22.0
-	golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3
+	golang.org/x/crypto v0.24.0
+	golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f
 	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/net v0.24.0 // indirect
-	golang.org/x/sys v0.19.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
 	golang.org/x/term v0.19.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.20.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
@@ -361,9 +368,9 @@ require (
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/apiextensions-apiserver v0.29.2 // indirect
+	k8s.io/apiextensions-apiserver v0.29.4 // indirect
 	k8s.io/gengo v0.0.0-20240129211411-f967bbeff4b4 // indirect
-	k8s.io/kms v0.29.2 // indirect
+	k8s.io/kms v0.29.4 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kustomize/api v0.17.1 // indirect