Pull in new versions from makego

.golangci.yml

@@ -287,3 +287,58 @@ issues:
       # trip this off.
       path: private/pkg/oauth2/device.go
       text: "G101:"
+    # G115 checks for integer overflow from integer conversions. There are known false
+    # positives from the check (https://github.com/securego/gosec/issues/1212) that are
+    # actively being worked on. Each exemption below is a false positive or for a safe operation,
+    # such as parsing indices from descriptors and/or images.
+    - linters:
+        - gosec
+      # Loop index conversion to uint64.
+      path: private/buf/bufgen/features.go
+      text: "G115:"
+    - linters:
+        - gosec
+      # Converting result from utf8.RuneCountInString to uint64.
+      path: private/bufpkg/bufcheck/bufcheckserver/internal/buflintvalidate/field.go
+      text: "G115:"
+    - linters:
+        - gosec
+      # PluginReference revision is validated with a bounds check at construction time.
+      path: private/bufpkg/bufremoteplugin/bufremoteplugin.go
+      text: "G115:"
+    - linters:
+        - gosec
+      # A bounds check has been added for int32 -> uint32 conversion this is being flagged
+      # as a false positive.
+      path: private/buf/bufcurl/reflection_resolver.go
+      text: "G115:"
+    - linters:
+        - gosec
+      # bufprotosource converts indices to int32 to form the source path. Since it is parsing
+      # from the fileDescriptor set, the operation should be safe.
+      path: private/bufpkg/bufprotosource/paths.go
+      text: "G115:"
+    - linters:
+        - gosec
+      # bufimageutil is handling images and converting loop indices to int32. Since it is
+      # parsing from an Image, the operation should be safe.
+      path: private/bufpkg/bufimage/bufimageutil/bufimageutil.go
+      text: "G115:"
+    - linters:
+        - gosec
+      # Bounds checks have been added with assertion statements to ensure safe int -> int32
+      # conversions, this is a false positive.
+      path: private/bufpkg/bufprotosource/option_extension_descriptor_test.go
+      text: "G115:"
+    - linters:
+        - gosec
+      # This converts results from strconv.ParseInt with the bit size set to 32 to int32,
+      # so it should be a safe conversion, this is a false positive.
+      path: private/buf/bufprotopluginexec/version.go
+      text: "G115:"
+    - linters:
+        - gosec
+      # This checks the cel constraints from an Image, and converts loop indices to int32
+      # to set the source path for the location, this operation should be safe.
+      path: private/bufpkg/bufcheck/bufcheckserver/internal/buflintvalidate/cel.go
+      text: "G115:"

go.mod

@@ -7,11 +7,11 @@ toolchain go1.23.1
 require (
 	buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240920201003-06b7587d0fdf.2
 	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240920164238-5a7b106cbb87.2
-	buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240821192916-45ba72cdd479.1
+	buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20240821192916-45ba72cdd479.1
 	buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45ba72cdd479.2
 	buf.build/go/bufplugin v0.3.0
 	buf.build/go/protoyaml v0.2.0
-	connectrpc.com/connect v1.16.2
+	connectrpc.com/connect v1.17.0
 	connectrpc.com/otelconnect v0.7.1
 	github.com/bufbuild/protocompile v0.14.1
 	github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a
@@ -47,7 +47,7 @@ require (
 	golang.org/x/sync v0.8.0
 	golang.org/x/term v0.24.0
 	golang.org/x/tools v0.25.0
-	google.golang.org/protobuf v1.34.3-0.20240816073751-94ecbc261689
+	google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96
 	gopkg.in/yaml.v3 v3.0.1
 	pluginrpc.com/pluginrpc v0.3.0
 )

go.sum

@@ -2,8 +2,8 @@ buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240920201003-06
 buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240920201003-06b7587d0fdf.2/go.mod h1:B+9TKHRYqoAUW57pLjhkLOnBCu0DQYMV+f7imQ9nXwI=
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240920164238-5a7b106cbb87.2 h1:hl0FrmGlNpQZIGvU1/jDz0lsPDd0BhCE0QDRwPfLZcA=
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240920164238-5a7b106cbb87.2/go.mod h1:ylS4c28ACSI59oJrOdW4pHS4n0Hw4TgSPHn8rpHl4Yw=
-buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240821192916-45ba72cdd479.1 h1:QaJ6UkpvlGo4dBXR41vLRfPiKungbg7brjmbBC/k6Ig=
-buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240821192916-45ba72cdd479.1/go.mod h1:oQsMFNU3YzxxjRS6O68UkcF/A+pXdXqQNcUfQEBTWcw=
+buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20240821192916-45ba72cdd479.1 h1:XFW5E+4pdF3SY0MRtnID+Ycv2QdH4OKVtoLCLsQoXac=
+buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20240821192916-45ba72cdd479.1/go.mod h1:uYzs3OHgVkINg9WZ/ISnGzOUaKfQ9Q70n6dascgz5lo=
 buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45ba72cdd479.2 h1:C3CTZTucEUm7i0O2tAM8GSlg23GnQYcljX1b1Jcpsro=
 buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45ba72cdd479.2/go.mod h1:psseUmlKRo9v5LZJtR/aTpdTLuyp9o3X7rnLT87SZEo=
 buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2 h1:oSi+Adw4xvIjXrW8eY8QGR3sBdfWeY5HN/RefnRt52M=
@@ -13,8 +13,8 @@ buf.build/go/bufplugin v0.3.0/go.mod h1:Znx3zF4ThDWGN1eGFMsbVT9LkMcVV4MKeAC9hiGd
 buf.build/go/protoyaml v0.2.0 h1:2g3OHjtLDqXBREIOjpZGHmQ+U/4mkN1YiQjxNB68Ip8=
 buf.build/go/protoyaml v0.2.0/go.mod h1:L/9QvTDkTWcDTzAL6HMfN+mYC6CmZRm2KnsUA054iL0=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-connectrpc.com/connect v1.16.2 h1:ybd6y+ls7GOlb7Bh5C8+ghA6SvCBajHwxssO2CGFjqE=
-connectrpc.com/connect v1.16.2/go.mod h1:n2kgwskMHXC+lVqb18wngEpF95ldBHXjZYJussz5FRc=
+connectrpc.com/connect v1.17.0 h1:W0ZqMhtVzn9Zhn2yATuUokDLO5N+gIuBWMOnsQrfmZk=
+connectrpc.com/connect v1.17.0/go.mod h1:0292hj1rnx8oFrStN7cB4jjVBeqs+Yx5yDIC2prWDO8=
 connectrpc.com/otelconnect v0.7.1 h1:scO5pOb0i4yUE66CnNrHeK1x51yq0bE0ehPg6WvzXJY=
 connectrpc.com/otelconnect v0.7.1/go.mod h1:dh3bFgHBTb2bkqGCeVVOtHJreSns7uu9wwL2Tbz17ms=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
@@ -375,8 +375,8 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.34.3-0.20240816073751-94ecbc261689 h1:hNwajDgT0MlsxZzlUajZVmUYFpts8/CYe4BSNx503ZE=
-google.golang.org/protobuf v1.34.3-0.20240816073751-94ecbc261689/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96 h1:gqpvySYmKe3qf25lfA3WIEMTXBU+lfISbNkPH2BA844=
+google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

make/go/dep_buf.mk

@@ -7,8 +7,8 @@ $(call _assert_var,CACHE_VERSIONS)
 $(call _assert_var,CACHE_BIN)
 
 # Settable
-# https://github.com/bufbuild/buf/releases 20240521 checked 20240524
-BUF_VERSION ?= v1.32.1
+# https://github.com/bufbuild/buf/releases 20240911 checked 20240916
+BUF_VERSION ?= v1.41.0
 # Settable
 #
 # If set, this path will be installed every time someone depends on $(BUF)

make/go/dep_golangci_lint.mk

@@ -10,10 +10,11 @@ $(call _assert_var,CACHE_BIN)
 # We want to ensure we rebuild golangci-lint every time we require a new Go minor version.
 # Otherwise, the cached version may not support the latest language features.
 GOLANGCI_LINT_GO_VERSION := $(shell go mod edit -json | jq -r .Go | cut -d'.' -f1-2)
+
 # Settable
-# https://github.com/golangci/golangci-lint/releases 20240813 checked 20240815
+# https://github.com/golangci/golangci-lint/releases 20240909 checked 20240916
 # Contrast golangci-lint configuration with the one in https://github.com/connectrpc/connect-go/blob/main/.golangci.yml when upgrading
-GOLANGCI_LINT_VERSION ?= v1.60.1
+GOLANGCI_LINT_VERSION ?= v1.61.0
 
 GOLANGCI_LINT := $(CACHE_VERSIONS)/golangci-lint/$(GOLANGCI_LINT_VERSION)-go$(GOLANGCI_LINT_GO_VERSION)
 $(GOLANGCI_LINT):

make/go/dep_protoc_gen_connect_go.mk

@@ -7,8 +7,8 @@ $(call _assert_var,CACHE_VERSIONS)
 $(call _assert_var,CACHE_BIN)
 
 # Settable
-# https://github.com/connectrpc/connect-go 20240513 checked 20240524
-CONNECT_VERSION ?= v1.16.2
+# https://github.com/connectrpc/connect-go 20240920 checked 20240920
+CONNECT_VERSION ?= v1.17.0
 
 GO_GET_PKGS := $(GO_GET_PKGS) \
 	connectrpc.com/connect@$(CONNECT_VERSION)

make/go/dep_protoc_gen_go.mk

@@ -7,9 +7,8 @@ $(call _assert_var,CACHE_VERSIONS)
 $(call _assert_var,CACHE_BIN)
 
 # Settable
-# https://github.com/protocolbuffers/protobuf-go/releases 20240611 checked 20240612
-# TODO: Change back to released version once bug is fixed
-PROTOC_GEN_GO_VERSION ?= 94ecbc26168965a670a0f7cf86f658131c790a9c
+# https://github.com/protocolbuffers/protobuf-go/releases 20240906 checked 20240916
+PROTOC_GEN_GO_VERSION ?= v1.34.3-0.20240906163944-03df6c145d96
 
 GO_GET_PKGS := $(GO_GET_PKGS) \
 	google.golang.org/protobuf/proto@$(PROTOC_GEN_GO_VERSION)

private/buf/bufcurl/reflection_resolver.go

@@ -164,6 +164,11 @@ func (r *reflectionResolver) ListServices() ([]protoreflect.FullName, error) {
 	}
 	switch response := resp.MessageResponse.(type) {
 	case *reflectionv1.ServerReflectionResponse_ErrorResponse:
+		// This should never happen, however we do a bounds check to ensure we are doing a safe
+		// conversion from int32 (ErrorResponse.ErrorCode) to uint32 (connect.Code).
+		if response.ErrorResponse.ErrorCode < 0 {
+			return nil, fmt.Errorf("server replied with unsupported error code: %v", response.ErrorResponse.ErrorCode)
+		}
 		return nil, connect.NewWireError(connect.Code(response.ErrorResponse.ErrorCode), errors.New(response.ErrorResponse.ErrorMessage))
 	case *reflectionv1.ServerReflectionResponse_ListServicesResponse:
 		serviceNames := make([]protoreflect.FullName, len(response.ListServicesResponse.Service))
@@ -338,6 +343,11 @@ func (r *reflectionResolver) fileByNameLocked(name string) ([]*descriptorpb.File
 func descriptorsInResponse(resp *reflectionv1.ServerReflectionResponse) ([]*descriptorpb.FileDescriptorProto, error) {
 	switch response := resp.MessageResponse.(type) {
 	case *reflectionv1.ServerReflectionResponse_ErrorResponse:
+		// This should never happen, however we do a bounds check to ensure we are doing a safe
+		// conversion from int32 (ErrorResponse.ErrorCode) to uint32 (connect.Code).
+		if response.ErrorResponse.ErrorCode < 0 {
+			return nil, fmt.Errorf("server replied with unsupported error code: %v", response.ErrorResponse.ErrorCode)
+		}
 		return nil, connect.NewWireError(connect.Code(response.ErrorResponse.ErrorCode), errors.New(response.ErrorResponse.ErrorMessage))
 	case *reflectionv1.ServerReflectionResponse_FileDescriptorResponse:
 		files := make([]*descriptorpb.FileDescriptorProto, len(response.FileDescriptorResponse.FileDescriptorProto))

private/bufpkg/bufimage/bufimage.go

@@ -18,6 +18,7 @@ import (
 	"context"
 	"fmt"
 	"io/fs"
+	"math"
 	"slices"
 	"sort"
 	"strings"
@@ -703,6 +704,11 @@ func reparseImageProto(protoImage *imagev1.Image, resolver protoencoding.Resolve
 						}
 					}
 					if !isPublic {
+						// This should never happen, however we do a bounds check to ensure that we are
+						// doing a safe conversion for the index.
+						if i > math.MaxInt32 || i < math.MinInt32 {
+							return fmt.Errorf("unused dependency index out-of-bounds for int32 conversion: %v", i)
+						}
 						bufExt.UnusedDependency = append(bufExt.UnusedDependency, int32(i))
 					}
 				}

private/bufpkg/bufimage/build_image.go

@@ -18,6 +18,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"math"
 	"strings"
 
 	"github.com/bufbuild/buf/private/bufpkg/bufanalysis"
@@ -306,6 +307,11 @@ func getImageFilesRec(
 		dependency := fileDescriptor.Imports().Get(i).FileDescriptor
 		if unusedDependencyFilenames != nil {
 			if _, ok := unusedDependencyFilenames[dependency.Path()]; ok {
+				// This should never happen, however we do a bounds check to ensure that we are
+				// doing a safe conversion for the index.
+				if i > math.MaxInt32 || i < math.MinInt32 {
+					return nil, fmt.Errorf("unused dependency index out-of-bounds for int32 conversion: %v", i)
+				}
 				unusedDependencyIndexes = append(
 					unusedDependencyIndexes,
 					int32(i),

private/bufpkg/bufprotosource/option_extension_descriptor_test.go

@@ -15,6 +15,7 @@
 package bufprotosource
 
 import (
+	"math"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -121,10 +122,19 @@ func TestOptionExtensionLocation(t *testing.T) {
 func checkLocation(t *testing.T, loc Location, sourceCodeInfoLoc *descriptorpb.SourceCodeInfo_Location) {
 	t.Helper()
 	assert.Equal(t, sourceCodeInfoLoc.GetLeadingComments(), loc.LeadingComments())
+	// Bounds assertions for int -> int32 conversion
+	assert.Less(t, loc.StartLine(), math.MaxInt32)
+	assert.Greater(t, loc.StartLine(), math.MinInt32)
+	assert.Less(t, loc.StartColumn(), math.MaxInt32)
+	assert.Greater(t, loc.StartLine(), math.MinInt32)
 	span := []int32{int32(loc.StartLine() - 1), int32(loc.StartColumn() - 1)}
 	if loc.EndLine() != loc.StartLine() {
+		assert.Less(t, loc.EndLine(), math.MaxInt32)
+		assert.Greater(t, loc.EndLine(), math.MinInt32)
 		span = append(span, int32(loc.EndLine()-1))
 	}
+	assert.Less(t, loc.EndColumn(), math.MaxInt32)
+	assert.Greater(t, loc.EndColumn(), math.MinInt32)
 	span = append(span, int32(loc.EndColumn()-1))
 	assert.Equal(t, sourceCodeInfoLoc.Span, span)
 }