@willdollman willdollman commented Oct 2, 2024

Update to latest 1.22 version of Go

Can we cut a new release of src-cli for the release today, as this fixes a CVE?

Test plan

  • CI
  • Build src-cli locally and run govulncheck
  • Build docker image locally - this fails, but also fails on main. Is this expected to work? See comment below for output.

@willdollman willdollman self-assigned this Oct 2, 2024
@willdollman willdollman requested a review from a team October 2, 2024 11:24
@willdollman
Contributor Author

Looks like git isn't available in the golang docker image used to build the container. It's also broken on main - do we expect the docker image to build?

> docker build --platform linux/amd64 -t src-cli ./
[+] Building 35.3s (11/12)                                                                                                                                                                  docker:orbstack
 => [internal] load build definition from Dockerfile                                                                                                                                                   0.0s
 => => transferring dockerfile: 842B                                                                                                                                                                   0.0s
 => WARN: FromAsCasing: 'as' and 'FROM' keywords' casing do not match (line 7)                                                                                                                         0.0s
 => [internal] load metadata for docker.io/library/golang:1.22.3-alpine@sha256:4707c052e5bd90c1c6ae16d1825e3ea5076ec1b06de30e34596b1e6f6b9916cf                                                        0.9s
 => [internal] load metadata for docker.io/sourcegraph/alpine:3.12@sha256:ce099fbcd3cf70b338fc4cb2a4e1fa9ae847de21afdb0a849a393b87d94fb174                                                             0.0s
 => [internal] load .dockerignore                                                                                                                                                                      0.1s
 => => transferring context: 334B                                                                                                                                                                      0.0s
 => [internal] load build context                                                                                                                                                                      0.0s
 => => transferring context: 31.72kB                                                                                                                                                                   0.0s
 => [builder 1/4] FROM docker.io/library/golang:1.22.3-alpine@sha256:4707c052e5bd90c1c6ae16d1825e3ea5076ec1b06de30e34596b1e6f6b9916cf                                                                 11.6s
 => => resolve docker.io/library/golang:1.22.3-alpine@sha256:4707c052e5bd90c1c6ae16d1825e3ea5076ec1b06de30e34596b1e6f6b9916cf                                                                          0.0s
 => => sha256:32a2f51ff3dde07bfa1ce35b5597b2d97295e64a461d98e696feda7b25a6dc5f 69.35MB / 69.35MB                                                                                                       8.5s
 => => sha256:4707c052e5bd90c1c6ae16d1825e3ea5076ec1b06de30e34596b1e6f6b9916cf 1.92kB / 1.92kB                                                                                                         0.0s
 => => sha256:a60a31a97fdb2c7eac5f46e5ab4cdd6e79fb96e960b520f9574a34fa163fa785 2.09kB / 2.09kB                                                                                                         0.0s
 => => sha256:ec99f8b99825a742d50fb3ce173d291378a46ab54b8ef7dd75e5654e2a296e99 3.62MB / 3.62MB                                                                                                         0.8s
 => => sha256:8bfb7f89ddd560368de98a53e7fbc004ef3d4bb2ea7e6efbb80992a6f907eed1 292.43kB / 292.43kB                                                                                                     0.3s
 => => sha256:935834aa092a42930b12249d2899dcc59baac0616accbcd97e672ba7b26c469a 126B / 126B                                                                                                             0.8s
 => => extracting sha256:ec99f8b99825a742d50fb3ce173d291378a46ab54b8ef7dd75e5654e2a296e99                                                                                                              0.0s
 => => sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 32B / 32B                                                                                                               1.0s
 => => extracting sha256:8bfb7f89ddd560368de98a53e7fbc004ef3d4bb2ea7e6efbb80992a6f907eed1                                                                                                              0.0s
 => => extracting sha256:32a2f51ff3dde07bfa1ce35b5597b2d97295e64a461d98e696feda7b25a6dc5f                                                                                                              2.8s
 => => extracting sha256:935834aa092a42930b12249d2899dcc59baac0616accbcd97e672ba7b26c469a                                                                                                              0.0s
 => => extracting sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1                                                                                                              0.0s
 => [stage-1 1/3] FROM docker.io/sourcegraph/alpine:3.12@sha256:ce099fbcd3cf70b338fc4cb2a4e1fa9ae847de21afdb0a849a393b87d94fb174                                                                       0.0s
 => CACHED [stage-1 2/3] RUN apk add --no-cache git                                                                                                                                                    0.0s
 => [builder 2/4] COPY . /src                                                                                                                                                                          2.3s
 => [builder 3/4] WORKDIR /src                                                                                                                                                                         0.0s
 => ERROR [builder 4/4] RUN go build ./cmd/src                                                                                                                                                        20.3s
------                                                                                                                                                                                                      
 > [builder 4/4] RUN go build ./cmd/src:                                                                                                                                                                    
0.213 go: downloading github.com/google/go-cmp v0.6.0                                                                                                                                                       
0.213 go: downloading github.com/dustin/go-humanize v1.0.1    

[...]

14.92 go: downloading github.com/mailru/easyjson v0.7.7
15.01 go: downloading github.com/josharian/intern v1.0.0
18.71 /go/pkg/mod/github.com/sourcegraph/scip@v0.3.1-0.20230627154934-45df7f6d33fc/bindings/go/scip/convert.go:19:2: git init --bare in /go/pkg/mod/cache/vcs/1791346fb05b02940886169dc1f2712c426dfbfdfeec0151bbb9fde71fd48a95: exec: "git": executable file not found in $PATH
18.71 /go/pkg/mod/github.com/sourcegraph/scip@v0.3.1-0.20230627154934-45df7f6d33fc/bindings/go/scip/convert.go:20:2: git init --bare in /go/pkg/mod/cache/vcs/1791346fb05b02940886169dc1f2712c426dfbfdfeec0151bbb9fde71fd48a95: exec: "git": executable file not found in $PATH
18.71 /go/pkg/mod/github.com/sourcegraph/scip@v0.3.1-0.20230627154934-45df7f6d33fc/bindings/go/scip/convert.go:21:2: git init --bare in /go/pkg/mod/cache/vcs/1791346fb05b02940886169dc1f2712c426dfbfdfeec0151bbb9fde71fd48a95: exec: "git": executable file not found in $PATH
18.71 /go/pkg/mod/github.com/sourcegraph/scip@v0.3.1-0.20230627154934-45df7f6d33fc/bindings/go/scip/convert.go:22:2: git init --bare in /go/pkg/mod/cache/vcs/1791346fb05b02940886169dc1f2712c426dfbfdfeec0151bbb9fde71fd48a95: exec: "git": executable file not found in $PATH
18.71 cmd/src/code_intel_upload.go:18:2: git init --bare in /go/pkg/mod/cache/vcs/1791346fb05b02940886169dc1f2712c426dfbfdfeec0151bbb9fde71fd48a95: exec: "git": executable file not found in $PATH
18.71 cmd/src/batch_common.go:23:2: git init --bare in /go/pkg/mod/cache/vcs/1791346fb05b02940886169dc1f2712c426dfbfdfeec0151bbb9fde71fd48a95: exec: "git": executable file not found in $PATH
18.71 cmd/src/batch_common.go:24:2: git init --bare in /go/pkg/mod/cache/vcs/1791346fb05b02940886169dc1f2712c426dfbfdfeec0151bbb9fde71fd48a95: exec: "git": executable file not found in $PATH
18.71 cmd/src/code_intel_upload_flags.go:15:2: git init --bare in /go/pkg/mod/cache/vcs/1791346fb05b02940886169dc1f2712c426dfbfdfeec0151bbb9fde71fd48a95: exec: "git": executable file not found in $PATH
18.71 cmd/src/code_intel_upload.go:19:2: git init --bare in /go/pkg/mod/cache/vcs/1791346fb05b02940886169dc1f2712c426dfbfdfeec0151bbb9fde71fd48a95: exec: "git": executable file not found in $PATH
18.71 cmd/src/batch_common.go:21:2: git init --bare in /go/pkg/mod/cache/vcs/1791346fb05b02940886169dc1f2712c426dfbfdfeec0151bbb9fde71fd48a95: exec: "git": executable file not found in $PATH
18.71 internal/batches/features.go:4:2: git init --bare in /go/pkg/mod/cache/vcs/1791346fb05b02940886169dc1f2712c426dfbfdfeec0151bbb9fde71fd48a95: exec: "git": executable file not found in $PATH
18.71 internal/batches/executor/coordinator.go:9:2: git init --bare in /go/pkg/mod/cache/vcs/1791346fb05b02940886169dc1f2712c426dfbfdfeec0151bbb9fde71fd48a95: exec: "git": executable file not found in $PATH
18.71 internal/batches/executor/coordinator.go:10:2: git init --bare in /go/pkg/mod/cache/vcs/1791346fb05b02940886169dc1f2712c426dfbfdfeec0151bbb9fde71fd48a95: exec: "git": executable file not found in $PATH
18.71 internal/batches/executor/run_steps.go:17:2: git init --bare in /go/pkg/mod/cache/vcs/1791346fb05b02940886169dc1f2712c426dfbfdfeec0151bbb9fde71fd48a95: exec: "git": executable file not found in $PATH
18.71 internal/batches/executor/run_steps.go:26:2: git init --bare in /go/pkg/mod/cache/vcs/1791346fb05b02940886169dc1f2712c426dfbfdfeec0151bbb9fde71fd48a95: exec: "git": executable file not found in $PATH
18.71 internal/servegit/serve.go:19:2: git init --bare in /go/pkg/mod/cache/vcs/1791346fb05b02940886169dc1f2712c426dfbfdfeec0151bbb9fde71fd48a95: exec: "git": executable file not found in $PATH
------

 1 warning found (use docker --debug to expand):
 - FromAsCasing: 'as' and 'FROM' keywords' casing do not match (line 7)
Dockerfile:11
--------------------
   9 |     COPY . /src
  10 |     WORKDIR /src
  11 | >>> RUN go build ./cmd/src
  12 |     
  13 |     # This stage should be kept in sync with Dockerfile.release.
--------------------
ERROR: failed to solve: process "/bin/sh -c go build ./cmd/src" did not complete successfully: exit code: 1

@willdollman willdollman changed the title from "security: Update go version to 1.22.8" to "chore(security): Update go version to 1.22.8" Oct 2, 2024
@Chickensoupwithrice
Contributor

CI looks like it's been fixed now :)
Once you merge these changes I'll cut another release to patch up the CVE.
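
Added example (not part of this thread or of the src-cli repository): a small Go check that reads the toolchain version embedded in a built binary and confirms it is at least the 1.22.8 named in the PR title, so a release is not cut from a stale builder image. Treating 1.22.8 as the floor is an assumption, and `minGo`, `goRank`, `patched` and `checkBinary` are names chosen here; rc, devel and experiment builds are rejected rather than guessed at.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// minGo comes from this PR's title; using it as the minimum is an assumption.
const minGo = "go1.22.8"

// goRank maps "go1.22.8" to 1022008; rc, devel or suffixed versions are errors.
func goRank(v string) (int, error) {
	var maj, mnr, pat int
	fmt.Sscanf(v, "go%d.%d.%d", &maj, &mnr, &pat) // result is validated by the round trip below
	if v != fmt.Sprintf("go%d.%d.%d", maj, mnr, pat) && v != fmt.Sprintf("go%d.%d", maj, mnr) {
		return 0, fmt.Errorf("unsupported Go version %q", v)
	}
	return maj*1000000 + mnr*1000 + pat, nil
}

var minRank, _ = goRank(minGo)

// patched reports whether goVersion is a release at or above minGo.
func patched(goVersion string) (bool, error) {
	r, err := goRank(goVersion)
	return err == nil && r >= minRank, err
}

// checkBinary reads the Go version the toolchain embedded in a compiled binary.
func checkBinary(path string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	ok, err := patched(info.GoVersion)
	return info.GoVersion, ok, err
}

func main() {
	code := 0
	for _, path := range os.Args[1:] {
		ver, ok, err := checkBinary(path)
		fmt.Printf("%s: go=%q patched=%v err=%v\n", path, ver, ok, err)
		if !ok {
			code = 1
		}
	}
	os.Exit(code)
}
```

Run it against the built `src` binary (or one copied out of the image) as a release gate; a non-zero exit means the binary was built with an older or unrecognised toolchain.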

@willdollman
Contributor Author

Thanks @Chickensoupwithrice! I also have a new feature PR that would be good to include if we're cutting a new release - I'll let you know once it's merged.

@willdollman willdollman merged commit 099c8c0 into main Oct 10, 2024
@willdollman willdollman deleted the dora-will/fix-CVE-2024-34156 branch October 10, 2024 08:01