chore: update Go version to 1.22.12 for security fixes #211
Conversation
chore: update go.mod and go.sum with latest dependencies
fix: fix versions
fix: fix to correct version
fix: updated x/term version
fix: updated crypto
fix: new version
fix: new version
fix: new version
During building of Chisel and using the Chisel version, Docker Hub alerted me about security issues with Go. Therefore, I have created this PR to include the newest minor version of Go for this release (1.22.12) and also walked through the packages to see which ones could be upgraded.
letFunny
left a comment
Thanks for looking into this! I see that the benchmark says there is a 5% slowdown, which is weird. I ran it locally and it seems the slowdown is artificial, probably because of the instability of GitHub Actions, so let's get this merged!
letFunny
left a comment
On second thought, @nilsdebruin can you give more details about how this was flagged and where? I am curious to know if we can solve this without pinning the minor version and only updating the dependencies.
@letFunny Yes of course! I added the releases to one of my containers and uploaded them to Docker Hub. This runs docker scout automatically and it found several CVEs there. When I updated to 1.22.12, I only had one critical CVE. I now made a version with go 1.24.1 as well and then there are no CVEs left. If needed we can have a quick chat / call!
For context, the team and I were looking into this today. This happens because trivy has different reporting capabilities with its different options. We are using Again, because the binaries we published were created with an older version of the compiler they also have these vulnerabilities. In reality, we are not affected by any of these CVEs but we agree it's better to solve it than to have false positives. As to what version of Go to use we prefer to pin the patch version to
For context, this is how you get to the CVEs by using an old compiler version: The output is:
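As an added example (not code from the Chisel project or from this thread), a small Go tool that reads the build info the linker embeds in a compiled binary, the same data trivy and docker scout inspect, and reports the toolchain that built it plus the module versions linked in, so a stale compiler can be caught before an image is published. It uses only the standard library's debug/buildinfo and go/version packages (the latter requires Go 1.22 or newer); the tool name gocheck is made up.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"go/version"
	"os"
)

// toolchainOlderThan reports whether toolchain version have (e.g. "go1.22.9")
// predates min (e.g. "go1.22.12"). go/version compares the parts numerically
// (a string compare would sort "go1.22.9" after "go1.22.12") and handles rc tags.
func toolchainOlderThan(have, min string) (bool, error) {
	if !version.IsValid(have) || !version.IsValid(min) {
		return false, fmt.Errorf("unrecognised Go version in %q / %q", have, min)
	}
	return version.Compare(have, min) < 0, nil
}

// checkBinary reads the build info the Go linker embeds in every Go binary (what
// "go version -m" prints and what scanners match stdlib and module CVEs against).
// It returns the toolchain that built the binary, whether that toolchain predates
// min, and a module path -> version map of the dependencies linked in.
func checkBinary(path, min string) (string, bool, map[string]string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, nil, err
	}
	older, err := toolchainOlderThan(bi.GoVersion, min)
	deps := make(map[string]string, len(bi.Deps))
	for _, d := range bi.Deps {
		deps[d.Path] = d.Version
	}
	return bi.GoVersion, older, deps, err
}

func main() { // usage: gocheck <go-binary> <minimum-go-version>; exit 1 if older
	goVer, older, deps, err := checkBinary(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	fmt.Printf("built with %s (older than %s: %v)\n", goVer, os.Args[2], older)
	for path, ver := range deps {
		fmt.Printf("  %s %s\n", path, ver)
	}
	if older {
		os.Exit(1)
	}
}
```

Running it against a published binary with `go1.22.12` as the minimum gives the same answer a scanner reaches from the embedded toolchain string, without rebuilding or re-scanning the image.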
@letFunny I already signed the CLA, strange! I tried again and got this:
Let's wait on #210 and see if it's because of the version of the action |
@nilsdebruin Can you merge against main to get the latest version of the CI actions? |
@nilsdebruin I mean updating your branch locally by pulling the latest changes from main so, depending on your setup, you need to click "Sync" in your fork in GitHub and then: There is a myriad of ways of doing it, this is only one of them.
@letFunny sorry for misunderstanding, will follow your steps! |
@letFunny should be good to go now! |
niemeyer
left a comment
Thanks for the updates!
TopLevelControl was disabled accidentally on canonical#211. The old Starlark API had it enabled by default and the new one does not.
chore: update go.mod and go.sum with latest dependencies available to go 1.22.12