From a5e16a02d8723805a6076ac1404a73c1df6c5070 Mon Sep 17 00:00:00 2001 
From: LaunchDarklyReleaseBot <86431345+LaunchDarklyReleaseBot@users.noreply.github.com> Date: Mon, 6 Mar 2023 19:02:36 -0500 Subject: [PATCH] prepare 6.7.18 release (#225) * fix example build command * use public prerelease tags instead of private dependencies * fix Go installation in CI * update SDK dependencies for JSON number parsing bugfix * update gorilla/mux to 1.8.0 * update OpenCensus packages * add Go 1.16 CI + "latest Go" CI + use latest 1.15 patch for release * cimg images use "current", not "latest" * seems there isn't any cimg/go "latest" or "current" * add daily package build test in CI * job names * bump SDK version for traffic allocation feature * [ch113491] update alpine base image (#258) * use latest prerelease SDK * fix enabling of test tags in CI * add DynamoDB docker image in CI * set a polling base URI in end-to-end tests since big segments logic will use it * fix initialization logic so SDK client creation errors aren't lost when big segments are enabled * fix use of prefix key in DynamoDB + improve tests (#260) * more debug logging, less info logging for big segments logic * make logging of big segments patch version mismatch clearer and use Warn level * fix log parameter * fix DynamoDB updates for big segments metadata * add test to make sure sync time and cursor can be updated independently * only start big seg synchronizer if necessary * use SDK GA releases * change applyPatch to exit early on version mismatch; go back to restarting stream in this case * add unit tests for version mismatch behavior + DRY tests * add log assertion * fix retry logic on big segments stream failure * add more logging for big segments connection status * fix logging assertion * add more big segments integration tests * fix overly-time-sensitive file data tests * fix more flaky tests * run big segments tests with DynamoDB too * Migrate transitive dep (jwt-go) to use modern version without vulnerability. 
* Edit doc * move Relay release logic to .ldrelease script * suppress SDK big segments status query if we've never synced big segments * dump Relay logs including debug logs if integration test fails * include environment prefix in BigSegmentSynchronizer logging * increase big segment integration test timeout (#274) * generate client-side stream pings if big segments have changed * clear big segments cache as needed + simplify state management * fix tests and simplify component creation * use GA releases of SDK packages * disable CI package-build-test in Go 1.16+ * Migrate Relay release to Releaser v2 and support dry run (#278) * Adding degraded doc blurb for big segments (#280) * respect Redis password & TLS options for big segments; add Redis password integration tests * redact Redis URL password in logs and status resource * update go-server-sdk-redis-redigo to 1.2.1 for Redis URL logging fix * Part 1, add the config and the documentation for the new config * Part 2, Add the configuration validation and test * Part 3, the actual logic to include the headers in the CORS Access-Control-Allow-Headers * Linter * update Alpine version to 3.14.2 to fix openssl CVEs * Fix the global variable modification * Go format * turn off unnecessary metrics integrations in config for Docker smoke test * rename test.env to smoke-test.env to clarify what it's for * fix setting of custom Access-Control-Allow-Origin and add test (#285) * add more explanatory test output and more verbose debugging for big segments integration tests (#287) * update to Go 1.16.10 + Alpine 3.14.3; add some docs about releases (#288) * update go-server-sdk-consul version for Consul API version update * override x/crypto dependency version for CVE-2020-29652 * bump Prometheus dependency to eliminate jwt-go vulnerability * drop support for Go 1.14 & 1.15 * make sure defaults are always applied for base URL properties * rm unused * rm unnecessary linter directive * add separate configuration for 
server-side/client-side SDK base URLs & update the defaults * remove Whitesource CI job + remove obsolete dependency issue note * don't include any big segment status info in status resource unless that feature is active (#296) * don't include any big segment status info in status resource unless that feature is active * fix Big Segments staleness logic in status resource * documentation * update x/text package for vulnerability GO-2021-0113 * add Trivy security scan to CI (#297) * add daily re-scan with Trivy * use long timeout when awaiting changes related to file mod watching * update Go version to 1.17.6 (#301) * always terminate if auto-config stream fails with a fatal error * pass along tags header when proxying events * comments, rm debugging * fix auth header logic * fix auth header logic some more * comments * add tags header to CORS header whitelist (#304) * update to Alpine 3.14.4 for CVE-2022-0778 fix * force upgrade of openssl in Alpine * also upgrade libretls * fix it in both files * update to Alpine 3.14.5 for CVE-2022-0778/CVE-2018-25032 (#308) * update to Alpine 3.14.5 for CVE-2022-0778 * revert patches that are now included in Alpine 3.14.5 * add scripts for checking and updating Go/Alpine versions (#309) * update to Alpine 3.14.5 for CVE-2022-0778 * add scripts for checking and updating Go/Alpine versions * also make sure the Docker images really exist * update CONTRIBUTING.md * fix file rename * revert patches that are now included in Alpine 3.14.5 * update Alpine to 3.14.6 for CVE-2022-28391 * update SDK packages (includes sc-136333 fix) * don't include "v" prefix in Docker image version * update go-server-sdk-dynamodb for data size error fix & add docs (#316) * update builds to use Go 1.17.9 and fix the update script * update go-server-sdk-consul to latest release * update remote Docker version * update golang.org/x/crypto for CVE-2022-27191 (#321) * update golang.org/x/crypto for CVE-2022-27191 * fix go.sum * update eventsource for SSE output 
efficiency fix (#322) * Cache the replay event in case we get multiple new client connections (#189) * Cache the replay event in case we get multiple new client connections * Use singleflight to ensure only one replay event is generated at a time Co-authored-by: Moshe Good * don't install curl in Docker images * fix makefile logic for lint step * remove indirect curl-based request logic in integration tests * fix linter installation * update Go to 1.17.11, Alpine to 3.16.0 * improve concurrency test to verify that the data is or isn't from a separate query * fix lint warnings and remove unnecessary error return * update libssl & libcrypto versions for CVE-2022-2097 * add security scan of already-published Docker image (#328) * update Alpine version and some Go libraries to address CVEs (#329) * use Alpine 3.16.1 * update golang.org/x/net and golang.org/x/sync patch versions for CVEs * update golang.org/x/sys patch version for CVE * update Prometheus client library for CVE-2022-21698 * ensure that DynamoDB config is consistent between Big Segments and regular data store * comment * update Alpine to 3.16.2 * update golangci-lint and go-junit-report * fix CI * prevent traversal of directories outside target path when expanding archive * enforce TLS >= 1.2 for secure Redis * misc linter updates * fix test message * add Go 1.18 & 1.19 jobs * make test expectation less Go-version-dependent * linting * revert unnecessary change * fix installation of test coverage tool * migrate to AWS Go SDK v2 for DynamoDB (#333) * update to Go 1.19.2 * update golang.org/x/net for CVE-2022-27664 * update golang.org/x/text for CVE-2022-32149 * update Consul API dependency to avoid false report of CVE-2022-40716 * switch to fork of Stackdriver metrics client to remove AWS transitive dependency (#343) * update to Go 1.19.4 and Alpine 3.16.3 * override golang.org/x/net for CVE-2022-41717 only when building executables for release * redo the security patch by updating go.mod for all builds; 
drop Go 1.16 * update Redis/DDB integrations to remove misleading error logging * chore: drop go 1.17, 1.18 tests; add go 1.20 [v6] (#367) * chore: drop go 1.17,1.18 tests; add go 1.20 * fix: Fix CVE-2022-41723 by overriding golang.org/x/net to v0.7.0 --------- Co-authored-by: Eli Bishop Co-authored-by: LaunchDarklyCI Co-authored-by: hroederld Co-authored-by: LaunchDarklyReleaseBot Co-authored-by: Dan Richelson Co-authored-by: Dan Richelson Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com> Co-authored-by: Ben Woskow Co-authored-by: Louis Chan Co-authored-by: Louis Chan <91093020+louis-launchdarkly@users.noreply.github.com> Co-authored-by: Moshe Good Co-authored-by: Moshe Good Co-authored-by: Casey Waldren --- .circleci/config.yml | 47 ++++++++++------------------ .golangci.yml | 2 -- .ldrelease/config.yml | 2 +- Dockerfile | 2 +- Makefile | 2 +- go.mod | 6 ++-- go.sum | 14 ++++----- internal/core/bigsegments/sync.go | 2 +- internal/core/sharedtest/listener.go | 2 +- scripts/verify-release-versions.sh | 2 +- 10 files changed, 32 insertions(+), 49 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 6ae2fd7b..42c0321a 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -9,7 +9,12 @@ parameters: # override it in any parameterized builds, but just as a convenient shareable constant go-release-version: type: string - default: "1.19.4" + default: "1.20.1" + + # In addition to the most recent version of Go, we also support the previous version. + go-previous-version: + type: string + default: "1.19.6" # We use a remote Docker host in some CI jobs that need to run Docker containers. # As of 2022-04-15, the default Docker daemon version was 17.09.0-ce, which started 
@@ -31,23 +36,15 @@ workflows: workflow: jobs: - go-test: - name: Go latest - # This build has a deliberately unpinned version so that if a new Go major version - # is released before we have updated the build, we can detect any problems early - docker-image: circleci/golang:latest - - go-test: - name: Go 1.19 - docker-image: cimg/go:1.19 + name: Go <> + docker-image: cimg/go:<> run-lint: true test-coverage: true - go-test: - name: Go 1.18 - docker-image: cimg/go:1.18 - - go-test: - name: Go 1.17 - docker-image: cimg/go:1.17 + name: Go <> + docker-image: cimg/go:<> - benchmarks: - docker-image: cimg/go:1.19 + docker-image: cimg/go:<> - integration-test - docker-images-test @@ -89,13 +86,11 @@ workflows: only: v6 jobs: - package-build-test: - name: package build - Go latest - docker-image: circleci/golang:latest - use-go-install: true + name: package build - Go <> + docker-image: cimg/go:<> - package-build-test: - name: package build - Go 1.17 - docker-image: cimg/go:1.17 - use-go-install: true + name: package build - Go <> + docker-image: cimg/go:<> daily-security-scan: triggers: @@ -233,22 +228,12 @@ jobs: parameters: docker-image: type: string - use-go-install: - type: boolean - docker: - image: <> steps: - run: go version - - when: - condition: <> - steps: - - run: go install github.com/launchdarkly/ld-relay/v6@latest - - unless: - condition: <> - steps: - - run: GO111MODULE=on go get github.com/launchdarkly/ld-relay/v6@latest + - run: go install github.com/launchdarkly/ld-relay/v6@latest - run: name: verify that executable was built command: ls -l $GOPATH/bin/ld-relay diff --git a/.golangci.yml b/.golangci.yml index 633bcd59..6509d3dc 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -7,7 +7,6 @@ run: linters: enable: - bodyclose - - deadcode - depguard - dupl - errcheck @@ -36,7 +35,6 @@ linters: - unconvert - unparam - unused - - varcheck - whitespace fast: false diff --git a/.ldrelease/config.yml b/.ldrelease/config.yml index 45657238..63fb4b48 100644 
--- a/.ldrelease/config.yml
+++ b/.ldrelease/config.yml
@@ -38,7 +38,7 @@ repo: jobs: - docker: - image: cimg/go:1.19.4 # See "Runtime platform versions" in CONTRIBUTING.md + image: cimg/go:1.20.1 # See "Runtime platform versions" in CONTRIBUTING.md copyGitHistory: true template: name: go
diff --git a/Dockerfile b/Dockerfile
index 8f4149d9..7e8d72fb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # This is a standalone Dockerfile that does not depend on goreleaser building the binary
 # It is NOT the version that is pushed to dockerhub
-FROM golang:1.19.4-alpine3.16 as builder
+FROM golang:1.20.1-alpine3.16 as builder
 # See "Runtime platform versions" in CONTRIBUTING.md
 RUN apk --no-cache add \
diff --git a/Makefile b/Makefile
index 4b16cc75..07a53432 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
-GOLANGCI_LINT_VERSION=v1.48.0
+GOLANGCI_LINT_VERSION=v1.51.2
 LINTER=./bin/golangci-lint
 LINTER_VERSION_FILE=./bin/.golangci-lint-version-$(GOLANGCI_LINT_VERSION)
diff --git a/go.mod b/go.mod
index 33bb2ffa..91ecdb95 100644
--- a/go.mod
+++ b/go.mod
@@ -97,10 +97,10 @@ require (
 go.opentelemetry.io/otel/metric v0.19.0 // indirect
 go.opentelemetry.io/otel/trace v0.19.0 // indirect
 golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 // indirect
- golang.org/x/net v0.4.0 // indirect; override to address CVE-2022-41717
+ golang.org/x/net v0.7.0 // indirect; override to address CVE-2022-41723
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c // indirect
- golang.org/x/sys v0.3.0 // indirect
- golang.org/x/text v0.5.0 // indirect
+ golang.org/x/sys v0.5.0 // indirect
+ golang.org/x/text v0.7.0 // indirect
 google.golang.org/api v0.37.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
 google.golang.org/genproto v0.0.0-20210126160654-44e461bb6506 // indirect
diff --git a/go.sum b/go.sum
index 4450f0e8..42520d5d 100644
--- a/go.sum
+++ b/go.sum
@@ -552,8 +552,8 @@ golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
-golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
+golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -637,11 +637,11 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -651,8 +651,8 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
-golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
diff --git a/internal/core/bigsegments/sync.go b/internal/core/bigsegments/sync.go
index 29108e2e..f1aa2aea 100644
--- a/internal/core/bigsegments/sync.go
+++ b/internal/core/bigsegments/sync.go
@@ -323,7 +323,7 @@ func (s *defaultBigSegmentSynchronizer) poll() (bool, segmentChangesSummary, err
 if err != nil {
 return false, segmentChangesSummary{}, err
 }
- defer response.Body.Close() //nolint:errcheck
+ defer response.Body.Close() //nolint:errcheck,gosec
 if response.StatusCode != 200 {
 return false, segmentChangesSummary{}, &httpStatusError{response.StatusCode}
diff --git a/internal/core/sharedtest/listener.go b/internal/core/sharedtest/listener.go
index b67efe62..716b36ca 100644
--- a/internal/core/sharedtest/listener.go
+++ b/internal/core/sharedtest/listener.go
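Review bot: Adding `gosec` to the nolint directive on the deferred `response.Body.Close()` is reasonable for a response body, where the Close error carries nothing actionable, but the line it guards still leaves the body unread on the non-200 early return that follows, so the transport cannot return that connection to its pool. A bounded drain before close keeps the connection reusable and limits the work spent on an unexpected error body, for example `defer func() { _, _ = io.CopyN(io.Discard, response.Body, 64<<10); _ = response.Body.Close() }()` (the limit is a constructed sample; `io` must be in scope in this file). Discarding the errors explicitly should also make the suppression unnecessary, which is preferable to a growing nolint list. The enclosing poll() starts and ends outside this hunk; the same directive change in internal/core/sharedtest/listener.go closes a test listener and needs nothing further.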
@@ -13,7 +13,7 @@ import (
 // and the port number, and then closes the listener.
 func WithListenerForAnyPort(t *testing.T, fn func(net.Listener, int)) {
 l, port := startListenerForAnyAvailablePort(t)
- defer l.Close() //nolint:errcheck
+ defer l.Close() //nolint:errcheck,gosec
 fn(l, port)
 }
diff --git a/scripts/verify-release-versions.sh b/scripts/verify-release-versions.sh
index 36e1e331..4800be2e 100755
--- a/scripts/verify-release-versions.sh
+++ b/scripts/verify-release-versions.sh
@@ -21,7 +21,7 @@ function fail_for_file() {
 exit 1
 }
-LDRELEASE_GO_VERSION=$(sed <${ldrelease_config_file} -n 's#.*image: *cimg/go:\([1-9.]*\).*#\1#p')
+LDRELEASE_GO_VERSION=$(sed <${ldrelease_config_file} -n 's#.*image: *cimg/go:\([0-9.]*\).*#\1#p')
 if [ -z "${LDRELEASE_GO_VERSION}" ]; then
 fail_for_file Go ${ldrelease_config_file}
 fi
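Review bot: The widened character class in `LDRELEASE_GO_VERSION=$(sed <${ldrelease_config_file} -n 's#.*image: *cimg/go:\([0-9.]*\).*#\1#p')` fixes matching of 1.20.x, but `sed -n ... p` still prints every matching line, so a config with more than one `cimg/go:` image would yield a multi-line value that passes the `-z` check and is then compared against the other files outside this hunk. Taking the first match and quoting the redirect makes the extraction deterministic: `LDRELEASE_GO_VERSION=$(sed <"${ldrelease_config_file}" -n 's#.*image: *cimg/go:\([0-9.]*\).*#\1#p' | head -n 1)`. The unquoted `${ldrelease_config_file}` in the `fail_for_file` call two lines below has the same quoting issue. Whether the release config ever holds more than one Go image is not visible here, so treat the first point as hardening rather than a known failure.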