chore: go vuln (#1283)

## Description bumping the go version cause apparently there was a vulnerability (cherry picked from commit abc5163) # Conflicts: # .github/workflows/check-generated.yml # .github/workflows/coverage.yml # .github/workflows/e2e-manual.yml # .github/workflows/e2e-nightly-34x.yml # .github/workflows/e2e.yml # .github/workflows/fuzz-nightly.yml # .github/workflows/govulncheck.yml # .github/workflows/pre-release.yml # .github/workflows/release-version.yml # .github/workflows/release.yml # .github/workflows/tests.yml # DOCKER/Dockerfile # README.md # go.mod # go.sum # scripts/proto-gen.sh # test/docker/Dockerfile # test/e2e/docker/Dockerfile
celestiaorg · Apr 4, 2024 · c0afcc7 · c0afcc7
1 parent 0f2855c
commit c0afcc7
Show file tree

Hide file tree

Showing 18 changed files with 139 additions and 0 deletions.
diff --git a/.github/workflows/check-generated.yml b/.github/workflows/check-generated.yml
@@ -43,7 +43,11 @@ jobs:
     steps:
       - uses: actions/setup-go@v4
         with:
+<<<<<<< HEAD
           go-version: '1.22'
+=======
+          go-version: "1.22.2"
+>>>>>>> abc516304 (chore: go vuln (#1283))
 
       - uses: actions/checkout@v4
         with:

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -12,7 +12,11 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
         with:
+<<<<<<< HEAD
           go-version: "1.22"
+=======
+          go-version: "1.22.2"
+>>>>>>> abc516304 (chore: go vuln (#1283))
       - name: Create a file with all the pkgs
         run: go list ./... > pkgs.txt
       - name: Split pkgs into 4 files
@@ -48,8 +52,13 @@ jobs:
     steps:
       - uses: actions/setup-go@v4
         with:
+<<<<<<< HEAD
           go-version: "1.22"
       - uses: actions/checkout@v4
+=======
+          go-version: "1.22.2"
+      - uses: actions/checkout@v3
+>>>>>>> abc516304 (chore: go vuln (#1283))
       - uses: technote-space/get-diff-action@v6
         with:
           PATTERNS: |
@@ -70,8 +79,13 @@ jobs:
     steps:
       - uses: actions/setup-go@v4
         with:
+<<<<<<< HEAD
           go-version: "1.22"
       - uses: actions/checkout@v4
+=======
+          go-version: "1.22.2"
+      - uses: actions/checkout@v3
+>>>>>>> abc516304 (chore: go vuln (#1283))
       - uses: technote-space/get-diff-action@v6
         with:
           PATTERNS: |

diff --git a/.github/workflows/e2e-manual.yml b/.github/workflows/e2e-manual.yml
@@ -16,7 +16,11 @@ jobs:
     steps:
       - uses: actions/setup-go@v4
         with:
+<<<<<<< HEAD
           go-version: '1.22'
+=======
+          go-version: '1.22.2'
+>>>>>>> abc516304 (chore: go vuln (#1283))
 
       - uses: actions/checkout@v4
 

diff --git a/.github/workflows/e2e-nightly-34x.yml b/.github/workflows/e2e-nightly-34x.yml
@@ -23,7 +23,11 @@ jobs:
     steps:
       - uses: actions/setup-go@v4
         with:
+<<<<<<< HEAD
           go-version: '1.22'
+=======
+          go-version: '1.22.2'
+>>>>>>> abc516304 (chore: go vuln (#1283))
 
       - uses: actions/checkout@v4
         with:

diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -14,8 +14,13 @@ jobs:
     steps:
       - uses: actions/setup-go@v4
         with:
+<<<<<<< HEAD
           go-version: '1.22'
       - uses: actions/checkout@v4
+=======
+          go-version: '1.22.2'
+      - uses: actions/checkout@v3
+>>>>>>> abc516304 (chore: go vuln (#1283))
       - uses: technote-space/get-diff-action@v6
         with:
           PATTERNS: |

diff --git a/.github/workflows/fuzz-nightly.yml b/.github/workflows/fuzz-nightly.yml
@@ -11,7 +11,11 @@ jobs:
     steps:
       - uses: actions/setup-go@v4
         with:
+<<<<<<< HEAD
           go-version: '1.22'
+=======
+          go-version: '1.22.2'
+>>>>>>> abc516304 (chore: go vuln (#1283))
 
       - uses: actions/checkout@v4
 

diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
@@ -10,6 +10,7 @@ on:
     branches:
       - v[0-9]+.[0-9]+.x-celestia
 
+<<<<<<< HEAD
 # TODO: re-enable after figuring out what needs to get fixed or if this is
 # handled upstream in main
 # jobs:
@@ -30,3 +31,23 @@ on:
 #       - name: govulncheck
 #         run: make vulncheck
 #         if: "env.GIT_DIFF != ''"
+=======
+jobs:
+  govulncheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "1.22.2"
+      - uses: actions/checkout@v3
+      - uses: technote-space/get-diff-action@v6
+        with:
+          PATTERNS: |
+            **/*.go
+            go.mod
+            go.sum
+            Makefile
+      - name: govulncheck
+        run: make vulncheck
+        if: "env.GIT_DIFF != ''"
+>>>>>>> abc516304 (chore: go vuln (#1283))
diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml
@@ -18,7 +18,11 @@ jobs:
 
       - uses: actions/setup-go@v4
         with:
+<<<<<<< HEAD
           go-version: '1.22'
+=======
+          go-version: '1.22.2'
+>>>>>>> abc516304 (chore: go vuln (#1283))
 
       # Similar check to ./release-version.yml, but enforces this when pushing
       # tags. The ./release-version.yml check can be bypassed and is mainly

diff --git a/.github/workflows/release-version.yml b/.github/workflows/release-version.yml
@@ -15,7 +15,11 @@ jobs:
 
       - uses: actions/setup-go@v4
         with:
+<<<<<<< HEAD
           go-version: '1.22'
+=======
+          go-version: '1.22.2'
+>>>>>>> abc516304 (chore: go vuln (#1283))
 
       - name: Check version
         run: |

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,7 +16,11 @@ jobs:
 
       - uses: actions/setup-go@v4
         with:
+<<<<<<< HEAD
           go-version: '1.22'
+=======
+          go-version: '1.22.2'
+>>>>>>> abc516304 (chore: go vuln (#1283))
 
       - name: Generate release notes
         run: |

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -25,8 +25,13 @@ jobs:
     steps:
       - uses: actions/setup-go@v4
         with:
+<<<<<<< HEAD
           go-version: "1.22"
       - uses: actions/checkout@v4
+=======
+          go-version: "1.22.2"
+      - uses: actions/checkout@v3
+>>>>>>> abc516304 (chore: go vuln (#1283))
       - uses: technote-space/get-diff-action@v6
         with:
           PATTERNS: |
@@ -121,7 +126,11 @@ jobs:
   #   steps:
   #     - uses: actions/setup-go@v3
   #       with:
+<<<<<<< HEAD
   #         go-version: "1.22"
+=======
+  #         go-version: "1.22.2"
+>>>>>>> abc516304 (chore: go vuln (#1283))
   #     - uses: actions/checkout@v3
   #     - uses: technote-space/get-diff-action@v6
   #       with:

diff --git a/DOCKER/Dockerfile b/DOCKER/Dockerfile
@@ -1,6 +1,10 @@
 # Use a build arg to ensure that both stages use the same,
 # hopefully current, go version.
+<<<<<<< HEAD
 ARG GOLANG_BASE_IMAGE=golang:1.22-alpine
+=======
+ARG GOLANG_BASE_IMAGE=golang:1.22.2-alpine
+>>>>>>> abc516304 (chore: go vuln (#1283))
 
 # stage 1 Generate CometBFT Binary
 FROM --platform=$BUILDPLATFORM $GOLANG_BASE_IMAGE as builder

diff --git a/README.md b/README.md
@@ -50,7 +50,11 @@ This repo intends on preserving the minimal possible diff with [cometbft/cometbf
 - **specific to Celestia**: consider if [celestia-app](https://github.com/celestiaorg/celestia-app) is a better target
 - **not specific to Celestia**: consider making the contribution upstream in CometBFT
 
+<<<<<<< HEAD
 1. [Install Go](https://go.dev/doc/install) 1.22+
+=======
+1. [Install Go](https://go.dev/doc/install) 1.22.2+
+>>>>>>> abc516304 (chore: go vuln (#1283))
 2. Fork this repo
 3. Clone your fork
 4. Find an issue to work on (see [good first issues](https://github.com/celestiaorg/celestia-core/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22))

diff --git a/go.mod b/go.mod
@@ -1,6 +1,10 @@
 module github.com/tendermint/tendermint
 
+<<<<<<< HEAD
 go 1.22
+=======
+go 1.22.2
+>>>>>>> abc516304 (chore: go vuln (#1283))
 
 require (
 	github.com/BurntSushi/toml v1.2.1
@@ -48,10 +52,17 @@ require (
 	github.com/vektra/mockery/v2 v2.23.1
 	go.opentelemetry.io/otel v1.24.0
 	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.18.0
+<<<<<<< HEAD
 	go.opentelemetry.io/otel/sdk v1.24.0
 	golang.org/x/crypto v0.17.0
 	golang.org/x/net v0.19.0
 	gonum.org/v1/gonum v0.12.0
+=======
+	go.opentelemetry.io/otel/sdk v1.21.0
+	golang.org/x/crypto v0.21.0
+	golang.org/x/net v0.23.0
+	gonum.org/v1/gonum v0.8.2
+>>>>>>> abc516304 (chore: go vuln (#1283))
 	google.golang.org/grpc v1.59.0
 	google.golang.org/protobuf v1.31.0
 )
@@ -283,8 +294,13 @@ require (
 	golang.org/x/exp/typeparams v0.0.0-20230224173230-c95f2b4c22f2 // indirect
 	golang.org/x/mod v0.11.0 // indirect
 	golang.org/x/sync v0.3.0 // indirect
+<<<<<<< HEAD
 	golang.org/x/sys v0.17.0 // indirect
 	golang.org/x/term v0.15.0 // indirect
+=======
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/term v0.18.0 // indirect
+>>>>>>> abc516304 (chore: go vuln (#1283))
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/tools v0.7.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect

diff --git a/go.sum b/go.sum
@@ -1008,11 +1008,20 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+<<<<<<< HEAD
 golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+=======
+golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+>>>>>>> abc516304 (chore: go vuln (#1283))
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1110,9 +1119,15 @@ golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
 golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+<<<<<<< HEAD
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
 golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+=======
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+>>>>>>> abc516304 (chore: go vuln (#1283))
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1227,8 +1242,13 @@ golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+<<<<<<< HEAD
 golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+=======
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+>>>>>>> abc516304 (chore: go vuln (#1283))
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -1238,8 +1258,14 @@ golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
 golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+<<<<<<< HEAD
 golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
 golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+=======
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
+>>>>>>> abc516304 (chore: go vuln (#1283))
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

diff --git a/scripts/proto-gen.sh b/scripts/proto-gen.sh
@@ -10,7 +10,11 @@ cd "$(git rev-parse --show-toplevel)"
 
 # Run inside Docker to install the correct versions of the required tools
 # without polluting the local system.
+<<<<<<< HEAD
 docker run --rm -i -v "$PWD":/w --workdir=/w golang:1.22-alpine sh <<"EOF"
+=======
+docker run --rm -i -v "$PWD":/w --workdir=/w golang:1.22.2-alpine sh <<"EOF"
+>>>>>>> abc516304 (chore: go vuln (#1283))
 apk add git make
 
 go install github.com/bufbuild/buf/cmd/buf

diff --git a/test/docker/Dockerfile b/test/docker/Dockerfile
@@ -1,4 +1,8 @@
+<<<<<<< HEAD
 FROM golang:1.22
+=======
+FROM golang:1.22.2
+>>>>>>> abc516304 (chore: go vuln (#1283))
 
 # Grab deps (jq, hexdump, xxd, killall)
 RUN apt-get update && \

diff --git a/test/e2e/docker/Dockerfile b/test/e2e/docker/Dockerfile
@@ -1,7 +1,11 @@
 # We need to build in a Linux environment to support C libraries, e.g. RocksDB.
 # We use Debian instead of Alpine, so that we can use binary database packages
 # instead of spending time compiling them.
+<<<<<<< HEAD
 FROM golang:1.22-bullseye
+=======
+FROM golang:1.22.2-bullseye
+>>>>>>> abc516304 (chore: go vuln (#1283))
 
 RUN apt-get -qq update -y && apt-get -qq upgrade -y >/dev/null
 RUN apt-get -qq install -y libleveldb-dev librocksdb-dev >/dev/null