deps(go): 3.11.x updates to satisfy vuln scanners (#2081)

* deps(go): Updates to satisfy vuln scanners Signed-off-by: Dave Henderson <dhenderson@gmail.com> * chore: fix flaky IP lookup test Signed-off-by: Dave Henderson <dhenderson@gmail.com> * chore: Fixing broken integration test Signed-off-by: Dave Henderson <dhenderson@gmail.com> * ci: update image scan to stop failing when pushing sarif Signed-off-by: Dave Henderson <dhenderson@gmail.com> --------- Signed-off-by: Dave Henderson <dhenderson@gmail.com>
hairyhenderson · May 30, 2024 · f525a6e · f525a6e
1 parent c133ad0
commit f525a6e
Show file tree

Hide file tree

Showing 7 changed files with 62 additions and 41 deletions.
diff --git a/.github/workflows/image-scan.yml b/.github/workflows/image-scan.yml
@@ -14,7 +14,7 @@ jobs:
       DOCKER_BUILDKIT: 1
       DOCKER_CLI_EXPERIMENTAL: enabled
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Quick build (linux/alpine only)
       run: |
         docker build --target gomplate-alpine -t gomplate .
@@ -33,12 +33,17 @@ jobs:
         image-ref: gomplate
         format: sarif
         output: trivy-results.sarif
-        exit-code: 1
+        # exit-code: 1
         ignore-unfixed: true
         vuln-type: os,library
-        severity: CRITICAL,HIGH
+        # The SARIF format ignores severity and uploads all vulnerabilities for
+        # later triage. The table-format step above is used to fail the build if
+        # there are any critical or high vulnerabilities.
+        # See https://github.com/aquasecurity/trivy-action/issues/95
+        # severity: 'CRITICAL,HIGH'
+        trivyignores: .trivyignore
     - name: Upload Trivy scan results to GitHub Security tab
-      uses: github/codeql-action/upload-sarif@v2
+      uses: github/codeql-action/upload-sarif@v3
       with:
         sarif_file: 'trivy-results.sarif'
       if: always() && github.repository == 'hairyhenderson/gomplate'
diff --git a/.trivyignore b/.trivyignore
@@ -1,4 +0,0 @@
-# Ignoring CVE-2022-0778 as it's mostly covered by Alpine 3.15.1, except for
-# libretls, which isn't used at all. Should be able to remove this when 3.15.2
-# is out.
-CVE-2022-0778

diff --git a/go.mod b/go.mod
@@ -2,6 +2,8 @@ module github.com/hairyhenderson/gomplate/v3
 
 go 1.21
 
+toolchain go1.22.3
+
 require (
 	github.com/Masterminds/goutils v1.1.1
 	github.com/Shopify/ejson v1.3.3
@@ -27,12 +29,12 @@ require (
 	github.com/stretchr/testify v1.8.4
 	github.com/ugorji/go/codec v1.2.7
 	github.com/zealic/xignore v0.3.3
-	go.etcd.io/bbolt v1.3.6
+	go.etcd.io/bbolt v1.3.10
 	gocloud.dev v0.25.1-0.20220408200107-09b10f7359f7
-	golang.org/x/crypto v0.18.0
-	golang.org/x/sys v0.16.0
-	golang.org/x/term v0.16.0
-	golang.org/x/text v0.14.0
+	golang.org/x/crypto v0.21.0
+	golang.org/x/sys v0.20.0
+	golang.org/x/term v0.20.0
+	golang.org/x/text v0.15.0
 	gotest.tools/v3 v3.5.1
 	inet.af/netaddr v0.0.0-20230525184311-b8eac61e914a
 	k8s.io/client-go v0.24.1
@@ -133,9 +135,9 @@ require (
 	go4.org/intern v0.0.0-20230205224052-192e9f60865c // indirect
 	go4.org/unsafe/assume-no-moving-gc v0.0.0-20230525183740-e7c30c78aeb2 // indirect
 	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/net v0.23.0 // indirect
 	golang.org/x/oauth2 v0.11.0 // indirect
-	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/sync v0.5.0 // indirect
 	golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
 	golang.org/x/tools v0.13.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
@@ -145,7 +147,7 @@ require (
 	google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
 	google.golang.org/grpc v1.59.0 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

diff --git a/go.sum b/go.sum
diff --git a/internal/tests/integration/datasources_blob_test.go b/internal/tests/integration/datasources_blob_test.go
@@ -45,12 +45,14 @@ func setupDatasourcesBlobTest(t *testing.T) *httptest.Server {
 
 func TestDatasources_Blob_S3Datasource(t *testing.T) {
 	o, e, err := cmd(t,
-		"-c", "data=s3://ryft-public-sample-data/integration_test_dataset.json?region=us-east-1&type=application/array+json",
-		"-i", "{{ $d := index .data 0 }}{{ $d.firstName }} {{ $d.lastName }}").
+		"-c", "data=s3://noaa-bathymetry-pds/csv/2022/03/02/20220302_056e577c7cd8323fdd8a04d3812cf78e_pointData.csv?region=us-east-1&type=text/csv",
+		"-i", `{{ index (index .data 0) 6 }}: {{ index (index .data 1) 6 }}
+{{ index (index .data 0) 5 }}: {{ index (index .data 1) 5 }}`).
 		withEnv("AWS_ANON", "true").
 		withEnv("AWS_TIMEOUT", "5000").
 		run()
-	assertSuccess(t, o, e, err, "Petra Mcintyre")
+	assertSuccess(t, o, e, err, `PLATFORM_NAME: Ramform Hyperion
+TIME: 2022-03-01T22:00:04.000Z`)
 
 	srv := setupDatasourcesBlobTest(t)
 
@@ -79,12 +81,16 @@ func TestDatasources_Blob_S3Datasource(t *testing.T) {
 }
 
 func TestDatasources_Blob_S3Directory(t *testing.T) {
-	o, e, err := cmd(t, "-c", "data=s3://ryft-public-sample-data/?region=us-east-1",
+	// This recently replaced ryft-public-sample-data after access was disabled.
+	// This bucket came from https://registry.opendata.aws, and is public. The
+	// content isn't important, just that it's something we can read and parse
+	// on a _real_ S3 bucket.
+	o, e, err := cmd(t, "-c", "data=s3://noaa-bathymetry-pds/csv/2022/03/02/?region=us-east-1",
 		"-i", "{{ index .data 0 }}").
 		withEnv("AWS_ANON", "true").
 		withEnv("AWS_TIMEOUT", "15000").
 		run()
-	assertSuccess(t, o, e, err, "AWS-x86-AMI-queries.json")
+	assertSuccess(t, o, e, err, "20220302_056e577c7cd8323fdd8a04d3812cf78e_pointData.csv")
 
 	srv := setupDatasourcesBlobTest(t)
 

diff --git a/internal/tests/integration/integration_test.go b/internal/tests/integration/integration_test.go
@@ -18,6 +18,7 @@ import (
 	gcmd "github.com/hairyhenderson/gomplate/v3/internal/cmd"
 	vaultapi "github.com/hashicorp/vault/api"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"gotest.tools/v3/icmd"
 )
 
@@ -54,7 +55,7 @@ func inOutContains(t *testing.T, i, o string) {
 func assertSuccess(t *testing.T, o, e string, err error, expected string) {
 	t.Helper()
 
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Equal(t, "", e)
 	assert.Equal(t, expected, o)
 }

diff --git a/net/net_test.go b/net/net_test.go
@@ -15,12 +15,12 @@ func must(r interface{}, err error) interface{} {
 
 func TestLookupIP(t *testing.T) {
 	assert.Equal(t, "127.0.0.1", must(LookupIP("localhost")))
-	assert.Equal(t, "93.184.216.34", must(LookupIP("example.com")))
+	assert.Equal(t, "198.41.0.4", must(LookupIP("a.root-servers.net")))
 }
 
 func TestLookupIPs(t *testing.T) {
 	assert.Equal(t, []string{"127.0.0.1"}, must(LookupIPs("localhost")))
-	assert.Equal(t, []string{"93.184.216.34"}, must(LookupIPs("example.com")))
+	assert.ElementsMatch(t, []string{"1.1.1.1", "1.0.0.1"}, must(LookupIPs("one.one.one.one")))
 }
 
 func TestLookupTXT(t *testing.T) {