2022-03-17 05:37:08 -04:00
|
|
|
# syntax=docker/dockerfile:1
|
2021-07-22 08:48:09 -04:00
|
|
|
|
update to go1.20.8
go1.20.8 (released 2023-09-06) includes two security fixes to the html/template
package, as well as bug fixes to the compiler, the go command, the runtime,
and the crypto/tls, go/types, net/http, and path/filepath packages. See the
Go 1.20.8 milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.20.8+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.20.7...go1.20.8
From the security mailing:
[security] Go 1.21.1 and Go 1.20.8 are released
Hello gophers,
We have just released Go versions 1.21.1 and 1.20.8, minor point releases.
These minor releases include 4 security fixes following the security policy:
- cmd/go: go.mod toolchain directive allows arbitrary execution
The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to
execute scripts and binaries relative to the root of the module when the "go"
command was executed within the module. This applies to modules downloaded using
the "go" command from the module proxy, as well as modules downloaded directly
using VCS software.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.
- html/template: improper handling of HTML-like comments within script contexts
The html/template package did not properly handle HMTL-like "<!--" and "-->"
comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may
cause the template parser to improperly interpret the contents of <script>
contexts, causing actions to be improperly escaped. This could be leveraged to
perform an XSS attack.
Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
issue.
This is CVE-2023-39318 and Go issue https://go.dev/issue/62196.
- html/template: improper handling of special tags within script contexts
The html/template package did not apply the proper rules for handling occurrences
of "<script", "<!--", and "</script" within JS literals in <script> contexts.
This may cause the template parser to improperly consider script contexts to be
terminated early, causing actions to be improperly escaped. This could be
leveraged to perform an XSS attack.
Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
issue.
This is CVE-2023-39319 and Go issue https://go.dev/issue/62197.
- crypto/tls: panic when processing post-handshake message on QUIC connections
Processing an incomplete post-handshake message for a QUIC connection caused a panic.
Thanks to Marten Seemann for reporting this issue.
This is CVE-2023-39321 and CVE-2023-39322 and Go issue https://go.dev/issue/62266.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-11 09:49:14 -04:00
|
|
|
ARG GO_VERSION=1.20.8
|
2023-06-14 07:30:40 -04:00
|
|
|
ARG ALPINE_VERSION=3.17
|
2019-07-18 05:13:45 -04:00
|
|
|
|
2023-07-18 18:24:18 -04:00
|
|
|
ARG BUILDX_VERSION=0.11.2
|
2022-02-03 04:37:55 -05:00
|
|
|
FROM docker/buildx-bin:${BUILDX_VERSION} AS buildx
|
|
|
|
|
2022-12-04 08:01:30 -05:00
|
|
|
FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golang
|
2020-08-28 07:12:07 -04:00
|
|
|
ENV CGO_ENABLED=0
|
|
|
|
|
Use gofumpt if available, and enable gofumpt linter
gofumpt provides a supserset of gofmt / go fmt, but not every developer may have
it installed, so for situations where it's not available, fall back to gofmt.
As our code has been formatted with gofumpt already, in most cases contributions
will follow those formatting rules, but in some cases there may be a difference,
which would already be flagged by manual code review, but let's also enable the
gofumpt linter.
With this change, `make fmt` will use gofumpt is available; gofumpt has been
added to the dev-container, so `make -f docker.Makefile fmt` will always use it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-30 07:10:53 -04:00
|
|
|
FROM golang AS gofumpt
|
|
|
|
ARG GOFUMPT_VERSION=v0.4.0
|
|
|
|
RUN --mount=type=cache,target=/root/.cache/go-build \
|
|
|
|
--mount=type=cache,target=/go/pkg/mod \
|
|
|
|
--mount=type=tmpfs,target=/go/src/ \
|
|
|
|
GO111MODULE=on go install "mvdan.cc/gofumpt@${GOFUMPT_VERSION}" \
|
|
|
|
&& gofumpt --version
|
|
|
|
|
2020-08-28 07:12:07 -04:00
|
|
|
FROM golang AS gotestsum
|
2023-06-14 14:57:02 -04:00
|
|
|
ARG GOTESTSUM_VERSION=v1.10.0
|
2020-08-28 07:20:11 -04:00
|
|
|
RUN --mount=type=cache,target=/root/.cache/go-build \
|
|
|
|
--mount=type=cache,target=/go/pkg/mod \
|
|
|
|
--mount=type=tmpfs,target=/go/src/ \
|
2021-07-15 09:15:38 -04:00
|
|
|
GO111MODULE=on go install gotest.tools/gotestsum@${GOTESTSUM_VERSION}
|
2020-08-28 07:12:07 -04:00
|
|
|
|
2021-10-11 10:54:09 -04:00
|
|
|
FROM golang AS goversioninfo
|
|
|
|
ARG GOVERSIONINFO_VERSION=v1.3.0
|
|
|
|
RUN --mount=type=cache,target=/root/.cache/go-build \
|
|
|
|
--mount=type=cache,target=/go/pkg/mod \
|
|
|
|
--mount=type=tmpfs,target=/go/src/ \
|
|
|
|
GO111MODULE=on go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@${GOVERSIONINFO_VERSION}
|
|
|
|
|
2020-08-28 07:12:07 -04:00
|
|
|
FROM golang AS dev
|
|
|
|
RUN apk add --no-cache \
|
|
|
|
bash \
|
|
|
|
build-base \
|
|
|
|
ca-certificates \
|
|
|
|
coreutils \
|
|
|
|
curl \
|
2022-04-06 12:54:32 -04:00
|
|
|
git \
|
|
|
|
jq \
|
|
|
|
nano
|
2020-08-28 07:12:07 -04:00
|
|
|
|
2022-04-06 12:54:32 -04:00
|
|
|
RUN echo -e "\nYou are now in a development container. Run '\e\033[1mmake help\e\033[0m' to learn about\navailable make targets.\n" > /etc/motd \
|
|
|
|
&& echo -e "cat /etc/motd\nPS1=\"\e[0;32m\u@docker-cli-dev\\$ \e[0m\"" >> /root/.bashrc
|
2020-08-28 07:19:09 -04:00
|
|
|
CMD bash
|
2020-08-28 07:12:07 -04:00
|
|
|
ENV DISABLE_WARN_OUTSIDE_CONTAINER=1
|
|
|
|
ENV PATH=$PATH:/go/src/github.com/docker/cli/build
|
|
|
|
|
2023-08-24 19:56:35 -04:00
|
|
|
COPY --link --from=buildx /buildx /usr/libexec/docker/cli-plugins/docker-buildx
|
|
|
|
COPY --link --from=gofumpt /go/bin/* /go/bin/
|
|
|
|
COPY --link --from=gotestsum /go/bin/* /go/bin/
|
|
|
|
COPY --link --from=goversioninfo /go/bin/* /go/bin/
|
2020-08-28 07:12:07 -04:00
|
|
|
|
2017-04-18 19:12:24 -04:00
|
|
|
WORKDIR /go/src/github.com/docker/cli
|
2021-07-15 09:15:38 -04:00
|
|
|
ENV GO111MODULE=auto
|
2023-08-24 19:56:35 -04:00
|
|
|
COPY --link . .
|