2022-03-17 05:37:08 -04:00
|
|
|
# syntax=docker/dockerfile:1
|
2021-12-16 15:15:53 -05:00
|
|
|
|
Update to go 1.19.1 to address CVE-2022-27664, CVE-2022-32190
From the mailing list:
We have just released Go versions 1.19.1 and 1.18.6, minor point releases.
These minor releases include 2 security fixes following the security policy:
- net/http: handle server errors after sending GOAWAY
A closing HTTP/2 server connection could hang forever waiting for a clean
shutdown that was preempted by a subsequent fatal error. This failure mode
could be exploited to cause a denial of service.
Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
and Kaan Onarlioglu for reporting this.
This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.
- net/url: JoinPath does not strip relative path components in all circumstances
JoinPath and URL.JoinPath would not remove `../` path components appended to a
relative path. For example, `JoinPath("https://go.dev", "../go")` returned the
URL `https://go.dev/../go`, despite the JoinPath documentation stating that
`../` path elements are cleaned from the result.
Thanks to q0jt for reporting this issue.
This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.
Release notes:
go1.19.1 (released 2022-09-06) includes security fixes to the net/http and
net/url packages, as well as bug fixes to the compiler, the go command, the pprof
command, the linker, the runtime, and the crypto/tls and crypto/x509 packages.
See the Go 1.19.1 milestone on the issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.19.1+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 16:19:38 -04:00
|
|
|
ARG GO_VERSION=1.19.1
|
2021-12-16 15:15:53 -05:00
|
|
|
ARG MODOUTDATED_VERSION=v0.8.0
|
|
|
|
|
|
|
|
|
|
FROM golang:${GO_VERSION}-alpine AS base
|
|
|
|
|
RUN apk add --no-cache bash git rsync
|
|
|
|
|
WORKDIR /src
|
|
|
|
|
|
|
|
|
|
FROM base AS vendored
|
2022-01-28 05:40:33 -05:00
|
|
|
ENV GOPROXY=direct
|
2021-12-16 15:15:53 -05:00
|
|
|
RUN --mount=target=/context \
|
|
|
|
|
--mount=target=.,type=tmpfs \
|
|
|
|
|
--mount=target=/go/pkg/mod,type=cache <<EOT
|
|
|
|
|
set -e
|
|
|
|
|
rsync -a /context/. .
|
|
|
|
|
./scripts/vendor update
|
|
|
|
|
mkdir /out
|
|
|
|
|
cp -r vendor.mod vendor.sum vendor /out
|
|
|
|
|
EOT
|
|
|
|
|
|
|
|
|
|
FROM scratch AS update
|
|
|
|
|
COPY --from=vendored /out /out
|
|
|
|
|
|
|
|
|
|
FROM vendored AS validate
|
|
|
|
|
RUN --mount=target=/context \
|
|
|
|
|
--mount=target=.,type=tmpfs <<EOT
|
|
|
|
|
set -e
|
|
|
|
|
rsync -a /context/. .
|
|
|
|
|
git add -A
|
|
|
|
|
rm -rf vendor
|
|
|
|
|
cp -rf /out/* .
|
|
|
|
|
./scripts/vendor validate
|
|
|
|
|
EOT
|
|
|
|
|
|
|
|
|
|
FROM psampaz/go-mod-outdated:${MODOUTDATED_VERSION} AS go-mod-outdated
|
|
|
|
|
FROM base AS outdated
|
|
|
|
|
RUN --mount=target=.,rw \
|
|
|
|
|
--mount=target=/go/pkg/mod,type=cache \
|
|
|
|
|
--mount=from=go-mod-outdated,source=/home/go-mod-outdated,target=/usr/bin/go-mod-outdated \
|
|
|
|
|
./scripts/vendor outdated
|
