Commit Graph

8691 Commits

Author SHA1 Message Date
Cory Snider 6ce1dd5384 gha: pin codecov uploader to v0.7.3
Codecov uploader v0.8.0 for macOS is built for arm64, which fails to run
on (Intel) macos-12 runners with "unknown error -86" (-EBADARCH).

Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-04 16:54:12 -04:00
Sebastiaan van Stijn 3768d28545 scripts/build/plugins: don't override CGO_ENABLED set by .variables
The `.variables` sets `CGO_ENABLED=1` on arm; b0c41b78d8/scripts/build/.variables (L57-L68)
And if enabled, it sets `-buildmode=pie`; b0c41b78d8/scripts/build/.variables (L79-L88)

But that looks to be conflicting with the hardcoded `CGO_ENABLED=0` in
this script, which causes the build to fail on go1.22;

    > [build-plugins 1/1] RUN --mount=ro --mount=type=cache,target=/root/.cache     xx-go --wrap &&     TARGET=/out ./scripts/build/plugins e2e/cli-plugins/plugins/*:
    0.127 Building static docker-helloworld
    0.127 + CGO_ENABLED=0
    0.127 + GO111MODULE=auto
    0.127 + go build -o /out/plugins-linux-arm/docker-helloworld -tags ' osusergo' -ldflags ' -X "github.com/docker/cli/cli/version.GitCommit=5c123b1" -X "github.com/docker/cli/cli/version.BuildTime=2024-09-02T13:52:17Z" -X "github.com/docker/cli/cli/version.Version=pr-5387" -extldflags -static' -buildmode=pie github.com/docker/cli/cli-plugins/examples/helloworld
    0.135 -buildmode=pie requires external (cgo) linking, but cgo is not enabled

This patch sets the CGO_ENABLED variable before sourcing `.variables`,
so that other variables which are conditionally set are handled correctly.

Before this PR:

    #18 [build-plugins 1/1] RUN --mount=ro --mount=type=cache,target=/root/.cache     xx-go --wrap &&     TARGET=/out ./scripts/build/plugins e2e/cli-plugins/plugins/*
    #18 0.123 Building static docker-helloworld
    #18 0.124 + CGO_ENABLED=0
    #18 0.124 + GO111MODULE=auto
    #18 0.124 + go build -o /out/plugins-linux-arm/docker-helloworld -tags ' osusergo' -ldflags ' -X "github.com/docker/cli/cli/version.GitCommit=c8c402e" -X "github.com/docker/cli/cli/version.BuildTime=2024-09-03T08:28:25Z" -X "github.com/docker/cli/cli/version.Version=pr-5381" -extldflags -static' -buildmode=pie github.com/docker/cli/cli-plugins/examples/helloworld
    ....

With this PR:

    #18 [build-plugins 1/1] RUN --mount=ro --mount=type=cache,target=/root/.cache     xx-go --wrap &&     TARGET=/out ./scripts/build/plugins e2e/cli-plugins/plugins/*
    #18 0.110 Building static docker-helloworld
    #18 0.110 + GO111MODULE=auto
    #18 0.110 + go build -o /out/plugins-linux-arm/docker-helloworld -tags '' -ldflags ' -X "github.com/docker/cli/cli/version.GitCommit=050d9d6" -X "github.com/docker/cli/cli/version.BuildTime=2024-09-03T09:19:05Z" -X "github.com/docker/cli/cli/version.Version=pr-5387"' github.com/docker/cli/cli-plugins/examples/helloworld
    ....

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9e29967960)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-09-04 16:38:34 -04:00
Sebastiaan van Stijn eb94fd0d81 update to go1.22.6
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d7d56599ca)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-04 16:23:41 -04:00
Cory Snider 2d468ad289 Linting: disable troublesome lint rules
Unused named function parameters and shadowed variables are trivial code
quality issues which are not worth addressing on a long-term maintenance
branch without much activity aside from backports.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-04 16:23:38 -04:00
Cory Snider 069e27c180 linting: format the codebase with gofumpt
...to appease the linter.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-04 16:23:34 -04:00
Sebastiaan van Stijn 72d8f66a68 update golangci-lint to v1.59.1
full diff: https://github.com/golangci/golangci-lint/compare/v1.59.0...v1.59.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b5d1b4de1a)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-03 19:35:23 -04:00
Sebastiaan van Stijn 1dba0fa8ec update golangci-lint to .v1.59.0
full diff: https://github.com/golangci/golangci-lint/compare/v1.55.2...v1.59.0

Updated config to address warnings:

    WARN [config_reader] The configuration option `run.skip-files` is deprecated, please use `issues.exclude-files`.
    WARN [config_reader] The configuration option `linters.govet.check-shadowing` is deprecated. Please enable `shadow` instead, if you are not using `enable-all`.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 43b97e8880)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-03 19:35:23 -04:00
Sebastiaan van Stijn 5e5ccaa829 cli/command/image/build: fix nosec comment
Looks like it's broken, so use a blanket "nolint:gosec" instead;

    cli/command/image/build/context.go:238:17: G107: Potential HTTP request made with variable url (gosec)
        if resp, err = http.Get(url); err != nil {
                        ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit df474d5176)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-03 19:35:23 -04:00
Sebastiaan van Stijn ac722bb368 linting: fmt.Sprintf can be replaced with string concatenation (perfsprint)
cli/registry/client/endpoint.go:128:34: fmt.Sprintf can be replaced with string concatenation (perfsprint)
        req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", th.token))
                                        ^
    cli/command/telemetry_docker.go:88:14: fmt.Sprintf can be replaced with string concatenation (perfsprint)
            endpoint = fmt.Sprintf("unix://%s", path.Join(u.Host, u.Path))
                       ^
    cli/command/cli_test.go:195:47: fmt.Sprintf can be replaced with string concatenation (perfsprint)
        opts := &flags.ClientOptions{Hosts: []string{fmt.Sprintf("unix://%s", socket)}}
                                                     ^

    cli/command/registry_test.go:59:24: fmt.Sprintf can be replaced with string concatenation (perfsprint)
                inputServerAddress: fmt.Sprintf("https://%s", testAuthConfigs[1].ServerAddress),
                                    ^
    cli/command/container/opts_test.go:338:35: fmt.Sprintf can be replaced with string concatenation (perfsprint)
            if config, _, _ := mustParse(t, fmt.Sprintf("--hostname=%s", hostname)); config.Hostname != expectedHostname {
                                            ^
    cli/command/context/options.go:79:24: fmt.Sprintf can be replaced with string concatenation (perfsprint)
                errs = append(errs, fmt.Sprintf("%s: unrecognized config key", k))
                                    ^
    cli/command/image/build.go:461:68: fmt.Sprintf can be replaced with string concatenation (perfsprint)
                    line = dockerfileFromLinePattern.ReplaceAllLiteralString(line, fmt.Sprintf("FROM %s", reference.FamiliarString(trustedRef)))
                                                                                   ^
    cli/command/image/remove_test.go:21:9: fmt.Sprintf can be replaced with string concatenation (perfsprint)
        return fmt.Sprintf("Error: No such image: %s", n.imageID)
               ^
    cli/command/image/build/context.go:229:102: fmt.Sprintf can be replaced with string concatenation (perfsprint)
        progReader := progress.NewProgressReader(response.Body, progressOutput, response.ContentLength, "", fmt.Sprintf("Downloading build context from remote url: %s", remoteURL))
                                                                                                            ^
    cli/command/service/logs.go:215:16: fmt.Sprintf can be replaced with string concatenation (perfsprint)
                taskName += fmt.Sprintf(".%s", task.ID)
                            ^
    cli/command/service/logs.go:217:16: fmt.Sprintf can be replaced with string concatenation (perfsprint)
                taskName += fmt.Sprintf(".%s", stringid.TruncateID(task.ID))
                            ^
    cli/command/service/progress/progress_test.go:877:18: fmt.Sprintf can be replaced with string concatenation (perfsprint)
                ID:           fmt.Sprintf("task%s", nodeID),
                              ^
    cli/command/stack/swarm/remove.go:61:24: fmt.Sprintf can be replaced with string concatenation (perfsprint)
                errs = append(errs, fmt.Sprintf("Failed to remove some resources from stack: %s", namespace))
                                    ^
    cli/command/swarm/ipnet_slice_test.go:32:9: fmt.Sprintf can be replaced with string concatenation (perfsprint)
        arg := fmt.Sprintf("--cidrs=%s", strings.Join(vals, ","))
               ^
    cli/command/swarm/ipnet_slice_test.go:137:30: fmt.Sprintf can be replaced with string concatenation (perfsprint)
            if err := f.Parse([]string{fmt.Sprintf("--cidrs=%s", strings.Join(test.FlagArg, ","))}); err != nil {
                                       ^
    cli/compose/schema/schema.go:105:11: fmt.Sprintf can be replaced with string concatenation (perfsprint)
                return fmt.Sprintf("must be a %s", humanReadableType(expectedType))
                       ^
    cli/manifest/store/store.go:165:9: fmt.Sprintf can be replaced with string concatenation (perfsprint)
        return fmt.Sprintf("No such manifest: %s", n.object)
               ^
    e2e/image/push_test.go:340:4: fmt.Sprintf can be replaced with string concatenation (perfsprint)
                fmt.Sprintf("NOTARY_ROOT_PASSPHRASE=%s", pwd),
                ^
    e2e/image/push_test.go:341:4: fmt.Sprintf can be replaced with string concatenation (perfsprint)
                fmt.Sprintf("NOTARY_TARGETS_PASSPHRASE=%s", pwd),
                ^
    e2e/image/push_test.go:342:4: fmt.Sprintf can be replaced with string concatenation (perfsprint)
                fmt.Sprintf("NOTARY_SNAPSHOT_PASSPHRASE=%s", pwd),
                ^
    e2e/image/push_test.go:343:4: fmt.Sprintf can be replaced with string concatenation (perfsprint)
                fmt.Sprintf("NOTARY_DELEGATION_PASSPHRASE=%s", pwd),
                ^
    e2e/plugin/trust_test.go:23:16: fmt.Sprintf can be replaced with string concatenation (perfsprint)
        pluginName := fmt.Sprintf("%s/plugin-content-trust", registryPrefix)
                      ^
    e2e/plugin/trust_test.go:53:8: fmt.Sprintf can be replaced with string concatenation (perfsprint)
            Out: fmt.Sprintf("Installed plugin %s", pluginName),
                 ^
    e2e/trust/revoke_test.go:62:57: fmt.Sprintf can be replaced with string concatenation (perfsprint)
        icmd.RunCommand("docker", "tag", fixtures.AlpineImage, fmt.Sprintf("%s:v1", revokeRepo)).Assert(t, icmd.Success)
                                                               ^
    e2e/trust/revoke_test.go:64:49: fmt.Sprintf can be replaced with string concatenation (perfsprint)
            icmd.Command("docker", "-D", "trust", "sign", fmt.Sprintf("%s:v1", revokeRepo)),
                                                          ^
    e2e/trust/revoke_test.go:68:58: fmt.Sprintf can be replaced with string concatenation (perfsprint)
        icmd.RunCommand("docker", "tag", fixtures.BusyboxImage, fmt.Sprintf("%s:v2", revokeRepo)).Assert(t, icmd.Success)
                                                                ^
    e2e/trust/revoke_test.go:70:49: fmt.Sprintf can be replaced with string concatenation (perfsprint)
            icmd.Command("docker", "-D", "trust", "sign", fmt.Sprintf("%s:v2", revokeRepo)),
                                                          ^
    e2e/trust/sign_test.go:36:47: fmt.Sprintf can be replaced with string concatenation (perfsprint)
        assert.Check(t, is.Contains(result.Stdout(), fmt.Sprintf("v1: digest: sha256:%s", fixtures.AlpineSha)))
                                                     ^
    e2e/trust/sign_test.go:53:47: fmt.Sprintf can be replaced with string concatenation (perfsprint)
        assert.Check(t, is.Contains(result.Stdout(), fmt.Sprintf("v1: digest: sha256:%s", fixtures.BusyboxSha)))
                                                     ^
    e2e/trust/sign_test.go:65:47: fmt.Sprintf can be replaced with string concatenation (perfsprint)
        assert.Check(t, is.Contains(result.Stdout(), fmt.Sprintf("v1: digest: sha256:%s", fixtures.AlpineSha)))
                                                     ^
    opts/file.go:21:9: fmt.Sprintf can be replaced with string concatenation (perfsprint)
        return fmt.Sprintf("poorly formatted environment: %s", e.msg)
               ^
    opts/hosts_test.go:26:31: fmt.Sprintf can be replaced with string concatenation (perfsprint)
            "tcp://host:":              fmt.Sprintf("tcp://host:%s", defaultHTTPPort),
                                        ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0ba14fde41)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-03 19:35:23 -04:00
Sebastiaan van Stijn abf372a871 cli/command: TestGetDefaultAuthConfig: remove unused expectedErr
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7db922cf9f)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-03 19:35:23 -04:00
Sebastiaan van Stijn 416c061000 linting: fmt.Errorf can be replaced with errors.New (perfsprint)
internal/test/cli.go:175:14: fmt.Errorf can be replaced with errors.New (perfsprint)
        return nil, fmt.Errorf("no notary client available unless defined")
                    ^
    cli/command/cli.go:318:29: fmt.Errorf can be replaced with errors.New (perfsprint)
            return docker.Endpoint{}, fmt.Errorf("no context store initialized")
                                      ^
    cli/command/container/attach.go:161:11: fmt.Errorf can be replaced with errors.New (perfsprint)
                return fmt.Errorf(result.Error.Message)
                       ^
    cli/command/container/opts.go:577:16: fmt.Errorf can be replaced with errors.New (perfsprint)
                return nil, fmt.Errorf("--health-start-period cannot be negative")
                            ^
    cli/command/container/opts.go:580:16: fmt.Errorf can be replaced with errors.New (perfsprint)
                return nil, fmt.Errorf("--health-start-interval cannot be negative")
                            ^
    cli/command/container/stats.go:221:11: fmt.Errorf can be replaced with errors.New (perfsprint)
                return fmt.Errorf("filtering is not supported when specifying a list of containers")
                       ^
    cli/command/container/attach_test.go:82:17: fmt.Errorf can be replaced with errors.New (perfsprint)
            expectedErr = fmt.Errorf("unexpected error")
                          ^
    cli/command/container/create_test.go:234:40: fmt.Errorf can be replaced with errors.New (perfsprint)
                    return container.CreateResponse{}, fmt.Errorf("shouldn't try to pull image")
                                                       ^
    cli/command/container/list_test.go:150:17: fmt.Errorf can be replaced with errors.New (perfsprint)
                    return nil, fmt.Errorf("error listing containers")
                                ^
    cli/command/container/rm_test.go:40:31: fmt.Errorf can be replaced with errors.New (perfsprint)
                            return errdefs.NotFound(fmt.Errorf("Error: no such container: " + container))
                                                    ^
    cli/command/container/run_test.go:138:40: fmt.Errorf can be replaced with errors.New (perfsprint)
                    return container.CreateResponse{}, fmt.Errorf("shouldn't try to pull image")
                                                       ^
    cli/command/image/pull_test.go:115:49: fmt.Errorf can be replaced with errors.New (perfsprint)
                    return io.NopCloser(strings.NewReader("")), fmt.Errorf("shouldn't try to pull image")
                                                                ^
    cli/command/network/connect.go:88:16: fmt.Errorf can be replaced with errors.New (perfsprint)
                return nil, fmt.Errorf("invalid key/value pair format in driver options")
                            ^
    cli/command/plugin/create_test.go:96:11: fmt.Errorf can be replaced with errors.New (perfsprint)
                return fmt.Errorf("Error creating plugin")
                       ^
    cli/command/plugin/disable_test.go:32:12: fmt.Errorf can be replaced with errors.New (perfsprint)
                    return fmt.Errorf("Error disabling plugin")
                           ^
    cli/command/plugin/enable_test.go:32:12: fmt.Errorf can be replaced with errors.New (perfsprint)
                    return fmt.Errorf("failed to enable plugin")
                           ^
    cli/command/plugin/inspect_test.go:55:22: fmt.Errorf can be replaced with errors.New (perfsprint)
                    return nil, nil, fmt.Errorf("error inspecting plugin")
                                     ^
    cli/command/plugin/install_test.go:43:17: fmt.Errorf can be replaced with errors.New (perfsprint)
                    return nil, fmt.Errorf("Error installing plugin")
                                ^
    cli/command/plugin/install_test.go:51:17: fmt.Errorf can be replaced with errors.New (perfsprint)
                    return nil, fmt.Errorf("(image) when fetching")
                                ^
    cli/command/plugin/install_test.go:95:17: fmt.Errorf can be replaced with errors.New (perfsprint)
                    return nil, fmt.Errorf("should not try to install plugin")
                                ^
    cli/command/plugin/list_test.go:35:41: fmt.Errorf can be replaced with errors.New (perfsprint)
                    return types.PluginsListResponse{}, fmt.Errorf("error listing plugins")
                                                        ^
    cli/command/plugin/remove_test.go:27:12: fmt.Errorf can be replaced with errors.New (perfsprint)
                    return fmt.Errorf("Error removing plugin")
                           ^
    cli/command/registry/login_test.go:36:46: fmt.Errorf can be replaced with errors.New (perfsprint)
            return registrytypes.AuthenticateOKBody{}, fmt.Errorf("Invalid Username or Password")
                                                       ^
    cli/command/registry/login_test.go:44:46: fmt.Errorf can be replaced with errors.New (perfsprint)
            return registrytypes.AuthenticateOKBody{}, fmt.Errorf(errUnknownUser)
                                                       ^
    cli/command/system/info.go:190:10: fmt.Errorf can be replaced with errors.New (perfsprint)
            return fmt.Errorf("errors pretty printing info")
                   ^
    cli/command/system/prune.go:77:10: fmt.Errorf can be replaced with errors.New (perfsprint)
            return fmt.Errorf(`ERROR: The "until" filter is not supported with "--volumes"`)
                   ^
    cli/command/system/version_test.go:19:28: fmt.Errorf can be replaced with errors.New (perfsprint)
                return types.Version{}, fmt.Errorf("no server")
                                        ^
    cli/command/trust/key_load.go:112:22: fmt.Errorf can be replaced with errors.New (perfsprint)
                    return []byte{}, fmt.Errorf("could not decrypt key")
                                     ^
    cli/command/trust/revoke.go:44:10: fmt.Errorf can be replaced with errors.New (perfsprint)
            return fmt.Errorf("cannot use a digest reference for IMAGE:TAG")
                   ^
    cli/command/trust/revoke.go:105:10: fmt.Errorf can be replaced with errors.New (perfsprint)
            return fmt.Errorf("no signed tags to remove")
                   ^
    cli/command/trust/signer_add.go:56:10: fmt.Errorf can be replaced with errors.New (perfsprint)
            return fmt.Errorf("releases is a reserved keyword, please use a different signer name")
                   ^
    cli/command/trust/signer_add.go:60:10: fmt.Errorf can be replaced with errors.New (perfsprint)
            return fmt.Errorf("path to a public key must be provided using the `--key` flag")
                   ^
    opts/config.go:71:10: fmt.Errorf can be replaced with errors.New (perfsprint)
            return fmt.Errorf("source is required")
                   ^
    opts/mount.go:168:10: fmt.Errorf can be replaced with errors.New (perfsprint)
            return fmt.Errorf("type is required")
                   ^
    opts/mount.go:172:10: fmt.Errorf can be replaced with errors.New (perfsprint)
            return fmt.Errorf("target is required")
                   ^
    opts/network.go:90:11: fmt.Errorf can be replaced with errors.New (perfsprint)
                return fmt.Errorf("network name/id is not specified")
                       ^
    opts/network.go:129:18: fmt.Errorf can be replaced with errors.New (perfsprint)
            return "", "", fmt.Errorf("invalid key value pair format in driver options")
                           ^
    opts/opts.go:404:13: fmt.Errorf can be replaced with errors.New (perfsprint)
            return 0, fmt.Errorf("value is too precise")
                      ^
    opts/opts.go:412:18: fmt.Errorf can be replaced with errors.New (perfsprint)
            return "", "", fmt.Errorf("empty string specified for links")
                           ^
    opts/parse.go:84:37: fmt.Errorf can be replaced with errors.New (perfsprint)
            return container.RestartPolicy{}, fmt.Errorf("invalid restart policy format: no policy provided before colon")
                                              ^
    opts/parse.go:89:38: fmt.Errorf can be replaced with errors.New (perfsprint)
                return container.RestartPolicy{}, fmt.Errorf("invalid restart policy format: maximum retry count must be an integer")
                                                  ^
    opts/port.go:105:13: fmt.Errorf can be replaced with errors.New (perfsprint)
                        return fmt.Errorf("hostip is not supported")
                               ^
    opts/secret.go:70:10: fmt.Errorf can be replaced with errors.New (perfsprint)
            return fmt.Errorf("source is required")
                   ^
    opts/env_test.go:57:11: fmt.Errorf can be replaced with errors.New (perfsprint)
                err:   fmt.Errorf("invalid environment variable: =a"),
                       ^
    opts/env_test.go:93:11: fmt.Errorf can be replaced with errors.New (perfsprint)
                err:   fmt.Errorf("invalid environment variable: ="),
                       ^
    cli-plugins/manager/error_test.go:16:11: fmt.Errorf can be replaced with errors.New (perfsprint)
        inner := fmt.Errorf("testing")
                 ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit dfec976e84)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-03 19:35:23 -04:00
Sebastiaan van Stijn 5adf6be6d8 cli/command/network: fix linting issue and pass client instead of cli
Rename variable that shadowed an import, and pass the network API-client
instead of the whole CLI

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e93abde7a0)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-03 19:35:23 -04:00
Sebastiaan van Stijn 1d72a32b64 update to golangci-lint v1.55.0
release notes:
https://github.com/golangci/golangci-lint/releases/tag/v1.55.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b7b5b31a7e)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-03 19:35:23 -04:00
Sebastiaan van Stijn fcad2c6584 image/build: use "nolint" comment to work around gosec regression
Latest gosec linter has a regression in parsing "nosec" comments;
see https://github.com/securego/gosec/issues/1046

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9e1f8d646e)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-03 19:35:23 -04:00
Sebastiaan van Stijn 3e271deeca cli/command: remove dot-imports and unhandled errors
Please the linters in preparation of updating golangci-lint;

- remove dot-imports
- add some checks for unhandled errors
- replace some fixed-value variables for consts

    cli/command/image/build/context.go:238:17: G107: Potential HTTP request made with variable url (gosec)
        if resp, err = http.Get(url); err != nil {
                       ^
    cli/command/idresolver/idresolver_test.go:7:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/registry_test.go:7:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/cli/command" // Prevents a circular import with "github.com/docker/cli/internal/test"
        ^
    cli/command/task/print_test.go:11:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/swarm/update_test.go:10:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/swarm/unlock_key_test.go:9:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/swarm/join_token_test.go:9:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/node/list_test.go:9:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/node/promote_test.go:8:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/node/demote_test.go:8:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package functions
        ^
    cli/command/node/ps_test.go:11:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/node/update_test.go:8:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/node/inspect_test.go:9:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package functions
        ^
    cli/command/secret/ls_test.go:11:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/secret/inspect_test.go:11:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/volume/inspect_test.go:9:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/volume/list_test.go:9:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/config/inspect_test.go:11:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/config/ls_test.go:11:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/network/list_test.go:9:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders"
        ^
    cli/command/container/list_test.go:10:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/service/list_test.go:12:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders"
        ^
    cli/command/service/client_test.go:6:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/stack/list_test.go:8:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/stack/services_test.go:9:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^
    cli/command/stack/ps_test.go:10:2: dot-imports: should not use dot imports (revive)
        . "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
        ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 594aeb390a)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-03 19:35:23 -04:00
Sebastiaan van Stijn 867baaff66 swarm: TestSwarmUpdate: remove non-existing "--quiet" flag
The `docker swarm update` copmmand does not have a `--quiet` flag, but this
test was trying to set it.

    docker swarm update --help

    Usage:  docker swarm update [OPTIONS]

    Update the swarm

    Options:
          --autolock                        Change manager autolocking setting (true|false)
          --cert-expiry duration            Validity period for node certificates (ns|us|ms|s|m|h) (default 2160h0m0s)
          --dispatcher-heartbeat duration   Dispatcher heartbeat period (ns|us|ms|s|m|h) (default 5s)
          --external-ca external-ca         Specifications of one or more certificate signing endpoints
          --max-snapshots uint              Number of additional Raft snapshots to retain
          --snapshot-interval uint          Number of log entries between Raft snapshots (default 10000)
          --task-history-limit int          Task history retention limit (default 5)

The test didn't catch this issue, because errors when setting the flag were
not handled, so also adding error-handling;

    === Failed
    === FAIL: cli/command/swarm TestSwarmUpdate (0.00s)
        update_test.go:177: assertion failed: error is not nil: no such flag -quiet

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b08e34b9f9)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-03 19:35:23 -04:00
Paweł Gronowski cfc99a548f update to go1.21.13
- https://github.com/golang/go/issues?q=milestone%3AGo1.21.13+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.12...go1.21.13

go1.21.13 (released 2024-08-06) includes fixes to the go command, the
covdata command, and the bytes package. See the [Go 1.21.13 milestone](https://github.com/golang/go/issues?q=milestone%3AGo1.21.13+label%3ACherryPickApproved)
on our issue tracker for details.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 434d8b75e8)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-03 19:35:23 -04:00
Sebastiaan van Stijn 58e6338654 cli/registry: client.iterateEndpoints: remove check for APIVersion1
registryService.LookupPullEndpoints uses lookupV2Endpoints
https://github.com/moby/moby/blob/v24.0.5/registry/service.go#L137-L142

which, as the name indicates, only returns V2 endpoints;
https://github.com/moby/moby/blob/v24.0.5/registry/service_v2.go#L10-L80

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 22b4bab90f)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-03 19:35:23 -04:00
Sebastiaan van Stijn f18b630f22 cli/registry: fix client.pullManifestList not de-referencing manifest
Kudos to gosec;

    cli/registry/client/fetcher.go:205:57: G601: Implicit memory aliasing in for loop. (gosec)
            imageManifest.Descriptor.Platform = types.OCIPlatform(&manifestDescriptor.Platform)
                                                                  ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5250f1bab5)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-03 19:35:23 -04:00
Paweł Gronowski 8239b55d3e update to go1.21.12
- https://github.com/golang/go/issues?q=milestone%3AGo1.21.12+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.11...go1.21.12

These minor releases include 1 security fixes following the security policy:

net/http: denial of service due to improper 100-continue handling

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Thanks to Geoff Franks for reporting this issue.

This is CVE-2024-24791 and Go issue https://go.dev/issue/67555.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.21.12

**- Description for the changelog**

```markdown changelog
Update Go runtime to 1.21.12
```

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit d73d7d4ed3)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-09-03 19:35:23 -04:00
Sebastiaan van Stijn 8f7c53974d update to go1.21.11
go1.21.11 (released 2024-06-04) includes security fixes to the archive/zip
and net/netip packages, as well as bug fixes to the compiler, the go command,
the runtime, and the os package. See the Go 1.21.11 milestone on our issue
tracker for details;

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.11+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.10...go1.21.11

From the security announcement;

We have just released Go versions 1.22.4 and 1.21.11, minor point releases.
These minor releases include 2 security fixes following the security policy:

- archive/zip: mishandling of corrupt central directory record

  The archive/zip package's handling of certain types of invalid zip files
  differed from the behavior of most zip implementations. This misalignment
  could be exploited to create an zip file with contents that vary depending
  on the implementation reading the file. The archive/zip package now rejects
  files containing these errors.

  Thanks to Yufan You for reporting this issue.

  This is CVE-2024-24789 and Go issue https://go.dev/issue/66869.

- net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses

  The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected
  for IPv4-mapped IPv6 addresses, returning false for addresses which would
  return true in their traditional IPv4 forms.

  Thanks to Enze Wang of Alioth and Jianjun Chen of Zhongguancun Lab
  for reporting this issue.

  This is CVE-2024-24790 and Go issue https://go.dev/issue/67680.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 630e1d3e95)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-09-03 19:35:23 -04:00
Sebastiaan van Stijn 1da2df7800 Dockerfile: update ALPINE_VERSION to 3.20
Update to the current version of Alpine, which is also the default for
the golang:alpine image

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e70f68595d)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-09-03 19:35:23 -04:00
Paweł Gronowski 6131eb9dbc update to go1.21.10
These minor releases include 2 security fixes following the security policy:

- cmd/go: arbitrary code execution during build on darwin
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to
usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
Thanks to Juho Forsén of Mattermost for reporting this issue.
This is CVE-2024-24787 and Go issue https://go.dev/issue/67119.

- net: malformed DNS message can cause infinite loop
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
Thanks to long-name-let-people-remember-you on GitHub for reporting this issue, and to Mateusz Poliwczak for bringing the issue to
our attention.
This is CVE-2024-24788 and Go issue https://go.dev/issue/66754.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.3

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.10+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.9...go1.21.10

**- Description for the changelog**

```markdown changelog
Update Go runtime to 1.21.10
```

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit eb99994c75)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-09-03 19:35:23 -04:00
Paweł Gronowski 7dd9a687f1 update to go1.21.9
go1.21.9 (released 2024-04-03) includes a security fix to the net/http
package, as well as bug fixes to the linker, and the go/types and
net/http packages. See the Go 1.21.9 milestone on our issue tracker for
details.

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.8...go1.21.9

**- Description for the changelog**

```markdown changelog
Update Go runtime to 1.21.9
```

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 0a5bd6c75b)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-09-03 19:35:23 -04:00
Paweł Gronowski 7ff18d219f update to go1.21.8
go1.21.8 (released 2024-03-05) includes 5 security fixes:

- crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783, https://go.dev/issue/65390)
- net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290, https://go.dev/issue/65383)
- net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect (CVE-2023-45289, https://go.dev/issue/65065)
- html/template: errors returned from MarshalJSON methods may break template escaping (CVE-2024-24785, https://go.dev/issue/65697)
- net/mail: comments in display names are incorrectly handled (CVE-2024-24784, https://go.dev/issue/65083)

View the release notes for more information:
https://go.dev/doc/devel/release#go1.21.8

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.8+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.6...go1.21.8

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 3b77477943)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-09-03 19:35:23 -04:00
Sebastiaan van Stijn 77a921c5c8 update golangci-lint to v1.54.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit db6209abdd)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-09-03 19:35:23 -04:00
Sebastiaan van Stijn 7a9b855cca update to go1.21.7
go1.21.7 (released 2024-02-06) includes fixes to the compiler, the go command,
the runtime, and the crypto/x509 package. See the Go 1.21.7 milestone on our
issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.6...go1.21.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 20b9d489e0)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-09-03 19:35:23 -04:00
Sebastiaan van Stijn 0f15753db9
Merge pull request #5283 from austinvazquez/fix-codeql-2.16-in-23.0
[23.0 backport] Fix codeql 2.16 in 23.0
2024-07-24 01:07:55 +02:00
Sebastiaan van Stijn fd1f5bfad0
ci: set DISABLE_WARN_OUTSIDE_CONTAINER=1 for CodeQL action
CodeQL autobuild uses the makefile, but outside of a container, so let's
set this variable to prevent it having to wait 10 seconds;

    Use "make dev" to start an interactive development container,
    use "make -f docker.Makefile " to execute this target
    in a container, or set DISABLE_WARN_OUTSIDE_CONTAINER=1 to
    disable this warning.

    Press Ctrl+C now to abort, or wait for the script to continue..

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b120b96ac7)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-23 23:01:36 +00:00
Sebastiaan van Stijn 631220fddb
ci: fix CodeQL 2.16.4 autobuild
CodeQL 2.16.4's auto-build added support for multi-module repositories,
and is trying to be smart by searching for modules in every directory,
including vendor directories. If no module is found, it's creating one
which is ... not what we want, so let's give it a "go.mod".

Here's from a run in CI;

    /opt/hostedtoolcache/CodeQL/2.16.4/x64/codeql/codeql version --format=json
    {
      "productName" : "CodeQL",
      "vendor" : "GitHub",
      "version" : "2.16.4",
      "sha" : "9727ba3cd3d5a26f8b9347bf3c3eb4f565ac077b",
      "branches" : [
        "codeql-cli-2.16.4"
      ],
      "copyright" : "Copyright (C) 2019-2024 GitHub, Inc.",
      "unpackedLocation" : "/opt/hostedtoolcache/CodeQL/2.16.4/x64/codeql",
      "configFileLocation" : "/home/runner/.config/codeql/config",
      "configFileFound" : false,
      "features" : {
        "analysisSummaryV2Option" : true,
        "buildModeOption" : true,
        "bundleSupportsIncludeDiagnostics" : true,
        "featuresInVersionResult" : true,
        "indirectTracingSupportsStaticBinaries" : false,
        "informsAboutUnsupportedPathFilters" : true,
        "supportsPython312" : true,
        "mrvaPackCreate" : true,
        "threatModelOption" : true,
        "traceCommandUseBuildMode" : true,
        "v2ramSizing" : true,
        "mrvaPackCreateMultipleQueries" : true,
        "setsCodeqlRunnerEnvVar" : true
      }
    }

With 2.16.4, first it is unable to correlate files with the project, considering
them "stray" files;

    Attempting to automatically build go code
    /opt/hostedtoolcache/CodeQL/2.16.4/x64/codeql/go/tools/autobuild.sh
    2024/03/16 15:54:34 Autobuilder was built with go1.22.0, environment has go1.21.8
    2024/03/16 15:54:34 LGTM_SRC is /home/runner/work/cli/cli
    2024/03/16 15:54:34 Found no go.work files in the workspace; looking for go.mod files...
    2024/03/16 15:54:34 Found stray Go source file in cli/cobra.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/cobra_test.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/builder/client_test.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/builder/cmd.go.
    ...

It then tries to build the binary, but in go modules mode, which fails (it also
seems to be doing this for each and every directory);

    Use "make dev" to start an interactive development container,
    use "make -f docker.Makefile " to execute this target
    in a container, or set DISABLE_WARN_OUTSIDE_CONTAINER=1 to
    disable this warning.

    Press Ctrl+C now to abort, or wait for the script to continue..

    ./scripts/build/binary
    Building static docker-linux-amd64
    + go build -o build/docker-linux-amd64 -tags  osusergo pkcs11 -ldflags  -X "github.com/docker/cli/cli/version.GitCommit=38c3ff6" -X "github.com/docker/cli/cli/version.BuildTime=2024-03-16T17:20:38Z" -X "github.com/docker/cli/cli/version.Version=38c3ff6.m" -extldflags -static -buildmode=pie github.com/docker/cli/cmd/docker
    cannot find package "github.com/docker/cli/cmd/docker" in any of:
        /opt/hostedtoolcache/go/1.21.8/x64/src/github.com/docker/cli/cmd/docker (from $GOROOT)
        /home/runner/go/src/github.com/docker/cli/cmd/docker (from $GOPATH)
    make: *** [Makefile:62: binary] Error 1
    2024/03/16 17:20:38 Running /usr/bin/make [make] failed, continuing anyway: exit status 2
    2024/03/16 17:20:38 Build failed, continuing to install dependencies.
    2024/03/16 17:20:38 The code in vendor/gotest.tools/v3/skip seems to be missing a go.mod file. Attempting to initialize one...
    2024/03/16 17:20:38 Import path is 'github.com/docker/cli'

If also seems to be doing this for ... every package?

    cat 0_codeql.log | grep 'you are not in a container' | wc -l
    497

After which it starts to create modules out of every directory;

    The code in internal/test/network seems to be missing a go.mod file. Attempting to initialize one...
    The code in internal/test/notary seems to be missing a go.mod file. Attempting to initialize one...
    The code in internal/test/output seems to be missing a go.mod file. Attempting to initialize one...
    The code in opts seems to be missing a go.mod file. Attempting to initialize one...
    The code in service seems to be missing a go.mod file. Attempting to initialize one...
    The code in service/logs seems to be missing a go.mod file. Attempting to initialize one...
    The code in templates seems to be missing a go.mod file. Attempting to initialize one...
    The code in vendor seems to be missing a go.mod file. Attempting to initialize one...
    The code in vendor/dario.cat seems to be missing a go.mod file. Attempting to initialize one...
    The code in vendor/dario.cat/mergo seems to be missing a go.mod file. Attempting to initialize one...
    ...
    Skipping dependency package regexp.
    Skipping dependency package github.com/opencontainers/go-digest.
    Skipping dependency package github.com/distribution/reference.
    Extracting /home/runner/work/cli/cli/cli/command/go.mod
    Done extracting /home/runner/work/cli/cli/cli/command/go.mod (1ms)
    Extracting /home/runner/work/cli/cli/cli/command/go.mod
    Done extracting /home/runner/work/cli/cli/cli/command/go.mod (0ms)
    Extracting /home/runner/work/cli/cli/cli/command/go.mod
    Done extracting /home/runner/work/cli/cli/cli/command/go.mod (0ms)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 24186d8008)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-23 23:01:32 +00:00
Sebastiaan van Stijn e1ba8df80f
Merge pull request #5288 from austinvazquez/backport-macos-11-deprecations-to-23.0
[23.0 backport] gha: update to use macos-12 runners
2024-07-24 00:59:43 +02:00
Sebastiaan van Stijn fcfe5f32af
gha: update to use macos-12 runners
It's the minimum version supported by Docker Desktop

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f722e07c62)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-23 22:49:31 +00:00
Sebastiaan van Stijn e7f68af778
Merge pull request #5107 from laurazard/update-actions-23.0
[23.0 backport] gha: update to actions/upload-artifact@v4
2024-06-03 16:48:35 +02:00
Sebastiaan van Stijn 5c94bb0209
gha: update to actions/upload-artifact@v4
v3 is using Node.js 16 which are being deprecated:

    Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: actions/upload-artifact@v3. For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/.

ci: incl. platform pair in artifact name

This fixes an the issue w/ `upload-artifact@v4`.
See: https://github.blog/2024-02-12-get-started-with-v4-of-github-actions-artifacts/#compatibility

Co-authored-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b9cd722595)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-03 16:43:59 +02:00
Sebastiaan van Stijn 672b1497b9
Merge pull request #4825 from thaJeztah/23.0_update_golang_1.20.13
[23.0] update to go1.20.13
2024-01-25 11:40:41 +01:00
Sebastiaan van Stijn 5aa844d97b
update to go1.20.13
go1.20.13 (released 2024-01-09) includes fixes to the runtime and the crypto/tls
package. See the Go 1.20.13 milestone on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.13+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.12...go1.20.13

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 17:27:32 +01:00
Sebastiaan van Stijn 71c12cf295
Dockerfile: update ALPINE_VERSION to 3.18
This also moves `musl-dev` to the alpine-base stage, due to changes in
Alpine 3.18 causing gotestsum build to fail because stdlib.h was missing;

    #17 5.065 # runtime/cgo
    #17 5.065 In file included from _cgo_export.c:3:
    #17 5.065 /usr/include/fortify/stdlib.h:23:15: fatal error: stdlib.h: No such file or directory
    #17 5.065    23 | #include_next <stdlib.h>
    #17 5.065       |               ^~~~~~~~~~

alpine 3.17:

    / # find / | grep stdlib.h
    /usr/include/c++/12.2.1/tr1/stdlib.h
    /usr/include/c++/12.2.1/stdlib.h

alpine 3.18

    / # find / | grep stdlib.h
    /usr/lib/llvm16/lib/clang/16/include/__clang_hip_stdlib.h
    /usr/include/fortify/stdlib.h
    /usr/include/c++/12.2.1/tr1/stdlib.h
    /usr/include/c++/12.2.1/stdlib.h

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6a74a63ee2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 17:27:32 +01:00
Sebastiaan van Stijn 9d193ea872
Dockerfile: build gotestsum and goversioninfo without cgo
It's not needed to build these binaries. The Dockerfile.dev image already
has CGO_ENABLED=0 as default in the golang image, so does not need updates.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f07e7e1eed)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 17:27:32 +01:00
Sebastiaan van Stijn 4f35b26d40
e2e: update to use compose v2, and don't depend on distro-packages
We were depending on alpine's package repository to install compose,
but for debian we used compose's GitHub releases. Depending on distro
packages means that we don't know when updates will happen, and versions
may diverge because of that; for example, alpine 3.18 updated to compose
v2;

On alpine 3.17:

    make -f docker.Makefile build-e2e-image
    docker run --rm docker-cli-e2e docker-compose --version
    docker-compose version 1.29.2, build unknown

On alpine 3.18:

    make -f docker.Makefile build-e2e-image
    docker run --rm docker-cli-e2e docker-compose --version
    Docker Compose version v2.17.3

This caused our e2e script to fail, as it made assumptions about the name
format created by compose, which changed from underscores to hyphens in v2;

    Container cliendtoendsuite-engine-1  Running
    Error: No such object: cliendtoendsuite_engine_1

This patch:

- updates the Dockerfile to install compose from the compose-bin image
- adjusts the e2e script for the new naming scheme format
- removes the version field from the compose-files used in e2e, as they
  are no longer used by compose.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9e424af5da)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 17:27:25 +01:00
Sebastiaan van Stijn eefb7634f9
Dockerfile: use COPY --link where possible
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit af05a68828)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 17:27:21 +01:00
Sebastiaan van Stijn 4d6486dd68
Merge pull request #4823 from thaJeztah/23.0_backport_4653-fix-credential-helper
[23.0 backport] Fix setting ServerAddress property in NativeStore
2024-01-24 16:52:38 +01:00
Eric Bode ddaded1b1c
Fix setting ServerAddress property in NativeStore
This will return the ServerAddress property when using the NativeStore.
This happens when you use docker credential helpers, not the credential
store.

The reason this fix is needed is because it needs to be propagated
properly down towards `moby/moby` project in the following logic:

```golang
func authorizationCredsFromAuthConfig(authConfig registrytypes.AuthConfig) docker.AuthorizerOpt {
	cfgHost := registry.ConvertToHostname(authConfig.ServerAddress)
	if cfgHost == "" || cfgHost == registry.IndexHostname {
		cfgHost = registry.DefaultRegistryHost
	}

	return docker.WithAuthCreds(func(host string) (string, string, error) {
		if cfgHost != host {
			logrus.WithFields(logrus.Fields{
				"host":    host,
				"cfgHost": cfgHost,
			}).Warn("Host doesn't match")
			return "", "", nil
		}
		if authConfig.IdentityToken != "" {
			return "", authConfig.IdentityToken, nil
		}
		return authConfig.Username, authConfig.Password, nil
	})
}
```
This logic resides in the following file :
`daemon/containerd/resolver.go` .

In the case when using the containerd storage feature when setting the
`cfgHost` variable from the `authConfig.ServerAddress` it will always be
empty. Since it will never be returned from the NativeStore currently.
Therefore Docker Hub images will work fine, but anything else will fail
since the `cfgHost` will always be the `registry.DefaultRegistryHost`.

Signed-off-by: Eric Bode <eric.bode@foundries.io>
(cherry picked from commit b24e7f85a4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 15:45:23 +01:00
Sebastiaan van Stijn 1f3e30e1d2
Merge pull request #4696 from thaJeztah/23.0_update_golang_1.20.12
[23.0] update to go1.20.12
2023-12-07 18:01:42 +01:00
Sebastiaan van Stijn 3edca7e89d
update to go1.20.12
go1.20.12 (released 2023-12-05) includes security fixes to the go command,
and the net/http and path/filepath packages, as well as bug fixes to the
compiler and the go command. See the Go 1.20.12 milestone on our issue
tracker for details.

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.12+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.11...go1.20.12

from the security mailing:

[security] Go 1.21.5 and Go 1.20.12 are released

Hello gophers,

We have just released Go versions 1.21.5 and 1.20.12, minor point releases.

These minor releases include 3 security fixes following the security policy:

- net/http: limit chunked data overhead

  A malicious HTTP sender can use chunk extensions to cause a receiver
  reading from a request or response body to read many more bytes from
  the network than are in the body.

  A malicious HTTP client can further exploit this to cause a server to
  automatically read a large amount of data (up to about 1GiB) when a
  handler fails to read the entire body of a request.

  Chunk extensions are a little-used HTTP feature which permit including
  additional metadata in a request or response body sent using the chunked
  encoding. The net/http chunked encoding reader discards this metadata.
  A sender can exploit this by inserting a large metadata segment with
  each byte transferred. The chunk reader now produces an error if the
  ratio of real body to encoded bytes grows too small.

  Thanks to Bartek Nowotarski for reporting this issue.

  This is CVE-2023-39326 and Go issue https://go.dev/issue/64433.

- cmd/go: go get may unexpectedly fallback to insecure git

  Using go get to fetch a module with the ".git" suffix may unexpectedly
  fallback to the insecure "git://" protocol if the module is unavailable
  via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE
  is not set for said module. This only affects users who are not using
  the module proxy and are fetching modules directly (i.e. GOPROXY=off).

  Thanks to David Leadbeater for reporting this issue.

  This is CVE-2023-45285 and Go issue https://go.dev/issue/63845.

- path/filepath: retain trailing \ when cleaning paths like \\?\c:\

  Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the
  volume name in Windows paths starting with \\?\, resulting in
  filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among
  other effects). The previous behavior has been restored.

  This is an update to CVE-2023-45283 and Go issue https://go.dev/issue/64028.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-06 01:43:07 +01:00
Sebastiaan van Stijn e505b13caf
update to go1.20.11
go1.20.11 (released 2023-11-07) includes security fixes to the path/filepath
package, as well as bug fixes to the linker and the net/http package. See the
Go 1.20.11 milestone on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.11+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.10...go1.20.11

from the security mailing:

[security] Go 1.21.4 and Go 1.20.11 are released

Hello gophers,

We have just released Go versions 1.21.4 and 1.20.11, minor point releases.

These minor releases include 2 security fixes following the security policy:

- path/filepath: recognize `\??\` as a Root Local Device path prefix.

  On Windows, a path beginning with `\??\` is a Root Local Device path equivalent
  to a path beginning with `\\?\`. Paths with a `\??\` prefix may be used to
  access arbitrary locations on the system. For example, the path `\??\c:\x`
  is equivalent to the more common path c:\x.

  The filepath package did not recognize paths with a `\??\` prefix as special.

  Clean could convert a rooted path such as `\a\..\??\b` into
  the root local device path `\??\b`. It will now convert this
  path into `.\??\b`.

  `IsAbs` did not report paths beginning with `\??\` as absolute.
  It now does so.

  VolumeName now reports the `\??\` prefix as a volume name.

  `Join(`\`, `??`, `b`)` could convert a seemingly innocent
  sequence of path elements into the root local device path
  `\??\b`. It will now convert this to `\.\??\b`.

  This is CVE-2023-45283 and https://go.dev/issue/63713.

- path/filepath: recognize device names with trailing spaces and superscripts

  The `IsLocal` function did not correctly detect reserved names in some cases:

  - reserved names followed by spaces, such as "COM1 ".
  - "COM" or "LPT" followed by a superscript 1, 2, or 3.

  `IsLocal` now correctly reports these names as non-local.

  This is CVE-2023-45284 and https://go.dev/issue/63713.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-06 01:42:38 +01:00
Sebastiaan van Stijn 9c25cb58dc
Merge pull request #4595 from thaJeztah/23.0_backport_update_md2man
[23.0 backport] update go-md2man to v2.0.3
2023-10-13 17:27:35 +02:00
Sebastiaan van Stijn 26f825f5de
Merge pull request #4598 from thaJeztah/23.0_update_go1.20.10
[23.0] update to go1.20.10
2023-10-12 10:45:35 +02:00
Sebastiaan van Stijn e0ba392319
update to go1.20.10
go1.20.10 (released 2023-10-10) includes a security fix to the net/http package.
See the Go 1.20.10 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.10+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.20.9...go1.20.10

From the security mailing:

[security] Go 1.21.3 and Go 1.20.10 are released

Hello gophers,

We have just released Go versions 1.21.3 and 1.20.10, minor point releases.

These minor releases include 1 security fixes following the security policy:

- net/http: rapid stream resets can cause excessive work

  A malicious HTTP/2 client which rapidly creates requests and
  immediately resets them can cause excessive server resource consumption.
  While the total number of requests is bounded to the
  http2.Server.MaxConcurrentStreams setting, resetting an in-progress
  request allows the attacker to create a new request while the existing
  one is still executing.

  HTTP/2 servers now bound the number of simultaneously executing
  handler goroutines to the stream concurrency limit. New requests
  arriving when at the limit (which can only happen after the client
  has reset an existing, in-flight request) will be queued until a
  handler exits. If the request queue grows too large, the server
  will terminate the connection.

  This issue is also fixed in golang.org/x/net/http2 v0.17.0,
  for users manually configuring HTTP/2.

  The default stream concurrency limit is 250 streams (requests)
  per HTTP/2 connection. This value may be adjusted using the
  golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
  setting and the ConfigureServer function.

  This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
  This is also tracked by CVE-2023-44487.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 20:07:35 +02:00
Sebastiaan van Stijn 15258b687e
update to go1.20.9
go1.20.9 (released 2023-10-05) includes one security fixes to the cmd/go package,
as well as bug fixes to the go command and the linker. See the Go 1.20.9
milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.9+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.20.8...go1.20.9

From the security mailing:

[security] Go 1.21.2 and Go 1.20.9 are released

Hello gophers,

We have just released Go versions 1.21.2 and 1.20.9, minor point releases.

These minor releases include 1 security fixes following the security policy:

- cmd/go: line directives allows arbitrary execution during build

  "//line" directives can be used to bypass the restrictions on "//go:cgo_"
  directives, allowing blocked linker and compiler flags to be passed during
  compliation. This can result in unexpected execution of arbitrary code when
  running "go build". The line directive requires the absolute path of the file in
  which the directive lives, which makes exploting this issue significantly more
  complex.

  This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 20:07:25 +02:00
Sebastiaan van Stijn 000d6dd870
update go-md2man to v2.0.3
full diff: https://github.com/cpuguy83/go-md2man/compare/v2.0.1...v2.0.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3f1195e4ec)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 19:24:49 +02:00