Commit Graph

158 Commits

Author SHA1 Message Date
Sebastiaan van Stijn 3a17d8a909
Update to go 1.19.1 to address CVE-2022-27664, CVE-2022-32190
From the mailing list:

We have just released Go versions 1.19.1 and 1.18.6, minor point releases.
These minor releases include 2 security fixes following the security policy:

- net/http: handle server errors after sending GOAWAY
  A closing HTTP/2 server connection could hang forever waiting for a clean
  shutdown that was preempted by a subsequent fatal error. This failure mode
  could be exploited to cause a denial of service.

  Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
  and Kaan Onarlioglu for reporting this.

  This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.

- net/url: JoinPath does not strip relative path components in all circumstances
  JoinPath and URL.JoinPath would not remove `../` path components appended to a
  relative path. For example, `JoinPath("https://go.dev", "../go")` returned the
  URL `https://go.dev/../go`, despite the JoinPath documentation stating that
  `../` path elements are cleaned from the result.

  Thanks to q0jt for reporting this issue.

  This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.

Release notes:

go1.19.1 (released 2022-09-06) includes security fixes to the net/http and
net/url packages, as well as bug fixes to the compiler, the go command, the pprof
command, the linker, the runtime, and the crypto/tls and crypto/x509 packages.
See the Go 1.19.1 milestone on the issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.19.1+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-08 10:40:08 +02:00
Sebastiaan van Stijn 07ac2d8dc4
update to golang 1.19
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-08 10:40:06 +02:00
Sebastiaan van Stijn 1061f74496
Update to go 1.18.6 to address CVE-2022-27664, CVE-2022-32190
From the mailing list:

We have just released Go versions 1.19.1 and 1.18.6, minor point releases.
These minor releases include 2 security fixes following the security policy:

- net/http: handle server errors after sending GOAWAY
  A closing HTTP/2 server connection could hang forever waiting for a clean
  shutdown that was preempted by a subsequent fatal error. This failure mode
  could be exploited to cause a denial of service.

  Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
  and Kaan Onarlioglu for reporting this.

  This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.

- net/url: JoinPath does not strip relative path components in all circumstances
  JoinPath and URL.JoinPath would not remove `../` path components appended to a
  relative path. For example, `JoinPath("https://go.dev", "../go")` returned the
  URL `https://go.dev/../go`, despite the JoinPath documentation stating that
  `../` path elements are cleaned from the result.

  Thanks to q0jt for reporting this issue.

  This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.

Release notes:

go1.18.6 (released 2022-09-06) includes security fixes to the net/http package,
as well as bug fixes to the compiler, the go command, the pprof command, the
runtime, and the crypto/tls, encoding/xml, and net packages. See the Go 1.18.6
milestone on the issue tracker for details;

https://github.com/golang/go/issues?q=milestone%3AGo1.18.6+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 22:11:15 +02:00
Sebastiaan van Stijn 0dd2c18082
golangci-lint: update to v1.49.0 for compatibilty with go1.19
Remove the "deadcode", "structcheck", and "varcheck" linters, as they are
deprecated:

    WARN [runner] The linter 'deadcode' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter.  Replaced by unused.
    WARN [runner] The linter 'structcheck' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter.  Replaced by unused.
    WARN [runner] The linter 'varcheck' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter.  Replaced by unused.
    WARN [linters context] structcheck is disabled because of generics. You can track the evolution of the generics support by following the golangci/golangci-lint#2649.

And ignore gosec G113, which only affects gp < 1.16.14. and go < 1.17.7

    opts/opts.go:398:13: G113: Potential uncontrolled memory consumption in Rat.SetString (CVE-2022-23772) (gosec)
        cpu, ok := new(big.Rat).SetString(value)
                   ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-03 21:25:47 +02:00
Sebastiaan van Stijn ad2bff2c0a
Dockerfile: update buildx to v0.9.0
release notes: https://github.com/docker/buildx/releases/tag/v0.9.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 01:06:06 +02:00
Sebastiaan van Stijn 6191b662b3
Update golang to 1.18.5
Update Go runtime to 1.18.5 to address CVE-2022-32189.

Full diff: https://github.com/golang/go/compare/go1.18.4...go1.18.5

--------------------------------------------------------

From the security announcement:
https://groups.google.com/g/golang-announce/c/YqYYG87xB10

We have just released Go versions 1.18.5 and 1.17.13, minor point
releases.

These minor releases include 1 security fixes following the security
policy:

encoding/gob & math/big: decoding big.Float and big.Rat can panic

Decoding big.Float and big.Rat types can panic if the encoded message is
too short.

This is CVE-2022-32189 and Go issue https://go.dev/issue/53871.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.18.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-03 20:17:18 +02:00
Sebastiaan van Stijn 046e7e61f5
update golang to 1.18.4
go1.18.4 (released 2022-07-12) includes security fixes to the compress/gzip,
encoding/gob, encoding/xml, go/parser, io/fs, net/http, and path/filepath
packages, as well as bug fixes to the compiler, the go command, the linker,
the runtime, and the runtime/metrics package. See the Go 1.18.4 milestone on the
issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.4+label%3ACherryPickApproved

This update addresses:

CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631,
CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, and CVE-2022-32148.

Full diff: https://github.com/golang/go/compare/go1.18.3...go1.18.4

From the security announcement;
https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

We have just released Go versions 1.18.4 and 1.17.12, minor point releases. These
minor releases include 9 security fixes following the security policy:

- net/http: improper sanitization of Transfer-Encoding header

  The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
  a "chunked" encoding. This could potentially allow for request smuggling, but
  only if combined with an intermediate server that also improperly failed to
  reject the header as invalid.

  This is CVE-2022-1705 and https://go.dev/issue/53188.

- When `httputil.ReverseProxy.ServeHTTP` was called with a `Request.Header` map
  containing a nil value for the X-Forwarded-For header, ReverseProxy would set
  the client IP as the value of the X-Forwarded-For header, contrary to its
  documentation. In the more usual case where a Director function set the
  X-Forwarded-For header value to nil, ReverseProxy would leave the header
  unmodified as expected.

  This is https://go.dev/issue/53423 and CVE-2022-32148.

  Thanks to Christian Mehlmauer for reporting this issue.

- compress/gzip: stack exhaustion in Reader.Read

  Calling Reader.Read on an archive containing a large number of concatenated
  0-length compressed files can cause a panic due to stack exhaustion.

  This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

- encoding/xml: stack exhaustion in Unmarshal

  Calling Unmarshal on a XML document into a Go struct which has a nested field
  that uses the any field tag can cause a panic due to stack exhaustion.

  This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

- encoding/xml: stack exhaustion in Decoder.Skip

  Calling Decoder.Skip when parsing a deeply nested XML document can cause a
  panic due to stack exhaustion. The Go Security team discovered this issue, and
  it was independently reported by Juho Nurminen of Mattermost.

  This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

- encoding/gob: stack exhaustion in Decoder.Decode

  Calling Decoder.Decode on a message which contains deeply nested structures
  can cause a panic due to stack exhaustion.

  This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

- path/filepath: stack exhaustion in Glob

  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

- io/fs: stack exhaustion in Glob

  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

- go/parser: stack exhaustion in all Parse* functions

  Calling any of the Parse functions on Go source code which contains deeply
  nested types or declarations can cause a panic due to stack exhaustion.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-13 10:52:34 +02:00
CrazyMax 0f6a0eb2d4
bake: use no-cache-filter for outdated stage
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-06-05 16:25:05 +02:00
Sebastiaan van Stijn aa720f154a
update golang to 1.18.3
go1.18.3 (released 2022-06-01) includes security fixes to the crypto/rand,
crypto/tls, os/exec, and path/filepath packages, as well as bug fixes to the
compiler, and the crypto/tls and text/template/parse packages. See the Go
1.18.3 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.3+label%3ACherryPickApproved

Hello gophers,

We have just released Go versions 1.18.3 and 1.17.11, minor point releases.

These minor releases include 4 security fixes following the security policy:

- crypto/rand: rand.Read hangs with extremely large buffers
  On Windows, rand.Read will hang indefinitely if passed a buffer larger than
  1 << 32 - 1 bytes.

  Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go toolset,
  for reporting this issue.

  This is [CVE-2022-30634][CVE-2022-30634] and Go issue https://go.dev/issue/52561.
- crypto/tls: session tickets lack random ticket_age_add
  Session tickets generated by crypto/tls did not contain a randomly generated
  ticket_age_add. This allows an attacker that can observe TLS handshakes to
  correlate successive connections by comparing ticket ages during session
  resumption.

  Thanks to GitHub user nervuri for reporting this.

  This is [CVE-2022-30629][CVE-2022-30629] and Go issue https://go.dev/issue/52814.
- `os/exec`: empty `Cmd.Path` can result in running unintended binary on Windows

  If, on Windows, `Cmd.Run`, `cmd.Start`, `cmd.Output`, or `cmd.CombinedOutput`
  are executed when Cmd.Path is unset and, in the working directory, there are
  binaries named either "..com" or "..exe", they will be executed.

  Thanks to Chris Darroch, brian m. carlson, and Mikhail Shcherbakov for reporting
  this.

  This is [CVE-2022-30580][CVE-2022-30580] and Go issue https://go.dev/issue/52574.
- `path/filepath`: Clean(`.\c:`) returns `c:` on Windows

  On Windows, the `filepath.Clean` function could convert an invalid path to a
  valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

  Thanks to Unrud for reporting this issue.

  This is [CVE-2022-29804][CVE-2022-29804] and Go issue https://go.dev/issue/52476.

[CVE-2022-30634]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30634
[CVE-2022-30629]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30629
[CVE-2022-30580]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30580
[CVE-2022-29804]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29804

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-02 09:22:18 +02:00
Sebastiaan van Stijn f5d16893dd
update golang to 1.18.2
go1.18.2 (released 2022-05-10) includes security fixes to the syscall package,
as well as bug fixes to the compiler, runtime, the go command, and the crypto/x509,
go/types, net/http/httptest, reflect, and sync/atomic packages. See the Go 1.18.2
milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.2+label%3ACherryPickApproved

Full diff: http://github.com/golang/go/compare/go1.18.1...go1.18.2

Includes fixes for:

- CVE-2022-29526 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526);
  (description at https://go.dev/issue/52313).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-11 14:20:44 +02:00
Sebastiaan van Stijn 9060ad6437
Merge pull request #3539 from thaJeztah/easier_make
Improvements to makefile and development container
2022-04-30 11:07:02 +02:00
Sebastiaan van Stijn c3fe1b962f
update golang to 1.18.1
go1.18.1 (released 2022-04-12) includes security fixes to the crypto/elliptic,
crypto/x509, and encoding/pem packages, as well as bug fixes to the compiler,
linker, runtime, the go command, vet, and the bytes, crypto/x509, and go/types
packages. See the Go 1.18.1 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.1+label%3ACherryPickApproved

Includes fixes for:

- CVE-2022-24675 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24675)
- CVE-2022-27536 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27536)
- CVE-2022-28327 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28327)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-19 09:58:44 +02:00
Sebastiaan van Stijn 90b60b5d88
Dockerfile.dev: set prompt, add nano and jq, and set MOTD
This makes some minor improvments to the dev container:

- add `nano` as an alternative to `vi` to help beginning contributors, or people
  that don't remember how to quit `vi` ;-)
- add `jq` as it's often handy to have available to debug JSON output.
- set a custom prompt to make it clearer that the user is in a container
- add a short MOTD that shows that the user is in a container, and a pointer
  to 'make help' (we can add more help/instructions to this MOTD in future).

Before this patch:

    make -f docker.Makefile dev
    ...
    bash-5.1#

With this patch:

    make -f docker.Makefile dev
    ...

    You are now in a development container. Run 'make help' to learn about
    available make targets.

    root@docker-cli-dev$

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-06 18:54:32 +02:00
Sebastiaan van Stijn 028d5c39ba
Dockerfile: update buildx to v0.8.2
release notes: https://github.com/docker/buildx/releases/tag/v0.8.2

Notable changes:

- Update Compose spec used by buildx bake to v1.2.1 to fix parsing ports definition
- Fix possible crash on handling progress streams from BuildKit v0.10
- Fix parsing groups in buildx bake when already loaded by a parent group

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 10:34:49 +02:00
Sebastiaan van Stijn a3c4a42d4e
Dockerfile: update buildx to v0.8.1
This only affects the version used in the dev container, but
I noticed it was an older version of buildx.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-29 15:37:35 +02:00
Sebastiaan van Stijn 635c55d52f
update go to 1.18.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-28 17:23:09 +02:00
Sebastiaan van Stijn 3ffe6a3375
lint: update golangci-lint to v1.45.2
Also removed deprecated linters:

The linter 'interfacer' is deprecated (since v1.38.0) due to: The repository of the linter has been archived by the owner.
The linter 'golint' is deprecated (since v1.41.0) due to: The repository of the linter has been archived by the owner.  Replaced by revive.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-28 10:37:27 +02:00
Tonis Tiigi 6119e4ba90
update go to 1.17.8
Removes the platform based switch between different versions.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-26 17:00:56 +01:00
Sebastiaan van Stijn 994d6b7fc2
Dockerfile: use syntax=docker/dockerfile:1
Now that HEREDOC is included in the stable Dockerfile syntax, we can
use the latest stable syntax for all Dockerfiles.

The recommendation for the stable syntax is to use `:1` (which is
equivalent to "latest" stable syntax.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-17 10:40:17 +01:00
CrazyMax bea6c0d242
validate authors target
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-02-25 17:03:25 +01:00
CrazyMax 6fef143dbc
Set buildx as default builder
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-02-03 10:38:05 +01:00
Sebastiaan van Stijn 0d5b24b019
Dockerfile.vendor: use GOPROXY=direct
While the module proxy can speed up vendoring, it may cause issues when
(temporarily) vendoring from a fork, because the proxy may not have the
module yet on first try, which causes vendoring to fail:

    vendor.mod:95:2: replace github.com/thaJeztah/compose-on-kubernetes:
    version "0b59cf047b3b0199048fe13fdcd21b0cb46549f2" invalid:
    Get "0b59cf047b.info": read tcp 172.17.0.2:60290->172.217.168.209:443: read: connection reset by peer

Using `GOPROXY=direct` to fetch sources directly from upstream (GitHub) instead.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-28 11:40:33 +01:00
CrazyMax 663f01b9cc
use uuid to invalidate cache
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-01-13 13:47:43 +01:00
CrazyMax 7e560ae76f
vendor with go mod
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2021-12-16 21:16:01 +01:00
Sebastiaan van Stijn dedd4b79ca
Update Go to 1.16.11
go1.16.11 (released 2021-12-02) includes fixes to the compiler, runtime, and the
net/http, net/http/httptest, and time packages. See the Go 1.16.11 milestone on
the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.11+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-12-06 10:57:30 +01:00
CrazyMax 62ea2bf1aa
GitHub Actions e2e tests
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2021-11-17 17:18:25 +01:00
Sebastiaan van Stijn e285f15009
Update Go to 1.16.10
go1.16.10 (released 2021-11-04) includes security fixes to the archive/zip and
debug/macho packages, as well as bug fixes to the compiler, linker, runtime, the
misc/wasm directory, and to the net/http package. See the Go 1.16.10 milestone
for details: https://github.com/golang/go/issues?q=milestone%3AGo1.16.10+label%3ACherryPickApproved

From the announcement e-mail:

[security] Go 1.17.3 and Go 1.16.10 are released

We have just released Go versions 1.17.3 and 1.16.10, minor point releases.
These minor releases include two security fixes following the security policy:

- archive/zip: don't panic on (*Reader).Open
  Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made
  to panic by an attacker providing either a crafted ZIP archive containing
  completely invalid names or an empty filename argument.
  Thank you to Colin Arnott, SiteHost and Noah Santschi-Cooney, Sourcegraph Code
  Intelligence Team for reporting this issue. This is CVE-2021-41772 and Go issue
  golang.org/issue/48085.
- debug/macho: invalid dynamic symbol table command can cause panic
  Malformed binaries parsed using Open or OpenFat can cause a panic when calling
  ImportedSymbols, due to an out-of-bounds slice operation.
  Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for reporting this
  issue. This is CVE-2021-41771 and Go issue golang.org/issue/48990.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-05 11:12:54 +01:00
Silvin Lubecki e57b5f78de
Merge pull request #3330 from thaJeztah/bump_go_1.16.9
Update Go to 1.16.9
2021-10-15 16:46:00 +02:00
CrazyMax 75284bd1d1
Use goversioninfo to create Windows Version Info
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2021-10-11 16:54:22 +02:00
Sebastiaan van Stijn bf310f863b
Update Go to 1.16.9
go1.16.9 (released 2021-10-07) includes a security fix to the linker and misc/wasm
directory, as well as bug fixes to the runtime and to the text/template package.
See the Go 1.16.9 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.9+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-08 15:18:20 +02:00
Silvin Lubecki e978593bd8
Merge pull request #3234 from crazy-max/gha-build
GitHub Actions cross
2021-10-01 10:08:41 +02:00
CrazyMax d9f4352c26
GitHub Actions cross
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2021-09-26 18:01:55 +02:00
Sebastiaan van Stijn 01fa5d925a
Update Go to 1.16.8
This includes additional fixes for CVE-2021-39293.

go1.16.8 (released 2021-09-09) includes a security fix to the archive/zip package,
as well as bug fixes to the archive/zip, go/internal/gccgoimporter, html/template,
net/http, and runtime/pprof packages. See the Go 1.16.8 milestone on the issue
tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.8+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-09-15 13:26:11 +02:00
Sebastiaan van Stijn 818564af51
cli/compose: use go1.16 native embed functionality for schemas
This allows us to drop the `//go:generate` and use of the github.com/mjibson/esc
utility.

worth noting that Go's native "embed" does not compress files. We could compress
these files as part of a build / validate step (which would add some complexity
when updating these files) if this is a concern, but not sure if the additional
complexity is warranted.

Comparing before/after sizes (see below);

    macOS: 54125840 - 54005264 = 120576 (+120.58 kB)
    Linux: 52393231 - 52277701 = 115530 (+115.53 kB)

Before:

    ls -l build/
    total 208736
    lrwxr-xr-x  1 sebastiaan  staff        19 Aug 15 09:36 docker@ -> docker-linux-amd64
    -rwxr-xr-x  1 sebastiaan  staff  54005264 Aug 15 09:35 docker-darwin-amd64*
    -rwxr-xr-x  1 sebastiaan  staff  52277701 Aug 15 09:36 docker-linux-amd64*

After:

    ls -l build/
    total 208960
    lrwxr-xr-x  1 sebastiaan  staff        18 Aug 15 09:32 docker@ -> docker-linux-amd64
    -rwxr-xr-x  1 sebastiaan  staff  54125840 Aug 15 09:31 docker-darwin-amd64*
    -rwxr-xr-x  1 sebastiaan  staff  52393231 Aug 15 09:32 docker-linux-amd64*

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-15 10:04:13 +02:00
Sebastiaan van Stijn 3112b382a3
Update Go to 1.16.7
go1.16.7 (released 2021-08-05) includes a security fix to the net/http/httputil
package, as well as bug fixes to the compiler, the linker, the runtime, the go
command, and the net/http package. See the Go 1.16.7 milestone on the issue
tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.7+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-07 18:20:39 +02:00
CrazyMax 698c155478
GitHub Actions for lint
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2021-08-05 08:44:21 +02:00
Sebastiaan van Stijn a477a727fc
Update to go1.16.6
Keeping the dockerfiles/Dockerfile.cross image at 1.13, as we don't
have more current versions of that image. However, I don't think it's
still used, so we should remove it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-29 11:52:02 +02:00
Sebastiaan van Stijn 60fe322434
e2e: update gotestsum to v1.7.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-28 19:44:11 +02:00
Sebastiaan van Stijn 91c7569a7a
Merge pull request #3140 from thaJeztah/update_e2e_compose
e2e: update docker-compose to 1.29.2
2021-07-26 15:33:48 +02:00
Sebastiaan van Stijn 48dbf6f3cf
Update Dockerfiles to latest syntax, remove "experimental"
The experimental image is deprecated (now "labs"), and the features we use
are now included in the regular (stable) syntax.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-22 14:48:09 +02:00
Sebastiaan van Stijn 524e3b215d
e2e: update docker-compose to 1.29.2
Newer versions have COMPOSE_DOCKER_CLI_BUILD enabled by default,
so removing that env-var.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-16 11:37:41 +02:00
Sebastiaan van Stijn 8328ee1965
Bump vndr v0.1.2
full diff: https://github.com/LK4D4/vndr/compare/v0.1.1...v0.1.2

- cleanVCS: prevent panic
- Consider '.syso' as a Go file for vendoring

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-16 01:32:00 +02:00
Sebastiaan van Stijn 01cd748eb6
Dockerfile: use experimental syntax and buildkit cache-mounts
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-08 10:30:18 +02:00
Sebastiaan van Stijn ab72cc923c
Dockerfile: use bash as default command, remove DOCKER_CLI_SHELL
Bash is installed already, so we might as well use it as a default.

This also removes the DOCKER_CLI_SHELL variable, which  was added
in  b039db985a to allow using bash
instead of (a)sh. Now that Bash is the default, there should be
no need to override, and we can keep things simple.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-08 10:27:12 +02:00
Sebastiaan van Stijn 7c66213f82
Dockerfile: build gotestsum from source
Building form source is slower, but will support other architectures, such as arm64

Before:

     => [gotestsum 1/2] ADD https://github.com/gotestyourself/gotestsum/releases/download/v0.4.0/gotestsum_0.4.0_linux_amd64.tar.gz gotestsum.tar.gz  2.3s
     => [gotestsum 2/2] RUN tar -xf gotestsum.tar.gz gotestsum -C /go/bin                                                                             1.8s

After:

    => [gotestsum 1/1] RUN go get gotest.tools/gotestsum@v0.4.0                                                                                       13.0s

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-08 10:27:06 +02:00
Sebastiaan van Stijn 01d6d2e7a7
Dockerfile: refactor to use multi-stage build
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-08 10:25:22 +02:00
Sebastiaan van Stijn 0b8f46b061
Dockerfile: fix dynbinary inside dev container
Running `make dynbinary` inside the dev-container failed because
gcc was not installed. Adding the `build-base` metapackage, which
has gcc, make, g++ and other packages that are needed.

Before this change:

    $ make -f docker.Makefile shell
    $$ make dynbinary
    ./scripts/build/dynbinary
    Building dynamically linked build/docker-linux-amd64
    # github.com/docker/cli/cmd/docker
    /usr/local/go/pkg/tool/linux_amd64/link: running gcc failed: exec: "gcc": executable file not found in $PATH
    make: *** [Makefile:63: dynbinary] Error 2

With this patch applied

    $ make -f docker.Makefile shell
    $$ make dynbinary
    ./scripts/build/dynbinary
    Building dynamically linked build/docker-linux-amd64
    $$ echo $?
    0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-28 16:25:15 +02:00
Sebastiaan van Stijn 43bc718895
Dockerfiles: update shellcheck v0.7.1
full diff: https://github.com/koalaman/shellcheck/compare/v0.7.0...v0.7.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 15:46:07 +02:00
Sebastiaan van Stijn 2315975272
Bump Golang 1.13.15
full diff: https://github.com/golang/go/compare/go1.13.14...go1.13.15

go1.13.15 (released 2020/08/06) includes security fixes to the encoding/binary
package. See the Go 1.13.15 milestone on the issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.13.15+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-10 17:24:48 +02:00
Sebastiaan van Stijn cdfafe03e3
Bump Golang 1.13.14
full diff: https://github.com/golang/go/compare/go1.13.13...go1.13.14

go1.13.14 (released 2020/07/16) includes fixes to the compiler, vet, and the
database/sql, net/http, and reflect packages. See the Go 1.13.14 milestone on
the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.13.14+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-07-17 15:44:54 +02:00