From 3fd567a124f7c36993db5e6fbcaac0c621a27dc9 Mon Sep 17 00:00:00 2001 From: Wilken Rivera Date: Mon, 2 Oct 2023 15:07:57 +0000 Subject: [PATCH 1/6] Update gopkg.in/yaml.v3 to address CVE-2022-28948 This change address the yaml.v3 advisory reported for v0.5.1 https://deps.dev/go/github.com%2Fhashicorp%2Fpacker-plugin-sdk/v0.5.1 --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 4c27f27ff..5ffbbe4a7 100644 --- a/go.mod +++ b/go.mod @@ -77,7 +77,7 @@ require ( golang.org/x/tools v0.6.0 google.golang.org/api v0.101.0 // indirect gopkg.in/square/go-jose.v2 v2.6.0 // indirect - gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect ) require ( diff --git a/go.sum b/go.sum index 81cc03dc8..f608b2642 100644 --- a/go.sum +++ b/go.sum @@ -634,8 +634,8 @@ gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= -gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= From 264dcebbb54dbf5f5f6b9471e95dee792cff39bc Mon Sep 17 00:00:00 2001 From: Wilken Rivera Date: Mon, 2 Oct 2023 15:13:55 +0000 Subject: [PATCH 2/6] Bump github.com/dylanmei/winrmtest to address CVE-2021-3538 The latest available release of github.com/dylanmei/winrmtest removes its dependency on github.com/satori/go.uuid, which was affected by CVE-2021-3539 https://deps.dev/advisory/osv/GO-2020-0018 --- go.mod | 5 ++--- go.sum | 12 ++++++------ 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 5ffbbe4a7..b165c8cb4 100644 --- a/go.mod +++ b/go.mod @@ -10,12 +10,11 @@ require ( github.com/Masterminds/goutils v1.1.1 // indirect github.com/agext/levenshtein v1.2.3 github.com/antchfx/xpath v1.1.11 // indirect - github.com/antchfx/xquery v0.0.0-20180515051857-ad5b8c7a47b0 // indirect github.com/armon/go-metrics v0.3.9 // indirect github.com/aws/aws-sdk-go v1.44.114 github.com/cenkalti/backoff/v3 v3.2.2 // indirect github.com/dylanmei/iso8601 v0.1.0 // indirect - github.com/dylanmei/winrmtest v0.0.0-20170819153634-c2fbb09e6c08 + github.com/dylanmei/winrmtest v0.0.0-20210303004826-fbc9ae56efb6 github.com/fatih/camelcase v1.0.0 github.com/fatih/color v1.12.0 // indirect github.com/fatih/structtag v1.2.0 @@ -61,7 +60,6 @@ require ( github.com/pkg/errors v0.9.1 github.com/pkg/sftp v1.13.2 github.com/ryanuber/go-glob v1.0.0 - github.com/satori/go.uuid v1.2.0 // indirect github.com/stretchr/testify v1.7.0 github.com/ugorji/go/codec v1.2.6 github.com/ulikunitz/xz v0.5.10 // indirect @@ -86,6 +84,7 @@ require ( cloud.google.com/go/iam v0.6.0 // indirect github.com/Masterminds/semver v1.5.0 // indirect github.com/Masterminds/sprig v2.22.0+incompatible // indirect + github.com/antchfx/xmlquery v1.3.5 // indirect github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect github.com/armon/go-radix v1.0.0 // indirect github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect diff --git a/go.sum b/go.sum index f608b2642..bc49b3036 100644 --- a/go.sum +++ b/go.sum @@ -36,10 +36,11 @@ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuy github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/antchfx/xmlquery v1.3.5 h1:I7TuBRqsnfFuL11ruavGm911Awx9IqSdiU6W/ztSmVw= +github.com/antchfx/xmlquery v1.3.5/go.mod h1:64w0Xesg2sTaawIdNqMB+7qaW/bSqkQm+ssPaCMWNnc= +github.com/antchfx/xpath v1.1.10/go.mod h1:Yee4kTMuNiPYJ7nSNorELQMr1J33uOpXDMByNYhvtNk= github.com/antchfx/xpath v1.1.11 h1:WOFtK8TVAjLm3lbgqeP0arlHpvCEeTANeWZ/csPpJkQ= github.com/antchfx/xpath v1.1.11/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs= -github.com/antchfx/xquery v0.0.0-20180515051857-ad5b8c7a47b0 h1:JaCC8jz0zdMLk2m+qCCVLLLM/PL93p84w4pK3aJWj60= -github.com/antchfx/xquery v0.0.0-20180515051857-ad5b8c7a47b0/go.mod h1:LzD22aAzDP8/dyiCKFp31He4m2GPjl0AFyzDtZzUu9M= github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3 h1:ZSTrOEhiM5J5RFxEaFvMZVEAM1KvT1YzbEOwB2EAGjA= github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw= github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= @@ -94,8 +95,8 @@ github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDD github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dylanmei/iso8601 v0.1.0 h1:812NGQDBcqquTfH5Yeo7lwR0nzx/cKdsmf3qMjPURUI= github.com/dylanmei/iso8601 v0.1.0/go.mod h1:w9KhXSgIyROl1DefbMYIE7UVSIvELTbMrCfx+QkYnoQ= -github.com/dylanmei/winrmtest v0.0.0-20170819153634-c2fbb09e6c08 h1:0bp6/GrNOrTDtSXe9YYGCwf8jp5Fb/b+4a6MTRm4qzY= -github.com/dylanmei/winrmtest v0.0.0-20170819153634-c2fbb09e6c08/go.mod h1:VBVDFSBXCIW8JaHQpI8lldSKfYaLMzP9oyq6IJ4fhzY= +github.com/dylanmei/winrmtest v0.0.0-20210303004826-fbc9ae56efb6 h1:zWydSUQBJApHwpQ4guHi+mGyQN/8yN6xbKWdDtL3ZNM= +github.com/dylanmei/winrmtest v0.0.0-20210303004826-fbc9ae56efb6/go.mod h1:6BLLhzn1VEiJ4veuAGhINBTrBlV889Wd+aU4auxKOww= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= @@ -405,8 +406,6 @@ github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= -github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww= -github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUtVbo7ada43DJhG55ua/hjS5I= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= @@ -488,6 +487,7 @@ golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200813134508-3edf25e44fcc/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= From d4801bba5a67f2a0ac38e50baa27eb994fb70931 Mon Sep 17 00:00:00 2001 From: Wilken Rivera Date: Mon, 2 Oct 2023 15:18:10 +0000 Subject: [PATCH 3/6] Bump golang.org/x/net to address CVE-2023-3978 Addresses vulnerability with improper rendering of text nodes in golang.org/x/net/html --- go.mod | 10 +++++----- go.sum | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index b165c8cb4..22440e680 100644 --- a/go.mod +++ b/go.mod @@ -63,14 +63,14 @@ require ( github.com/stretchr/testify v1.7.0 github.com/ugorji/go/codec v1.2.6 github.com/ulikunitz/xz v0.5.10 // indirect - golang.org/x/crypto v0.0.0-20220517005047-85d78b3ac167 + golang.org/x/crypto v0.13.0 golang.org/x/mobile v0.0.0-20210901025245-1fde1d6c3ca1 golang.org/x/mod v0.8.0 - golang.org/x/net v0.8.0 + golang.org/x/net v0.15.0 golang.org/x/sync v0.1.0 - golang.org/x/sys v0.6.0 // indirect - golang.org/x/term v0.6.0 - golang.org/x/text v0.8.0 // indirect + golang.org/x/sys v0.12.0 // indirect + golang.org/x/term v0.12.0 + golang.org/x/text v0.13.0 // indirect golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect golang.org/x/tools v0.6.0 google.golang.org/api v0.101.0 // indirect diff --git a/go.sum b/go.sum index bc49b3036..2dc086696 100644 --- a/go.sum +++ b/go.sum @@ -452,8 +452,8 @@ golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= -golang.org/x/crypto v0.0.0-20220517005047-85d78b3ac167 h1:O8uGbHCqlTp2P6QJSLmCojM4mN6UemYv8K+dCnmHmu0= -golang.org/x/crypto v0.0.0-20220517005047-85d78b3ac167/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck= +golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190731235908-ec7cb31e5a56/go.mod h1:JhuoJpWY28nO4Vef9tZUw9qufEGTyX1+7lmHxV5q5G4= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= @@ -492,8 +492,8 @@ golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ= -golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= +golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8= +golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.1.0 h1:isLCZuhj4v+tYv7eskaN4v/TM+A1begWWgyVJDdl1+Y= golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A= @@ -538,18 +538,18 @@ golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ= -golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw= -golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= +golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU= +golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68= -golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac h1:7zkz7BUtwNFFqcowJ+RIgu2MaV/MapERkDIy+mwPyjs= From 0fed0a60ca88b9803b61166b4fedcf9ce1a97662 Mon Sep 17 00:00:00 2001 From: Wilken Rivera Date: Mon, 2 Oct 2023 15:30:17 +0000 Subject: [PATCH 4/6] Add 1.21.x to testing matrix --- .github/workflows/go-test.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/go-test.yml b/.github/workflows/go-test.yml index 64f6c3b0a..6b7f1c845 100644 --- a/.github/workflows/go-test.yml +++ b/.github/workflows/go-test.yml @@ -18,12 +18,13 @@ jobs: go-version: - '1.19' - '1.20' + - '1.21.x' permissions: id-token: write contents: read steps: - name: Setup go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe #v4.1.0 with: go-version: ${{ matrix.go-version }} @@ -81,6 +82,7 @@ jobs: go-version: - '1.19' - '1.20' + - '1.21.x' permissions: id-token: write contents: read @@ -89,7 +91,7 @@ jobs: run: git config --global core.autocrlf false - name: Setup Go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe #v4.1.0 with: go-version: ${{ matrix.go-version }} @@ -130,12 +132,13 @@ jobs: go-version: - '1.19' - '1.20' + - '1.21.x' permissions: id-token: write contents: read steps: - name: Setup go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe #v4.1.0 with: go-version: ${{ matrix.go-version }} From 2ed94e43aacb1163e97b45b45746df106ec6bcf2 Mon Sep 17 00:00:00 2001 From: Wilken Rivera Date: Mon, 2 Oct 2023 15:47:05 +0000 Subject: [PATCH 5/6] Bump Go tool chain to 1.20 This change was made to address a number of vulnerabilities reported by govulncheck in Go 1.19.13 Support for Go1.19 is removed with this change. Moving forward the minimum Go version will be bumped after a new Go minor version is released. ``` ~> govulncheck ./... Scanning your code and 599 packages across 99 dependent modules for known vulnerabilities... Vulnerability #1: GO-2023-2043 Improper handling of special tags within script contexts in html/template More info: https://pkg.go.dev/vuln/GO-2023-2043 Standard library Found in: html/template@go1.19.13 Fixed in: html/template@go1.21.1 Example traces found: #1: multistep/commonsteps/step_http_server.go:123:2: commonsteps.StepHTTPServer.Run calls http.Server.Serve, which eventually calls template.Template.Execute #2: multistep/commonsteps/step_http_server.go:123:2: commonsteps.StepHTTPServer.Run calls http.Server.Serve, which eventually calls template.Template.ExecuteTemplate Vulnerability #2: GO-2023-2041 Improper handling of HTML-like comments in script contexts in html/template More info: https://pkg.go.dev/vuln/GO-2023-2041 Standard library Found in: html/template@go1.19.13 Fixed in: html/template@go1.21.1 Example traces found: #1: multistep/commonsteps/step_http_server.go:123:2: commonsteps.StepHTTPServer.Run calls http.Server.Serve, which eventually calls template.Template.Execute #2: multistep/commonsteps/step_http_server.go:123:2: commonsteps.StepHTTPServer.Run calls http.Server.Serve, which eventually calls template.Template.ExecuteTemplate Your code is affected by 2 vulnerabilities from the Go standard library. ``` --- .github/workflows/go-test.yml | 3 --- go.mod | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/go-test.yml b/.github/workflows/go-test.yml index 6b7f1c845..99bf9b694 100644 --- a/.github/workflows/go-test.yml +++ b/.github/workflows/go-test.yml @@ -16,7 +16,6 @@ jobs: strategy: matrix: go-version: - - '1.19' - '1.20' - '1.21.x' permissions: @@ -80,7 +79,6 @@ jobs: strategy: matrix: go-version: - - '1.19' - '1.20' - '1.21.x' permissions: @@ -130,7 +128,6 @@ jobs: strategy: matrix: go-version: - - '1.19' - '1.20' - '1.21.x' permissions: diff --git a/go.mod b/go.mod index 22440e680..af5e90bec 100644 --- a/go.mod +++ b/go.mod @@ -117,6 +117,6 @@ require ( google.golang.org/protobuf v1.28.1 // indirect ) -go 1.19 +go 1.20 retract v0.5.0 // v0.5.0 of the SDK was broken because of the replace statement for go-cty From 7587a60df98b984697cf7e0123c98fab3ec1a7b2 Mon Sep 17 00:00:00 2001 From: Wilken Rivera Date: Fri, 13 Oct 2023 12:22:48 -0400 Subject: [PATCH 6/6] Fix filepath.Clean for file prefixed URLs --- multistep/commonsteps/step_download.go | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/multistep/commonsteps/step_download.go b/multistep/commonsteps/step_download.go index e0a4272cd..8daa8ab40 100644 --- a/multistep/commonsteps/step_download.go +++ b/multistep/commonsteps/step_download.go @@ -221,11 +221,16 @@ func (s *StepDownload) download(ctx context.Context, ui packersdk.Ui, source str } src := u.String() if u.Scheme == "" || strings.ToLower(u.Scheme) == "file" { - // If a local filepath, then we need to preprocess to make sure the - // path doens't have any multiple successive path separators; if it + // If a local filepath, then we need to pre-process to make sure the + // path doesn't have any multiple successive path separators; if it // does, go-getter will read this as a specialized go-getter-specific // subdirectory command, which it most likely isn't. src = filepath.Clean(u.String()) + // Starting with Go 1.21.0 filepath.Clean on Windows treats paths containing file: as invalid + // so they are prefixed with a dot (.) followed by the os.PathSeparator + if runtime.GOOS == "windows" && (src[0] == '.' && os.IsPathSeparator(src[1])) { + src = src[2:] + } if _, err := os.Stat(filepath.Clean(u.Path)); err != nil { // Cleaned path isn't present on system so it must be some other // scheme. Don't error right away; see if go-getter can figure it