Fixing CVE (#512)

Signed-off-by: Rohit Aggarwal <[email protected]> Co-authored-by: Rohit Aggarwal <[email protected]>
carvel-dev · Sep 10, 2024 · dcdefbe · dcdefbe
1 parent 2821bee
commit dcdefbe
Show file tree

Hide file tree

Showing 26 changed files with 197 additions and 2,918 deletions.
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -15,7 +15,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.21.9"
+          go-version: "1.22.5"
       - uses: actions/checkout@v2
         with:
           fetch-depth: '0'

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -20,7 +20,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.21.9
+          go-version: 1.22.5
       - name: Retrieve version
         run: |
           echo "TAG_NAME=$(echo ${{ github.ref }}  | grep -Eo 'v[0-9].*')" >> $GITHUB_OUTPUT

diff --git a/.github/workflows/test-gh.yml b/.github/workflows/test-gh.yml
@@ -23,7 +23,7 @@ jobs:
     - name: Set up Go 1.x
       uses: actions/setup-go@v3
       with:
-        go-version: "1.21.9"
+        go-version: "1.22.5"
     - name: Check out code into the Go module directory
       uses: actions/[email protected]
       with:

diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
@@ -10,7 +10,7 @@ jobs:
     with:
       repo: carvel-dev/kbld
       tool: kbld
-      goVersion: 1.21.9
+      goVersion: 1.22.5
     secrets:
       githubToken: ${{ secrets.GITHUB_TOKEN }}
       slackWebhookURL: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/vmware-tanzu/carvel-kbld
 
-go 1.21
+go 1.22
 
 require (
 	github.com/cppforlife/cobrautil v0.0.0-20221021151949-d60711905d65
@@ -10,8 +10,8 @@ require (
 	github.com/kisielk/errcheck v1.6.3
 	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.4
-	github.com/vmware-tanzu/carvel-imgpkg v0.38.4
-	github.com/vmware-tanzu/carvel-vendir v0.35.4
+	github.com/vmware-tanzu/carvel-imgpkg v0.38.5
+	github.com/vmware-tanzu/carvel-vendir v0.35.5
 	golang.org/x/sync v0.3.0
 	k8s.io/apimachinery v0.28.1
 	sigs.k8s.io/yaml v1.3.0
@@ -22,9 +22,8 @@ require (
 	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
 	github.com/cppforlife/color v1.9.1-0.20200716202919-6706ac40b835 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/cli v24.0.0+incompatible // indirect
+	github.com/docker/cli v27.1.1+incompatible // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
-	github.com/docker/docker v24.0.0+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect

diff --git a/go.sum b/go.sum
@@ -17,12 +17,10 @@ github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/docker/cli v24.0.0+incompatible h1:0+1VshNwBQzQAx9lOl+OYCTCEAD8fKs/qeXMx3O0wqM=
-github.com/docker/cli v24.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE=
+github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
 github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v24.0.0+incompatible h1:z4bf8HvONXX9Tde5lGBMQ7yCJgNahmJumdrStZAbeY4=
-github.com/docker/docker v24.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
@@ -129,10 +127,10 @@ github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RV
 github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY=
 github.com/vito/go-interact v1.0.1 h1:O8xi8c93bRUv2Tb/v6HdiuGc+WnWt+AQzF74MOOdlBs=
 github.com/vito/go-interact v1.0.1/go.mod h1:HrdHSJXD2yn1MhlTwSIMeFgQ5WftiIorszVGd3S/DAA=
-github.com/vmware-tanzu/carvel-imgpkg v0.38.4 h1:58YL5+1ERrKOTKQ6CU2a3QriUIceYGixEGqF33NMN3Q=
-github.com/vmware-tanzu/carvel-imgpkg v0.38.4/go.mod h1:v9BcO1qfXwwIQFw2zmksdUkx8eI1e+/a0Md3xG2BzDE=
-github.com/vmware-tanzu/carvel-vendir v0.35.4 h1:NVi7LKq4vd4Cow4/4AaLEr+GNjj5q/bEM95Bb0spZ74=
-github.com/vmware-tanzu/carvel-vendir v0.35.4/go.mod h1:CAwvjC0XXhtSuREFc062RNmjB6yR8vOCkG2uboiTgL0=
+github.com/vmware-tanzu/carvel-imgpkg v0.38.5 h1:Aul6pbOs+2uLSpaQipHVWY+vAxFLX8W2ud+ZsdZWLG4=
+github.com/vmware-tanzu/carvel-imgpkg v0.38.5/go.mod h1:p9w6xgOrRFg3iKaHzpDkja6nYpqm3QjUOGjY9QIiebY=
+github.com/vmware-tanzu/carvel-vendir v0.35.5 h1:Uo5wKt7O/xndRn78/yONehpYP7+bTazQFbiiBQPhQuo=
+github.com/vmware-tanzu/carvel-vendir v0.35.5/go.mod h1:ECbGKk0nEidyzNQ9y1iMo66NxFCquRVQABWAONoBd5M=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=

diff --git a/hack/Dockerfile.dev b/hack/Dockerfile.dev
@@ -1,4 +1,4 @@
-FROM golang:1.21
+FROM golang:1.22
 
 RUN apt-get update -y
 RUN apt-get install docker.io apt-transport-https ca-certificates gnupg python-is-python3 -y

diff --git a/test/e2e/packaging_test.go b/test/e2e/packaging_test.go
@@ -178,9 +178,6 @@ overrides:
 - image: cfidentity/uaa@sha256:9f1e7e399c96309935145624d1824b2c2bf93656fd9c4dcf1c593b55f98aa6a8
   newImage: index.docker.io/cfidentity/uaa@sha256:9f1e7e399c96309935145624d1824b2c2bf93656fd9c4dcf1c593b55f98aa6a8
   preresolved: true
-- image: cloudfoundry/capi-kpack-watcher:956150dae0a95dcdf3c1f29c23c3bf11db90f7a0@sha256:67125e0d3a4026a23342d80e09aad9284c08ab4f7b3d9a993ae66e403d5d0796
-  newImage: index.docker.io/cloudfoundry/capi-kpack-watcher@sha256:67125e0d3a4026a23342d80e09aad9284c08ab4f7b3d9a993ae66e403d5d0796
-  preresolved: true
 - image: cloudfoundry/capi:nginx@sha256:51e4e48c457d5cb922cf0f569e145054e557e214afa78fb2b312a39bb2f938b6
   newImage: index.docker.io/cloudfoundry/capi@sha256:51e4e48c457d5cb922cf0f569e145054e557e214afa78fb2b312a39bb2f938b6
   preresolved: true
@@ -252,7 +249,7 @@ overrides:
   preresolved: true
 `
 
-	expectedPackagedSHA := "9d2f9e15541d6c136c28cc10e0e469f6a8b48876"
+	expectedPackagedSHA := "e2c66f42fdac6993741440ba157fe4fb3f505eb3"
 
 	path := "/tmp/kbld-test-pkg-unpkg-successful-with-many-images"
 	defer os.RemoveAll(path)

diff --git a/test/e2e/relocate_test.go b/test/e2e/relocate_test.go
@@ -57,7 +57,6 @@ func TestRelocateSuccessfulWithManyImages(t *testing.T) {
 kind: Object
 spec:
 - image: index.docker.io/cfidentity/uaa@sha256:9f1e7e399c96309935145624d1824b2c2bf93656fd9c4dcf1c593b55f98aa6a8
-- image: index.docker.io/cloudfoundry/capi-kpack-watcher@sha256:67125e0d3a4026a23342d80e09aad9284c08ab4f7b3d9a993ae66e403d5d0796
 - image: index.docker.io/cloudfoundry/capi@sha256:51e4e48c457d5cb922cf0f569e145054e557e214afa78fb2b312a39bb2f938b6
 - image: index.docker.io/cloudfoundry/cloud-controller-ng@sha256:374f967edd7db4d7efc2f38cb849988aa36a8248dd240d56f49484b8159fd800
 - image: index.docker.io/cloudfoundry/cnb@sha256:5b03a853e636b78c44e475bbc514e2b7b140cc41cca8ab907e9753431ae8c0b0
@@ -91,7 +90,6 @@ spec:
 kind: Object
 spec:
 - image: index.docker.io/*username*/kbld-test-relocate-successful-with-many-images@sha256:9f1e7e399c96309935145624d1824b2c2bf93656fd9c4dcf1c593b55f98aa6a8
-- image: index.docker.io/*username*/kbld-test-relocate-successful-with-many-images@sha256:67125e0d3a4026a23342d80e09aad9284c08ab4f7b3d9a993ae66e403d5d0796
 - image: index.docker.io/*username*/kbld-test-relocate-successful-with-many-images@sha256:51e4e48c457d5cb922cf0f569e145054e557e214afa78fb2b312a39bb2f938b6
 - image: index.docker.io/*username*/kbld-test-relocate-successful-with-many-images@sha256:374f967edd7db4d7efc2f38cb849988aa36a8248dd240d56f49484b8159fd800
 - image: index.docker.io/*username*/kbld-test-relocate-successful-with-many-images@sha256:5b03a853e636b78c44e475bbc514e2b7b140cc41cca8ab907e9753431ae8c0b0