Fix vuln as of 2024-12-17 #42

ref DEV-2372
authgear · Dec 17, 2024 · f0eeabf · f0eeabf
2 parents 046665e + 9afab18
commit f0eeabf
Show file tree

Hide file tree

Showing 10 changed files with 345 additions and 530 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -13,6 +13,8 @@ jobs:
         with:
           go-version-file: "./go.mod"
       - run: make vendor
+      - run: make govulncheck
+        if: ${{ !cancelled() }}
       - run: make lint
         if: ${{ !cancelled() }}
       - run: make test

diff --git a/.tool-versions b/.tool-versions
@@ -1 +1 @@
-golang 1.21.9
+golang 1.22.10
diff --git a/Makefile b/Makefile
@@ -16,6 +16,14 @@ vendor:
 	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $$(go env GOPATH)/bin v1.55.2
 	go mod download
 	go install github.com/google/wire/cmd/wire
+	go install golang.org/x/vuln/cmd/govulncheck@latest
+
+.PHONY: go-mod-outdated
+go-mod-outdated:
+	# https://stackoverflow.com/questions/55866604/whats-the-go-mod-equivalent-of-npm-outdated
+	# Since go 1.21, this command will exit 2 when one of the dependencies require a go version newer than us.
+	# This implies we have to use the latest verion of Go whenever possible.
+	go list -u -m -f '{{if .Update}}{{if not .Indirect}}{{.}}{{end}}{{end}}' all
 
 .PHONY: generate
 generate:
@@ -29,6 +37,10 @@ test:
 lint:
 	golangci-lint run ./cmd/... ./pkg/...
 
+.PHONY: govulncheck
+govulncheck:
+	govulncheck -show traces,version,verbose ./...
+
 .PHONY: fmt
 fmt:
 	go fmt ./...

diff --git a/cmd/server/Dockerfile b/cmd/server/Dockerfile
@@ -1,5 +1,5 @@
 # Build Stage
-FROM golang:1.21.9-bookworm as builder
+FROM golang:1.22.10-bookworm as builder
 
 ARG GIT_HASH
 WORKDIR /src

diff --git a/cmd/server/cmd/cmdstart/start.go b/cmd/server/cmd/cmdstart/start.go
@@ -23,7 +23,7 @@ var cmdStart = &cobra.Command{
 			Config: config,
 		}
 
-		ctrl.Start()
+		ctrl.Start(cmd.Context())
 		return nil
 	},
 }

diff --git a/cmd/server/main.go b/cmd/server/main.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"os"
 
 	"github.com/authgear/authgear-nft-indexer/cmd/server/cmd"
@@ -9,7 +10,8 @@ import (
 )
 
 func main() {
-	err := cmd.Root.Execute()
+	ctx := context.Background()
+	err := cmd.Root.ExecuteContext(ctx)
 	if err != nil {
 		os.Exit(1)
 	} else {

diff --git a/cmd/server/server/router.go b/cmd/server/server/router.go
@@ -1,14 +1,16 @@
 package server
 
 import (
+	"net/http"
+
 	"github.com/authgear/authgear-nft-indexer/pkg/config"
 	"github.com/authgear/authgear-nft-indexer/pkg/handler"
 	"github.com/authgear/authgear-server/pkg/util/httproute"
 	"github.com/authgear/authgear-server/pkg/util/log"
 	"github.com/uptrace/bun"
 )
 
-func NewRouter(config config.Config, session *bun.DB, lf *log.Factory) *httproute.Router {
+func NewRouter(config config.Config, session *bun.DB, lf *log.Factory) http.Handler {
 	router := httproute.NewRouter()
 
 	routeHandler := handler.RouteHandler{
@@ -21,5 +23,5 @@ func NewRouter(config config.Config, session *bun.DB, lf *log.Factory) *httprout
 	router.Add(handler.ConfigureListOwnerNFTRoute(route), routeHandler.Handle(NewListOwnerNFTAPIHandler))
 	router.Add(handler.ConfigureGetCollectionMetadataRoute(route), routeHandler.Handle(NewGetCollectionMetadataAPIHandler))
 	router.Add(handler.ConfigureProbeCollectionRoute(route), routeHandler.Handle(NewProbeCollectionAPIHandler))
-	return router
+	return router.HTTPHandler()
 }
diff --git a/cmd/server/server/server.go b/cmd/server/server/server.go
@@ -1,6 +1,8 @@
 package server
 
 import (
+	"context"
+
 	"github.com/authgear/authgear-nft-indexer/pkg/config"
 	"github.com/authgear/authgear-nft-indexer/pkg/database"
 	"github.com/authgear/authgear-server/pkg/util/log"
@@ -13,7 +15,7 @@ type Controller struct {
 	logger *log.Logger
 }
 
-func (c *Controller) Start() {
+func (c *Controller) Start(ctx context.Context) {
 	u, err := server.ParseListenAddress(c.Config.Server.ListenAddr)
 	if err != nil {
 		c.logger.WithError(err).Fatal("failed to parse admin API server listen address")
@@ -24,8 +26,8 @@ func (c *Controller) Start() {
 	lf := log.NewFactory(log.LevelInfo)
 	c.logger = lf.New("server")
 
-	signalutil.Start(c.logger, []signalutil.Daemon{
-		server.NewSpec(&server.Spec{
+	signalutil.Start(ctx, c.logger, []signalutil.Daemon{
+		server.NewSpec(ctx, &server.Spec{
 			Name:          "Indexer API Server",
 			ListenAddress: u.Host,
 			Handler: NewRouter(

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/authgear/authgear-nft-indexer
 
-go 1.21.9
+go 1.22.10
 
 // btcd < 0.23.2 is affected by https://nvd.nist.gov/vuln/detail/CVE-2022-44797
 // I discovered Go module supports a exclude directive, so I used it here.
@@ -9,99 +9,129 @@ go 1.21.9
 exclude github.com/btcsuite/btcd v0.20.1-beta
 
 require (
-	github.com/authgear/authgear-server v0.0.0-20240430034819-f9cf50c118a5
+	github.com/authgear/authgear-server v0.0.0-20241213065238-3adac96b5d70
 	github.com/google/wire v0.5.0
 	github.com/oklog/ulid/v2 v2.1.0
-	github.com/rubenv/sql-migrate v1.5.2
-	github.com/spf13/cobra v1.8.0
-	github.com/uptrace/bun v1.1.17
-	github.com/uptrace/bun/dialect/pgdialect v1.1.17
-	github.com/uptrace/bun/driver/pgdriver v1.1.17
-	github.com/uptrace/bun/extra/bunbig v1.1.17
-	github.com/uptrace/bun/extra/bundebug v1.1.17
+	github.com/rubenv/sql-migrate v1.7.1
+	github.com/spf13/cobra v1.8.1
+	// bun increments go1.22 to go1.23 in a patch release :(
+	// So we stick with v1.2.5 here.
+	// See https://github.com/uptrace/bun/compare/v1.2.5..v1.2.6#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6
+	github.com/uptrace/bun v1.2.5
+	github.com/uptrace/bun/dialect/pgdialect v1.2.5
+	github.com/uptrace/bun/driver/pgdriver v1.2.5
+	github.com/uptrace/bun/extra/bunbig v1.2.5
+	github.com/uptrace/bun/extra/bundebug v1.2.5
 	sigs.k8s.io/yaml v1.4.0
 )
 
 require (
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
-	github.com/boombuler/barcode v1.0.1 // indirect
-	github.com/btcsuite/btcd/btcec/v2 v2.3.2 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/XSAM/otelsql v0.35.0 // indirect
+	github.com/authgear/oauthrelyingparty v1.5.0 // indirect
+	github.com/beevik/etree v1.4.1 // indirect
+	github.com/boombuler/barcode v1.0.2 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cockroachdb/apd/v2 v2.0.2 // indirect
-	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/ethereum/go-ethereum v1.13.15 // indirect
-	github.com/fatih/color v1.16.0 // indirect
-	github.com/fsnotify/fsnotify v1.6.0 // indirect
-	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
+	github.com/fatih/color v1.18.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.6.0 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.6 // indirect
 	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
-	github.com/go-redis/redis/v8 v8.11.5 // indirect
-	github.com/go-redsync/redsync/v4 v4.11.0 // indirect
+	github.com/go-ldap/ldap/v3 v3.4.8 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-redsync/redsync/v4 v4.13.0 // indirect
 	github.com/go-webauthn/webauthn v0.8.6 // indirect
 	github.com/go-webauthn/x v0.1.4 // indirect
-	github.com/goccy/go-json v0.10.2 // indirect
-	github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/google/go-tpm v0.9.0 // indirect
 	github.com/google/subcommands v1.0.1 // indirect
-	github.com/google/uuid v1.4.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
-	github.com/holiman/uint256 v1.2.4 // indirect
 	github.com/iawaknahc/jsonschema v0.0.0-20211026064614-d05c07b7760d // indirect
-	github.com/iawaknahc/originmatcher v0.0.0-20221013032908-274b9eda03bc // indirect
+	github.com/iawaknahc/originmatcher v0.0.0-20240717084358-ac10088d8800 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/julienschmidt/httprouter v1.3.0 // indirect
 	github.com/kelseyhightower/envconfig v1.4.0 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
-	github.com/lestrrat-go/httprc v1.0.5 // indirect
+	github.com/lestrrat-go/httprc v1.0.6 // indirect
 	github.com/lestrrat-go/iter v1.0.2 // indirect
-	github.com/lestrrat-go/jwx/v2 v2.0.21 // indirect
+	github.com/lestrrat-go/jwx/v2 v2.1.3 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/nyaruka/phonenumbers v1.2.2 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/nyaruka/phonenumbers v1.4.3 // indirect
+	github.com/onsi/gomega v1.18.1 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
-	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/pquerna/otp v1.4.0 // indirect
-	github.com/sagikazarmark/locafero v0.3.0 // indirect
+	github.com/puzpuzpuz/xsync/v3 v3.4.0 // indirect
+	github.com/redis/go-redis/v9 v9.7.0 // indirect
+	github.com/russellhaering/goxmldsig v1.4.0 // indirect
+	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/spf13/afero v1.10.0 // indirect
-	github.com/spf13/cast v1.5.1 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/cast v1.6.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.17.0 // indirect
+	github.com/spf13/viper v1.19.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/tmthrgd/go-hex v0.0.0-20190904060850-447a3041c3bc // indirect
-	github.com/ua-parser/uap-go v0.0.0-20230823213814-f77b3e91e9dc // indirect
+	github.com/ua-parser/uap-go v0.0.0-20241012191800-bbb40edc15aa // indirect
 	github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/yudai/gojsondiff v1.0.0 // indirect
 	github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0 // indirect
+	go.opentelemetry.io/otel v1.32.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.32.0 // indirect
+	go.opentelemetry.io/otel/metric v1.32.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.32.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.32.0 // indirect
+	go.opentelemetry.io/otel/trace v1.32.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.22.0 // indirect
-	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect
-	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/net v0.24.0 // indirect
-	golang.org/x/sys v0.19.0 // indirect
-	golang.org/x/term v0.19.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
-	golang.org/x/tools v0.15.0 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
+	golang.org/x/exp v0.0.0-20241210194714-1829a127f884 // indirect
+	golang.org/x/mod v0.22.0 // indirect
+	golang.org/x/net v0.32.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/term v0.27.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/tools v0.28.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect
+	google.golang.org/grpc v1.67.1 // indirect
+	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	mellium.im/sasl v0.3.1 // indirect
+	mellium.im/sasl v0.3.2 // indirect
 )