Fix: Vulnerability in golang.org/x/net/http2 & github.com/sirupsen/logrus

.github/workflows/build.yaml

@@ -22,9 +22,9 @@ jobs:
       - uses: actions/checkout@v3
       - uses: WillAbides/[email protected]
         with:
-          go-version: "1.17.7"
+          go-version: "1.23.2"
       - run: |
-          go install honnef.co/go/tools/cmd/staticcheck@2022.1.3
+          go install honnef.co/go/tools/cmd/staticcheck@2024.1.1
       - uses: extractions/setup-just@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

cmd/kube-mgmt/main.go

@@ -80,16 +80,16 @@ func main() {
 	rootCmd.Flags().BoolVarP(&params.opaAllowInsecure, "opa-allow-insecure", "", false, "allow insecure https connections to OPA")
 	rootCmd.Flags().StringVar(&params.logLevel, "log-level", "info", "set log level {debug, info, warn}")
 
-    // policy / data
-    rootCmd.Flags().BoolVarP(&params.enablePolicies, "enable-policies", "", true, "whether to automatically discover policies from labelled ConfigMaps")
-    rootCmd.Flags().StringVar(&params.policyLabel, "policy-label", "openpolicyagent.org/policy", "label name for filtering ConfigMaps with policies")
-    rootCmd.Flags().StringVar(&params.policyValue, "policy-value", "rego", "label value for filtering ConfigMaps with policies")
-    rootCmd.Flags().BoolVarP(&params.enableData, "enable-data", "", true, "whether to automatically discover data from labelled ConfigMaps")
-    rootCmd.Flags().StringVar(&params.dataLabel, "data-label", "openpolicyagent.org/data", "label name for filtering ConfigMaps with data")
-    rootCmd.Flags().StringVar(&params.dataValue, "data-value", "opa", "label value for filtering ConfigMaps with data")
+	// policy / data
+	rootCmd.Flags().BoolVarP(&params.enablePolicies, "enable-policies", "", true, "whether to automatically discover policies from labelled ConfigMaps")
+	rootCmd.Flags().StringVar(&params.policyLabel, "policy-label", "openpolicyagent.org/policy", "label name for filtering ConfigMaps with policies")
+	rootCmd.Flags().StringVar(&params.policyValue, "policy-value", "rego", "label value for filtering ConfigMaps with policies")
+	rootCmd.Flags().BoolVarP(&params.enableData, "enable-data", "", true, "whether to automatically discover data from labelled ConfigMaps")
+	rootCmd.Flags().StringVar(&params.dataLabel, "data-label", "openpolicyagent.org/data", "label name for filtering ConfigMaps with data")
+	rootCmd.Flags().StringVar(&params.dataValue, "data-value", "opa", "label value for filtering ConfigMaps with data")
 	rootCmd.Flags().StringSliceVarP(&params.namespaces, "namespaces", "", []string{""}, "namespaces to load policies and data from")
 
-    // replication
+	// replication
 	rootCmd.Flags().VarP(&params.replicateNamespace, "replicate", "", "replicate namespace-level resources")
 	rootCmd.Flags().VarP(&params.replicateCluster, "replicate-cluster", "", "replicate cluster-level resources")
 	rootCmd.Flags().StringVarP(&params.replicatePath, "replicate-path", "", "kubernetes", "set path to replicate data into")

go.mod

@@ -1,9 +1,9 @@
 module github.com/open-policy-agent/kube-mgmt
 
-go 1.17
+go 1.18
 
 require (
-	github.com/sirupsen/logrus v1.8.1
+	github.com/sirupsen/logrus v1.8.3
 	github.com/spf13/cobra v1.3.0
 	k8s.io/api v0.23.17
 	k8s.io/apimachinery v0.23.17
@@ -28,11 +28,11 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/net v0.23.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	golang.org/x/term v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/sys v0.26.0 // indirect
+	golang.org/x/term v0.25.0 // indirect
+	golang.org/x/text v0.19.0 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect

pkg/configmap/configmap.go

@@ -10,9 +10,9 @@ import (
 	"fmt"
 	"hash/fnv"
 	"sort"
+	"strconv"
 	"strings"
 	"time"
-	"strconv"
 
 	"github.com/open-policy-agent/kube-mgmt/pkg/opa"
 	"github.com/sirupsen/logrus"
@@ -31,8 +31,8 @@ import (
 )
 
 const (
- 	defaultRetries = 2
-	statusAnnotationKey = "openpolicyagent.org/kube-mgmt-status"
+	defaultRetries       = 2
+	statusAnnotationKey  = "openpolicyagent.org/kube-mgmt-status"
 	retriesAnnotationKey = "openpolicyagent.org/kube-mgmt-retries"
 	// Special namespace in Kubernetes federation that holds scheduling policies.
 	// commented because staticcheck: 'const kubeFederationSchedulingPolicy is unused (U1000)'
@@ -43,7 +43,7 @@ const (
 )
 
 // Label validator
-func CustomLabel(key, value string)  error {
+func CustomLabel(key, value string) error {
 	_, err := labels.NewRequirement(key, selection.Equals, []string{value})
 	if err != nil {
 		return err
@@ -135,7 +135,7 @@ func (s *Sync) Run(namespaces []string) (chan struct{}, error) {
 	}
 	quit := make(chan struct{})
 
- 	logrus.Infof("Policy/data ConfigMap processor connected to K8s: namespaces=%v", namespaces)
+	logrus.Infof("Policy/data ConfigMap processor connected to K8s: namespaces=%v", namespaces)
 	for _, namespace := range namespaces {
 		if namespace == "*" {
 			namespace = v1.NamespaceAll
@@ -162,19 +162,19 @@ func (s *Sync) Run(namespaces []string) (chan struct{}, error) {
 func (s *Sync) add(obj interface{}) {
 	cm := obj.(*v1.ConfigMap)
 	if match, isPolicy := s.matcher(cm); match {
- 		logrus.Debugf("OnAdd cm=%v/%v, isPolicy=%v", cm.Namespace, cm.Name, isPolicy)
+		logrus.Debugf("OnAdd cm=%v/%v, isPolicy=%v", cm.Namespace, cm.Name, isPolicy)
 		s.syncAdd(cm, isPolicy)
 	}
 }
 
 func (s *Sync) update(oldObj, obj interface{}) {
 	oldCm, cm := oldObj.(*v1.ConfigMap), obj.(*v1.ConfigMap)
 	if match, isPolicy := s.matcher(cm); match {
- 		logrus.Debugf("OnUpdate cm=%v/%v, isPolicy=%v, oldVer=%v, newVer=%v",
- 			cm.Namespace, cm.Name, isPolicy, oldCm.GetResourceVersion(), cm.GetResourceVersion())
+		logrus.Debugf("OnUpdate cm=%v/%v, isPolicy=%v, oldVer=%v, newVer=%v",
+			cm.Namespace, cm.Name, isPolicy, oldCm.GetResourceVersion(), cm.GetResourceVersion())
 		if cm.GetResourceVersion() != oldCm.GetResourceVersion() {
 			newFp, oldFp := fingerprint(cm), fingerprint(oldCm)
- 			rtrVal := cm.Annotations[retriesAnnotationKey]
+			rtrVal := cm.Annotations[retriesAnnotationKey]
 			logrus.Debugf("OnUpdate cm=%v/%v, retries=%v, oldFp=%v, newFp=%v", cm.Namespace, cm.Name, rtrVal, oldFp, newFp)
 			if newFp != oldFp || rtrVal != "0" {
 				s.syncAdd(cm, isPolicy)
@@ -194,7 +194,7 @@ func (s *Sync) delete(obj interface{}) {
 	}
 	cm := obj.(*v1.ConfigMap)
 	if match, isPolicy := s.matcher(cm); match {
- 		logrus.Debugf("OnDelete cm=%v/%v", cm.Namespace, cm.Name)
+		logrus.Debugf("OnDelete cm=%v/%v", cm.Namespace, cm.Name)
 		s.syncRemove(cm, isPolicy)
 	}
 }
@@ -215,7 +215,7 @@ func (s *Sync) syncAdd(cm *v1.ConfigMap, isPolicy bool) {
 		var err error
 		if isPolicy {
 			err = s.opa.InsertPolicy(id, []byte(value))
- 			logrus.Infof("Added policy %v, err=%v", id, err)
+			logrus.Infof("Added policy %v, err=%v", id, err)
 		} else {
 			// We don't need to know the JSON structure, just pass it
 			// directly to the OPA data store.
@@ -232,22 +232,22 @@ func (s *Sync) syncAdd(cm *v1.ConfigMap, isPolicy bool) {
 		}
 	}
 	if syncErr != nil {
- 		var retries int = 0
- 		if isPolicy {
- 			if rStr, ok := cm.Annotations[retriesAnnotationKey]; ok {
- 				r, err := strconv.Atoi(rStr)
- 				if err == nil && r > 0 {
- 		 	 	 	retries = r - 1
- 	 	 	 	 	logrus.Debugf("Adding policies error cm=%v, old retry=%v, new retry=%v", path, rStr, retries)
-                } else if err == nil && r == 0 {
- 		 	 	 	retries = defaultRetries
- 	 	 	 	 	logrus.Debugf("Adding policies error cm=%v, old retry=%v, new retry=%v", path, rStr, retries)
-                }
- 			} else {
- 				retries = defaultRetries
- 				logrus.Debugf("Adding policies error cm=%v, no retry annotation, new retry=%v", path, retries)
- 			}
- 		}
+		var retries int = 0
+		if isPolicy {
+			if rStr, ok := cm.Annotations[retriesAnnotationKey]; ok {
+				r, err := strconv.Atoi(rStr)
+				if err == nil && r > 0 {
+					retries = r - 1
+					logrus.Debugf("Adding policies error cm=%v, old retry=%v, new retry=%v", path, rStr, retries)
+				} else if err == nil && r == 0 {
+					retries = defaultRetries
+					logrus.Debugf("Adding policies error cm=%v, old retry=%v, new retry=%v", path, rStr, retries)
+				}
+			} else {
+				retries = defaultRetries
+				logrus.Debugf("Adding policies error cm=%v, no retry annotation, new retry=%v", path, retries)
+			}
+		}
 		s.setAnnotations(cm, status{
 			Status: "error",
 			Error:  syncErr,
@@ -260,7 +260,7 @@ func (s *Sync) syncAdd(cm *v1.ConfigMap, isPolicy bool) {
 }
 
 func (s *Sync) syncRemove(cm *v1.ConfigMap, isPolicy bool) {
- 	logrus.Debugf("Attempting to remove cm=%v/%v, isPolicy=%v", cm.Namespace, cm.Name, isPolicy)
+	logrus.Debugf("Attempting to remove cm=%v/%v, isPolicy=%v", cm.Namespace, cm.Name, isPolicy)
 	path := fmt.Sprintf("%v/%v", cm.Namespace, cm.Name)
 	for key := range cm.Data {
 		id := fmt.Sprintf("%v/%v", path, key)
@@ -286,7 +286,7 @@ func (s *Sync) setAnnotations(cm *v1.ConfigMap, st status, retries int) {
 	patch := map[string]interface{}{
 		"metadata": map[string]interface{}{
 			"annotations": map[string]interface{}{
-				statusAnnotationKey: string(bs),
+				statusAnnotationKey:  string(bs),
 				retriesAnnotationKey: strconv.Itoa(retries),
 			},
 		},
@@ -303,7 +303,7 @@ func (s *Sync) setAnnotations(cm *v1.ConfigMap, st status, retries int) {
 }
 
 func (s *Sync) syncReset(id string) {
- 	logrus.Debugf("Attempting to reset %v", id)
+	logrus.Debugf("Attempting to reset %v", id)
 	d := syncResetBackoffMin
 	for {
 		if err := s.opa.PutData("/", map[string]interface{}{}); err != nil {