Bump vendors to fix vulnerabilities (#534)

apache · Sep 12, 2024 · 70557d3 · 70557d3
1 parent 58422e3
commit 70557d3
Show file tree

Hide file tree

Showing 55 changed files with 1,117 additions and 741 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -25,7 +25,7 @@ on:
       timeout-minutes:
         required: false
         type: number
-        default: 30
+        default: 60
 
 jobs:
   test:

diff --git a/.golangci.yml b/.golangci.yml
@@ -29,7 +29,6 @@ linters:
     - exhaustive
     # TODO:// enable this lint
     # - exhaustruct
-    - exportloopref
     - gci
     - goconst
     - gocritic
@@ -88,7 +87,7 @@ linters-settings:
     sections:
       - standard
       - default
-      - prefix(github.com/apache/skywalking-banyandb/) 
+      - prefix(github.com/apache/skywalking-banyandb/)
   gocritic:
     enabled-checks:
       - appendCombine
@@ -116,6 +115,9 @@ linters-settings:
     #   toplevel     - for top level comments;
     #   all          - for all comments.
     scope: toplevel
+  gosec:
+    excludes:
+      - G115 # integer overflow conversion (TODO: verify these)
   staticcheck:
     checks: ["all", "-ST1000", "-ST1016", "-ST1020", "-ST1021", "-ST1022"]
   exhaustive:
@@ -129,7 +131,7 @@ linters-settings:
       - 'cobra\.Command$'
 
 run:
-  go: "1.22"
+  go: "1.23"
 issues:
   exclude-rules:
     - path: ".*\\.pb\\.go"

diff --git a/CHANGES.md b/CHANGES.md
@@ -63,6 +63,7 @@ Release Notes.
 - Push "skywalking-banyandb:<tag>-testing" image for e2e and stress test. This image contains bydbctl to do a health check.
 - Set etcd-client log level to "error" and etcd-server log level to "warn".
 - Push "skywalking-banyandb:<tag>-slim" image for the production environment. This image doesn't contain bydbctl and Web UI.
+- Bump go to 1.23.
 
 ## 0.6.1
 
@@ -122,6 +123,7 @@ Release Notes.
 - Bump all dependencies of Go and Node.
 - Combine banyand and bydbctl Dockerfile.
 - Update readme for bydbctl
+- Introduce the go vulnerability check to "pre-push" task.
 
 ## 0.5.0
 

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -41,7 +41,7 @@ Once we've discussed your changes and you've got your code ready, make sure that
 
 Users who want to build a binary from sources have to set up:
 
-* Go 1.22
+* Go 1.23
 * Node 20.12
 * Git >= 2.30
 * Linux, macOS or Windows + WSL2

diff --git a/Makefile b/Makefile
@@ -103,6 +103,11 @@ check-req: ## Check the requirements
 	@$(MAKE) -C scripts/ci/check test
 	@$(MAKE) -C ui check-version
 
+include scripts/build/vuln.mk
+
+vuln-check: $(GOVULNCHECK)
+	$(GOVULNCHECK) -show color,verbose ./...	
+
 check: ## Check that the status is consistent with CI
 	$(MAKE) license-check
 	$(MAKE) format
@@ -123,6 +128,7 @@ pre-push: ## Check source files before pushing to the remote repo
 	$(MAKE) lint
 	$(MAKE) license-dep
 	$(MAKE) check
+	$(MAKE) vuln-check
 
 ##@ License targets
 

diff --git a/api/proto/banyandb/property/v1/rpc.proto b/api/proto/banyandb/property/v1/rpc.proto
@@ -103,7 +103,7 @@ service PropertyService {
   rpc List(ListRequest) returns (ListResponse) {
     option (google.api.http) = {
       get: "/v1/property/lists/{container.group}/{container.name}/{ids}/{tags}"
-      additional_bindings {get: "/v1/property/lists/{container.group}"}
+      additional_bindings: {get: "/v1/property/lists/{container.group}"}
     };
   }
   rpc KeepAlive(KeepAliveRequest) returns (KeepAliveResponse) {

diff --git a/api/proto/buf.yaml b/api/proto/buf.yaml
@@ -24,7 +24,7 @@ deps:
   - buf.build/envoyproxy/protoc-gen-validate
 lint:
   use:
-    - DEFAULT
+    - STANDARD
 breaking:
   use:
-    - FILE
+    - FILE
diff --git a/banyand/metadata/schema/property.go b/banyand/metadata/schema/property.go
@@ -19,6 +19,7 @@ package schema
 
 import (
 	"context"
+	"math"
 	"path"
 	"time"
 
@@ -180,11 +181,27 @@ func (e *etcdSchemaRegistry) replaceProperty(ctx context.Context, key string, pr
 	if err != nil {
 		return false, 0, 0, err
 	}
-	return true, uint32(len(property.Tags)), leaseID, nil
+	var tagCount uint32
+	if tagCount, err = tagLen(property); err != nil {
+		return false, 0, 0, err
+	}
+	return true, tagCount, leaseID, nil
+}
+
+func tagLen(property *propertyv1.Property) (uint32, error) {
+	tagsCount := len(property.Tags)
+	if tagsCount < 0 || tagsCount > math.MaxUint32 {
+		return 0, errors.New("integer overflow: tags count exceeds uint32 range")
+	}
+	tagsNum := uint32(tagsCount)
+	return tagsNum, nil
 }
 
 func (e *etcdSchemaRegistry) mergeProperty(ctx context.Context, key string, property *propertyv1.Property, ttl int64) (bool, uint32, int64, error) {
-	tagsNum := uint32(len(property.Tags))
+	tagCount, err := tagLen(property)
+	if err != nil {
+		return false, 0, 0, err
+	}
 	existed, err := e.GetProperty(ctx, property.Metadata, nil)
 	if errors.Is(err, ErrGRPCResourceNotFound) {
 		return e.replaceProperty(ctx, key, property, ttl)
@@ -199,7 +216,7 @@ func (e *etcdSchemaRegistry) mergeProperty(ctx context.Context, key string, prop
 	}
 	merge := func(existed *propertyv1.Property) (*propertyv1.Property, error) {
 		tags := make([]*modelv1.Tag, 0)
-		for i := 0; i < int(tagsNum); i++ {
+		for i := 0; i < int(tagCount); i++ {
 			t := property.Tags[i]
 			tagExisted := false
 			for _, et := range existed.Tags {
@@ -262,7 +279,7 @@ func (e *etcdSchemaRegistry) mergeProperty(ctx context.Context, key string, prop
 	if prevLeaseID > 0 {
 		_, _ = e.client.Revoke(ctx, clientv3.LeaseID(prevLeaseID))
 	}
-	return false, tagsNum, leaseID, nil
+	return false, tagCount, leaseID, nil
 }
 
 func (e *etcdSchemaRegistry) grant(ctx context.Context, ttl int64) (int64, error) {

diff --git a/banyand/queue/pub/client.go b/banyand/queue/pub/client.go
@@ -124,7 +124,7 @@ func (p *pub) OnAddOrUpdate(md schema.Metadata) {
 	if _, ok := p.evictable[name]; ok {
 		return
 	}
-	conn, err := grpc.Dial(address, grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithDefaultServiceConfig(retryPolicy))
+	conn, err := grpc.NewClient(address, grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithDefaultServiceConfig(retryPolicy))
 	if err != nil {
 		p.log.Error().Err(err).Msg("failed to connect to grpc server")
 		return
@@ -248,7 +248,7 @@ func (p *pub) checkClientHealthAndReconnect(conn *grpc.ClientConn, md schema.Met
 		for {
 			select {
 			case <-time.After(backoff):
-				connEvict, errEvict := grpc.Dial(node.GrpcAddress, grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithDefaultServiceConfig(retryPolicy))
+				connEvict, errEvict := grpc.NewClient(node.GrpcAddress, grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithDefaultServiceConfig(retryPolicy))
 				if errEvict == nil && p.healthCheck(en.n, connEvict) {
 					func() {
 						p.mu.Lock()

diff --git a/banyand/queue/sub/server.go b/banyand/queue/sub/server.go
@@ -70,7 +70,7 @@ type server struct {
 	log       *logger.Logger
 	ser       *grpclib.Server
 	listeners map[bus.Topic]bus.MessageListener
-	*clusterv1.UnimplementedServiceServer
+	clusterv1.UnimplementedServiceServer
 	metrics        *metrics
 	clientCloser   context.CancelFunc
 	host           string

diff --git a/banyand/stream/benchmark_test.go b/banyand/stream/benchmark_test.go
@@ -105,8 +105,8 @@ func (dbs *databaseSupplier) SupplyTSDB() io.Closer {
 	return nil
 }
 
-func generateRandomNumber(max int64) int {
-	n, _ := rand.Int(rand.Reader, big.NewInt(max))
+func generateRandomNumber(maxValue int64) int {
+	n, _ := rand.Int(rand.Reader, big.NewInt(maxValue))
 	return int(n.Int64()) + 1
 }
 

diff --git a/bydbctl/internal/cmd/measure_test.go b/bydbctl/internal/cmd/measure_test.go
@@ -206,7 +206,7 @@ var _ = Describe("Measure Data Query", func() {
 	})
 
 	It("query all measure data", func() {
-		conn, err := grpclib.Dial(
+		conn, err := grpclib.NewClient(
 			grpcAddr,
 			grpclib.WithTransportCredentials(insecure.NewCredentials()),
 		)
@@ -242,7 +242,7 @@ tagProjection:
 	})
 
 	DescribeTable("query measure data with time range flags", func(timeArgs ...string) {
-		conn, err := grpclib.Dial(
+		conn, err := grpclib.NewClient(
 			grpcAddr,
 			grpclib.WithTransportCredentials(insecure.NewCredentials()),
 		)

diff --git a/bydbctl/internal/cmd/stream_test.go b/bydbctl/internal/cmd/stream_test.go
@@ -207,7 +207,7 @@ var _ = Describe("Stream Data Query", func() {
 	})
 
 	It("query stream all data", func() {
-		conn, err := grpclib.Dial(
+		conn, err := grpclib.NewClient(
 			grpcAddr,
 			grpclib.WithTransportCredentials(insecure.NewCredentials()),
 		)
@@ -243,7 +243,7 @@ projection:
 	})
 
 	DescribeTable("query stream data with time range flags", func(timeArgs ...string) {
-		conn, err := grpclib.Dial(
+		conn, err := grpclib.NewClient(
 			grpcAddr,
 			grpclib.WithTransportCredentials(insecure.NewCredentials()),
 		)