Upgrade Go to 1.22 and various other libraries to address vulnerabilities (#48)

Author: dmcwhorter-ddl

.circleci/config.yml

@@ -12,11 +12,11 @@ parameters:
 jobs:
   build-and-push:
     docker:
-     - image: cimg/base:2022.12@sha256:dc4d22de8262c8d50f86987ba49d5d122cfec6b7c7443e181e70cc2314486e12
+     - image: cimg/base:2024.07
     resource_class: medium
     steps:
       - go/install:
-          version: "1.20"
+          version: "1.22.5"
       - run:
           name: "Install kustomize"
           command: |
@@ -27,7 +27,7 @@ jobs:
             $SUDO chmod +x ./kustomize
             $SUDO mv ./kustomize /usr/local/bin
       - setup_remote_docker:
-          version: 20.10.14
+          version: docker24
       - checkout
       - run:
           name: "Docker login"
@@ -42,22 +42,22 @@ jobs:
 
   test:
     machine:
-      image: ubuntu-2004:current
+      image: ubuntu-2404:current
     environment:
       KUBECONFIG: "/etc/rancher/k3s/k3s.yaml"
-      KUSTOMIZE_VERSION: "v4.3.0"
+      KUSTOMIZE_VERSION: "v4.5.7"
       K3S_KUBECONFIG_MODE: "644"
     resource_class: large
     steps:
       - attach_workspace:
           at: ~/
       - checkout
       - helm/install-helm-client:
-          version: v3.13.1
+          version: v3.15.3
       - run:
           name: Install and Launch Kubernetes
           command: |
-            curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.28.3+k3s1 sh -x -
+            curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.28.11+k3s2 sh -x -
             sleep 10
             kubectl wait --for=condition=Available --timeout=60s deployments --all -n kube-system
       - run:

core-builder/Dockerfile

@@ -91,8 +91,8 @@ RUN apt-get remove -y --auto-remove \
 
 # INSTALL GO
 ENV PATH /usr/local/go/bin:$PATH
-RUN wget https://dl.google.com/go/go1.20.10.linux-amd64.tar.gz && \
-        tar -zxvf go1.20.10.linux-amd64.tar.gz && \
+RUN wget https://dl.google.com/go/go1.22.5.linux-amd64.tar.gz && \
+        tar -zxvf go1.22.5.linux-amd64.tar.gz && \
         mv go/ /usr/local/go
 
 # Install kubebuilder (using github link)

executor/Dockerfile.executor

@@ -1,6 +1,6 @@
 # Build the manager binary
-# 1.20-bookworm image points to the latest go 1.20.x
-FROM golang:1.20-bookworm as builder
+# 1.22-bookworm image points to the latest go 1.22.x
+FROM golang:1.22-bookworm as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests

executor/api/rabbitmq/consumer_test.go

@@ -29,7 +29,6 @@ func TestConsume(t *testing.T) {
 		},
 	}
 	seldonMessageEnc, _ := proto2.Marshal(&seldonMessage)
-	seldonMessage.XXX_sizecache = 0 // to make test cases match
 
 	t.Run("success", func(t *testing.T) {
 		mockChan := &mockChannel{}
@@ -53,18 +52,18 @@ func TestConsume(t *testing.T) {
 		}
 
 		payloadHandler := func(pl *SeldonPayloadWithHeaders) error {
-			assert.Equal(
+			assert.NotNil(t, pl)
+			assertSeldonPayloadWithHeadersEqual(
 				t,
-				&SeldonPayloadWithHeaders{
+				SeldonPayloadWithHeaders{
 					&payload.BytesPayload{
 						Msg:             []byte(`"hello"`),
 						ContentType:     rest.ContentTypeJSON,
 						ContentEncoding: "",
 					},
 					make(map[string][]string),
 				},
-				pl,
-				"payloads not equal",
+				*pl,
 			)
 			return nil
 		}
@@ -137,16 +136,16 @@ func TestConsume(t *testing.T) {
 		}
 
 		payloadHandler := func(pl *SeldonPayloadWithHeaders) error {
-			assert.Equal(
+			assert.NotNil(t, pl)
+			assertSeldonPayloadWithHeadersEqual(
 				t,
-				&SeldonPayloadWithHeaders{
+				SeldonPayloadWithHeaders{
 					&payload.ProtoPayload{
 						Msg: &seldonMessage,
 					},
 					make(map[string][]string),
 				},
-				pl,
-				"payloads not equal",
+				*pl,
 			)
 			return nil
 		}
@@ -171,3 +170,13 @@ func createTestDelivery(ack amqp.Acknowledger, body []byte, contentType string)
 		ContentEncoding: "",
 	}
 }
+
+func assertSeldonPayloadWithHeadersEqual(t *testing.T, expected SeldonPayloadWithHeaders, actual SeldonPayloadWithHeaders) {
+	expectedBytes, expectedErr := expected.GetBytes()
+	actualBytes, actualErr := actual.GetBytes()
+	assert.Equal(t, expectedErr, actualErr)
+	assert.Equal(t, expectedBytes, actualBytes)
+	assert.Equal(t, expected.GetContentType(), actual.GetContentType())
+	assert.Equal(t, expected.GetContentEncoding(), actual.GetContentEncoding())
+	assert.Equal(t, expected.Headers, actual.Headers)
+}

executor/api/rabbitmq/utils_test.go

@@ -59,7 +59,6 @@ func TestDeliveryToPayload(t *testing.T) {
 		},
 	}
 	protoMessageEnc, _ := proto2.Marshal(protoMessage)
-	protoMessage.XXX_sizecache = 0 // to make test cases match
 	testDeliveryProto := amqp.Delivery{
 		Body:            protoMessageEnc,
 		ContentType:     payload.APPLICATION_TYPE_PROTOBUF,
@@ -70,7 +69,7 @@ func TestDeliveryToPayload(t *testing.T) {
 		pl, err := DeliveryToPayload(testDeliveryProto)
 
 		assert.NoError(t, err)
-		assert.Equal(t, protoMessage, pl.GetPayload())
+		assertSeldonMessageEqual(t, *protoMessage, pl.GetPayload())
 	})
 
 	t.Run("rest payload", func(t *testing.T) {
@@ -83,7 +82,7 @@ func TestDeliveryToPayload(t *testing.T) {
 		err = jsonpb.UnmarshalString(string(pl.GetPayload().([]byte)), body)
 
 		assert.NoError(t, err)
-		assert.Equal(t, protoMessage, body)
+		assertSeldonMessageEqual(t, *protoMessage, body)
 	})
 }
 
@@ -312,3 +311,14 @@ func TestUpdatePayloadWithPuid(t *testing.T) {
 		assert.Equal(t, oldPayload, updatedPayload)
 	})
 }
+
+func assertSeldonMessageEqual(t *testing.T, expected proto.SeldonMessage, actual interface{}) {
+	assert.IsType(t, &proto.SeldonMessage{}, actual)
+	actualMessage := actual.(*proto.SeldonMessage)
+	assert.Equal(t, expected.Meta, actualMessage.Meta)
+	assert.Equal(t, expected.DataOneof, actualMessage.DataOneof)
+	assert.Equal(t, expected.Status.Status, actualMessage.Status.Status)
+	assert.Equal(t, expected.Status.Info, actualMessage.Status.Info)
+	assert.Equal(t, expected.Status.Code, actualMessage.Status.Code)
+	assert.Equal(t, expected.Status.Reason, actualMessage.Status.Reason)
+}

executor/go.mod

@@ -1,97 +1,93 @@
 module github.com/seldonio/seldon-core/executor
 
-go 1.20
+go 1.22
 
 require (
 	github.com/cloudevents/sdk-go v1.2.0
 	github.com/confluentinc/confluent-kafka-go v1.8.2
 	github.com/ghodss/yaml v1.0.0
-	github.com/go-logr/logr v1.2.3
-	github.com/golang/protobuf v1.5.3
-	github.com/google/uuid v1.3.0
+	github.com/go-logr/logr v1.3.0
+	github.com/golang/protobuf v1.5.4
+	github.com/google/uuid v1.6.0
 	github.com/gorilla/mux v1.8.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
-	github.com/onsi/gomega v1.19.0
+	github.com/onsi/gomega v1.29.0
 	github.com/opentracing/opentracing-go v1.2.0
 	github.com/pkg/errors v0.9.1
-	github.com/prometheus/client_golang v1.12.1
-	github.com/prometheus/common v0.34.0
+	github.com/prometheus/client_golang v1.16.0
+	github.com/prometheus/common v0.44.0
 	github.com/rabbitmq/amqp091-go v1.3.4
 	github.com/seldonio/seldon-core/operator v0.0.0-00010101000000-000000000000
-	github.com/stretchr/testify v1.8.0
+	github.com/stretchr/testify v1.8.4
 	github.com/tensorflow/tensorflow/tensorflow/go/core v0.0.0-00010101000000-000000000000
 	github.com/uber/jaeger-client-go v2.25.0+incompatible
 	go.uber.org/automaxprocs v1.4.0
-	go.uber.org/zap v1.19.1
-	golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f
-	google.golang.org/grpc v1.56.3
-	google.golang.org/protobuf v1.30.0
+	go.uber.org/zap v1.25.0
+	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
+	google.golang.org/grpc v1.63.3
+	google.golang.org/protobuf v1.34.2
 	gotest.tools v2.2.0+incompatible
-	k8s.io/api v0.25.0
-	sigs.k8s.io/controller-runtime v0.12.2
+	k8s.io/api v0.27.16
+	sigs.k8s.io/controller-runtime v0.15.3
 )
 
 require (
-	github.com/PuerkitoBio/purell v1.1.1 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/codahale/hdrhistogram v0.0.0-00010101000000-000000000000 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emicklei/go-restful v2.15.0+incompatible // indirect
 	github.com/emicklei/go-restful/v3 v3.10.0 // indirect
-	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
-	github.com/fsnotify/fsnotify v1.5.1 // indirect
-	github.com/go-logr/zapr v1.2.0 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.19.6 // indirect
-	github.com/go-openapi/swag v0.21.1 // indirect
+	github.com/fsnotify/fsnotify v1.6.0 // indirect
+	github.com/go-logr/zapr v1.2.4 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.1 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/josharian/intern v1.0.1-0.20211109044230-42b52b674af5 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kedacore/keda/v2 v2.7.1 // indirect
 	github.com/lightstep/tracecontext.go v0.0.0-20181129014701-1757c391b1ac // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/prometheus/client_model v0.4.0 // indirect
+	github.com/prometheus/procfs v0.10.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/objx v0.4.0 // indirect
+	github.com/stretchr/objx v0.5.0 // indirect
 	github.com/uber/jaeger-lib v2.2.0+incompatible // indirect
 	go.opencensus.io v0.23.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
-	go.uber.org/multierr v1.6.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/oauth2 v0.7.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	golang.org/x/term v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
-	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
+	go.uber.org/multierr v1.10.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/oauth2 v0.17.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/term v0.21.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.24.2 // indirect
-	k8s.io/apimachinery v0.25.0 // indirect
-	k8s.io/client-go v0.25.0 // indirect
-	k8s.io/component-base v0.24.2 // indirect
-	k8s.io/klog/v2 v2.70.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
-	k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect
+	k8s.io/apiextensions-apiserver v0.27.16 // indirect
+	k8s.io/apimachinery v0.27.16 // indirect
+	k8s.io/client-go v0.27.16 // indirect
+	k8s.io/component-base v0.27.16 // indirect
+	k8s.io/klog/v2 v2.90.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
+	k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect
 	knative.dev/pkg v0.0.0-20220502225657-4fced0164c9a // indirect
-	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )