GoogleCloudPlatform / functions-framework-go

FaaS (Function as a service) framework for writing portable Go functions
https://godoc.org/github.com/GoogleCloudPlatform/functions-framework-go
Apache License 2.0
464 stars 63 forks source link

chore(deps): update module github.com/cloudevents/sdk-go/v2 to v2.15.2 [security] - autoclosed #237

Closed renovate-bot closed 3 months ago

renovate-bot commented 7 months ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/cloudevents/sdk-go/v2 v2.14.0 -> v2.15.2 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-28110

Impact

What kind of vulnerability is it? Who is impacted? Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.

The relevant code is here (also inline, emphasis added):

if p.Client == nil {
  p.Client = **http.DefaultClient**
}

if p.roundTripper != nil {
  p.Client.**Transport = p.roundTripper**
}

When the transport is populated with an authenticated transport such as:

... then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact!

Found and patched by: @​tcnghia and @​mattmoor

Patches

v.2.15.2


Release Notes

cloudevents/sdk-go (github.com/cloudevents/sdk-go/v2) ### [`v2.15.2`](https://togithub.com/cloudevents/sdk-go/releases/tag/v2.15.2) [Compare Source](https://togithub.com/cloudevents/sdk-go/compare/v2.15.1...v2.15.2) #### What's Changed - Patch for a potential security issue. See [CVE-2024-28110](TBD). - Note: this could be a breaking change for people if they purposely change golang's HTTP `DefaultClient`, or change the CloudEvents `Client` returned from `NewClient`, and expect those changes to be visible on other HTTP flows using those Clients. E.g. auth **Full Changelog**: https://github.com/cloudevents/sdk-go/compare/v2.15.1...v2.15.2 ### [`v2.15.1`](https://togithub.com/cloudevents/sdk-go/releases/tag/v2.15.1) [Compare Source](https://togithub.com/cloudevents/sdk-go/compare/v2.15.0...v2.15.1) #### What's Changed - Bump andstor/file-existence-action from 2 to 3 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/1009](https://togithub.com/cloudevents/sdk-go/pull/1009) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /test/conformance by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/993](https://togithub.com/cloudevents/sdk-go/pull/993) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /test/benchmark by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/994](https://togithub.com/cloudevents/sdk-go/pull/994) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /samples/kafka by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/995](https://togithub.com/cloudevents/sdk-go/pull/995) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /test/integration by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/996](https://togithub.com/cloudevents/sdk-go/pull/996) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /protocol/kafka_sarama/v2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/997](https://togithub.com/cloudevents/sdk-go/pull/997) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /samples/http by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/998](https://togithub.com/cloudevents/sdk-go/pull/998) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /samples/nats by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/999](https://togithub.com/cloudevents/sdk-go/pull/999) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /samples/stan by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/1004](https://togithub.com/cloudevents/sdk-go/pull/1004) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /samples/nats_jetstream by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/1003](https://togithub.com/cloudevents/sdk-go/pull/1003) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /protocol/nats/v2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/1002](https://togithub.com/cloudevents/sdk-go/pull/1002) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /protocol/nats_jetstream/v2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/1001](https://togithub.com/cloudevents/sdk-go/pull/1001) - Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /protocol/stan/v2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/1000](https://togithub.com/cloudevents/sdk-go/pull/1000) - Propose the `confluent-kafka-go` binding for Kafka by [@​yanmxa](https://togithub.com/yanmxa) in [https://github.com/cloudevents/sdk-go/pull/1008](https://togithub.com/cloudevents/sdk-go/pull/1008) - Sync CESQL tck tests by [@​Cali0707](https://togithub.com/Cali0707) in [https://github.com/cloudevents/sdk-go/pull/1010](https://togithub.com/cloudevents/sdk-go/pull/1010) - Fix docstring typos in nats and jetstream protocol by [@​jafossum](https://togithub.com/jafossum) in [https://github.com/cloudevents/sdk-go/pull/1013](https://togithub.com/cloudevents/sdk-go/pull/1013) - Bump golangci/golangci-lint-action from 3 to 4 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/1016](https://togithub.com/cloudevents/sdk-go/pull/1016) - Bump the bundler group across 1 directories with 1 update by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/cloudevents/sdk-go/pull/1011](https://togithub.com/cloudevents/sdk-go/pull/1011) - Remove vi swp file by [@​duglin](https://togithub.com/duglin) in [https://github.com/cloudevents/sdk-go/pull/1020](https://togithub.com/cloudevents/sdk-go/pull/1020) #### New Contributors - [@​Cali0707](https://togithub.com/Cali0707) made their first contribution in [https://github.com/cloudevents/sdk-go/pull/1010](https://togithub.com/cloudevents/sdk-go/pull/1010) - [@​jafossum](https://togithub.com/jafossum) made their first contribution in [https://github.com/cloudevents/sdk-go/pull/1013](https://togithub.com/cloudevents/sdk-go/pull/1013) **Full Changelog**: https://github.com/cloudevents/sdk-go/compare/v2.15.0...v2.15.1 ### [`v2.15.0`](https://togithub.com/cloudevents/sdk-go/releases/tag/v2.15.0) [Compare Source](https://togithub.com/cloudevents/sdk-go/compare/v2.14.0...v2.15.0) ### Highlights 💫 This release includes various updates and improvements such as README enhancements, dependency bumps, bug fixes, race condition resolutions, and protocol-related adjustments. Notable changes involve upgrading dependencies like grpc and go.opentelemetry, addressing race conditions, fixing Kafka test issues, and introducing new features like binary content mode for NATS and JetStream protocols. Additionally, there are governance documentation updates, link corrections, and improvements in error handling and documentation across different modules. ### Breaking 🚨 The Kafka Sarama protocol now uses the `"github.com/IBM/sarama"` Go module import path. ### Commits 📄 [`896e1d0`](https://togithub.com/cloudevents/sdk-go/commit/896e1d0) Update README.md [`75ec0f2`](https://togithub.com/cloudevents/sdk-go/commit/75ec0f2) Bump actions/setup-go from 4 to 5 [`41e80f7`](https://togithub.com/cloudevents/sdk-go/commit/41e80f7) fixed couple issues [`9ccd339`](https://togithub.com/cloudevents/sdk-go/commit/9ccd339) bugfix_value_type_of_dataschema [`c8cbca9`](https://togithub.com/cloudevents/sdk-go/commit/c8cbca9) adds unique package name for import [`f1bca09`](https://togithub.com/cloudevents/sdk-go/commit/f1bca09) relative .pb.go generation, go_package set to package name [`c20eef2`](https://togithub.com/cloudevents/sdk-go/commit/c20eef2) bump the pahao mqtt to v0.12 [`ed7be6b`](https://togithub.com/cloudevents/sdk-go/commit/ed7be6b) Add WithCustomAttributes for PubSub [`be31358`](https://togithub.com/cloudevents/sdk-go/commit/be31358) returning the error when doing a nack in the message [`ecead5c`](https://togithub.com/cloudevents/sdk-go/commit/ecead5c) Make a few comments a bit clearer [`57be3cd`](https://togithub.com/cloudevents/sdk-go/commit/57be3cd) Try to make sure the Receiver starts before we send events [`f5c7061`](https://togithub.com/cloudevents/sdk-go/commit/f5c7061) Try to fix race again - don't reuse clients for sender/receiver [`8bea925`](https://togithub.com/cloudevents/sdk-go/commit/8bea925) Bump google.golang.org/grpc from 1.56.1 to 1.56.3 in /samples/http [`fa6be00`](https://togithub.com/cloudevents/sdk-go/commit/fa6be00) Bump google.golang.org/grpc from 1.56.1 to 1.56.3 in /protocol/pubsub/v2 [`7e05ecd`](https://togithub.com/cloudevents/sdk-go/commit/7e05ecd) Bump google.golang.org/grpc from 1.56.1 to 1.56.3 in /samples/pubsub [`13825ba`](https://togithub.com/cloudevents/sdk-go/commit/13825ba) Sleep less to avoid timeouts [`3162d69`](https://togithub.com/cloudevents/sdk-go/commit/3162d69) Bump github.com/nats-io/nats-server/v2 in /protocol/stan/v2 [`ec8b0f9`](https://togithub.com/cloudevents/sdk-go/commit/ec8b0f9) deps: update nats dependencies [`dae9f6c`](https://togithub.com/cloudevents/sdk-go/commit/dae9f6c) Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp [`1d6360b`](https://togithub.com/cloudevents/sdk-go/commit/1d6360b) Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp [`06658a2`](https://togithub.com/cloudevents/sdk-go/commit/06658a2) Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp [`7c1a3b1`](https://togithub.com/cloudevents/sdk-go/commit/7c1a3b1) fix race [`6f5984b`](https://togithub.com/cloudevents/sdk-go/commit/6f5984b) Move to go 1.18 Had to run gofmt and fix some weird typos due to tabs in the comments [`0a006bb`](https://togithub.com/cloudevents/sdk-go/commit/0a006bb) Fix race condition in kafka tests [`510b002`](https://togithub.com/cloudevents/sdk-go/commit/510b002) issue 814 - Add binary content mode for NATS and JetStream protocols [`ac3d30c`](https://togithub.com/cloudevents/sdk-go/commit/ac3d30c) add link to our security mailing list [`9405398`](https://togithub.com/cloudevents/sdk-go/commit/9405398) Bump golang.org/x/net in /observability/opencensus/v2 [`3cbfae0`](https://togithub.com/cloudevents/sdk-go/commit/3cbfae0) Bump golang.org/x/net from 0.9.0 to 0.17.0 in /protocol/pubsub/v2 [`65eb52e`](https://togithub.com/cloudevents/sdk-go/commit/65eb52e) Bump golang.org/x/net from 0.12.0 to 0.17.0 in /protocol/kafka_sarama/v2 [`d25d6e4`](https://togithub.com/cloudevents/sdk-go/commit/d25d6e4) Bump golang.org/x/net from 0.9.0 to 0.17.0 in /samples/pubsub [`e4653a8`](https://togithub.com/cloudevents/sdk-go/commit/e4653a8) Bump golang.org/x/net from 0.12.0 to 0.17.0 in /test/conformance [`6ed9f79`](https://togithub.com/cloudevents/sdk-go/commit/6ed9f79) Bump golang.org/x/net from 0.9.0 to 0.17.0 in /samples/http [`6a3393c`](https://togithub.com/cloudevents/sdk-go/commit/6a3393c) Bump golang.org/x/net from 0.7.0 to 0.17.0 in /test/benchmark [`806ef35`](https://togithub.com/cloudevents/sdk-go/commit/806ef35) Bump golang.org/x/net from 0.12.0 to 0.17.0 in /samples/kafka [`de13f1b`](https://togithub.com/cloudevents/sdk-go/commit/de13f1b) Bump golang.org/x/net from 0.12.0 to 0.17.0 in /test/integration [`3eefeb1`](https://togithub.com/cloudevents/sdk-go/commit/3eefeb1) Governance docs per CE PR 1226 [`1bcaa28`](https://togithub.com/cloudevents/sdk-go/commit/1bcaa28) Update links to cloudevents spec [`6aa2742`](https://togithub.com/cloudevents/sdk-go/commit/6aa2742) context.Done() may never reach if waiting on r.incoming <- msgErr [`4bcddda`](https://togithub.com/cloudevents/sdk-go/commit/4bcddda) move it to write message [`d06aea7`](https://togithub.com/cloudevents/sdk-go/commit/d06aea7) clean the the previous properties [`0cc4fba`](https://togithub.com/cloudevents/sdk-go/commit/0cc4fba) Bump actions/checkout from 3 to 4 [`f1c0d0a`](https://togithub.com/cloudevents/sdk-go/commit/f1c0d0a) change denpendency sarama from Shopify to IBM [`f84be73`](https://togithub.com/cloudevents/sdk-go/commit/f84be73) Updated based on feedback [`310da90`](https://togithub.com/cloudevents/sdk-go/commit/310da90) Support ACK when receiving malformed events [`808bf38`](https://togithub.com/cloudevents/sdk-go/commit/808bf38) provide the qos and retain configuration for mqtt protocol [`e085f1a`](https://togithub.com/cloudevents/sdk-go/commit/e085f1a) correct the doc links [`766b88e`](https://togithub.com/cloudevents/sdk-go/commit/766b88e) remove the usage of deprecated io/ioutil package [`e15d03d`](https://togithub.com/cloudevents/sdk-go/commit/e15d03d) add assertion helper for extension keys ([#​920](https://togithub.com/cloudevents/sdk-go/issues/920)) [`c1482af`](https://togithub.com/cloudevents/sdk-go/commit/c1482af) append mqtt to the doc of protocol binding ([#​919](https://togithub.com/cloudevents/sdk-go/issues/919)) [`ff22db5`](https://togithub.com/cloudevents/sdk-go/commit/ff22db5) Bump andstor/file-existence-action from 1 to 2 ([#​917](https://togithub.com/cloudevents/sdk-go/issues/917)) [`bf156f1`](https://togithub.com/cloudevents/sdk-go/commit/bf156f1) call finish on unused messages; tidy retry logic [`fdcb2d2`](https://togithub.com/cloudevents/sdk-go/commit/fdcb2d2) mqtt protocol binding ([#​910](https://togithub.com/cloudevents/sdk-go/issues/910)) [`f681ac6`](https://togithub.com/cloudevents/sdk-go/commit/f681ac6) Bump grpc dependencies and workflow versions ([#​914](https://togithub.com/cloudevents/sdk-go/issues/914)) [`c684ae9`](https://togithub.com/cloudevents/sdk-go/commit/c684ae9) vote to add embano1 as a maintainer [`50b18a0`](https://togithub.com/cloudevents/sdk-go/commit/50b18a0) Bump golang.org/x/crypto in /samples/http ([#​902](https://togithub.com/cloudevents/sdk-go/issues/902)) [`5232986`](https://togithub.com/cloudevents/sdk-go/commit/5232986) http: Fixes for Gin http receiver sample ([#​905](https://togithub.com/cloudevents/sdk-go/issues/905)) [`9970acc`](https://togithub.com/cloudevents/sdk-go/commit/9970acc) Added a Gin http receiver sample ([#​842](https://togithub.com/cloudevents/sdk-go/issues/842)) [`b7a65db`](https://togithub.com/cloudevents/sdk-go/commit/b7a65db) add kafka topic/partition/offset to the extension of event ([#​896](https://togithub.com/cloudevents/sdk-go/issues/896)) [`bc9170f`](https://togithub.com/cloudevents/sdk-go/commit/bc9170f) Short-circuit AND expressions ([#​899](https://togithub.com/cloudevents/sdk-go/issues/899)) [`eae656f`](https://togithub.com/cloudevents/sdk-go/commit/eae656f) Bump nokogiri from 1.14.2 to 1.14.3 in /docs ([#​891](https://togithub.com/cloudevents/sdk-go/issues/891)) [`ff0a142`](https://togithub.com/cloudevents/sdk-go/commit/ff0a142) fix: Fixing syntax errors and add some test feedback ([#​892](https://togithub.com/cloudevents/sdk-go/issues/892)) [`55e5dba`](https://togithub.com/cloudevents/sdk-go/commit/55e5dba) Update RELEASING to be more explicit

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

jasonneurohr-stake commented 5 months ago

@janell-chen Any ETA on sorting this out?

jrmfg commented 5 months ago

hi @jasonneurohr-stake - sorry for the delay - i'd love to push this along but it looks like the new version depends on io.NopCloser, which was added in go 1.16 - so this breaks go 1.13. i'll work on a path forward.