search

corazawaf / coraza-caddy

OWASP Coraza middleware for Caddy. It provides Web Application Firewall capabilities
https://www.coraza.io/
Apache License 2.0
290 stars 35 forks source link

can't be built on Go 1.20 #90

Closed m-si closed 11 months ago

m-si commented 12 months ago

Describe the bug

a build of corazawaf/coraza-caddy fails due to old requirement in go.mod line 69 with error:

/go/pkg/mod/github.com/lucas-clemente/quic-go@v0.29.2/internal/qtls/go120.go:5:13: cannot use "The version of quic-go you're using can't be built on Go 1.20 yet. For more details, please see https://github.com/lucas-clemente/quic-go/wiki/quic-go-and-Go-versions." (untyped string constant "The version of quic-go you're using can't be built on Go 1.20 yet. F...) as int value in variable declaration

To Reproduce

Clone https://github.com/corazawaf/coraza-caddy and build:

git clone --depth 1 https://github.com/corazawaf/coraza-caddy
...
go build caddy/main.go

ideas

Two ideas to solve the issue

jcchavezs commented 12 months ago

is this a caddy dependency or a coraza dependency?

On Tue, 18 Jul 2023, 09:19 m-si, @.***> wrote:

Describe the bug

a build of corazawaf/coraza-caddy fails due to old requirement in go.mod line 69 with error:

@.***/internal/qtls/go120.go:5:13: cannot use "The version of quic-go you're using can't be built on Go 1.20 yet. For more details, please see https://github.com/lucas-clemente/quic-go/wiki/quic-go-and-Go-versions." (untyped string constant "The version of quic-go you're using can't be built on Go 1.20 yet. F...) as int value in variable declaration

To Reproduce

Clone https://github.com/corazawaf/coraza-caddy and build:

git clone --depth 1 https://github.com/corazawaf/coraza-caddy ... go build caddy/main.go

ideas

Two ideas to solve the issue

— Reply to this email directly, view it on GitHub https://github.com/corazawaf/coraza-caddy/issues/90, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAXOYARVKGH2UDIYNBVGLM3XQY2J7ANCNFSM6AAAAAA2N6ONGE . You are receiving this because you are subscribed to this thread.Message ID: @.***>

m-si commented 12 months ago

First of all , thank you for your fast response. As I am new to this, it's a bit difficult to find out for me. I can't find it in their go.mod of v2.6.4 and v2.7 so I guess it seems to be a corazza requierment, isn't it?

jcchavezs commented 12 months ago

It is a Caddy dependency https://github.com/caddyserver/caddy/blob/master/go.mod#L20, we might need to upgrade this repo to latest caddy and go 1.19 once a new release. Any idea on when go 1.20 is going to be supported @mholt?

Another option in the meantime is to try patching this repo, are you up to try that @m-si? In any case it isn't any good we are still in 1.18.

jptosso commented 12 months ago

I have tested caddy main and it works fine with go 1.20. We have to wait for the 2.7 release

jcchavezs commented 12 months ago

@jptosso could you add 1.19 and 1.20 to the CI and drop 1.18?

jcchavezs commented 12 months ago

Uhmm https://github.com/corazawaf/coraza-caddy/pull/91

On Tue, 18 Jul 2023, 11:31 Juan Pablo Tosso, @.***> wrote:

I have tested caddy main and it works fine with go 1.20

— Reply to this email directly, view it on GitHub https://github.com/corazawaf/coraza-caddy/issues/90#issuecomment-1639873891, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAXOYAWJY5TB2YMQWATQJBTXQZJWZANCNFSM6AAAAAA2N6ONGE . You are receiving this because you commented.Message ID: @.***>

m-si commented 12 months ago

@jcchavezs today I have no time, but I can try later this week. But to me, it looks even more promising to go with 1.19 or 1.20 as we need to do that anyway to keep up.

mholt commented 12 months ago

@jcchavezs To clarify, the latest Go is (almost?) always supported. We just have to support one prior Go release to please the Debian packaging gods. :man_shrugging:

Quic-Go isn't generally forward-compatible because it relies on a fork of crypto/tls (due to API limitations in that package, which are currently being addressed in partnership with the Go team) -- but it definitely supports Go 1.20.

M4tteoP commented 11 months ago

Since https://github.com/corazawaf/coraza-caddy/pull/96, we are building coraza-caddy in the CI with Go 1.20 and caddy is updated to v2.7.3, I think we can close this one