Sec-fixes (#598)

* update golang to 1.23 * code.gitea.io/sdk/gitea v0.17.1 => v0.19.0 * upgraded github.com/argoproj/argo-cd/v2 v2.10.0 => v2.13.1 * upgraded github.com/briandowns/spinner v1.23.0 => v1.23.1 * upgraded github.com/go-git/go-git/v5 v5.11.0 => v5.12.0 * upgraded github.com/ktrysmt/go-bitbucket v0.9.75 => v0.9.81 * upgraded github.com/spf13/cobra v1.8.0 => v1.8.1 * upgraded github.com/spf13/viper v1.18.2 => v1.19.0 * upgraded github.com/stretchr/testify v1.8.4 => v1.10.0 * upgraded github.com/xanzy/go-gitlab v0.97.0 => v0.114.0 * upgraded k8s.io/api v0.26.11 => v0.31.0 * upgraded k8s.io/apimachinery v0.26.11 => v0.31.0 * upgraded k8s.io/cli-runtime v0.26.11 => v0.31.0 * upgraded k8s.io/client-go v0.26.11 => v0.31.0 *upgraded k8s.io/kubectl v0.26.11 => v0.31.2 * upgraded sigs.k8s.io/kustomize/api v0.12.1 => v0.17.2 * upgraded sigs.k8s.io/kustomize/kyaml v0.13.9 => v0.17.1 * replaced github.com/ghodss/yaml v1.0.0 with sigs.k8s.io/yaml v1.4.0 --------- Signed-off-by: Noam Gal <[email protected]>
argoproj-labs · Nov 26, 2024 · 27048d7 · 27048d7
1 parent 98519df
commit 27048d7
Show file tree

Hide file tree

Showing 20 changed files with 668 additions and 1,908 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,7 @@
 ARG BASE_IMAGE=docker.io/library/ubuntu:22.04
 
 ### Base
-FROM $BASE_IMAGE as base
+FROM $BASE_IMAGE AS base
 
 USER root
 
@@ -25,7 +25,7 @@ USER 999
 WORKDIR /home/autopilot
 
 ### Build
-FROM docker.io/library/golang:1.22 as build
+FROM docker.io/library/golang:1.23 AS build
 
 WORKDIR /go/src/github.com/argoproj-labs/argocd-autopilot
 

diff --git a/Makefile b/Makefile
@@ -163,4 +163,4 @@ $(GOBIN)/mockgen:
 $(GOBIN)/golangci-lint:
 	@mkdir dist || true
 	@echo installing: golangci-lint
-	@curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOBIN) v1.55.2
+	@curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOBIN) v1.62.0
diff --git a/build/ci.yml b/build/ci.yml
@@ -19,7 +19,7 @@ steps:
   prepare_env_vars: &deps
     stage: Prepare
     title: prepare-env
-    image: quay.io/codefresh/golang-ci-helper:1.22
+    image: quay.io/codefresh/golang-ci-helper:1.23
     commands:
       - cf_export GO111MODULE=on
       - cf_export GOCACHE=/codefresh/volume/gocache # change gopath to codefresh shared volume
@@ -86,7 +86,7 @@ steps:
 
   codecov-report:
     stage: Test
-    type: codecov-reporter
+    type: codecov-reporter:2.1.0
     title: report code coverage
     arguments:
       codecov_integration: ${{CODECOV_INTEGRATION}}
@@ -119,18 +119,12 @@ steps:
       - SNYK_TOKEN=${{SNYK_TOKEN}}
       - LOCAL_IMAGE_REF=${{IMAGE_NAME}}:${{CF_BRANCH_TAG_NORMALIZED_LOWER_CASE}}
     commands:
-      - |
-        snyk test --severity-threshold=${{SNYK_SEVERITY_THRESHOLD}} || fail=1
-        snyk container test --severity-threshold=${{SNYK_SEVERITY_THRESHOLD}} --file=Dockerfile ${LOCAL_IMAGE_REF}
-        if [ "$fail" == "1" ]; then exit 1; fi
+      - snyk container test --severity-threshold=${{SNYK_SEVERITY_THRESHOLD}} --file=Dockerfile ${LOCAL_IMAGE_REF}
     when:
       steps:
         - name: build
           on:
             - success
-        - name: codegen
-          on:
-            - success
 
   push_dev:
     stage: Push Dev

diff --git a/build/release.yml b/build/release.yml
@@ -20,7 +20,7 @@ steps:
   check_version: &deps
     stage: Prepare
     title: check version
-    image: quay.io/codefresh/golang-ci-helper:1.22
+    image: quay.io/codefresh/golang-ci-helper:1.23
     commands:
     - cf_export GO111MODULE=on
     - cf_export GOCACHE=/codefresh/volume/gocache # change gopath to codefresh shared volume

diff --git a/build/sanity.yml b/build/sanity.yml
@@ -18,7 +18,7 @@ steps:
   prep: &deps
     stage: "prepare"
     title: "prepare env vars"
-    image: quay.io/codefresh/golang-ci-helper:1.22
+    image: quay.io/codefresh/golang-ci-helper:1.23
     commands:
     - cf_export GO111MODULE=on
     - cf_export NAMESPACE=${{KUBE_NAMESPACE}}-$(date "+%M-%S")

diff --git a/cmd/commands/app.go b/cmd/commands/app.go
@@ -476,7 +476,7 @@ func RunAppDelete(ctx context.Context, opts *AppDeleteOptions) error {
 	appDir := repofs.Join(store.Default.AppsDir, opts.AppName)
 	appExists := repofs.ExistsOrDie(appDir)
 	if !appExists {
-		return fmt.Errorf(util.Doc(fmt.Sprintf("application '%s' not found", opts.AppName)))
+		return errors.New(util.Doc(fmt.Sprintf("application '%s' not found", opts.AppName)))
 	}
 
 	var dirToRemove string
@@ -493,7 +493,7 @@ func RunAppDelete(ctx context.Context, opts *AppDeleteOptions) error {
 		appProjectDir := repofs.Join(appOverlaysDir, opts.ProjectName)
 		overlayExists := repofs.ExistsOrDie(appProjectDir)
 		if !overlayExists {
-			return fmt.Errorf(util.Doc(fmt.Sprintf("application '%s' not found in project '%s'", opts.AppName, opts.ProjectName)))
+			return errors.New(util.Doc(fmt.Sprintf("application '%s' not found in project '%s'", opts.AppName, opts.ProjectName)))
 		}
 
 		allOverlays, err := repofs.ReadDir(appOverlaysDir)

diff --git a/cmd/commands/common.go b/cmd/commands/common.go
@@ -3,6 +3,7 @@ package commands
 import (
 	"context"
 	_ "embed"
+	"errors"
 	"fmt"
 	"os"
 	"time"
@@ -16,8 +17,8 @@ import (
 	"github.com/argoproj-labs/argocd-autopilot/pkg/util"
 
 	argocdv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-	"github.com/ghodss/yaml"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
 )
 
 // used for mocking
@@ -63,7 +64,7 @@ var (
 		if projectName != "" {
 			projExists := repofs.ExistsOrDie(repofs.Join(store.Default.ProjectsDir, projectName+".yaml"))
 			if !projExists {
-				return nil, nil, fmt.Errorf(util.Doc(fmt.Sprintf("project '%[1]s' not found, please execute `<BIN> project create %[1]s`", projectName)))
+				return nil, nil, errors.New(util.Doc(fmt.Sprintf("project '%[1]s' not found, please execute `<BIN> project create %[1]s`", projectName)))
 			}
 		}
 

diff --git a/cmd/commands/project.go b/cmd/commands/project.go
@@ -20,11 +20,11 @@ import (
 	"github.com/argoproj-labs/argocd-autopilot/pkg/util"
 
 	argocdv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-	"github.com/ghodss/yaml"
 	"github.com/go-git/go-billy/v5/memfs"
 	billyUtils "github.com/go-git/go-billy/v5/util"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
 )
 
 type (
@@ -130,7 +130,7 @@ func NewProjectCreateCommand() *cobra.Command {
 	}
 
 	cmd.Flags().StringVar(&kubeServer, "dest-server", "", "The default destination kubernetes server for applications in this project")
-	cmd.Flags().StringVar(&kubeContext, "dest-kube-context", "", "The default destination kubernetes context for applications in this project (will be ignored if --dest-kube-server is supplied)")
+	cmd.Flags().StringVar(&kubeContext, "dest-kube-context", "", "The default destination kubernetes context for applications in this project (will be ignored if --dest-server is supplied)")
 	cmd.Flags().BoolVar(&dryRun, "dry-run", false, "If true, print manifests instead of applying them to the cluster (nothing will be commited to git)")
 	cmd.Flags().StringToStringVar(&labels, "labels", nil, "Optional labels that will be set on the Application resource. (e.g. \"app.kubernetes.io/managed-by={{ placeholder }}\"")
 	cmd.Flags().StringToStringVar(&annotations, "annotations", nil, "Optional annotations that will be set on the Application resource. (e.g. \"argocd.argoproj.io/sync-wave={{ placeholder }}\"")

diff --git a/cmd/commands/project_test.go b/cmd/commands/project_test.go
@@ -20,13 +20,12 @@ import (
 	"github.com/argoproj-labs/argocd-autopilot/pkg/util"
 
 	argocdv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-	"github.com/ghodss/yaml"
-	"github.com/golang/mock/gomock"
-
 	"github.com/go-git/go-billy/v5/memfs"
 	billyUtils "github.com/go-git/go-billy/v5/util"
+	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
 )
 
 func TestRunProjectCreate(t *testing.T) {
@@ -195,7 +194,7 @@ func Test_generateProjectManifests(t *testing.T) {
 				store.Default.LabelKeyAppName:      "{{ appName }}",
 			},
 			wantAnnotations: map[string]string{
-				"some-key":                         "some-value",
+				"some-key": "some-value",
 			},
 		},
 	}
@@ -277,7 +276,7 @@ func Test_getInstallationNamespace(t *testing.T) {
 				_ = billyUtils.WriteFile(repofs, filepath.Join(store.Default.BootsrtrapDir, store.Default.ArgoCDName+".yaml"), []byte("some string"), 0666)
 				return repofs
 			},
-			wantErr: "failed to unmarshal namespace: error unmarshaling JSON: json: cannot unmarshal string into Go value of type v1alpha1.Application",
+			wantErr: "failed to unmarshal namespace: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go value of type v1alpha1.Application",
 		},
 	}
 	for ttName, tt := range tests {

diff --git a/cmd/commands/repo.go b/cmd/commands/repo.go
@@ -24,14 +24,14 @@ import (
 	argocdcommon "github.com/argoproj/argo-cd/v2/common"
 	argocdv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	argocdsettings "github.com/argoproj/argo-cd/v2/util/settings"
-	"github.com/ghodss/yaml"
 	"github.com/go-git/go-billy/v5/memfs"
 	billyUtils "github.com/go-git/go-billy/v5/util"
 	"github.com/spf13/cobra"
 	v1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kusttypes "sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/yaml"
 )
 
 const (
@@ -757,13 +757,12 @@ func createBootstrapKustomization(namespace, appSpecifier string, cloneOpts *git
 		})
 	}
 
-	k.FixKustomizationPostUnmarshalling()
 	errs := k.EnforceFields()
 	if len(errs) > 0 {
 		return nil, fmt.Errorf("kustomization errors: %s", strings.Join(errs, "\n"))
 	}
 
-	return k, k.FixKustomizationPreMarshalling()
+	return k, nil
 }
 
 func createCreds(repoUrl string) ([]byte, error) {

diff --git a/cmd/commands/repo_test.go b/cmd/commands/repo_test.go
@@ -17,16 +17,15 @@ import (
 
 	argocdcommon "github.com/argoproj/argo-cd/v2/common"
 	argocdv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-	"github.com/ghodss/yaml"
+	"github.com/go-git/go-billy/v5/memfs"
+	billyUtils "github.com/go-git/go-billy/v5/util"
 	"github.com/golang/mock/gomock"
+	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes/fake"
 	kusttypes "sigs.k8s.io/kustomize/api/types"
-
-	"github.com/go-git/go-billy/v5/memfs"
-	billyUtils "github.com/go-git/go-billy/v5/util"
-	"github.com/stretchr/testify/assert"
+	"sigs.k8s.io/yaml"
 )
 
 func Test_setBootstrapOptsDefaults(t *testing.T) {

diff --git a/docs/commands/argocd-autopilot_project_create.md b/docs/commands/argocd-autopilot_project_create.md
@@ -31,8 +31,10 @@ argocd-autopilot project create [PROJECT] [flags]
 ```
       --annotation stringArray             Set metadata annotations (e.g. --annotation key=value)
       --annotations stringToString         Optional annotations that will be set on the Application resource. (e.g. "argocd.argoproj.io/sync-wave={{ placeholder }}" (default [])
+      --argocd-context string              The name of the Argo-CD server context to use
       --auth-token string                  Authentication token
       --aws-cluster-name string            AWS Cluster name if set then aws cli eks token command will be used to access cluster
+      --aws-profile string                 Optional AWS profile. If set then AWS IAM Authenticator uses this profile to perform cluster operations instead of the default AWS credential provider chain.
       --aws-role-arn string                Optional AWS role arn. If set then AWS IAM Authenticator assumes a role to perform cluster operations instead of the default AWS credential provider chain.
       --client-crt string                  Client certificate file
       --client-crt-key string              Client certificate key file
@@ -41,7 +43,7 @@ argocd-autopilot project create [PROJECT] [flags]
       --config string                      Path to Argo CD config (default "/home/user/.config/argocd/config")
       --controller-name string             Name of the Argo CD Application controller; set this or the ARGOCD_APPLICATION_CONTROLLER_NAME environment variable when the controller's name label differs from the default, for example when installing via the Helm chart (default "argocd-application-controller")
       --core                               If set to true then CLI talks directly to Kubernetes instead of talking to Argo CD API server
-      --dest-kube-context string           The default destination kubernetes context for applications in this project (will be ignored if --dest-kube-server is supplied)
+      --dest-kube-context string           The default destination kubernetes context for applications in this project (will be ignored if --dest-server is supplied)
       --dest-server string                 The default destination kubernetes server for applications in this project
       --dry-run                            If true, print manifests instead of applying them to the cluster (nothing will be commited to git)
       --exec-command string                Command to run to provide client credentials to the cluster. You may need to build a custom ArgoCD image to ensure the command is available at runtime.

diff --git a/docs/requirements.txt b/docs/requirements.txt
@@ -1,3 +1,6 @@
 mkdocs-material
 markdown_include
-pygments==2.15.0
+pygments==2.15.0
+
+urllib3>=2.2.2 # not directly required, pinned by Snyk to avoid a vulnerability
+requests>=2.32.0 # not directly required, pinned by Snyk to avoid a vulnerability