Merge pull request #66 from kumparan/hotfix/upgrade-go-net-dependenci…

…es-vulnerability hotfix: upgrade go version and dependencies to fix vulnerability issue
kumparan · Dec 19, 2024 · 941fe8d · 941fe8d
2 parents 1379b0b + a1bf4cb
commit 941fe8d
Show file tree

Hide file tree

Showing 11 changed files with 105 additions and 77 deletions.
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -12,12 +12,12 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.22
+        go-version: 1.23.4
 
     - name: Golangci-lint
       uses: golangci/golangci-lint-action@v6
       with:
-        version: v1.56.2
+        version: v1.62.2
         args: --print-issued-lines=false --exclude-use-default=false --enable=revive --enable=goimports --enable=unconvert --concurrency=2
 
     - name: Test

diff --git a/.golangci.yml b/.golangci.yml
@@ -13,7 +13,7 @@ run:
 
   # Include test files or not.
   # Default: true
-  tests: false
+  tests: true
 
   # List of build tags, all linters use it.
   # Default: [].
@@ -68,15 +68,34 @@ run:
 
 # output configuration options
 output:
-  # Format: colored-line-number|line-number|json|tab|checkstyle|code-climate|junit-xml|github-actions
-  #
-  # Multiple can be specified by separating them by comma, output can be provided
-  # for each of them by separating format name and path by colon symbol.
+  # The formats used to render issues.
+  # Formats:
+  # - `colored-line-number`
+  # - `line-number`
+  # - `json`
+  # - `colored-tab`
+  # - `tab`
+  # - `html`
+  # - `checkstyle`
+  # - `code-climate`
+  # - `junit-xml`
+  # - `junit-xml-extended`
+  # - `github-actions`
+  # - `teamcity`
+  # - `sarif`
   # Output path can be either `stdout`, `stderr` or path to the file to write to.
-  # Example: "checkstyle:report.json,colored-line-number"
   #
-  # Default: colored-line-number
-  format: colored-line-number
+  # For the CLI flag (`--out-format`), multiple formats can be specified by separating them by comma.
+  # The output can be specified for each of them by separating format name and path by colon symbol.
+  # Example: "--out-format=checkstyle:report.xml,json:stdout,colored-line-number"
+  # The CLI flag (`--out-format`) override the configuration file.
+  #
+  # Default:
+  #   formats:
+  #     - format: colored-line-number
+  #       path: stdout
+  formats:
+    - format: colored-line-number
 
   # Print lines of code with issue.
   # Default: true
@@ -117,8 +136,8 @@ linters:
     - typecheck
     - ineffassign
     - gosimple
-    - exhaustive
     - nilerr
+    - exhaustive
 
   # Enable all available linters.
   # Default: false
@@ -159,14 +178,9 @@ issues:
   # Default: https://golangci-lint.run/usage/false-positives/#default-exclusions
   exclude:
     - "should have a package comment"
+    - "G115"
   # Excluding configuration per-path, per-linter, per-text and per-source
   exclude-rules:
-    - text: "G404:" # Use of weak random number generator (math/rand instead of crypto/rand)"
-      linters:
-        - gosec
-    - text: "G109:" # Use of weak random number generator (math/rand instead of crypto/rand)"
-      linters:
-        - gosec
     # Exclude some linters from running on tests files.
     - path: _test\.go
       linters:
@@ -262,4 +276,4 @@ severity:
   rules:
     - linters:
         - dupl
-      severity: info
+      severity: info
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,9 +1,15 @@
 # go-utils
 
+<a name="v1.39.5"></a>
+## [v1.39.5] - 2024-12-19
+### Fixes
+- upgrade go version and dependencies to fix vulnerability issue
+
+
 <a name="v1.39.4"></a>
 ## [v1.39.4] - 2024-09-23
 ### Other Improvements
-- add log on status not ok
+- add log on status not ok ([#65](https://github.com/kumparan/go-utils/issues/65))
 
 
 <a name="v1.39.3"></a>
@@ -337,7 +343,8 @@
 - init go-utils
 
 
-[Unreleased]: https://github.com/kumparan/go-utils/compare/v1.39.4...HEAD
+[Unreleased]: https://github.com/kumparan/go-utils/compare/v1.39.5...HEAD
+[v1.39.5]: https://github.com/kumparan/go-utils/compare/v1.39.4...v1.39.5
 [v1.39.4]: https://github.com/kumparan/go-utils/compare/v1.39.3...v1.39.4
 [v1.39.3]: https://github.com/kumparan/go-utils/compare/v1.39.2...v1.39.3
 [v1.39.2]: https://github.com/kumparan/go-utils/compare/v1.39.1...v1.39.2

diff --git a/go.mod b/go.mod
@@ -1,13 +1,13 @@
 module github.com/kumparan/go-utils
 
-go 1.22
+go 1.23.4
 
 require (
 	github.com/99designs/gqlgen v0.17.49
 	github.com/agiledragon/gomonkey/v2 v2.12.0
-	github.com/getsentry/sentry-go v0.28.1
+	github.com/getsentry/sentry-go v0.30.0
 	github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8
-	github.com/gofrs/uuid/v5 v5.2.0
+	github.com/gofrs/uuid/v5 v5.3.0
 	github.com/goodsign/monday v1.0.2
 	github.com/graph-gophers/graphql-go v1.5.0
 	github.com/leekchan/accounting v1.0.0
@@ -17,8 +17,8 @@ require (
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.9.0
 	github.com/vektah/gqlparser/v2 v2.5.16
-	golang.org/x/text v0.16.0
-	google.golang.org/grpc v1.65.0
+	golang.org/x/text v0.21.0
+	google.golang.org/grpc v1.69.2
 	gopkg.in/guregu/null.v4 v4.0.0
 	gorm.io/gorm v1.22.4
 )
@@ -39,6 +39,6 @@ require (
 	github.com/oklog/ulid v1.3.1
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/net v0.26.0
-	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/net v0.33.0
+	golang.org/x/sys v0.28.0 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -11,17 +11,17 @@ github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMe
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/getsentry/sentry-go v0.28.1 h1:zzaSm/vHmGllRM6Tpx1492r0YDzauArdBfkJRtY6P5k=
-github.com/getsentry/sentry-go v0.28.1/go.mod h1:1fQZ+7l7eeJ3wYi82q5Hg8GqAPgefRq+FP/QhafYVgg=
+github.com/getsentry/sentry-go v0.30.0 h1:lWUwDnY7sKHaVIoZ9wYqRHJ5iEmoc0pqcRqFkosKzBo=
+github.com/getsentry/sentry-go v0.30.0/go.mod h1:WU9B9/1/sHDqeV8T+3VwwbjeR5MSXs/6aqG3mqZrezA=
 github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8 h1:DujepqpGd1hyOd7aW59XpK7Qymp8iy83xq74fLr21is=
 github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/gofrs/uuid/v5 v5.2.0 h1:qw1GMx6/y8vhVsx626ImfKMuS5CvJmhIKKtuyvfajMM=
-github.com/gofrs/uuid/v5 v5.2.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
+github.com/gofrs/uuid/v5 v5.3.0 h1:m0mUMr+oVYUdxpMLgSYCZiXe7PuVPnI94+OMeVBNedk=
+github.com/gofrs/uuid/v5 v5.3.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/goodsign/monday v1.0.2 h1:k8kRMkCRVfCTWOU4dRfRgneQsWlB1+mJd3MxG0lGLzQ=
 github.com/goodsign/monday v1.0.2/go.mod h1:r4T4breXpoFwspQNM+u2sLxJb2zyTaxVGqUfTBjWOu8=
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
@@ -80,19 +80,19 @@ go.opentelemetry.io/otel v1.6.3/go.mod h1:7BgNga5fNlF/iZjG06hM3yofffp0ofKCDwSXx1
 go.opentelemetry.io/otel/trace v1.6.3/go.mod h1:GNJQusJlUgZl9/TQBPKU/Y/ty+0iVB5fjhKeJGZPGFs=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc=
-google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ=
+google.golang.org/grpc v1.69.2 h1:U3S9QEtbXC0bYNvRtcoklF3xGtLViumSYxWykJS+7AU=
+google.golang.org/grpc v1.69.2/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/guregu/null.v4 v4.0.0 h1:1Wm3S1WEA2I26Kq+6vcW+w0gcDo44YKYD7YIEJNHDjg=

diff --git a/graphql.go b/graphql.go
@@ -39,16 +39,16 @@ func GraphQLIDPointerToInt64(id *graphql.ID) int64 {
 	return StringToInt64(string(*id))
 }
 
-// GraphQLIDToInt32 :nodoc:
+// GraphQLIDToInt32 Deprecated. Do not use.
 func GraphQLIDToInt32(id graphql.ID) int32 {
 	newID, err := strconv.Atoi(string(id))
 	if err != nil {
 		return int32(0)
 	}
-	return int32(newID)
+	return int32(newID) //nolint:gosec
 }
 
-// GraphQLIDPointerToInt32 :nodoc:
+// GraphQLIDPointerToInt32 Deprecated. Do not use.
 func GraphQLIDPointerToInt32(id *graphql.ID) int32 {
 	if id == nil {
 		return int32(0)
@@ -58,5 +58,5 @@ func GraphQLIDPointerToInt32(id *graphql.ID) int32 {
 	if err != nil {
 		return int32(0)
 	}
-	return int32(newID)
+	return int32(newID) //nolint:gosec
 }
diff --git a/integer.go b/integer.go
@@ -1,7 +1,8 @@
 package utils
 
 import (
-	"math/rand"
+	"crypto/rand"
+	"math/big"
 	"strconv"
 	"time"
 )
@@ -12,7 +13,7 @@ func Int64ToString(i int64) string {
 	return s
 }
 
-// Offset to get offset from page and limit, min value for page = 1
+// Offset to get offset from page and limit, minimum value for page = 1
 func Offset(page, limit int64) int64 {
 	offset := (page - 1) * limit
 	if offset < 0 {
@@ -23,7 +24,13 @@ func Offset(page, limit int64) int64 {
 
 // GenerateID based on current time
 func GenerateID() int64 {
-	return time.Now().UnixNano() + int64(rand.Intn(10000))
+	now := time.Now().UnixNano()
+	randomInt, err := rand.Int(rand.Reader, big.NewInt(10000))
+	if err != nil {
+		return now
+	}
+
+	return now + randomInt.Int64()
 }
 
 // Int32PointerToInt64 :nodoc:
@@ -78,14 +85,14 @@ func Int64WithLimit(input int64, limit int64) int64 {
 	return input
 }
 
-// Int64WithMinAndMaxLimit check input value. if bigger than max, then return max. if smaller than min, then return min. else return input.
-func Int64WithMinAndMaxLimit(input, min, max int64) int64 {
-	if input < min {
-		return min
+// Int64WithMinAndMaxLimit check input value. if bigger than maximum, then return maximum. if smaller than minimum, then return minimum. else return input.
+func Int64WithMinAndMaxLimit(input, minimum, maximum int64) int64 {
+	if input < minimum {
+		return minimum
 	}
 
-	if input > max {
-		return max
+	if input > maximum {
+		return maximum
 	}
 
 	return input

diff --git a/integer_test.go b/integer_test.go
@@ -66,14 +66,14 @@ func Test_Int64WithLimit(t *testing.T) {
 
 func Test_Int64WithMinAndMaxLimit(t *testing.T) {
 	var (
-		min int64 = 1
-		max int64 = 25
-		a   int64 = 5
-		b   int64
-		c   int64 = 26
+		minimum int64 = 1
+		maximum int64 = 25
+		a       int64 = 5
+		b       int64
+		c       int64 = 26
 	)
 
-	assert.Equal(t, a, Int64WithMinAndMaxLimit(a, min, max))
-	assert.Equal(t, min, Int64WithMinAndMaxLimit(b, min, max))
-	assert.Equal(t, max, Int64WithMinAndMaxLimit(c, min, max))
+	assert.Equal(t, a, Int64WithMinAndMaxLimit(a, minimum, maximum))
+	assert.Equal(t, minimum, Int64WithMinAndMaxLimit(b, minimum, maximum))
+	assert.Equal(t, maximum, Int64WithMinAndMaxLimit(c, minimum, maximum))
 }
diff --git a/time.go b/time.go
@@ -61,7 +61,7 @@ func Int64MillisToPointerTime(millis int64) *time.Time {
 
 // GenerateULIDFromTime :nodoc:
 func GenerateULIDFromTime(t time.Time) string {
-	entropy := ulid.Monotonic(rand.New(rand.NewSource(t.UnixNano())), 0)
+	entropy := ulid.Monotonic(rand.New(rand.NewSource(t.UnixNano())), 0) // nolint: gosec
 	return strings.ToLower(ulid.MustNew(ulid.Timestamp(t), entropy).String())
 }
 

diff --git a/xgqlgen/xgqlgen.go b/xgqlgen/xgqlgen.go
@@ -12,7 +12,7 @@ import (
 	"gorm.io/gorm"
 
 	"github.com/99designs/gqlgen/graphql"
-	"github.com/kumparan/go-utils"
+	utils "github.com/kumparan/go-utils"
 	"gopkg.in/guregu/null.v4"
 )
 
@@ -207,8 +207,8 @@ func MarshalNullString(i null.String) graphql.Marshaler {
 	})
 }
 
-// ConstraintSize directive to constrain field between min and max values. if field is above max, then directive returns max. if field is below min, then directive returns min. else return field.
-func ConstraintSize(ctx context.Context, obj interface{}, next graphql.Resolver, min int64, max int64, field *string) (interface{}, error) {
+// ConstraintSize directive to constrain field between minimun and maximum values. if field is above maximum, then directive returns maximum. if field is below minimun, then directive returns minimun. else return field.
+func ConstraintSize(ctx context.Context, obj interface{}, next graphql.Resolver, minimun int64, maximum int64, field *string) (interface{}, error) {
 	val, ok := obj.(map[string]interface{}) // safe check is valid map
 	if !ok {
 		return next(ctx) // skip if invalid
@@ -224,5 +224,5 @@ func ConstraintSize(ctx context.Context, obj interface{}, next graphql.Resolver,
 		return next(ctx) // skip if invalid
 	}
 
-	return utils.Int64WithMinAndMaxLimit(valInt, min, max), nil
+	return utils.Int64WithMinAndMaxLimit(valInt, minimun, maximum), nil
 }