Fix(build): Update Go, base images, and dependencies to fix CVEs

- Upgrades Go build version to 1.24-bookworm.
- Updates Ubuntu image to 22.04 and pins all base image digests.
- Updates Go modules to patched versions based on grype scans.
- Configures FIPS mode for the boring build.
- Updated build.yaml

This resolves OS and Go vulnerabilities reported in b/386210486.

Fixes: b/386210486

Author: Lavanya-Polipalli

.github/workflows/build.yaml

@@ -25,10 +25,10 @@ jobs:
     steps:
       - 
         name: Check out code
-        uses: actions/checkout@v1
+        uses: actions/checkout@v4
       - 
         name: Reviewdog Lint
-        uses: reviewdog/action-golangci-lint@v1
+        uses: reviewdog/action-golangci-lint@v2
         with:
           reporter: github-check
 
@@ -38,17 +38,17 @@ jobs:
     steps:
       - 
         name: Check out code
-        uses: actions/checkout@v1
+        uses: actions/checkout@v4
       -
         name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.16
+          go-version: 1.24
       - 
         name: Run Unit tests
         run: go test -coverprofile=coverage.txt ./...
       - 
         name: Upload Coverage report to CodeCov
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@v4
         with:
           file: ./coverage.txt

.github/workflows/docker.yaml

@@ -24,7 +24,7 @@ jobs:
     name: Build Default Docker image
     runs-on: ubuntu-latest
     steps:
-      - 
+      -
         name: Check out code
         uses: actions/checkout@v2
       -
@@ -54,20 +54,26 @@ jobs:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       -
-        name: Scratch image
+        name: Default image
         uses: docker/build-push-action@v2
         with:
           context: .
           file: ./Dockerfile
           push: true
           tags: ${{ steps.prep.outputs.tags }}
-          build-args: LDFLAGS=-s -w -X main.version=${{ steps.prep.outputs.version }} -X main.commit=${{ github.SHA }} -X main.date=${{ steps.prep.outputs.created }}
+          build-args: |
+            BUILD_CONTAINER=golang:1.24-bookworm@sha256:1a6d4452c65dea36aac2e2d606b01b4a029ec90cc1ae53890540ce6173ea77ac
+            RUN_CONTAINER=gcr.io/distroless/static-debian12@sha256:cd64bec9cec257044ce3a8dd3620cf83b387920100332f2b041f19c4d2febf93
+            CGO_ENABLED=0
+            GODEBUG=""
+            GO_TAGS=netgo,osusergo
+            LDFLAGS=-s -w -X main.version=${{ steps.prep.outputs.version }} -X main.commit=${{ github.SHA }} -X main.date=${{ steps.prep.outputs.created }}
 
   ubuntu:
     name: Build Ubuntu Docker image
     runs-on: ubuntu-latest
     steps:
-      - 
+      -
         name: Check out code
         uses: actions/checkout@v2
       -
@@ -105,14 +111,18 @@ jobs:
           push: true
           tags: ${{ steps.prep.outputs.tags }}
           build-args: |
-            RUN_CONTAINER=ubuntu:xenial
+            BUILD_CONTAINER=golang:1.24-bookworm@sha256:1a6d4452c65dea36aac2e2d606b01b4a029ec90cc1ae53890540ce6173ea77ac
+            RUN_CONTAINER=ubuntu:22.04@sha256:c7eb020043d8fc2ae0793fb35a37bff1cf33f156d4d4b12ccc7f3ef8706c38b1
+            CGO_ENABLED=0
+            GODEBUG=""
+            GO_TAGS=""
             LDFLAGS=-s -w -X main.version=${{ steps.prep.outputs.version }} -X main.commit=${{ github.SHA }} -X main.date=${{ steps.prep.outputs.created }}
 
   boring:
     name: Build Boring Crypto Docker image
     runs-on: ubuntu-latest
     steps:
-      - 
+      -
         name: Check out code
         uses: actions/checkout@v2
       -
@@ -150,7 +160,10 @@ jobs:
           push: true
           tags: ${{ steps.prep.outputs.tags }}
           build-args: |
-            BUILD_CONTAINER=goboring/golang:1.16.1b7
-            RUN_CONTAINER=gcr.io/distroless/base
+            BUILD_CONTAINER=golang:1.24-bookworm@sha256:1a6d4452c65dea36aac2e2d606b01b4a029ec90cc1ae53890540ce6173ea77ac
+            RUN_CONTAINER=gcr.io/distroless/base-nossl-debian12@sha256:c0d97a3f0d6ad7d75c6494e3d6da54f09a961b80d755f0a09c7328f5a8edee5e
             CGO_ENABLED=1
+            GODEBUG=fips140=on
+            GO_TAGS=""
             LDFLAGS=-s -w -X main.version=${{ steps.prep.outputs.version }} -X main.commit=${{ github.SHA }} -X main.date=${{ steps.prep.outputs.created }}
+

Dockerfile

@@ -12,40 +12,45 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Default build will be a standard Go binary in a distroless container.
-# Default LDFLAGS includes `-s -w` to strip symbols for a small binary.
+# Default build arguments are set for the 'default' flavor (static, no cgo, no FIPS).
+# These are overridden in the .github/workflows/docker.yaml for other flavors.
 
-# Include the following LDFLAGS for version information in the binary:
-# LDFLAGS="-X main.version=${BUILD_VERSION} -X main.commit=${BUILD_COMMIT} -X main.date=${BUILD_DATE}"
+# Use golang:1.24-bookworm as the builder image.
+ARG BUILD_CONTAINER=golang:1.24-bookworm@sha256:1a6d4452c65dea36aac2e2d606b01b4a029ec90cc1ae53890540ce6173ea77ac
 
-# Use the following combination to build an image linked with Boring Crypto:
-# --build-arg CGO_ENABLED=1
-# --build-arg BUILD_CONTAINER=goboring/golang:1.16b7
-# --build-arg RUN_CONTAINER=gcr.io/distroless/base
-
-ARG BUILD_CONTAINER=golang:1.16
-ARG RUN_CONTAINER=gcr.io/distroless/static
+ARG RUN_CONTAINER=gcr.io/distroless/static-debian12@sha256:cd64bec9cec257044ce3a8dd3620cf83b387920100332f2b041f19c4d2febf93
 
 #--- Build binary in Go container ---#
 FROM ${BUILD_CONTAINER} as builder
 
 ARG CGO_ENABLED=0
-ARG LDFLAGS="-s -w -X main.version=unknown -X main.commit=unknown -X main.date=unknown" 
+ARG GODEBUG=""  
+ARG LDFLAGS="-s -w -X main.version=unknown -X main.commit=unknown -X main.date=unknown"
+ARG GO_TAGS="netgo,osusergo" # Tags for static build
+
+# Install git - required for go mod download in some base images.
+USER root
+RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*
 
 # Build app
 WORKDIR /app
 ADD . .
+
 RUN go mod download
-RUN CGO_ENABLED=$CGO_ENABLED go build -a \
+
+# Build the application.
+RUN echo "Building with: CGO_ENABLED=${CGO_ENABLED} GODEBUG=${GODEBUG} GO_TAGS='${GO_TAGS}'"
+RUN GOTOOLCHAIN=local GOOS=linux GOARCH=amd64 CGO_ENABLED=${CGO_ENABLED} GODEBUG=${GODEBUG} go build -a \
+  -tags="${GO_TAGS}" \
   -ldflags "${LDFLAGS}" \
   -o apigee-remote-service-envoy .
 
 # add apigee:apigee user
 RUN groupadd -g 999 apigee && \
     useradd -r -u 999 -g apigee apigee
 
-# remove all write privileges from ca-certificates.crt
-RUN chmod 4444 /etc/ssl/certs/ca-certificates.crt
+# Adjust ca-certificates permissions if the file exists.
+RUN if [ -f /etc/ssl/certs/ca-certificates.crt ]; then chmod a+r /etc/ssl/certs/ca-certificates.crt; fi
 
 #--- Build runtime container ---#
 FROM ${RUN_CONTAINER}
@@ -56,6 +61,8 @@ COPY --from=builder /app/apigee-remote-service-envoy .
 COPY --from=builder /etc/passwd /etc/group /etc/shadow /etc/
 USER apigee
 
-# Run entrypoint
-ENTRYPOINT ["/apigee-remote-service-envoy"]
 EXPOSE 5000/tcp 5001/tcp
+
+# Run entrypoint.
+ENTRYPOINT ["/apigee-remote-service-envoy"]
+

go.mod

@@ -1,28 +1,57 @@
 module github.com/apigee/apigee-remote-service-envoy/v2
 
-go 1.16
+go 1.24.0
+
+toolchain go1.24.8
 
 // replace github.com/apigee/apigee-remote-service-golib/v2 => ../apigee-remote-service-golib
 
 require (
 	github.com/apigee/apigee-remote-service-golib/v2 v2.1.3
-	github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad
+	github.com/envoyproxy/go-control-plane v0.12.0
 	github.com/gogo/googleapis v1.4.1
-	github.com/golang/protobuf v1.5.2
-	github.com/google/go-cmp v0.5.5
+	github.com/golang/protobuf v1.5.4
+	github.com/google/go-cmp v0.6.0
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
-	github.com/lestrrat-go/jwx v1.1.6
-	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
+	github.com/lestrrat-go/jwx v1.2.30
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.12.1
 	github.com/spf13/cobra v1.1.3
-	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.16.0
-	golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20210315173758-2651cd453018
-	google.golang.org/grpc v1.36.0
-	google.golang.org/protobuf v1.26.0
-	gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b // indirect
+	golang.org/x/oauth2 v0.27.0
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157
+	google.golang.org/grpc v1.65.1
+	google.golang.org/protobuf v1.34.2
 	gopkg.in/yaml.v3 v3.0.1
 )
+
+require (
+	cloud.google.com/go/compute/metadata v0.3.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/iter v1.0.2 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/prometheus/client_model v0.5.0 // indirect
+	github.com/prometheus/common v0.32.1 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	go.uber.org/atomic v1.7.0 // indirect
+	go.uber.org/multierr v1.6.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
+)