Fix: Resolve CVEs by updating Go, base images, and dependencies

.github/workflows/build.yaml

@@ -17,38 +17,48 @@ name: Build
 on:
   push:
   pull_request:
-  
+
 jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - 
-        name: Check out code
-        uses: actions/checkout@v1
-      - 
-        name: Reviewdog Lint
-        uses: reviewdog/action-golangci-lint@v1
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.25'
+
+      - name: Reviewdog Lint
+        uses: reviewdog/action-golangci-lint@v2
         with:
           reporter: github-check
-
+          go_version: '1.25'
+
   test:
     name: Test and Cover
     runs-on: ubuntu-latest
     steps:
-      - 
-        name: Check out code
-        uses: actions/checkout@v1
-      -
-        name: Set up Go
-        uses: actions/setup-go@v2
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.16
-      - 
-        name: Run Unit tests
-        run: go test -coverprofile=coverage.txt ./...
-      - 
-        name: Upload Coverage report to CodeCov
-        uses: codecov/codecov-action@v1
+          go-version: '1.25'
+          cache: true
+
+      - name: Run Unit tests
+        env:
+          GOTOOLCHAIN: local
+        run: go test -race -coverprofile=coverage.txt ./...
+
+      - name: Upload Coverage report to CodeCov
+        uses: codecov/codecov-action@v4
         with:
           file: ./coverage.txt
+          token: ${{ secrets.CODECOV_TOKEN }}
+          fail_ci_if_error: true
+          verbose: true

.github/workflows/docker.yaml

@@ -24,7 +24,7 @@ jobs:
     name: Build Default Docker image
     runs-on: ubuntu-latest
     steps:
-      - 
+      -
         name: Check out code
         uses: actions/checkout@v2
       -
@@ -54,20 +54,26 @@ jobs:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       -
-        name: Scratch image
+        name: Default image
         uses: docker/build-push-action@v2
         with:
           context: .
           file: ./Dockerfile
           push: true
           tags: ${{ steps.prep.outputs.tags }}
-          build-args: LDFLAGS=-s -w -X main.version=${{ steps.prep.outputs.version }} -X main.commit=${{ github.SHA }} -X main.date=${{ steps.prep.outputs.created }}
+          build-args: |
+            BUILD_CONTAINER=golang:1.25-bookworm@sha256:7af46e70d2017aef0b4ce2422afbcf39af0511a61993103e948b61011233ec42
+            RUN_CONTAINER=gcr.io/distroless/static-debian12@sha256:cd64bec9cec257044ce3a8dd3620cf83b387920100332f2b041f19c4d2febf93
+            CGO_ENABLED=0
+            GODEBUG=""
+            GO_TAGS=netgo,osusergo
+            LDFLAGS=-s -w -X main.version=${{ steps.prep.outputs.version }} -X main.commit=${{ github.SHA }} -X main.date=${{ steps.prep.outputs.created }}
 
   ubuntu:
     name: Build Ubuntu Docker image
     runs-on: ubuntu-latest
     steps:
-      - 
+      -
         name: Check out code
         uses: actions/checkout@v2
       -
@@ -105,14 +111,18 @@ jobs:
           push: true
           tags: ${{ steps.prep.outputs.tags }}
           build-args: |
-            RUN_CONTAINER=ubuntu:xenial
+            BUILD_CONTAINER=golang:1.25-bookworm@sha256:7af46e70d2017aef0b4ce2422afbcf39af0511a61993103e948b61011233ec42
+            RUN_CONTAINER=ubuntu:22.04@sha256:c7eb020043d8fc2ae0793fb35a37bff1cf33f156d4d4b12ccc7f3ef8706c38b1
+            CGO_ENABLED=0
+            GODEBUG=""
+            GO_TAGS=""
             LDFLAGS=-s -w -X main.version=${{ steps.prep.outputs.version }} -X main.commit=${{ github.SHA }} -X main.date=${{ steps.prep.outputs.created }}
 
   boring:
     name: Build Boring Crypto Docker image
     runs-on: ubuntu-latest
     steps:
-      - 
+      -
         name: Check out code
         uses: actions/checkout@v2
       -
@@ -150,7 +160,10 @@ jobs:
           push: true
           tags: ${{ steps.prep.outputs.tags }}
           build-args: |
-            BUILD_CONTAINER=goboring/golang:1.16.1b7
-            RUN_CONTAINER=gcr.io/distroless/base
+            BUILD_CONTAINER=golang:1.25-bookworm@sha256:7af46e70d2017aef0b4ce2422afbcf39af0511a61993103e948b61011233ec42
+            RUN_CONTAINER=gcr.io/distroless/base-nossl-debian12@sha256:c0d97a3f0d6ad7d75c6494e3d6da54f09a961b80d755f0a09c7328f5a8edee5e
             CGO_ENABLED=1
+            GODEBUG=fips140=on
+            GO_TAGS=""
             LDFLAGS=-s -w -X main.version=${{ steps.prep.outputs.version }} -X main.commit=${{ github.SHA }} -X main.date=${{ steps.prep.outputs.created }}
+

Dockerfile

@@ -12,40 +12,45 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Default build will be a standard Go binary in a distroless container.
-# Default LDFLAGS includes `-s -w` to strip symbols for a small binary.
+# Default build arguments are set for the 'default' flavor (static, no cgo, no FIPS).
+# These are overridden in the .github/workflows/docker.yaml for other flavors.
 
-# Include the following LDFLAGS for version information in the binary:
-# LDFLAGS="-X main.version=${BUILD_VERSION} -X main.commit=${BUILD_COMMIT} -X main.date=${BUILD_DATE}"
+# Use golang:1.25-bookworm as the builder image.
+ARG BUILD_CONTAINER=golang:1.25-bookworm@sha256:7af46e70d2017aef0b4ce2422afbcf39af0511a61993103e948b61011233ec42
 
-# Use the following combination to build an image linked with Boring Crypto:
-# --build-arg CGO_ENABLED=1
-# --build-arg BUILD_CONTAINER=goboring/golang:1.16b7
-# --build-arg RUN_CONTAINER=gcr.io/distroless/base
-
-ARG BUILD_CONTAINER=golang:1.16
-ARG RUN_CONTAINER=gcr.io/distroless/static
+ARG RUN_CONTAINER=gcr.io/distroless/static-debian12@sha256:cd64bec9cec257044ce3a8dd3620cf83b387920100332f2b041f19c4d2febf93
 
 #--- Build binary in Go container ---#
 FROM ${BUILD_CONTAINER} as builder
 
 ARG CGO_ENABLED=0
-ARG LDFLAGS="-s -w -X main.version=unknown -X main.commit=unknown -X main.date=unknown" 
+ARG GODEBUG=""  
+ARG LDFLAGS="-s -w -X main.version=unknown -X main.commit=unknown -X main.date=unknown"
+ARG GO_TAGS="netgo,osusergo" # Tags for static build
+
+# Install git - required for go mod download in some base images.
+USER root
+RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*
 
 # Build app
 WORKDIR /app
 ADD . .
+
 RUN go mod download
-RUN CGO_ENABLED=$CGO_ENABLED go build -a \
+
+# Build the application.
+RUN echo "Building with: CGO_ENABLED=${CGO_ENABLED} GODEBUG=${GODEBUG} GO_TAGS='${GO_TAGS}'"
+RUN GOTOOLCHAIN=local GOOS=linux GOARCH=amd64 CGO_ENABLED=${CGO_ENABLED} GODEBUG=${GODEBUG} go build -a \
+  -tags="${GO_TAGS}" \
   -ldflags "${LDFLAGS}" \
   -o apigee-remote-service-envoy .
 
 # add apigee:apigee user
 RUN groupadd -g 999 apigee && \
     useradd -r -u 999 -g apigee apigee
 
-# remove all write privileges from ca-certificates.crt
-RUN chmod 4444 /etc/ssl/certs/ca-certificates.crt
+# Adjust ca-certificates permissions if the file exists.
+RUN if [ -f /etc/ssl/certs/ca-certificates.crt ]; then chmod a+r /etc/ssl/certs/ca-certificates.crt; fi
 
 #--- Build runtime container ---#
 FROM ${RUN_CONTAINER}
@@ -56,6 +61,8 @@ COPY --from=builder /app/apigee-remote-service-envoy .
 COPY --from=builder /etc/passwd /etc/group /etc/shadow /etc/
 USER apigee
 
-# Run entrypoint
-ENTRYPOINT ["/apigee-remote-service-envoy"]
 EXPOSE 5000/tcp 5001/tcp
+
+# Run entrypoint.
+ENTRYPOINT ["/apigee-remote-service-envoy"]
+

go.mod

@@ -1,28 +1,75 @@
 module github.com/apigee/apigee-remote-service-envoy/v2
 
-go 1.16
+go 1.25.0
+
+toolchain go1.25.8
 
 // replace github.com/apigee/apigee-remote-service-golib/v2 => ../apigee-remote-service-golib
 
 require (
 	github.com/apigee/apigee-remote-service-golib/v2 v2.1.3
-	github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad
+	github.com/envoyproxy/go-control-plane/envoy v1.36.0
 	github.com/gogo/googleapis v1.4.1
-	github.com/golang/protobuf v1.5.2
-	github.com/google/go-cmp v0.5.5
+	github.com/golang/protobuf v1.5.4
+	github.com/google/go-cmp v0.7.0
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
-	github.com/lestrrat-go/jwx v1.1.6
-	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
+	github.com/lestrrat-go/jwx v1.2.30
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.12.1
 	github.com/spf13/cobra v1.1.3
-	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.16.0
-	golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20210315173758-2651cd453018
-	google.golang.org/grpc v1.36.0
-	google.golang.org/protobuf v1.26.0
-	gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b // indirect
+	golang.org/x/oauth2 v0.36.0
+	google.golang.org/api v0.162.0
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171
+	google.golang.org/grpc v1.79.1
+	google.golang.org/protobuf v1.36.11
 	gopkg.in/yaml.v3 v3.0.1
 )
+
+require (
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/iter v1.0.2 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.32.1 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 // indirect
+	go.opentelemetry.io/otel v1.39.0 // indirect
+	go.opentelemetry.io/otel/metric v1.39.0 // indirect
+	go.opentelemetry.io/otel/trace v1.39.0 // indirect
+	go.uber.org/atomic v1.7.0 // indirect
+	go.uber.org/multierr v1.6.0 // indirect
+	golang.org/x/crypto v0.48.0 // indirect
+	golang.org/x/net v0.51.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
+)
+
+replace (
+	cloud.google.com/go => cloud.google.com/go v0.110.0
+	google.golang.org/genproto => google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de
+)