fix(go-dependencies): CVEs (#6867)

* fix: operator CVEs

* CVE fixes

* fix tests

* fix setup env

* test against all supported k8s versions

* fix executor CVEs

* fix linter

* fix downgrade of controller-gen

* lint

Author: domsolutions

.github/workflows/images.yml

@@ -12,7 +12,7 @@ on:
         required: false
 
 env:
-  GOLANG_VERSION: 1.20.9
+  GOLANG_VERSION: 1.24.7
 
 jobs:
   operator:

.github/workflows/security_code_tests_v1.yml

@@ -0,0 +1,57 @@
+name: V1 Security code Tests
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  workflow_dispatch:
+
+jobs:
+  security-python:
+    runs-on: ubuntu-latest
+    container: snyk/snyk:python-3.8
+    steps:
+    - uses: actions/checkout@v2
+    - name: security-python
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      run: |
+        pip install -e python/.
+        snyk test --file=python/setup.py --fail-on=upgradable --severity-threshold=high
+
+  security-operator:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: security-operator
+      # NOTE: We use the Snyk action (instead of the Snyk base image) so that
+      # it respects the Go version we use.
+      uses: snyk/actions/golang@master
+      with:
+        args: --fail-on=upgradable
+          --severity-threshold=high
+          --file=operator/go.mod
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+  security-executor:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: snyk/actions/setup@master
+    - uses: actions/setup-go@v3
+      with:
+        go-version: '^1.24.7'
+    - name: Set up executor's environment
+      # NOTE: The executor needs a couple extra steps before we can build it,
+      # like copying the operator's package into the executor's folder so that
+      # it's accessible.
+      run: make -C executor/ executor
+    - name: security-executor
+      run: snyk test \
+        --fail-on=upgradable
+        --severity-threshold=high
+        --file=executor/go.mod
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

.github/workflows/security_tests.yml …ub/workflows/security_image_tests_v1.yml.github/workflows/security_tests.yml renamed to .github/workflows/security_image_tests_v1.yml .github/workflows/security_tests.yml renamed to .github/workflows/security_image_tests_v1.yml

@@ -1,67 +1,12 @@
-name: V1 Security Tests
+name: V1 Security docker image tests
 
 on:
   push:
     branches: [ master ]
   workflow_dispatch:
 
 jobs:
-  security-python:
-
-    runs-on: ubuntu-latest
-    container: snyk/snyk:python-3.8
-
-    steps:
-    - uses: actions/checkout@v2
-    - name: security-python
-      env:
-        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-      run: |
-        pip install -e python/.
-        snyk test --file=python/setup.py --fail-on=upgradable --severity-threshold=high
-
-  security-operator:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/checkout@v2
-    - name: security-operator
-      # NOTE: We use the Snyk action (instead of the Snyk base image) so that
-      # it respects the Go version we use.
-      uses: snyk/actions/golang@master
-      with:
-        args: --fail-on=upgradable
-          --severity-threshold=high
-          --file=operator/go.mod
-      env:
-        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
-  security-executor:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/checkout@v2
-    - uses: snyk/actions/setup@master
-    - uses: actions/setup-go@v3
-      with:
-        go-version: '^1.17.0'
-    - name: Set up executor's environmnet
-      # NOTE: The executor needs a couple extra steps before we can build it,
-      # like copying the operator's package into the executor's folder so that
-      # it's accessible.
-      run: make -C executor/ executor
-    - name: security-executor
-      run: snyk test \
-        --fail-on=upgradable
-        --severity-threshold=high
-        --file=executor/go.mod
-      env:
-        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
   security-image-executor:
-
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
@@ -74,7 +19,6 @@ jobs:
         args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=executor/Dockerfile.executor
 
   security-image-operator:
-
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
@@ -87,7 +31,6 @@ jobs:
         args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=operator/Dockerfile
 
   security-image-python-base:
-
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
@@ -100,7 +43,6 @@ jobs:
         args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=wrappers/s2i/python/Dockerfile
 
   security-image-python-sklearn:
-
     runs-on: ubuntu-latest
     steps:
     - name: security-image-python-sklearn
@@ -112,7 +54,6 @@ jobs:
         args: --fail-on=upgradable --app-vulns --severity-threshold=high
 
   security-image-python-mlflow:
-
     runs-on: ubuntu-latest
     steps:
     - name: security-image-python-mlflow
@@ -124,7 +65,6 @@ jobs:
         args: --fail-on=upgradable --app-vulns --severity-threshold=high
 
   security-image-python-xgboost:
-
     runs-on: ubuntu-latest
     steps:
     - name: security-image-python-xgboost
@@ -136,7 +76,6 @@ jobs:
         args: --fail-on=upgradable --app-vulns --severity-threshold=high
 
   security-image-alibi-explain:
-
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
@@ -149,7 +88,6 @@ jobs:
         args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=components/alibi-explain-server/Dockerfile
 
   security-image-alibi-detect:
-
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
@@ -162,7 +100,6 @@ jobs:
         args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=components/alibi-detect-server/Dockerfile
 
   security-image-initializer-rclone:
-
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2

.github/workflows/test-executor.yml

@@ -10,7 +10,7 @@ on:
   workflow_dispatch:
 
 env:
-  GOLANG_VERSION: 1.20.9
+  GOLANG_VERSION: 1.24.7
 
 jobs:
   executor-lint:

.github/workflows/test-operator.yml

@@ -10,7 +10,7 @@ on:
   workflow_dispatch:
 
 env:
-  GOLANG_VERSION: 1.20.9
+  GOLANG_VERSION: 1.24.7
 
 jobs:
   operator-lint:

executor/Dockerfile.executor

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.20.9 as builder
+FROM golang:1.24.7 as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests

executor/Makefile

@@ -7,8 +7,6 @@ DOCKER_REGISTRY ?= seldonio
 IMAGE_NAME_BASE=seldon-core-executor
 IMG ?= ${DOCKER_REGISTRY}/${IMAGE_NAME_BASE}:${VERSION}
 
-EXECUTOR_FOLDERS ?= ./api/... ./predictor/... ./k8s/... ./logger/...
-
 KIND_NAME ?= kind
 
 # # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
@@ -20,11 +18,11 @@ KIND_NAME ?= kind
 
 # Run go fmt against code
 fmt:
-	go fmt ${EXECUTOR_FOLDERS}
+	go fmt ./...
 
 # Run go vet against code
 vet:
-	go vet ${EXECUTOR_FOLDERS}
+	go vet ./...
 
 
 # Build manager binary
@@ -82,7 +80,7 @@ add_protos:
 
 # Run tests
 test: copy_operator fmt vet
-	go test ${EXECUTOR_FOLDERS} -coverprofile cover.out
+	go test ./... -coverprofile cover.out
 
 copy_openapi_resources:
 	mkdir -p api/rest/openapi

executor/go.mod

@@ -1,17 +1,17 @@
 module github.com/seldonio/seldon-core/executor
 
-go 1.20
+go 1.24.7
 
 require (
 	github.com/cloudevents/sdk-go v1.2.0
 	github.com/confluentinc/confluent-kafka-go v1.8.2
 	github.com/ghodss/yaml v1.0.0
-	github.com/go-logr/logr v1.2.4
-	github.com/golang/protobuf v1.5.3
-	github.com/google/uuid v1.3.0
+	github.com/go-logr/logr v1.4.2
+	github.com/golang/protobuf v1.5.4
+	github.com/google/uuid v1.6.0
 	github.com/gorilla/mux v1.8.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
-	github.com/onsi/gomega v1.27.10
+	github.com/onsi/gomega v1.36.2
 	github.com/opentracing/opentracing-go v1.2.0
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.16.0
@@ -20,30 +20,30 @@ require (
 	github.com/tensorflow/tensorflow/tensorflow/go/core v0.0.0-00010101000000-000000000000
 	github.com/uber/jaeger-client-go v2.25.0+incompatible
 	go.uber.org/automaxprocs v1.4.0
-	go.uber.org/zap v1.25.0
+	go.uber.org/zap v1.27.0
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
-	google.golang.org/grpc v1.54.0
+	google.golang.org/grpc v1.56.3
 	gotest.tools v2.2.0+incompatible
 	k8s.io/api v0.28.4
 	sigs.k8s.io/controller-runtime v0.16.3
 )
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/codahale/hdrhistogram v0.0.0-00010101000000-000000000000 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
-	github.com/go-logr/zapr v1.2.4 // indirect
-	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-logr/zapr v1.3.0 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/gnostic-models v0.7.0 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/josharian/intern v1.0.1-0.20211109044230-42b52b674af5 // indirect
@@ -53,48 +53,51 @@ require (
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/prometheus/client_model v0.4.0 // indirect
 	github.com/prometheus/procfs v0.10.1 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/uber/jaeger-lib v2.2.0+incompatible // indirect
 	go.opencensus.io v0.23.0 // indirect
 	go.uber.org/atomic v1.10.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
-	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/oauth2 v0.8.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	golang.org/x/term v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/net v0.44.0 // indirect
+	golang.org/x/oauth2 v0.25.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
+	golang.org/x/term v0.35.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/time v0.9.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.28.3 // indirect
-	k8s.io/apimachinery v0.28.4 // indirect
+	k8s.io/apimachinery v0.34.1 // indirect
 	k8s.io/client-go v12.0.0+incompatible // indirect
 	k8s.io/component-base v0.28.3 // indirect
-	k8s.io/klog/v2 v2.100.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
-	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
+	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
 	knative.dev/pkg v0.0.0-20220502225657-4fced0164c9a // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
+	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
-replace github.com/tensorflow/tensorflow/tensorflow/go/core => ./proto/tensorflow/core
-
-replace github.com/seldonio/seldon-core/operator => ./_operator
-
-replace k8s.io/client-go => k8s.io/client-go v0.28.4
-
-replace github.com/codahale/hdrhistogram => github.com/HdrHistogram/hdrhistogram-go v1.1.2
+replace (
+	github.com/codahale/hdrhistogram => github.com/HdrHistogram/hdrhistogram-go v1.1.2
+	github.com/seldonio/seldon-core/operator => ./_operator
+	github.com/tensorflow/tensorflow/tensorflow/go/core => ./proto/tensorflow/core
+	k8s.io/apimachinery => k8s.io/apimachinery v0.29.0-alpha.3
+	k8s.io/client-go => k8s.io/client-go v0.28.4
+	k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20250628140032-d90c4fd18f59
+)
 
 exclude github.com/go-logr/logr v1.0.0