DISTMYSQL-430: Vulnerabilities fixes

https://perconadev.atlassian.net/browse/DISTMYSQL-430

1. Orchestrator used go-sqlite3 that's affected by CVE-2023-7104
2. Updated go version to 1.22.5
3. https://pkg.go.dev/vuln/GO-2024-2963
4. https://pkg.go.dev/vuln/GO-2024-2887

Author: kamil-holubicki

docker/Dockerfile

@@ -14,7 +14,7 @@
 # ORC_USER (default: orc_server_user): username used to login to orchestrator backend MySQL server
 # ORC_PASSWORD (default: orc_server_password): password used to login to orchestrator backend MySQL server
 
-FROM golang:1.22.3-alpine3.20 as build
+FROM golang:1.22.5-alpine3.20 as build
 
 ENV GOPATH=/tmp/go
 

docker/Dockerfile.packaging

@@ -14,7 +14,7 @@
 # ORC_USER (default: orc_server_user): username used to login to orchestrator backend MySQL server
 # ORC_PASSWORD (default: orc_server_password): password used to login to orchestrator backend MySQL server
 
-FROM golang:1.22.3-bullseye
+FROM golang:1.22.5-bullseye
 
 RUN apt-get update
 RUN apt-get install -y ruby ruby-dev rubygems build-essential

docker/Dockerfile.raft

@@ -1,4 +1,4 @@
-FROM golang:1.22.3-bullseye
+FROM golang:1.22.5-bullseye
 LABEL maintainer="[email protected]"
 
 RUN apt-get update -q -y

docker/Dockerfile.system

@@ -1,4 +1,4 @@
-FROM golang:1.22.3-bullseye
+FROM golang:1.22.5-bullseye
 LABEL maintainer="[email protected]"
 
 ARG ci_env_repo="https://github.com/percona/orchestrator-ci-env.git"

docker/Dockerfile.test

@@ -1,4 +1,4 @@
-FROM golang:1.22.3-bullseye
+FROM golang:1.22.5-bullseye
 LABEL maintainer="[email protected]"
 
 RUN apt-get update

go.mod

@@ -1,48 +1,54 @@
 module github.com/openark/orchestrator
 
-go 1.16
+go 1.22.5
 
 require (
-	github.com/Showmax/go-fqdn v1.0.0 // indirect
+	github.com/Showmax/go-fqdn v1.0.0
 	github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6
-	github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 // indirect
 	github.com/cyberdelia/go-metrics-graphite v0.0.0-20161219230853-39f87cc3b432
-	github.com/fatih/color v1.10.0 // indirect
 	github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab
-	github.com/go-sql-driver/mysql v1.7.1
-	github.com/google/btree v1.0.0 // indirect
-	github.com/hashicorp/consul/api v1.7.0
-	github.com/hashicorp/go-cleanhttp v0.5.2-0.20190406162018-d3fcbee8e181 // indirect
-	github.com/hashicorp/go-hclog v0.15.1-0.20201116205511-59fbd7b93270 // indirect
-	github.com/hashicorp/go-immutable-radix v1.3.0 // indirect
-	github.com/hashicorp/go-rootcerts v1.0.3-0.20191216101743-c8a9a31cbd76 // indirect
-	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
-	github.com/hashicorp/go-uuid v1.0.2 // indirect
-	github.com/hashicorp/golang-lru v0.5.4 // indirect
-	github.com/hashicorp/raft v0.0.0-00010101000000-000000000000
-	github.com/hashicorp/serf v0.9.5 // indirect
-	github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c
+	github.com/go-sql-driver/mysql v1.8.1
+	github.com/hashicorp/consul/api v1.29.2
+	github.com/hashicorp/raft v1.7.0
+	github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef
 	github.com/martini-contrib/auth v0.0.0-20150219114609-fa62c19b7ae8
 	github.com/martini-contrib/gzip v0.0.0-20151124214156-6c035326b43f
 	github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11
-	github.com/mattn/go-isatty v0.0.13-0.20200128103942-cb30d6282491 // indirect
-	github.com/mattn/go-sqlite3 v1.14.7
-	github.com/miekg/dns v1.1.31 // indirect
-	github.com/mitchellh/go-testing-interface v1.14.0 // indirect
-	github.com/mitchellh/mapstructure v1.3.3 // indirect
-	github.com/montanaflynn/stats v0.0.0-20161102194025-f8cd06f93c6c
-	github.com/openark/golib v0.0.0-20210520103621-827f3ea62180
-	github.com/outbrain/golib v0.0.0-20200503083229-2531e5dbcc71 // indirect
+	github.com/mattn/go-sqlite3 v1.14.22
+	github.com/montanaflynn/stats v0.7.1
+	github.com/openark/golib v0.0.0-20210531070646-355f37940af8
 	github.com/outbrain/zookeepercli v1.0.12
-	github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475
 	github.com/samuel/go-zookeeper v0.0.0-20201211165307-7117e9ea2414
-	github.com/sjmudd/stopwatch v0.0.0-20170103085848-637ef30077b7
-	github.com/stretchr/testify v1.6.1 // indirect
-	golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa // indirect
-	golang.org/x/net v0.0.0-20220909164309-bea034e7d591 // indirect
+	github.com/sjmudd/stopwatch v0.1.1
 	gopkg.in/gcfg.v1 v1.2.3
+)
+
+require (
+	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/armon/go-metrics v0.4.1 // indirect
+	github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 // indirect
+	github.com/fatih/color v1.17.0 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-hclog v1.6.3 // indirect
+	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
+	github.com/hashicorp/go-msgpack v0.5.5 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-rootcerts v1.0.3-0.20191216101743-c8a9a31cbd76 // indirect
+	github.com/hashicorp/golang-lru v1.0.2 // indirect
+	github.com/hashicorp/serf v0.10.1 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/outbrain/golib v0.0.0-20200503083229-2531e5dbcc71 // indirect
+	github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c // indirect
+	golang.org/x/crypto v0.25.0 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/term v0.22.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )