Skip to content

[fix][sec] Bump golang.org/x/net to address CVE-2025-22870, requires go 1.23 #1351

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Mar 28, 2025
Merged

[fix][sec] Bump golang.org/x/net to address CVE-2025-22870, requires go 1.23 #1351

merged 9 commits into from
Mar 28, 2025

Conversation

lhotari
Copy link
Member

@lhotari lhotari commented Mar 28, 2025

Motivation

We have an unresolved vulnerability CVE-2025-22870

Modifications

  • bump golang.org/x/net to latest (v0.38.0) which requires go 1.23
  • bump minimum required golang version to 1.23

Documentation

Minimum required golang version is updated in README

Copilot
Copilot AI reviewed Mar 28, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR bumps golang.org/x/net to v0.38.0 to address CVE-2025-22870 and raises the minimum required Go version to 1.23.

  • Update README.md to reflect the new minimum Go version and update test command.
  • Modify CI workflows to test on updated Go versions and update the bot workflow runner.

Reviewed Changes

Copilot reviewed 4 out of 7 changed files in this pull request and generated no comments.

File Description
README.md Minimum required Go version updated and test command now invokes Go 1.23.
.github/workflows/ci.yml Test matrix versions updated from [1.22, 1.23] to [1.23, 1.24]; explicit go-version remains fixed.
.github/workflows/bot.yml Update runner from ubuntu-20.04 to ubuntu-latest.
Files not reviewed (3)
  • Dockerfile: Language not supported
  • Makefile: Language not supported
  • go.mod: Language not supported
Comments suppressed due to low confidence (2)

.github/workflows/ci.yml:25

  • [nitpick] The CI test matrix now includes Go 1.24 even though the PR specifies a minimum version of 1.23. Please confirm that including Go 1.24 is intentional and compatible with project requirements.
go-version: [ '1.23', '1.24' ]

.github/workflows/ci.yml:39

  • [nitpick] Consider parameterizing this go-version setting using the matrix variable to ensure the tests run on both specified versions instead of hardcoding '1.23'.
go-version: '1.23'

@lhotari lhotari requested a review from merlimat March 28, 2025 09:14
tisonkun
tisonkun reviewed Mar 28, 2025
View reviewed changes
@lhotari lhotari force-pushed the lh-fix-CVE-2025-22870 branch from 592944b to 9ca9053 Compare March 28, 2025 09:44
@lhotari
Copy link
Member Author

lhotari commented Mar 28, 2025

Tests are failing and it looks like the tests aren't executed in the best possible way. -race is combined with -coverprofile which I guess could cause issues. I'm checking if removing those options cause the results.

@lhotari
Copy link
Member Author

lhotari commented Mar 28, 2025
edited
Loading

Some progress after removing -race and -coverprofile:

2025-03-28T11:34:16.0000032Z === RUN   TestPartitionTopicsConsumerPubSubEncryption
2025-03-28T11:34:16.0000312Z time="2025-03-28T11:33:45Z" level=info msg="Connecting to broker" remote_addr="pulsar://localhost:6650"
2025-03-28T11:34:16.0000692Z time="2025-03-28T11:33:45Z" level=info msg="TCP connection established" local_addr="127.0.0.1:54866" remote_addr="pulsar://localhost:6650"
2025-03-28T11:34:16.0001040Z time="2025-03-28T11:33:45Z" level=info msg="Connection is ready" local_addr="127.0.0.1:54866" remote_addr="pulsar://localhost:6650"
2025-03-28T11:34:16.0001640Z time="2025-03-28T11:33:45Z" level=info msg="Connected producer" cnx="127.0.0.1:54866 -> 127.0.0.1:6650" epoch=0 topic="persistent://public/default/testGetPartitions-partition-1"
2025-03-28T11:34:16.0002233Z time="2025-03-28T11:33:45Z" level=info msg="Created producer" cnx="127.0.0.1:54866 -> 127.0.0.1:6650" producerID=4 producer_name=standalone-0-152 topic="persistent://public/default/testGetPartitions-partition-1"
2025-03-28T11:34:16.0002832Z time="2025-03-28T11:33:45Z" level=info msg="Connected producer" cnx="127.0.0.1:54866 -> 127.0.0.1:6650" epoch=0 topic="persistent://public/default/testGetPartitions-partition-3"
2025-03-28T11:34:16.0003512Z time="2025-03-28T11:33:45Z" level=info msg="Created producer" cnx="127.0.0.1:54866 -> 127.0.0.1:6650" producerID=3 producer_name=standalone-0-153 topic="persistent://public/default/testGetPartitions-partition-3"
2025-03-28T11:34:16.0003986Z time="2025-03-28T11:33:45Z" level=info msg="Connected producer" cnx="127.0.0.1:54866 -> 127.0.0.1:6650" epoch=0 topic="persistent://public/default/testGetPartitions-partition-5"
2025-03-28T11:34:16.0004573Z time="2025-03-28T11:33:45Z" level=info msg="Created producer" cnx="127.0.0.1:54866 -> 127.0.0.1:6650" producerID=1 producer_name=standalone-0-151 topic="persistent://public/default/testGetPartitions-partition-5"
2025-03-28T11:34:16.0005047Z time="2025-03-28T11:33:45Z" level=info msg="Connected producer" cnx="127.0.0.1:54866 -> 127.0.0.1:6650" epoch=0 topic="persistent://public/default/testGetPartitions-partition-0"
2025-03-28T11:34:16.0005630Z time="2025-03-28T11:33:45Z" level=info msg="Created producer" cnx="127.0.0.1:54866 -> 127.0.0.1:6650" producerID=2 producer_name=standalone-0-155 topic="persistent://public/default/testGetPartitions-partition-0"
2025-03-28T11:34:16.0006104Z time="2025-03-28T11:33:45Z" level=info msg="Connected producer" cnx="127.0.0.1:54866 -> 127.0.0.1:6650" epoch=0 topic="persistent://public/default/testGetPartitions-partition-2"
2025-03-28T11:34:16.0006687Z time="2025-03-28T11:33:45Z" level=info msg="Created producer" cnx="127.0.0.1:54866 -> 127.0.0.1:6650" producerID=5 producer_name=standalone-0-154 topic="persistent://public/default/testGetPartitions-partition-2"
2025-03-28T11:34:16.0007155Z time="2025-03-28T11:33:45Z" level=info msg="Connected producer" cnx="127.0.0.1:54866 -> 127.0.0.1:6650" epoch=0 topic="persistent://public/default/testGetPartitions-partition-4"
2025-03-28T11:34:16.0007732Z time="2025-03-28T11:33:45Z" level=info msg="Created producer" cnx="127.0.0.1:54866 -> 127.0.0.1:6650" producerID=6 producer_name=standalone-0-150 topic="persistent://public/default/testGetPartitions-partition-4"
2025-03-28T11:34:16.0008250Z time="2025-03-28T11:33:45Z" level=info msg="Connected consumer" consumerID=1 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-3"
2025-03-28T11:34:16.0008743Z time="2025-03-28T11:33:45Z" level=info msg="Created consumer" consumerID=1 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-3"
2025-03-28T11:34:16.0009255Z time="2025-03-28T11:33:45Z" level=info msg="Connected consumer" consumerID=2 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-2"
2025-03-28T11:34:16.0009747Z time="2025-03-28T11:33:45Z" level=info msg="Created consumer" consumerID=2 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-2"
2025-03-28T11:34:16.0010251Z time="2025-03-28T11:33:45Z" level=info msg="Connected consumer" consumerID=3 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-1"
2025-03-28T11:34:16.0010746Z time="2025-03-28T11:33:45Z" level=info msg="Created consumer" consumerID=3 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-1"
2025-03-28T11:34:16.0011251Z time="2025-03-28T11:33:45Z" level=info msg="Connected consumer" consumerID=6 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-0"
2025-03-28T11:34:16.0011855Z time="2025-03-28T11:33:45Z" level=info msg="Created consumer" consumerID=6 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-0"
2025-03-28T11:34:16.0012364Z time="2025-03-28T11:33:45Z" level=info msg="Connected consumer" consumerID=5 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-4"
2025-03-28T11:34:16.0012854Z time="2025-03-28T11:33:45Z" level=info msg="Created consumer" consumerID=5 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-4"
2025-03-28T11:34:16.0013589Z time="2025-03-28T11:34:15Z" level=info msg="Broker notification of Closed producer: 3" local_addr="127.0.0.1:54866" remote_addr="pulsar://localhost:6650"
2025-03-28T11:34:16.0014218Z time="2025-03-28T11:34:15Z" level=warning msg="Connection was closed" cnx="127.0.0.1:54866 -> 127.0.0.1:6650" producerID=3 producer_name=standalone-0-153 topic="persistent://public/default/testGetPartitions-partition-3"
2025-03-28T11:34:16.0014820Z time="2025-03-28T11:34:15Z" level=info msg="runEventsLoop will reconnect in producer" producerID=3 producer_name=standalone-0-153 topic="persistent://public/default/testGetPartitions-partition-3"
2025-03-28T11:34:16.0015236Z time="2025-03-28T11:34:15Z" level=info msg="Broker notification of Closed consumer: 1" local_addr="127.0.0.1:54866" remote_addr="pulsar://localhost:6650"
2025-03-28T11:34:16.0015853Z time="2025-03-28T11:34:15Z" level=error msg="Failed to create consumer" consumerID=4 error="request timed out" name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-5"
2025-03-28T11:34:16.0016452Z time="2025-03-28T11:34:15Z" level=error msg="Failed to create consumer" consumerID=4 error="request timed out" name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-5"
2025-03-28T11:34:16.0016955Z time="2025-03-28T11:34:15Z" level=info msg="Closing consumer=6" consumerID=6 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-0"
2025-03-28T11:34:16.0017447Z time="2025-03-28T11:34:15Z" level=info msg="Closed consumer" consumerID=6 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-0"
2025-03-28T11:34:16.0017945Z time="2025-03-28T11:34:15Z" level=info msg="Closing consumer=3" consumerID=3 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-1"
2025-03-28T11:34:16.0018453Z time="2025-03-28T11:34:15Z" level=info msg="Closed consumer" consumerID=3 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-1"
2025-03-28T11:34:16.0018953Z time="2025-03-28T11:34:15Z" level=info msg="Closing consumer=2" consumerID=2 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-2"
2025-03-28T11:34:16.0019439Z time="2025-03-28T11:34:15Z" level=info msg="Closed consumer" consumerID=2 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-2"
2025-03-28T11:34:16.0020218Z time="2025-03-28T11:34:15Z" level=error msg="Failed to create consumer" consumerID=1 error="server error: ServiceNotReady: Topic is temporarily unavailable" name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-3"
2025-03-28T11:34:16.0021029Z time="2025-03-28T11:34:15Z" level=error msg="Failed to create consumer at reconnect" consumerID=1 error="server error: ServiceNotReady: Topic is temporarily unavailable" name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-3"
2025-03-28T11:34:16.0021740Z time="2025-03-28T11:34:15Z" level=info msg="Reconnecting to broker" assignedBrokerURL= consumerID=1 delayReconnectTime=115.070709ms name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-3"
2025-03-28T11:34:16.0022236Z time="2025-03-28T11:34:15Z" level=info msg="Closing consumer=1" consumerID=1 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-3"
2025-03-28T11:34:16.0023690Z time="2025-03-28T11:34:15Z" level=error msg="Failed to create producer at send PRODUCER request" error="server error: ServiceNotReady: org.apache.pulsar.broker.service.BrokerServiceException$TopicFencedException: Topic is temporarily unavailable" producerID=3 producer_name=standalone-0-153 topic="persistent://public/default/testGetPartitions-partition-3"
2025-03-28T11:34:16.0024934Z time="2025-03-28T11:34:15Z" level=error msg="Failed to create producer at reconnect" error="server error: ServiceNotReady: org.apache.pulsar.broker.service.BrokerServiceException$TopicFencedException: Topic is temporarily unavailable" producerID=3 producer_name=standalone-0-153 topic="persistent://public/default/testGetPartitions-partition-3"
2025-03-28T11:34:16.0025665Z time="2025-03-28T11:34:15Z" level=info msg="Reconnecting to broker" assignedBrokerURL= delayReconnectTime=102.813486ms producerID=3 producer_name=standalone-0-153 topic="persistent://public/default/testGetPartitions-partition-3"
2025-03-28T11:34:16.0026171Z time="2025-03-28T11:34:15Z" level=info msg="Closed consumer" consumerID=1 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-3"
2025-03-28T11:34:16.0026708Z time="2025-03-28T11:34:15Z" level=info msg="Closing consumer=5" consumerID=5 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-4"
2025-03-28T11:34:16.0027213Z time="2025-03-28T11:34:15Z" level=info msg="Closed consumer" consumerID=5 name=fffxd subscription=my-sub topic="persistent://public/default/testGetPartitions-partition-4"
2025-03-28T11:34:16.0027376Z     consumer_test.go:578: 
2025-03-28T11:34:16.0027743Z         	Error Trace:	/pulsar/pulsar-client-go/pulsar/consumer_test.go:578
2025-03-28T11:34:16.0028115Z         	Error:      	Expected nil, but got: &errors.errorString{s:"request timed out"}
2025-03-28T11:34:16.0028394Z         	Test:       	TestPartitionTopicsConsumerPubSubEncryption
2025-03-28T11:34:16.0028938Z time="2025-03-28T11:34:15Z" level=info msg="Closing producer" producerID=2 producer_name=standalone-0-155 topic="persistent://public/default/testGetPartitions-partition-0"
2025-03-28T11:34:16.0029462Z time="2025-03-28T11:34:15Z" level=info msg="Closed producer" producerID=2 producer_name=standalone-0-155 topic="persistent://public/default/testGetPartitions-partition-0"
2025-03-28T11:34:16.0029979Z time="2025-03-28T11:34:15Z" level=info msg="Closing producer" producerID=4 producer_name=standalone-0-152 topic="persistent://public/default/testGetPartitions-partition-1"
2025-03-28T11:34:16.0030498Z time="2025-03-28T11:34:15Z" level=info msg="Closed producer" producerID=4 producer_name=standalone-0-152 topic="persistent://public/default/testGetPartitions-partition-1"
2025-03-28T11:34:16.0031011Z time="2025-03-28T11:34:15Z" level=info msg="Closing producer" producerID=5 producer_name=standalone-0-154 topic="persistent://public/default/testGetPartitions-partition-2"
2025-03-28T11:34:16.0031530Z time="2025-03-28T11:34:15Z" level=info msg="Closed producer" producerID=5 producer_name=standalone-0-154 topic="persistent://public/default/testGetPartitions-partition-2"
2025-03-28T11:34:16.0032043Z time="2025-03-28T11:34:15Z" level=info msg="Closing producer" producerID=3 producer_name=standalone-0-153 topic="persistent://public/default/testGetPartitions-partition-3"
2025-03-28T11:34:16.0032556Z time="2025-03-28T11:34:15Z" level=info msg="Closed producer" producerID=3 producer_name=standalone-0-153 topic="persistent://public/default/testGetPartitions-partition-3"
2025-03-28T11:34:16.0033076Z time="2025-03-28T11:34:15Z" level=info msg="Closing producer" producerID=6 producer_name=standalone-0-150 topic="persistent://public/default/testGetPartitions-partition-4"
2025-03-28T11:34:16.0033785Z time="2025-03-28T11:34:15Z" level=info msg="Closed producer" producerID=6 producer_name=standalone-0-150 topic="persistent://public/default/testGetPartitions-partition-4"
2025-03-28T11:34:16.0034428Z time="2025-03-28T11:34:15Z" level=info msg="Closing producer" producerID=1 producer_name=standalone-0-151 topic="persistent://public/default/testGetPartitions-partition-5"
2025-03-28T11:34:16.0034951Z time="2025-03-28T11:34:15Z" level=info msg="Closed producer" producerID=1 producer_name=standalone-0-151 topic="persistent://public/default/testGetPartitions-partition-5"
2025-03-28T11:34:16.0035142Z --- FAIL: TestPartitionTopicsConsumerPubSubEncryption (30.07s)
2025-03-28T11:34:16.0035489Z panic: runtime error: invalid memory address or nil pointer dereference [recovered]
2025-03-28T11:34:16.0035707Z 	panic: runtime error: invalid memory address or nil pointer dereference
2025-03-28T11:34:16.0035914Z [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xc7b9ba]
2025-03-28T11:34:16.0035921Z 
2025-03-28T11:34:16.0036010Z goroutine 4968 [running]:
2025-03-28T11:34:16.0036136Z testing.tRunner.func1.2({0xeab7a0, 0x1794050})
2025-03-28T11:34:16.0036281Z 	/pulsar/go/src/testing/testing.go:1632 +0x230
2025-03-28T11:34:16.0036373Z testing.tRunner.func1()
2025-03-28T11:34:16.0036515Z 	/pulsar/go/src/testing/testing.go:1635 +0x35e
2025-03-28T11:34:16.0036606Z panic({0xeab7a0?, 0x1794050?})
2025-03-28T11:34:16.0036738Z 	/pulsar/go/src/runtime/panic.go:791 +0x132
2025-03-28T11:34:16.0037084Z github.com/apache/pulsar-client-go/pulsar.TestPartitionTopicsConsumerPubSubEncryption(0xc000322000)
2025-03-28T11:34:16.0037273Z 	/pulsar/pulsar-client-go/pulsar/consumer_test.go:579 +0x69a
2025-03-28T11:34:16.0037387Z testing.tRunner(0xc000322000, 0x104b2d0)
2025-03-28T11:34:16.0037513Z 	/pulsar/go/src/testing/testing.go:1690 +0xf4
2025-03-28T11:34:16.0037625Z created by testing.(*T).Run in goroutine 1
2025-03-28T11:34:16.0037752Z 	/pulsar/go/src/testing/testing.go:1743 +0x390
2025-03-28T11:34:16.0037912Z FAIL	github.com/apache/pulsar-client-go/pulsar	117.897s

@lhotari lhotari requested a review from RobertIndie March 28, 2025 12:37
@lhotari lhotari marked this pull request as draft March 28, 2025 13:07
@lhotari lhotari marked this pull request as ready for review March 28, 2025 13:19
@lhotari
Copy link
Member Author

lhotari commented Mar 28, 2025

I added a solution where it's easier to run tests without -race and -coverprofile.

For example

make TEST_RACE=0 TEST_COVERAGE=0 test_standalone

This will help finding test issues in the future where there's a failure without any additional information. It's necessary to run without -race and -coverprofile in that case to find the issue.

@lhotari lhotari requested a review from tisonkun March 28, 2025 13:24
@lhotari
Disable collecting test coverage by default
dff2725 
- it could cause issues when it's enabled with "-race"
- the coverage reports aren't uploaded anywhere
@lhotari
Copy link
Member Author

lhotari commented Mar 28, 2025

I'm disabling -coverprofile by default since the tests take very long to execute together with -race. It's better to not have them enabled at the same time.

@lhotari lhotari merged commit 02ee51e into apache:master Mar 28, 2025
7 checks passed
@RobertIndie RobertIndie mentioned this pull request May 14, 2025
Merged
1 task
RobertIndie added a commit that referenced this pull request May 15, 2025
@RobertIndie
Fix CI can't be failed even the tests are failed (#1367)
a5c6dee 
### Motivation

This PR #1351 introduced some changes but breaked the CI. Currently, even if there are some failed tests, the CI won't be failed: https://github.com/apache/pulsar-client-go/actions/runs/14973771263/job/42060743359?pr=1364#step:6:9285

The root cause is because it captures the exit status of the tee command instead of the go test command. This causes the script to report "Tests passed" even when tests actually fail, leading to false positive CI results.

```
$TEST_CMD 2>&1 | tee $TEST_LOG
```

### Modification

- Use `set -o pipefail` to correctly capture the exit status of the `go test` command in the pipeline
RobertIndie pushed a commit that referenced this pull request May 15, 2025
@lhotari @RobertIndie
[fix][sec] Bump golang.org/x/net to address CVE-2025-22870, requires …
4413ae1 
…go 1.23 (#1351)

(cherry picked from commit 02ee51e)
RobertIndie added a commit that referenced this pull request May 15, 2025
@RobertIndie
Fix CI can't be failed even the tests are failed (#1367)
4513446 
### Motivation

This PR #1351 introduced some changes but breaked the CI. Currently, even if there are some failed tests, the CI won't be failed: https://github.com/apache/pulsar-client-go/actions/runs/14973771263/job/42060743359?pr=1364#step:6:9285

The root cause is because it captures the exit status of the tee command instead of the go test command. This causes the script to report "Tests passed" even when tests actually fail, leading to false positive CI results.

```
$TEST_CMD 2>&1 | tee $TEST_LOG
```

### Modification

- Use `set -o pipefail` to correctly capture the exit status of the `go test` command in the pipeline

(cherry picked from commit a5c6dee)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@nodece nodece nodece approved these changes

@gaoran10 gaoran10 Awaiting requested review from gaoran10

@BewareMyPower BewareMyPower Awaiting requested review from BewareMyPower

@wolfstudy wolfstudy Awaiting requested review from wolfstudy

@merlimat merlimat Awaiting requested review from merlimat

@RobertIndie RobertIndie Awaiting requested review from RobertIndie

@tisonkun tisonkun Awaiting requested review from tisonkun

Assignees
No one assigned
Labels
area/security cherry-picked/branch-0.15.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@lhotari @nodece @tisonkun @RobertIndie