Update dependencies to resolve CVEs and fix lint errors (#81)

* update dependencies to resolve CVEs and fix lint errors
* update BK plugin versions and go version
* update linter version
* update nats server version to resolve trivy scan findings

.buildkite/pipeline.yml

@@ -7,23 +7,23 @@ steps:
   - label: ":golangci-lint: lint :lint-roller:"
     key: "lint"
     plugins:
-      - docker#v5.7.0:
-          image: "registry.hub.docker.com/golangci/golangci-lint:v1.51-alpine"
+      - docker#v5.9.0:
+          image: "registry.hub.docker.com/golangci/golangci-lint:v1.61-alpine"
           command: ["golangci-lint", "run", "-v", "--timeout", "5m"]
 
   - label: ":test_tube: test"
     key: "test"
     plugins:
-      - docker#v5.7.0:
-          image: "golang:1.20"
+      - docker#v5.9.0:
+          image: "golang:1.23"
           command: ["go", "test", "-cover" ,"-race", "./..."]
 
   - label: ":golang: build"
     key: "gobuild"
     artifact_paths: "bin/${APP_NAME}"
     plugins:
-      - docker#v5.7.0:
-          image: "golang:1.20"
+      - docker#v5.9.0:
+          image: "golang:1.23"
           environment:
             - CGO_ENABLED=0
             - GOOS=linux
@@ -58,7 +58,7 @@ steps:
       - equinixmetal-buildkite/cosign#main:
           image: "${IMAGE_REPO}:${IMAGE_TAG}"
           keyless: true
-      - equinixmetal-buildkite/trivy#v1.18.2:
+      - equinixmetal-buildkite/trivy#v1.19.1:
           severity: CRITICAL,HIGH
           ignore-unfixed: true
           security-checks: config,secret,vuln

.golangci.yml

@@ -19,11 +19,12 @@ linters:
     - bodyclose
     - gocritic
     - gocyclo
-    - goerr113
+    - gosec
+    - err113
     - gofmt
     - gofumpt
     - goimports
-    - gomnd
+    - mnd
     - govet
     - misspell
     - noctx

cmd/serve.go

@@ -29,7 +29,7 @@ import (
 var serveCmd = &cobra.Command{
 	Use:   "serve",
 	Short: "starts the gov-slack-addon service",
-	RunE: func(cmd *cobra.Command, args []string) error {
+	RunE: func(cmd *cobra.Command, _ []string) error {
 		return serve(cmd.Context(), viper.GetViper())
 	},
 }
@@ -91,7 +91,7 @@ func init() {
 	viperBindFlag("nats.subject-prefix", serveCmd.Flags().Lookup("nats-subject-prefix"))
 	serveCmd.Flags().String("nats-queue-group", "governor.addons.gov-slack-addon", "queue group for load balancing messages across NATS consumers")
 	viperBindFlag("nats.queue-group", serveCmd.Flags().Lookup("nats-queue-group"))
-	serveCmd.Flags().Int("nats-queue-size", 3, "queue size for load balancing messages across NATS consumers") //nolint: gomnd
+	serveCmd.Flags().Int("nats-queue-size", 3, "queue size for load balancing messages across NATS consumers") //nolint:mnd
 	viperBindFlag("nats.queue-size", serveCmd.Flags().Lookup("nats-queue-size"))
 }
 
@@ -294,5 +294,5 @@ func validateMandatoryFlags() error {
 		return nil
 	}
 
-	return fmt.Errorf(strings.Join(errs, "\n")) //nolint:goerr113
+	return fmt.Errorf(strings.Join(errs, "\n")) //nolint:govet,err113,staticcheck
 }

cmd/tracing.go

@@ -1,28 +1,35 @@
 package cmd
 
 import (
+	"context"
+	"errors"
+	"fmt"
+	"net/url"
+
 	"github.com/spf13/viper"
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
-	"go.opentelemetry.io/otel/exporters/jaeger"
+	"go.opentelemetry.io/otel/exporters/otlp/otlptrace"
+	"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc"
+	"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp"
+	"go.opentelemetry.io/otel/propagation"
 	"go.opentelemetry.io/otel/sdk/resource"
 	tracesdk "go.opentelemetry.io/otel/sdk/trace"
 	semconv "go.opentelemetry.io/otel/semconv/v1.4.0"
 )
 
+// ErrInvalidTracingConfig is returned when the tracing configuration is invalid.
+var ErrInvalidTracingConfig = errors.New("invalid tracing config")
+
 func initTracing() {
 	if viper.GetBool("tracing.enabled") {
-		initTracer(viper.GetString("tracing.endpoint"))
+		initTracer()
 	}
 }
 
-// initTracer returns an OpenTelemetry TracerProvider configured to use
-// the Jaeger exporter that will send spans to the provided url. The returned
-// TracerProvider will also use a Resource configured with all the information
-// about the application.
-func initTracer(url string) *tracesdk.TracerProvider {
-	// Create the Jaeger exporter
-	exp, err := jaeger.New(jaeger.WithCollectorEndpoint(jaeger.WithEndpoint(url)))
+// initTracer returns an OpenTelemetry TracerProvider.
+func initTracer() *tracesdk.TracerProvider {
+	exp, err := newExporter()
 	if err != nil {
 		logger.Fatalw("failed to initialize tracing exporter", "error", err)
 	}
@@ -39,6 +46,57 @@ func initTracer(url string) *tracesdk.TracerProvider {
 	)
 
 	otel.SetTracerProvider(tp)
+	otel.SetTextMapPropagator(propagation.NewCompositeTextMapPropagator(
+		propagation.TraceContext{},
+		propagation.Baggage{},
+	))
 
 	return tp
 }
+
+func newExporter() (tracesdk.SpanExporter, error) {
+	switch viper.GetString("tracing.provider") {
+	case "otlpgrpc":
+		return newOTLPGRPCExporter()
+	case "otlphttp":
+		return newOTLPHTTPExporter()
+	}
+
+	return nil, fmt.Errorf("%w: tracing exporter must be otlpgrpc or otlphttp", ErrInvalidTracingConfig)
+}
+
+func newOTLPGRPCExporter() (tracesdk.SpanExporter, error) {
+	_, err := url.Parse(viper.GetString("tracing.endpoint"))
+	if err != nil {
+		return nil, fmt.Errorf("%w: missing OTLP config options; you must pass a valid endpoint: %w", ErrInvalidTracingConfig, err)
+	}
+
+	opts := []otlptracegrpc.Option{
+		otlptracegrpc.WithEndpoint(viper.GetString("tracing.endpoint")),
+		otlptracegrpc.WithTimeout(viper.GetDuration("tracing.timeout")),
+	}
+
+	if viper.GetBool("tracing.insecure") {
+		opts = append(opts, otlptracegrpc.WithInsecure())
+	}
+
+	return otlptrace.New(context.Background(), otlptracegrpc.NewClient(opts...))
+}
+
+func newOTLPHTTPExporter() (tracesdk.SpanExporter, error) {
+	_, err := url.Parse(viper.GetString("tracing.endpoint"))
+	if err != nil {
+		return nil, fmt.Errorf("%w: missing OTLP config options; you must pass a valid endpoint: %w", ErrInvalidTracingConfig, err)
+	}
+
+	opts := []otlptracehttp.Option{
+		otlptracehttp.WithEndpoint(viper.GetString("tracing.endpoint")),
+		otlptracehttp.WithTimeout(viper.GetDuration("tracing.timeout")),
+	}
+
+	if viper.GetBool("tracing.insecure") {
+		opts = append(opts, otlptracehttp.WithInsecure())
+	}
+
+	return otlptrace.New(context.Background(), otlptracehttp.NewClient(opts...))
+}

go.mod

@@ -1,119 +1,132 @@
 module github.com/metal-toolbox/gov-slack-addon
 
-go 1.20
+go 1.23.0
+
+toolchain go1.23.3
 
 replace github.com/slack-go/slack => github.com/tenyo/slack v0.0.0-20230302003044-bf98edf7265a
 
 require (
-	github.com/avast/retry-go/v4 v4.3.4
-	github.com/gin-contrib/cors v1.4.0
-	github.com/gin-contrib/zap v0.1.0
-	github.com/gin-gonic/gin v1.9.1
+	github.com/avast/retry-go/v4 v4.6.0
+	github.com/gin-contrib/cors v1.7.2
+	github.com/gin-contrib/zap v1.1.4
+	github.com/gin-gonic/gin v1.10.0
 	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/metal-toolbox/auditevent v0.8.0
-	github.com/metal-toolbox/governor-api v0.1.6
+	github.com/metal-toolbox/governor-api v0.2.4
 	github.com/mitchellh/go-homedir v1.1.0
-	github.com/nats-io/nats-server/v2 v2.9.15
-	github.com/nats-io/nats.go v1.28.0
+	github.com/nats-io/nats-server/v2 v2.10.22
+	github.com/nats-io/nats.go v1.37.0
 	github.com/slack-go/slack v0.12.2
-	github.com/spf13/cobra v1.7.0
+	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
-	github.com/spf13/viper v1.16.0
-	github.com/stretchr/testify v1.8.4
+	github.com/spf13/viper v1.19.0
+	github.com/stretchr/testify v1.9.0
 	github.com/zsais/go-gin-prometheus v0.1.0
-	go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.42.0
-	go.opentelemetry.io/otel v1.16.0
-	go.opentelemetry.io/otel/exporters/jaeger v1.16.0
-	go.opentelemetry.io/otel/sdk v1.16.0
-	go.uber.org/zap v1.24.0
-	golang.org/x/net v0.12.0
-	golang.org/x/oauth2 v0.10.0
+	go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.57.0
+	go.opentelemetry.io/otel v1.32.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.32.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.32.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.32.0
+	go.opentelemetry.io/otel/sdk v1.32.0
+	go.uber.org/zap v1.27.0
+	golang.org/x/net v0.31.0
+	golang.org/x/oauth2 v0.24.0
 )
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bytedance/sonic v1.10.0-rc3 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/chenzhuoyu/base64x v0.0.0-20230717121745-296ad89f973d // indirect
-	github.com/chenzhuoyu/iasm v0.9.0 // indirect
-	github.com/cockroachdb/cockroach-go/v2 v2.3.5 // indirect
-	github.com/coreos/go-oidc/v3 v3.6.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/ericlagergren/decimal v0.0.0-20221120152707-495c53812d05 // indirect
+	github.com/bytedance/sonic v1.12.4 // indirect
+	github.com/bytedance/sonic/loader v0.2.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cloudwego/base64x v0.1.4 // indirect
+	github.com/cloudwego/iasm v0.2.0 // indirect
+	github.com/cockroachdb/cockroach-go/v2 v2.3.8 // indirect
+	github.com/coreos/go-oidc/v3 v3.11.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/ericlagergren/decimal v0.0.0-20240411145413-00de7ca16731 // indirect
 	github.com/friendsofgo/errors v0.9.2 // indirect
-	github.com/fsnotify/fsnotify v1.6.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.6 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
-	github.com/go-logr/logr v1.2.4 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-logr/zapr v1.2.4 // indirect
+	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.14.1 // indirect
-	github.com/goccy/go-json v0.10.2 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/gorilla/websocket v1.5.0 // indirect
-	github.com/gosimple/slug v1.13.1 // indirect
+	github.com/go-playground/validator/v10 v10.22.1 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/gorilla/websocket v1.5.3 // indirect
+	github.com/gosimple/slug v1.14.0 // indirect
 	github.com/gosimple/unidecode v1.0.1 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
-	github.com/jackc/pgconn v1.14.1 // indirect
+	github.com/jackc/pgconn v1.14.3 // indirect
 	github.com/jackc/pgio v1.0.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgproto3/v2 v2.3.2 // indirect
-	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
-	github.com/jackc/pgtype v1.14.0 // indirect
-	github.com/jackc/pgx/v4 v4.18.1 // indirect
-	github.com/jmoiron/sqlx v1.3.5 // indirect
+	github.com/jackc/pgproto3/v2 v2.3.3 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/jackc/pgtype v1.14.4 // indirect
+	github.com/jackc/pgx/v4 v4.18.3 // indirect
+	github.com/jmoiron/sqlx v1.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.16.7 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
-	github.com/leodido/go-urn v1.2.4 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
-	github.com/mattn/go-isatty v0.0.19 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/minio/highwayhash v1.0.2 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/minio/highwayhash v1.0.3 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/nats-io/jwt/v2 v2.3.0 // indirect
-	github.com/nats-io/nkeys v0.4.4 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/nats-io/jwt/v2 v2.7.2 // indirect
+	github.com/nats-io/nkeys v0.4.7 // indirect
 	github.com/nats-io/nuid v1.0.1 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.9 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.16.0 // indirect
-	github.com/prometheus/client_model v0.4.0 // indirect
-	github.com/prometheus/common v0.44.0 // indirect
-	github.com/prometheus/procfs v0.11.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/client_golang v1.20.5 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.60.1 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/sagikazarmark/locafero v0.6.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/spf13/afero v1.9.5 // indirect
-	github.com/spf13/cast v1.5.1 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/subosito/gotenv v1.4.2 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/cast v1.7.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
-	github.com/ugorji/go/codec v1.2.11 // indirect
+	github.com/ugorji/go/codec v1.2.12 // indirect
 	github.com/volatiletech/inflect v0.0.1 // indirect
 	github.com/volatiletech/null/v8 v8.1.2 // indirect
 	github.com/volatiletech/randomize v0.0.1 // indirect
-	github.com/volatiletech/sqlboiler/v4 v4.14.2 // indirect
-	github.com/volatiletech/strmangle v0.0.5 // indirect
-	go.hollow.sh/toolbox v0.6.1 // indirect
-	go.opentelemetry.io/otel/metric v1.16.0 // indirect
-	go.opentelemetry.io/otel/trace v1.16.0 // indirect
-	go.uber.org/atomic v1.11.0 // indirect
+	github.com/volatiletech/sqlboiler/v4 v4.17.1 // indirect
+	github.com/volatiletech/strmangle v0.0.8 // indirect
+	go.hollow.sh/toolbox v0.6.3 // indirect
+	go.opentelemetry.io/otel/metric v1.32.0 // indirect
+	go.opentelemetry.io/otel/trace v1.32.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/arch v0.4.0 // indirect
-	golang.org/x/crypto v0.11.0 // indirect
-	golang.org/x/sys v0.10.0 // indirect
-	golang.org/x/text v0.11.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	golang.org/x/arch v0.12.0 // indirect
+	golang.org/x/crypto v0.29.0 // indirect
+	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect
+	golang.org/x/sys v0.27.0 // indirect
+	golang.org/x/text v0.20.0 // indirect
+	golang.org/x/time v0.8.0 // indirect
+	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241113202542-65e8d215514f // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f // indirect
+	google.golang.org/grpc v1.68.0 // indirect
+	google.golang.org/protobuf v1.35.2 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect