go.mod: update dependencies

[thaJeztah]

This PR updates most dependencies to a more current version, better reflecting
the versions of these dependencies that are used in code consuming the notary
module. By updating, we're able to verify that the code in this repository doesn't
break with the newer versions.

There's a couple more dependencies to update, but some of those may require local
changes, so doing that separately.

I split the updates into many commits, picking an order of updates that allowed
for individual dependencies to be updated (using a different order often led to
many dependencies to be updated at once, which makes reviewing the changes more
difficult). I included a link to the "full" diff for each update to assist in
reviewing as well.

I'm keeping this in draft for now, as I'm planning to do a round of "draft" PRs
in repositories that use notary as a dependency, to verify these updates are all
compatible (there's some indirect dependencies that are known to be problemeatic).

go.mod: github.com/spf13/cobra v1.6.1

Fixes a panic when AddGroup isn't called before AddCommand(my-sub-command) is executed

full diff: spf13/cobra@v1.6.0...v1.6.1

go.mod: golang.org/x/term v0.1.0

The golang.org/x/ projects now tag releases.

full diff: golang/term@f5c789d...v0.1.0

go.mod: golang.org/x/sys v0.1.0

The golang.org/x/ projects now tag releases.

full diff: golang/sys@bc2c85a...v0.1.0

go.mod: golang.org/x/text v0.4.0

The golang.org/x/ projects now tag releases.

includes fixes for CVE-2022-32149 (v0.3.8)

full diff: golang/text@v0.3.3...v0.4.0

go.mod: golang.org/x/net v0.1.0

The golang.org/x/ projects now tag releases.

• updates to a version that fixes CVE-2022-27664

full diff: golang/net@f585440...v0.1.0

go.mod: golang.org/x/crypto v0.1.0

The golang.org/x/ projects now tag releases.

Also removing uses of golang.org/x/crypto/ed25519, which is now part of stdlib:

Beginning with Go 1.13, the functionality of this package was moved to the
standard library as crypto/ed25519. This package only acts as a compatibility
wrapper.

full diff: golang/crypto@f585440...v0.1.0

go.mod: github.com/dvsekhvalnov/jose2go v1.5.0

Adds go.mod support

full diff: dvsekhvalnov/jose2go@248326c...v1.5.0

go.mod: github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d

full diff: Shopify/logrus-bugsnag@6dbc35f...577dee2

go.mod: github.com/sirupsen/logrus v1.9.0

full diff: sirupsen/logrus@v1.7.1...v1.9.0

go.mod: github.com/miekg/pkcs11 v1.0.3

full diff: miekg/pkcs11@v1.0.3...v1.1.1

go.mod: github.com/stretchr/testify v1.8.1

go.mod: google.golang.org/protobuf v1.28.0

go.mod: github.com/gogo/protobuf v1.3.2

contains fixes for CVE-2021-3121 "skippy peanut butter"

full diff: gogo/protobuf@v1.0.0...v1.3.2

go.mod: github.com/spf13/viper v1.13.0

removes the deprecated github.com/BurntSushi/toml dependency

full diff: spf13/viper@be5ff3e...v1.13.0

go.mod: github.com/opencontainers/image-spec v1.0.2

This is a dependency for docker/distribution, which does not yet use go modules,
so indirect dependencies aren't updated automatically.

image-spec v1.0.2 contains mitigations for CVE-2021-41190.

full diff: opencontainers/image-spec@v1.0.1...v1.0.2

go.mod: github.com/docker/distribution v2.8.1

full diff: distribution/distribution@v2.7.1...v2.8.1

go.mod: github.com/gorilla/mux v1.8.0

full diff: gorilla/mux@v1.7.0...v1.8.0

go.mod: github.com/prometheus/client_golang v1.12.1

not the latest version, but this version looks to be commonly used in various
projects. Also contains fixes for CVE-2022-21698 (affects versions < 1.11.1)

full diff: prometheus/client_golang@c332b6f...v1.12.1

go.mod: github.com/docker/go-metrics v0.0.1

adds go.mod

full diff: docker/go-metrics@c332b6f...v0.0.1

go.mod: github.com/cloudflare/cfssl v1.5.0

• not using latest version, as that brings many indirect dependencies (through cobra)
• removes github.com/gogo/protobuf dependency
• unfortunately, brings back golang.org/x/crypto/ed25519 (will open a PR for that)

go.mod: github.com/matttproud/golang_protobuf_extensions v1.0.2

updating the indirect dependency to match other projects; this version adds
a go.mod;

full diff: matttproud/golang_protobuf_extensions@v1.0.1...v1.0.2

[thaJeztah]

Ah, I think this may be the "good ol" permissions issue; go mod does not persist executable permissions; golang/go#45231

We defined the Go module representation to be absolutely least common denominator across systems for portability. The Go module zip file is for dependencies that need to be downloaded and built by the go command. It is not meant to support anything more. By design, there are no permission bits, nor special files like symlinks, nor modification times.

Executing busybox-1.35.0-r15.trigger
OK: 22 MiB in 25 packages
go: downloading github.com/docker/distribution v2.8.1+incompatible
...
go: downloading github.com/cespare/xxhash v1.1.0

These files were modified:

?? vendor/github.com/docker/go-metrics/LICENSE

This is an actual failure; looks like some changes are needed for compatibility with Prometheus updates;

pkcs11 import was not found anywhere without a build tag, yay
+ /go/src/github.com/theupdateframework/notary/bin/static/notary-server
# github.com/theupdateframework/notary/server
server/server.go:127:9: undefined: prometheus.InstrumentHandlerWithOpts
server/server.go:235:44: undefined: prometheus.Handler
make: *** [Makefile:76: /go/src/github.com/theupdateframework/notary/bin/static/notary-server] Error 2

[thaJeztah]

Ah, I think this may be the "good ol" permissions issue; go mod does not persist executable permissions

whoops, nope, was my mistake, didn't stage a file 😂

[thaJeztah]

Interesting; breaking change in golang/x/sys?

+ go build -o /go/src/github.com/theupdateframework/notary/cross/darwin/amd64/notary -a -tags 'pkcs11 netgo' -ldflags '-w -X github.com/theupdateframework/notary/version.GitCommit=1c7f7186 -X github.com/theupdateframework/notary/version.NotaryVersion=0.7.0 ' ./cmd/notary
# golang.org/x/sys/unix
vendor/golang.org/x/sys/unix/syscall.go:83:16: undefined: unsafe.Slice
vendor/golang.org/x/sys/unix/syscall_darwin.go:95:8: undefined: unsafe.Slice
vendor/golang.org/x/sys/unix/syscall_unix.go:118:7: undefined: unsafe.Slice
vendor/golang.org/x/sys/unix/sysvshm_unix.go:33:7: undefined: unsafe.Slice
make: *** [Makefile:224: cross] Error 2

Exited with code exit status 2