diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index 0de5144bcf..c0918cd1b2 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -39,7 +39,7 @@ jobs:
 uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
 with:
 # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
- version: v2.1.0
+ version: v2.5.0
 # Give the job more time to execute.
 # Regarding `--whole-files`, the linter is supposed to support linting of changed a patch only but,
diff --git a/.go-version b/.go-version
index 8407e26008..d905a6d1d6 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.24.7
+1.25.1
diff --git a/.golangci.yml b/.golangci.yml
index 79a5435c4d..7e6232d7d1 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -4,7 +4,7 @@ run:
 timeout: 1m
 build-tags:
 - integration
- go: "1.24.7"
+ go: "1.25.1"
 issues:
 # Maximum count of issues with the same text.
diff --git a/changelog/fragments/1758819869-bump-golang-1.25.1.yaml b/changelog/fragments/1758819869-bump-golang-1.25.1.yaml
new file mode 100644
index 0000000000..9d7955c853
--- /dev/null
+++ b/changelog/fragments/1758819869-bump-golang-1.25.1.yaml
@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: Update Go to v1.25.1
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: fleet-server
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/fleet-server/pull/5562
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234
diff --git a/dev-tools/go.mod b/dev-tools/go.mod
index 669353510e..f848625bcd 100644
--- a/dev-tools/go.mod
+++ b/dev-tools/go.mod
@@ -1,6 +1,6 @@
 module github.com/elastic/fleet-server/dev-tools
-go 1.24.7
+go 1.25.1
 tool (
 github.com/elastic/go-json-schema-generate/cmd/schema-generate
diff --git a/docs/fips.md b/docs/fips.md
index 291f0287f9..c0680f035e 100644
--- a/docs/fips.md
+++ b/docs/fips.md
@@ -12,12 +12,12 @@ This toolchain must be present for local compilation. As we are using micrsoft/go as a base we follow their conventions.
-Our FIPS changes require the `requirefips` and `ms_tls13kdf` buildtags.
+Our FIPS changes require the `requirefips` build tag.
 When compiling `GOEXPERIMENT=systemcrypto` and `CGO_ENABLED=1` must be set. Additionally the `MS_GOTOOLCHAIN_TELEMETRY_ENABLED=0` env var is set to disable telemetry for [microsoft/go](https://github.com/microsoft/go). The `FIPS=true` env var is used by our magefile as the FIPS toggle.
-This env var applies to all targets, at a minimum the `requirefips` and `ms_tls13kdf` tags will be set.
+This env var applies to all targets, at a minimum the `requirefips` tag will be set.
 For targets that compile binaries, the `GOEXPERIMENT=systemcrypto` and `CGO_ENABLED=1` env vars are set. For developer conveniance, running `FIPS=true mage multipass` will provision a multipass VM with the Microsoft/go toolchain.
diff --git a/go.mod b/go.mod
index ad0ef4c355..2751e67a28 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/elastic/fleet-server/v7
-go 1.24.7
+go 1.25.1
 require (
 github.com/Pallinder/go-randomdata v1.2.0
diff --git a/magefile.go b/magefile.go
index b745afe919..3dea041495 100644
--- a/magefile.go
+++ b/magefile.go
@@ -326,7 +326,7 @@ var (
 tags = append(tags, "snapshot")
 }
 if isFIPS() {
- tags = append(tags, "requirefips", "ms_tls13kdf")
+ tags = append(tags, "requirefips")
 }
 return strings.Join(tags, ",")
 })
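Review bot: The `ms_tls13kdf` build tag is dropped from the FIPS tag set in this `if isFIPS()` branch without any explanation in the patch; the changelog fragment only records the Go bump, and the same unexplained removal recurs in the magefile.go hunks at lines 486 (`DetectFIPSCryptoImports`), 514 (`genNotice`) and 1592 (`checkFIPSBinary`), where the binary verification check for the tag is deleted outright. Because this tag presumably governed which TLS 1.3 key-derivation implementation a FIPS artifact was built with, the reason it is now unnecessary belongs next to the surviving append, e.g. `// requirefips alone selects the FIPS build; the former ms_tls13kdf tag is no longer needed with this toolchain (<reason or link>)`. The closure this block sits in starts outside the hunk.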
@@ -486,7 +486,7 @@ func (Check) Notice() {
 // DetectFIPSCryptoImports will do a best effort attempt to ensure that the imports list for FIPS compatible artifacts does not contain any external crypto libraries.
 // Specifically it will fail if the modules list contains an entry with: "crypto", "gokrb5", or "pbkdf2"
 func (Check) DetectFIPSCryptoImports() error {
- tags := []string{"requirefips", "ms_tls13kdf"}
+ tags := []string{"requirefips"}
 mods, err := getModules(tags...)
 if err != nil {
 return err
@@ -514,7 +514,7 @@ func genNotice(fips bool) error {
 outFile := "NOTICE.txt"
 if fips {
 log.Println("Generating NOTICE-fips.txt.")
- tags = append(tags, "requirefips", "ms_tls13kdf")
+ tags = append(tags, "requirefips")
 outFile = "NOTICE-fips.txt"
 } else {
 log.Println("Generating NOTICE.txt.")
@@ -1202,7 +1202,7 @@ func (Docker) CustomAgentImage() error {
 // Unit runs unit tests.
 // Produces a unit test output file, and test coverage file in the build directory.
 // SNAPSHOT adds the snapshot build tag.
-// FIPS adds the requirefips and ms_tls13kdf build tags.
+// FIPS adds the requirefips build tag.
 func (Test) Unit() error {
 mg.Deps(mg.F(mkDir, "build"))
 output, err := teeCommand(environMap(), "go", "test", "-tags="+getTagsString(), "-v", "-race", "-coverprofile="+filepath.Join("build", "coverage-"+runtime.GOOS+".out"), "./...")
@@ -1214,11 +1214,18 @@ func (Test) Unit() error {
 // This is done because mage may have issues when running with fips140=only set.
 // Produces a unit test output file, and test coverage file in the build directory.
 // SNAPSHOT adds the snapshot build tag.
-// FIPS adds the requirefips and ms_tls13kdf build tags.
+// FIPS adds the requirefips build tag.
 func (Test) UnitFIPSOnly() error {
 mg.Deps(mg.F(mkDir, "build"))
+
+ // We also set GODEBUG=tlsmlkem=0 to disable the X25519MLKEM768 TLS key
+ // exchange mechanism; without this setting and with the GODEBUG=fips140=only
+ // setting, we get errors in tests like so:
+ // Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
+ // Note that we are only disabling this TLS key exchange mechanism in tests!
 env := environMap()
- env["GODEBUG"] = "fips140=only"
+ env["GODEBUG"] = "fips140=only,tlsmlkem=0"
+
 output, err := teeCommand(env, "go", "test", "-tags="+getTagsString(), "-v", "-race", "-coverprofile="+filepath.Join("build", "coverage-"+runtime.GOOS+".out"), "./...")
 err = errors.Join(err, os.WriteFile(filepath.Join("build", "test-unit-fipsonly-"+runtime.GOOS+".out"), output, 0o644))
 return err
@@ -1226,7 +1233,7 @@ func (Test) UnitFIPSOnly() error {
 // Integration provisions the integration test environment with docker compose, runs the integration tests, then destroys the environment.
 // SNAPSHOT runs integration tests with the snapshot build tag.
-// FIPS runs the integration tests the requirefips and ms_tls13kdf build tags.
+// FIPS runs the integration tests the requirefips build tag.
 func (Test) Integration() {
 mg.SerialDeps(mg.F(mkDir, "build"), Test.IntegrationUp, Test.IntegrationRun, Test.IntegrationDown)
 }
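Review bot: The new `tlsmlkem=0` in `env["GODEBUG"]` makes the fips140=only test run negotiate TLS key exchange differently from a FIPS binary started with `fips140=only` alone, so the `crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode` failure quoted in the added comment may be pushed out of the test suite rather than resolved. The comment stresses that the knob is test-scoped but does not say why production is unaffected; it should state that (for instance, if shipped binaries are not run with fips140=only, or set `CurvePreferences` explicitly) or point at the follow-up, e.g. `// TODO(fips): confirm production behaviour under fips140=only without tlsmlkem=0 — see <tracking issue>`. UnitFIPSOnly's closing brace lies outside the hunk.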
@@ -1240,7 +1247,7 @@ func (Test) IntegrationUp() error {
 // Assumes that the integration test environment is up.
 // Produces an integration test output file in the build directory.
 // SNAPSHOT runs integration tests with the snapshot build tag.
-// FIPS runs the integration tests the requirefips and ms_tls13kdf build tags.
+// FIPS runs the integration tests the requirefips build tag.
 func (Test) IntegrationRun(ctx context.Context) error {
 env, err := readEnvFile(filepath.Join("dev-tools", "integration", ".env"))
 if err != nil {
@@ -1592,9 +1599,6 @@ func checkFIPSBinary(path string) error {
 if !strings.Contains(setting.Value, "requirefips") {
 return fmt.Errorf("requirefips tag not found in %s", setting.Value)
 }
- if !strings.Contains(setting.Value, "ms_tls13kdf") {
- return fmt.Errorf("requirefips tag not found in %s", setting.Value)
- }
 continue
 case "GOEXPERIMENT":
 foundExperiment = true
@@ -1665,7 +1669,7 @@ func (Test) JunitReport() error {
 // All runs unit and integration tests and produces junit reports for all the tests.
 // SNAPSHOT adds the snapshot build tag.
-// FIPS adds the requirefips and ms_tls13kdf build tags.
+// FIPS adds the requirefips build tag.
 func (Test) All() {
 mg.SerialDeps(mg.F(mkDir, "build"), Test.Unit, Test.Integration, Test.JunitReport)
 }
@@ -1673,7 +1677,7 @@ func (Test) All() {
 // Benchmark runs the included benchmarks
 // Produces a benchmark file in the build directory.
 // SNAPSHOT adds the snapshot build tag.
-// FIPS adds the requirefips and ms_tls13kdf build tags.
+// FIPS adds the requirefips build tag.
 // BENCHMARK_FILTER can be used to filter what benchmarks run.
 // BENCHMARK_ARGS can be used to change what is being benchmarked. Default: -count=10 -benchtime=3s -benchmem.
 // BENCH_BASE can be used to change the output file name.
diff --git a/testing/go.mod b/testing/go.mod
index 6e25bdbb02..6301136eac 100644
--- a/testing/go.mod
+++ b/testing/go.mod
@@ -1,6 +1,6 @@
 module github.com/elastic/fleet-server/testing
-go 1.24.7
+go 1.25.1
 replace (
 github.com/elastic/fleet-server/pkg/api => ../pkg/api