opentelemetry-collector icon indicating copy to clipboard operation
opentelemetry-collector copied to clipboard

Published 20 hours ago verified publisher icon open-telemetry

[chore] follow codeql recommendation

Open codeboten opened this issue 1 year ago • 3 comments

CodeQL is currently reporting "Invalid Go toolchain version: As of Go 1.21, toolchain versions must use the 1.N.P syntax.". This PR attempts to fix this.

codeboten avatar May 15 '24 22:05 codeboten

This breaks our compatibility promise: we are dropping support for Go 1.21.x for x less than 10. There were also recently some fixes upstream (see golang/go@27ed85d) that I think should make this message go away.

Happy to close this, however this PR does bring up a good question of whether we should support versions of go 1.21.x with known CVEs.

codeboten avatar May 16 '24 14:05 codeboten

This breaks our compatibility promise: we are dropping support for Go 1.21.x for x less than 10. There were also recently some fixes upstream (see golang/go@27ed85d) that I think should make this message go away.

Happy to close this, however this PR does bring up a good question of whether we should support versions of go 1.21.x with known CVEs.

We should definitely encourage using the latest version. We could add a toolchain directive on the builder to force the latest version to be used.

In terms of support however, I don't think we lose much by continuing to support those versions, but we can discuss it!

mx-psi avatar May 16 '24 16:05 mx-psi

In terms of support however, I don't think we lose much by continuing to support those versions, but we can discuss it!

Right, I'm thinking that if we were to only support versions greater than any with known CVEs it would act as incentive to any consumers of the collector libraries to also update to newer versions. I can open a separate issue to discuss and close this PR after I do so.

codeboten avatar May 16 '24 16:05 codeboten

100% we should enforce latest (hopefully no CVEs) version when we build the final binary that we release as a binary, but for libraries like artifacts we cannot enforce this.

bogdandrutu avatar May 20 '24 09:05 bogdandrutu

@mx-psi @bogdandrutu to appease codeql and ensure we continue to support all version 1.21, i updated the version in go.mod to 1.21.0

codeboten avatar May 21 '24 18:05 codeboten

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 91.98%. Comparing base (d9dbfbc) to head (4ac0648). Report is 9 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #10165      +/-   ##
==========================================
+ Coverage   91.90%   91.98%   +0.08%     
==========================================
  Files         361      361              
  Lines       16970    16968       -2     
==========================================
+ Hits        15596    15608      +12     
+ Misses       1032     1020      -12     
+ Partials      342      340       -2

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov[bot] avatar May 21 '24 18:05 codecov[bot]