bug: Vuln Scan Fixes (#3829)

Vuln Scan Fixes: Closes #3828 

All Critical, High and Medium if possible.

Author: piotr-roslaniec

.github/workflows/client.yml

@@ -36,7 +36,7 @@ jobs:
     outputs:
       path-filter: ${{ steps.filter.outputs.path-filter }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         if: github.event_name == 'pull_request'
 
       - uses: dorny/paths-filter@v2
@@ -52,7 +52,7 @@ jobs:
     outputs:
       path-filter: ${{ steps.filter.outputs.path-filter }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         if: github.event_name == 'pull_request'
 
       - uses: dorny/paths-filter@v2
@@ -71,7 +71,7 @@ jobs:
         || needs.client-detect-changes.outputs.path-filter == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           # Fetch the whole history for the `git describe` command to work.
           fetch-depth: 0
@@ -88,18 +88,18 @@ jobs:
           environment: ${{ github.event.inputs.environment }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Cache Docker layers
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ github.sha }}
           restore-keys: |
             ${{ runner.os }}-buildx-
 
       - name: Build Docker Build Image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           target: build-docker
           tags: go-build-env
@@ -123,7 +123,7 @@ jobs:
           docker save --output /tmp/go-build-env-image.tar go-build-env
 
       - name: Upload Docker Build Image
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: go-build-env-image
           path: /tmp/go-build-env-image.tar
@@ -133,11 +133,11 @@ jobs:
           docker run \
             --workdir /go/src/github.com/keep-network/keep-core \
             go-build-env \
-            gotestsum
+            gotestsum -- -timeout 15m
 
       - name: Build Docker Runtime Image
         if: github.event_name != 'workflow_dispatch'
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           target: runtime-docker
           labels: |
@@ -148,15 +148,15 @@ jobs:
 
       - name: Login to Google Container Registry
         if: github.event_name == 'workflow_dispatch'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.GCR_REGISTRY_URL }}
           username: _json_key
           password: ${{ secrets.KEEP_TEST_GCR_JSON_KEY }}
 
       - name: Build and publish Docker Runtime Image
         if: github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         env:
           IMAGE_NAME: "keep-client"
         with:
@@ -177,7 +177,7 @@ jobs:
           context: .
 
       - name: Build Client Binaries
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           target: output-bins
           outputs: type=local,dest=./out/bin/
@@ -189,7 +189,7 @@ jobs:
           context: .
 
       - name: Archive Client Binaries
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: binaries
           path: |
@@ -240,10 +240,11 @@ jobs:
     env:
       GO111MODULE: on
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: securego/gosec@master
         with:
           args: |
+            -exclude=G115
             -exclude-dir=pkg/chain/ethereum/beacon/gen
             -exclude-dir=pkg/chain/ethereum/ecdsa/gen
             -exclude-dir=pkg/chain/ethereum/threshold/gen
@@ -257,8 +258,8 @@ jobs:
         || needs.client-detect-changes.outputs.path-filter == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
       - name: gofmt
@@ -275,8 +276,8 @@ jobs:
         || needs.client-detect-changes.outputs.path-filter == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
       - run: go vet
@@ -288,15 +289,16 @@ jobs:
         || needs.client-detect-changes.outputs.path-filter == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
       - name: Staticcheck
-        uses: dominikh/staticcheck-action@v1.3.0
+        uses: dominikh/staticcheck-action@v1.4.0
         with:
-          version: "2023.1.6"
+          version: "2025.1.1"
           install-go: false
+          checks: "-SA1019"
 
   client-integration-test:
     needs: [electrum-integration-detect-changes, client-build-test-publish]
@@ -306,10 +308,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Download Docker Build Image
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: go-build-env-image
           path: /tmp

.gitignore

@@ -55,6 +55,8 @@ yarn-error.log
 /solidity*/**/export.json
 
 # Go bindings generator
+# Note: Some specific _address files are committed as empty placeholders
+# to satisfy //go:embed directives during CI builds that don't run go generate
 /pkg/chain/**/gen/_address/
 /pkg/chain/**/gen/_contracts/
 /pkg/chain/**/gen/abi/*.abi

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.20.13-alpine3.19 AS build-sources
+FROM golang:1.24-alpine3.21 AS build-sources
 
 ENV GOPATH=/go \
 	GOBIN=/go/bin \
@@ -10,7 +10,7 @@ ENV GOPATH=/go \
 
 # TODO: Remove perl once go-ethereum is upgraded to 1.11.
 #       See pkg/chain/ethereum/tbtc/gen/Makefile and after_abi_hook for details.
-RUN apk add --update --no-cache \
+RUN apk update && apk upgrade && apk add --update --no-cache \
 	g++ \
 	linux-headers \
 	protobuf-dev \
@@ -26,7 +26,7 @@ RUN apk add --update --no-cache \
 	rm -rf /var/cache/apk/ && mkdir /var/cache/apk/ && \
 	rm -rf /usr/share/man
 
-RUN go install gotest.tools/gotestsum@latest
+RUN go install gotest.tools/gotestsum@v1.10.1
 
 RUN mkdir -p $APP_DIR $TEST_RESULTS_DIR
 
@@ -36,9 +36,6 @@ WORKDIR $APP_DIR
 COPY go.mod go.sum $APP_DIR/
 RUN go mod download
 
-# Install code generators.
-RUN go install google.golang.org/protobuf/cmd/[email protected]
-
 # Copy source code for generation.
 COPY ./pkg/beacon/dkg/result/gen $APP_DIR/pkg/beacon/dkg/result/gen
 COPY ./pkg/beacon/entry/gen $APP_DIR/pkg/beacon/entry/gen
@@ -57,6 +54,10 @@ COPY ./pkg/tecdsa/gen $APP_DIR/pkg/tecdsa/gen
 COPY ./pkg/protocol/announcer/gen $APP_DIR/pkg/protocol/announcer/gen
 COPY ./pkg/protocol/inactivity/gen $APP_DIR/pkg/protocol/inactivity/gen
 
+
+# Install code generators.
+RUN go install google.golang.org/protobuf/cmd/[email protected]
+
 # Environment is to download published and tagged NPM packages versions.
 ARG ENVIRONMENT
 
@@ -69,6 +70,9 @@ RUN make generate environment=$ENVIRONMENT
 
 COPY ./ $APP_DIR/
 
+# Update go.sum with any missing dependencies
+RUN go mod tidy && go mod download
+
 #
 # Build Docker Image
 #
@@ -84,12 +88,15 @@ RUN GOOS=linux make build \
 	version=$VERSION \
 	revision=$REVISION
 
-FROM alpine:3.19 as runtime-docker
+FROM alpine:3.21 as runtime-docker
 
 ENV APP_NAME=keep-client \
 	APP_DIR=/go/src/github.com/keep-network/keep-core \
 	BIN_PATH=/usr/local/bin
 
+# Update Alpine packages to get latest security patches
+RUN apk update && apk upgrade && rm -rf /var/cache/apk/*
+
 COPY --from=build-docker $APP_DIR/$APP_NAME $BIN_PATH
 
 # ENTRYPOINT cant handle ENV variables.
@@ -101,7 +108,7 @@ CMD []
 #
 # Build Binaries
 #
-FROM golang:1.20.13-bullseye AS build-bins
+FROM golang:1.24-bullseye AS build-bins
 
 ENV APP_DIR=/go/src/github.com/keep-network/keep-core
 

Makefile

@@ -107,7 +107,7 @@ define go_build_cmd
 	$(eval arch := $(4))
 
 	GOOS=$(os) GOARCH=$(arch) go build \
-		-ldflags "-X github.com/keep-network/keep-core/build.Version=$(version) -X github.com/keep-network/keep-core/build.Revision=$(revision)" \
+		-ldflags "-X github.com/keep-network/keep-core/build.Version=$(version) -X github.com/keep-network/keep-core/build.Revision=$(revision) -checklinkname=0" \
 		-o $(out_dir)/$(file_name) \
 		-a \
 		.