diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 623a1d2921c5..7e7066a6cd64 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -36,7 +36,7 @@ jobs: uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 with: # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version - version: v2.1.0 + version: v2.5.0 # Give the job more time to execute. # Regarding `--whole-files`, the linter is supposed to support linting of changed a patch only but, diff --git a/.go-version b/.go-version index 59b054466064..e6a6e7cd3e99 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.24.13 +1.25.8 diff --git a/NOTICE.txt b/NOTICE.txt index 2d085b071194..46d244d8f08b 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -16532,11 +16532,11 @@ Contents of probable licence file $GOMODCACHE/github.com/gomodule/redigo@v1.9.3/ -------------------------------------------------------------------------------- Dependency : github.com/google/cel-go -Version: v0.25.0 +Version: v0.26.1 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/google/cel-go@v0.25.0/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/google/cel-go@v0.26.1/LICENSE: Apache License diff --git a/auditbeat/Dockerfile b/auditbeat/Dockerfile index dfa5f485f313..adb8ab4884aa 100644 --- a/auditbeat/Dockerfile +++ b/auditbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.13-bookworm +FROM golang:1.25.8-bookworm RUN \ apt-get update \ diff --git a/changelog/fragments/1760385532-bump-golang-1.25.8.yaml b/changelog/fragments/1760385532-bump-golang-1.25.8.yaml new file mode 100644 index 000000000000..6862cfc662f3 --- /dev/null +++ b/changelog/fragments/1760385532-bump-golang-1.25.8.yaml @@ -0,0 +1,32 @@ +# Kind can be one of: +# - breaking-change: a change to previously-documented behavior +# - deprecation: functionality that is being removed in a later release +# - bug-fix: fixes a problem in a previous version +# - enhancement: extends functionality but does not break or fix existing behavior +# - feature: new functionality +# - known-issue: problems that we are aware of in a given version +# - security: impacts on the security of a product or a user’s deployment. +# - upgrade: important information for someone upgrading from a prior version +# - other: does not fit into any of the other categories +kind: other + +# Change summary; a 80ish characters long description of the change. +summary: Update Go to 1.25.8 + +# Long description; in case the summary is not enough to describe the change +# this field accommodate a description without length limits. +# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment. +#description: + +# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc. +component: all + +# PR URL; optional; the PR number that added the changeset. +# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added. +# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number. +# Please provide it if you are adding a fragment for a different PR. +#pr: https://github.com/owner/repo/1234 + +# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of). +# If not present is automatically filled by the tooling with the issue linked to the PR number. +#issue: https://github.com/owner/repo/1234 diff --git a/dev-tools/kubernetes/filebeat/Dockerfile.debug b/dev-tools/kubernetes/filebeat/Dockerfile.debug index 70a0ecf534f6..1408b21c340d 100644 --- a/dev-tools/kubernetes/filebeat/Dockerfile.debug +++ b/dev-tools/kubernetes/filebeat/Dockerfile.debug @@ -1,4 +1,4 @@ -FROM golang:1.24.13-bookworm as builder +FROM golang:1.25.8-bookworm as builder ENV PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/go/bin:/usr/local/go/bin diff --git a/dev-tools/kubernetes/heartbeat/Dockerfile.debug b/dev-tools/kubernetes/heartbeat/Dockerfile.debug index 454032afb38f..77af6c8330fa 100644 --- a/dev-tools/kubernetes/heartbeat/Dockerfile.debug +++ b/dev-tools/kubernetes/heartbeat/Dockerfile.debug @@ -1,4 +1,4 @@ -FROM golang:1.24.13-bookworm as builder +FROM golang:1.25.8-bookworm as builder ENV PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/go/bin:/usr/local/go/bin diff --git a/dev-tools/kubernetes/metricbeat/Dockerfile.debug b/dev-tools/kubernetes/metricbeat/Dockerfile.debug index 4b51753e891c..afaba393f59a 100644 --- a/dev-tools/kubernetes/metricbeat/Dockerfile.debug +++ b/dev-tools/kubernetes/metricbeat/Dockerfile.debug @@ -1,4 +1,4 @@ -FROM golang:1.24.13-bookworm as builder +FROM golang:1.25.8-bookworm as builder ENV PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/go/bin:/usr/local/go/bin diff --git a/dev-tools/mage/fips-settings.yaml b/dev-tools/mage/fips-settings.yaml index 212a3fb4b7b0..e851ec699f2c 100644 --- a/dev-tools/mage/fips-settings.yaml +++ b/dev-tools/mage/fips-settings.yaml @@ -10,7 +10,6 @@ compile: MS_GOTOOLCHAIN_TELEMETRY_ENABLED: "0" tags: - requirefips - - ms_tls13kdf platforms: # If the platform list changes, update the platforms for FIPS packaging in CI pipelines '.buildkite/**/pipeline..yml' and '.buildkite/packaging-pipeline.yml' - linux/amd64 diff --git a/dev-tools/mage/gotest.go b/dev-tools/mage/gotest.go index 720b57cd6a9e..301e3045e904 100644 --- a/dev-tools/mage/gotest.go +++ b/dev-tools/mage/gotest.go @@ -127,7 +127,7 @@ func fetchGoPackages(module string) ([]string, error) { // testTagsFromEnv gets a list of comma-separated tags from the TEST_TAGS // environment variables, e.g: TEST_TAGS=aws,azure. -// If the FIPS env var is set to true, the requirefips and ms_tls13kdf tags are injected. +// If the FIPS env var is set to true, the requirefips tag is injected. func testTagsFromEnv() []string { testTags := strings.Trim(os.Getenv("TEST_TAGS"), ", ") var tags []string @@ -135,7 +135,7 @@ func testTagsFromEnv() []string { tags = strings.Split(testTags, ",") } if FIPSBuild { - tags = append(tags, "requirefips", "ms_tls13kdf") + tags = append(tags, "requirefips") } return tags } @@ -148,7 +148,13 @@ func DefaultGoTestUnitArgs() GoTestArgs { return makeGoTestArgs("Unit") } // fips140=only unit tests. func DefaultGoFIPSOnlyTestArgs() GoTestArgs { args := makeGoTestArgs("Unit-FIPS-only") - args.Env["GODEBUG"] = "fips140=only" + + // We also set GODEBUG=tlsmlkem=0 to disable the X25519MLKEM768 TLS key + // exchange mechanism; without this setting and with the GODEBUG=fips140=only + // setting, we get errors in tests like so: + // Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode + // Note that we are only disabling this TLS key exchange mechanism in tests! + args.Env["GODEBUG"] = "fips140=only,tlsmlkem=0" return args } @@ -211,7 +217,13 @@ func FIPSOnlyGoTestIntegrationFromHostArgs(ctx context.Context) GoTestArgs { args := DefaultGoTestIntegrationArgs(ctx) args.Tags = append(args.Tags, "requirefips") args.Env = WithGoIntegTestHostEnv(args.Env) - args.Env["GODEBUG"] = "fips140=only" + + // We also set GODEBUG=tlsmlkem=0 to disable the X25519MLKEM768 TLS key + // exchange mechanism; without this setting and with the GODEBUG=fips140=only + // setting, we get errors in tests like so: + // Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode + // Note that we are only disabling this TLS key exchange mechanism in tests! + args.Env["GODEBUG"] = "fips140=only,tlsmlkem=0" return args } diff --git a/dev-tools/packaging/package_test.go b/dev-tools/packaging/package_test.go index 3473dfeb84c6..fb9cb0f167ec 100644 --- a/dev-tools/packaging/package_test.go +++ b/dev-tools/packaging/package_test.go @@ -842,7 +842,6 @@ func checkFIPS(t *testing.T, beatName, path string) { case "-tags": foundTags = true require.Contains(t, setting.Value, "requirefips") - require.Contains(t, setting.Value, "ms_tls13kdf") continue case "GOEXPERIMENT": foundExperiment = true diff --git a/filebeat/magefile.go b/filebeat/magefile.go index fe7ec93a5dba..8317b4e1bc3a 100644 --- a/filebeat/magefile.go +++ b/filebeat/magefile.go @@ -25,6 +25,7 @@ import ( "time" "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" devtools "github.com/elastic/beats/v7/dev-tools/mage" "github.com/elastic/beats/v7/dev-tools/mage/target/build" @@ -202,6 +203,16 @@ func GoIntegTest(ctx context.Context) error { // GoFIPSOnlyIntegTest starts the docker containers and executes the Go integration tests with GODEBUG=fips140=only set. func GoFIPSOnlyIntegTest(ctx context.Context) error { mg.Deps(BuildSystemTestBinary) + + // We pre-cache go module dependencies before running the unit tests with + // GODEBUG=fips140=only. Otherwise, the command that runs the unit tests + // will try to download the dependencies and could fail because the TLS + // negotiation with the Go module proxy could use a non-FIPS compliant + // key exchange protocol, e.g. X25519. + if err := sh.RunV(mg.GoCmd(), "mod", "download"); err != nil { + return err + } + return devtools.GoIntegTestFromHost(ctx, devtools.FIPSOnlyGoTestIntegrationFromHostArgs(ctx)) } diff --git a/go.mod b/go.mod index fa184a955363..0ed44e3c0300 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/beats/v7 -go 1.24.13 +go 1.25.8 require ( cloud.google.com/go/bigquery v1.69.0 @@ -188,7 +188,7 @@ require ( github.com/go-resty/resty/v2 v2.17.1 github.com/gofrs/uuid/v5 v5.3.2 github.com/golang-jwt/jwt/v5 v5.3.0 - github.com/google/cel-go v0.25.0 + github.com/google/cel-go v0.26.1 github.com/googleapis/gax-go/v2 v2.15.0 github.com/gorilla/handlers v1.5.1 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 diff --git a/go.sum b/go.sum index 1217cf00f746..b696f4ae4b55 100644 --- a/go.sum +++ b/go.sum @@ -604,8 +604,8 @@ github.com/golang/snappy v1.0.0 h1:Oy607GVXHs7RtbggtPBnr2RmDArIsAefDwvrdWvRhGs= github.com/golang/snappy v1.0.0/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/gomodule/redigo v1.9.3 h1:dNPSXeXv6HCq2jdyWfjgmhBdqnR6PRO3m/G05nvpPC8= github.com/gomodule/redigo v1.9.3/go.mod h1:KsU3hiK/Ay8U42qpaJk+kuNa3C+spxapWpM+ywhcgtw= -github.com/google/cel-go v0.25.0 h1:jsFw9Fhn+3y2kBbltZR4VEz5xKkcIFRPDnuEzAGv5GY= -github.com/google/cel-go v0.25.0/go.mod h1:hjEb6r5SuOSlhCHmFoLzu8HGCERvIsDAbxDAyNU/MmI= +github.com/google/cel-go v0.26.1 h1:iPbVVEdkhTX++hpe3lzSk7D3G3QSYqLGoHOcEio+UXQ= +github.com/google/cel-go v0.26.1/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM= github.com/google/flatbuffers v25.2.10+incompatible h1:F3vclr7C3HpB1k9mxCGRMXq6FdUalZ6H/pNX4FP1v0Q= github.com/google/flatbuffers v25.2.10+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo= diff --git a/heartbeat/Dockerfile b/heartbeat/Dockerfile index 5307b48d604c..939174cc2f74 100644 --- a/heartbeat/Dockerfile +++ b/heartbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.13-bookworm +FROM golang:1.25.8-bookworm RUN \ apt-get update \ diff --git a/heartbeat/hbtest/hbtestutil.go b/heartbeat/hbtest/hbtestutil.go index 74cc99648140..50588a7aac86 100644 --- a/heartbeat/hbtest/hbtestutil.go +++ b/heartbeat/hbtest/hbtestutil.go @@ -212,7 +212,7 @@ func ResolveChecks(ip string) validator.Validator { func SimpleURLChecks(t *testing.T, scheme string, host string, port uint16) validator.Validator { hostPort := host if port != 0 { - hostPort = fmt.Sprintf("%s:%d", host, port) + hostPort = net.JoinHostPort(host, strconv.Itoa(int(port))) } u, err := url.Parse(fmt.Sprintf("%s://%s", scheme, hostPort)) diff --git a/heartbeat/monitors/active/http/http_test.go b/heartbeat/monitors/active/http/http_test.go index de786fba2862..460acf35f4f2 100644 --- a/heartbeat/monitors/active/http/http_test.go +++ b/heartbeat/monitors/active/http/http_test.go @@ -32,6 +32,7 @@ import ( "os" "path" "reflect" + "strconv" "sync" "testing" "time" @@ -620,7 +621,7 @@ func TestConnRefusedJob(t *testing.T) { lookslike.Strict(lookslike.Compose( hbtest.BaseChecks(ip, "down", "http"), hbtest.SummaryStateChecks(0, 1), - hbtest.ECSErrCodeChecks(ecserr.CODE_NET_COULD_NOT_CONNECT, fmt.Sprintf("%s:%d", ip, port)), + hbtest.ECSErrCodeChecks(ecserr.CODE_NET_COULD_NOT_CONNECT, net.JoinHostPort(ip, strconv.Itoa(int(port)))), urlChecks(url), )), event.Fields, @@ -642,7 +643,7 @@ func TestUnreachableJob(t *testing.T) { lookslike.Strict(lookslike.Compose( hbtest.BaseChecks(ip, "down", "http"), hbtest.SummaryStateChecks(0, 1), - hbtest.ECSErrCodeChecks(ecserr.CODE_NET_COULD_NOT_CONNECT, fmt.Sprintf("%s:%d", ip, port)), + hbtest.ECSErrCodeChecks(ecserr.CODE_NET_COULD_NOT_CONNECT, net.JoinHostPort(ip, strconv.Itoa(int(port)))), urlChecks(url), )), event.Fields, diff --git a/libbeat/docs/version.asciidoc b/libbeat/docs/version.asciidoc index 26fee6f23609..036a42a9b67e 100644 --- a/libbeat/docs/version.asciidoc +++ b/libbeat/docs/version.asciidoc @@ -1,6 +1,6 @@ :stack-version: 9.3.0 :doc-branch: current -:go-version: 1.24.13 +:go-version: 1.25.8 :release-state: unreleased :python: 3.7 :docker: 1.12 diff --git a/libbeat/processors/add_kubernetes_metadata/indexers.go b/libbeat/processors/add_kubernetes_metadata/indexers.go index b3ab387b2068..a60ee2e21ea7 100644 --- a/libbeat/processors/add_kubernetes_metadata/indexers.go +++ b/libbeat/processors/add_kubernetes_metadata/indexers.go @@ -19,6 +19,8 @@ package add_kubernetes_metadata import ( "fmt" + "net" + "strconv" "github.com/elastic/elastic-agent-autodiscover/kubernetes" "github.com/elastic/elastic-agent-autodiscover/kubernetes/metadata" @@ -247,7 +249,7 @@ func (h *IPPortIndexer) GetMetadata(pod *kubernetes.Pod) []MetadataIndex { if port.ContainerPort != 0 { m = append(m, MetadataIndex{ - Index: fmt.Sprintf("%s:%d", pod.Status.PodIP, port.ContainerPort), + Index: net.JoinHostPort(pod.Status.PodIP, strconv.Itoa(int(port.ContainerPort))), Data: h.metaGen.Generate( pod, metadata.WithFields("container.name", container.Name), @@ -279,7 +281,7 @@ func (h *IPPortIndexer) GetIndexes(pod *kubernetes.Pod) []string { for _, port := range ports { if port.ContainerPort != 0 { - hostPorts = append(hostPorts, fmt.Sprintf("%s:%d", pod.Status.PodIP, port.ContainerPort)) + hostPorts = append(hostPorts, net.JoinHostPort(pod.Status.PodIP, strconv.Itoa(int(port.ContainerPort)))) } } } diff --git a/libbeat/processors/add_kubernetes_metadata/indexers_test.go b/libbeat/processors/add_kubernetes_metadata/indexers_test.go index ab506f45a15a..26768fb9d2bc 100644 --- a/libbeat/processors/add_kubernetes_metadata/indexers_test.go +++ b/libbeat/processors/add_kubernetes_metadata/indexers_test.go @@ -19,6 +19,8 @@ package add_kubernetes_metadata import ( "fmt" + "net" + "strconv" "testing" "github.com/elastic/elastic-agent-autodiscover/kubernetes" @@ -468,12 +470,12 @@ func TestIpPortIndexer(t *testing.T) { indexers = ipIndexer.GetMetadata(&pod) assert.Len(t, indexers, 2) assert.Equal(t, ip, indexers[0].Index) - assert.Equal(t, fmt.Sprintf("%s:%d", ip, port), indexers[1].Index) + assert.Equal(t, net.JoinHostPort(ip, strconv.Itoa(int(port))), indexers[1].Index) indices = ipIndexer.GetIndexes(&pod) assert.Len(t, indices, 2) assert.Equal(t, ip, indices[0]) - assert.Equal(t, fmt.Sprintf("%s:%d", ip, port), indices[1]) + assert.Equal(t, net.JoinHostPort(ip, strconv.Itoa(int(port))), indices[1]) assert.Equal(t, expected.String(), indexers[0].Data.String()) expected.Put("kubernetes.container", diff --git a/metricbeat/Dockerfile b/metricbeat/Dockerfile index aef808d92b3d..12f15a24859e 100644 --- a/metricbeat/Dockerfile +++ b/metricbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.13-bookworm +FROM golang:1.25.8-bookworm COPY --from=docker:26.0.0-alpine3.19 /usr/local/bin/docker /usr/local/bin/ COPY --from=docker:26.0.0-alpine3.19 /usr/local/libexec/docker/cli-plugins/docker-compose /usr/local/lib/docker/cli-plugins/docker-compose diff --git a/metricbeat/helper/server/tcp/tcp_test.go b/metricbeat/helper/server/tcp/tcp_test.go index 07dcfea13f3c..80e0a51b1387 100644 --- a/metricbeat/helper/server/tcp/tcp_test.go +++ b/metricbeat/helper/server/tcp/tcp_test.go @@ -20,8 +20,8 @@ package tcp import ( - "fmt" "net" + "strconv" "testing" "github.com/stretchr/testify/assert" @@ -31,7 +31,7 @@ import ( ) func GetTestTcpServer(host string, port int) (server.Server, error) { - addr, err := net.ResolveTCPAddr("tcp", fmt.Sprintf("%s:%d", host, port)) + addr, err := net.ResolveTCPAddr("tcp", net.JoinHostPort(host, strconv.Itoa(int(port)))) if err != nil { return nil, err @@ -80,7 +80,7 @@ func TestTcpServer(t *testing.T) { } func writeToServer(t *testing.T, message, host string, port int) { - servAddr := fmt.Sprintf("%s:%d", host, port) + servAddr := net.JoinHostPort(host, strconv.Itoa(int(port))) tcpAddr, err := net.ResolveTCPAddr("tcp", servAddr) if err != nil { t.Error(err) diff --git a/metricbeat/helper/server/udp/udp_test.go b/metricbeat/helper/server/udp/udp_test.go index 664c4dd23dca..47e5e4702fa3 100644 --- a/metricbeat/helper/server/udp/udp_test.go +++ b/metricbeat/helper/server/udp/udp_test.go @@ -31,7 +31,7 @@ import ( ) func GetTestUdpServer(host string, port int) (server.Server, error) { - addr, err := net.ResolveUDPAddr("udp", net.JoinHostPort(host, strconv.Itoa(port))) + addr, err := net.ResolveUDPAddr("udp", net.JoinHostPort(host, strconv.Itoa(int(port)))) if err != nil { return nil, err @@ -78,7 +78,8 @@ func TestUdpServer(t *testing.T) { } func writeToServer(t *testing.T, message, host string, port int) { - conn, err := net.Dial("udp", net.JoinHostPort(host, strconv.Itoa(port))) + servAddr := net.JoinHostPort(host, strconv.Itoa(int(port))) + conn, err := net.Dial("udp", servAddr) if err != nil { t.Error(err) t.FailNow() diff --git a/metricbeat/magefile.go b/metricbeat/magefile.go index 36c1f9770c85..0193044b92d7 100644 --- a/metricbeat/magefile.go +++ b/metricbeat/magefile.go @@ -238,7 +238,13 @@ func GoFIPSOnlyIntegTest(ctx context.Context) error { if !devtools.IsInIntegTestEnv() { mg.SerialDeps(Fields, Dashboards) } - os.Setenv("GODEBUG", "fips140=only") + + // We also set GODEBUG=tlsmlkem=0 to disable the X25519MLKEM768 TLS key + // exchange mechanism; without this setting and with the GODEBUG=fips140=only + // setting, we get errors in tests like so: + // Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode + // Note that we are only disabling this TLS key exchange mechanism in tests! + os.Setenv("GODEBUG", "fips140=only,tlsmlkem=0") return devtools.GoTestIntegrationForModule(ctx) } diff --git a/metricbeat/module/apache/status/status_test.go b/metricbeat/module/apache/status/status_test.go index 192007baa334..34333033f23a 100644 --- a/metricbeat/module/apache/status/status_test.go +++ b/metricbeat/module/apache/status/status_test.go @@ -245,7 +245,7 @@ func TestHostParser(t *testing.T) { {"localhost/ServerStatus", "http://localhost/ServerStatus?auto=", ""}, {"127.0.0.1", "http://127.0.0.1/server-status?auto=", ""}, {"https://127.0.0.1", "https://127.0.0.1/server-status?auto=", ""}, - {"[2001:db8::1]:80", "http://[2001:db8::1]:80/server-status?auto=", ""}, + {"[2001:db8:0:1::]:80", "http://[2001:db8:0:1::]:80/server-status?auto=", ""}, {"https://admin:secret@127.0.0.1", "https://admin:secret@127.0.0.1/server-status?auto=", ""}, } diff --git a/metricbeat/module/http/_meta/Dockerfile b/metricbeat/module/http/_meta/Dockerfile index df34ec3b0853..06728dc25560 100644 --- a/metricbeat/module/http/_meta/Dockerfile +++ b/metricbeat/module/http/_meta/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.13-bookworm +FROM golang:1.25.8-bookworm COPY test/main.go main.go diff --git a/metricbeat/module/vsphere/_meta/Dockerfile b/metricbeat/module/vsphere/_meta/Dockerfile index f18078fde01f..c8bd4e523344 100644 --- a/metricbeat/module/vsphere/_meta/Dockerfile +++ b/metricbeat/module/vsphere/_meta/Dockerfile @@ -1,5 +1,5 @@ ARG VSPHERE_GOLANG_VERSION -FROM golang:1.24.13-bookworm +FROM golang:1.25.8-bookworm RUN apt-get install curl git RUN go install github.com/vmware/govmomi/vcsim@v0.30.4 diff --git a/packetbeat/Dockerfile b/packetbeat/Dockerfile index bf2f3d97aa47..956fed1eef37 100644 --- a/packetbeat/Dockerfile +++ b/packetbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.13-bookworm +FROM golang:1.25.8-bookworm RUN \ apt-get update \ diff --git a/testing/go-ech/ech.go b/testing/go-ech/ech.go index c37bad5ac105..0ff40eb03129 100644 --- a/testing/go-ech/ech.go +++ b/testing/go-ech/ech.go @@ -61,7 +61,6 @@ func VerifyFIPSBinary(t *testing.T, binaryPath string) { case "-tags": foundTags = true assert.Contains(t, setting.Value, "requirefips") - assert.Contains(t, setting.Value, "ms_tls13kdf") continue case "GOEXPERIMENT": foundExperiment = true diff --git a/x-pack/metricbeat/magefile.go b/x-pack/metricbeat/magefile.go index 82bda3e86691..b047e0063e32 100644 --- a/x-pack/metricbeat/magefile.go +++ b/x-pack/metricbeat/magefile.go @@ -267,7 +267,12 @@ func GoIntegTest(ctx context.Context) error { // Use TEST_TAGS=tag1,tag2 to add additional build tags. // Use MODULE=module to run only tests for `module`. func GoFIPSOnlyIntegTest(ctx context.Context) error { - os.Setenv("GODEBUG", "fips140=only") + // We also set GODEBUG=tlsmlkem=0 to disable the X25519MLKEM768 TLS key + // exchange mechanism; without this setting and with the GODEBUG=fips140=only + // setting, we get errors in tests like so: + // Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode + // Note that we are only disabling this TLS key exchange mechanism in tests! + os.Setenv("GODEBUG", "fips140=only,tlsmlkem=0") return GoIntegTest(ctx) } diff --git a/x-pack/metricbeat/module/airflow/statsd/data_test.go b/x-pack/metricbeat/module/airflow/statsd/data_test.go index da8ebc40f46d..d81f0b3fd880 100644 --- a/x-pack/metricbeat/module/airflow/statsd/data_test.go +++ b/x-pack/metricbeat/module/airflow/statsd/data_test.go @@ -8,6 +8,7 @@ import ( "fmt" "net" "runtime" + "strconv" "sync" "testing" @@ -43,7 +44,7 @@ func getConfig() map[string]interface{} { } func createEvent(data string, t *testing.T) { - udpAddr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", STATSD_HOST, STATSD_PORT)) + udpAddr, err := net.ResolveUDPAddr("udp", net.JoinHostPort(STATSD_HOST, strconv.Itoa(int(STATSD_PORT)))) require.NoError(t, err) conn, err := net.DialUDP("udp", nil, udpAddr) diff --git a/x-pack/metricbeat/module/stan/_meta/Dockerfile b/x-pack/metricbeat/module/stan/_meta/Dockerfile index 66efaecbb10c..71d7fbf6467e 100644 --- a/x-pack/metricbeat/module/stan/_meta/Dockerfile +++ b/x-pack/metricbeat/module/stan/_meta/Dockerfile @@ -2,7 +2,7 @@ ARG STAN_VERSION=0.15.1 FROM nats-streaming:$STAN_VERSION # build stage -FROM golang:1.24.13-bookworm AS build-env +FROM golang:1.25.8-bookworm AS build-env RUN apt-get install git mercurial gcc RUN git clone https://github.com/nats-io/stan.go.git /stan-go RUN cd /stan-go/examples/stan-bench && git checkout tags/v0.5.2 && go build . diff --git a/x-pack/packetbeat/scripts/mage/pcap.go b/x-pack/packetbeat/scripts/mage/pcap.go index 25bddbc269d4..247241b9e987 100644 --- a/x-pack/packetbeat/scripts/mage/pcap.go +++ b/x-pack/packetbeat/scripts/mage/pcap.go @@ -22,7 +22,7 @@ import ( // the packetbeat executable. It is used to specify which npcap builder crossbuild // image to use and the installer to obtain from the cloud store for testing. const ( - NpcapVersion = "1.83" + NpcapVersion = "1.87" installer = "npcap-" + NpcapVersion + "-oem.exe" ) diff --git a/x-pack/packetbeat/tests/system/app_test.go b/x-pack/packetbeat/tests/system/app_test.go index 7f78d57e77f1..88207128e386 100644 --- a/x-pack/packetbeat/tests/system/app_test.go +++ b/x-pack/packetbeat/tests/system/app_test.go @@ -24,7 +24,7 @@ import ( ) // Keep in sync with NpcapVersion in magefile.go. -const NpcapVersion = "1.83" +const NpcapVersion = "1.87" func TestWindowsNpcapInstaller(t *testing.T) { if runtime.GOOS != "windows" {