* no-op commit
* Sgm/without envelope wireup (#15441)
* Changes needed to allow encryption/decryption with gcpckms in managed keys
* wip
* wip
* wip
* Normalize key purposes across implementations
* update kmse
* Update kms wrapper deps to those that support WithoutEnvelope
* crucially, supply the option in the wrapper managed key impl
* restore the kmse update
* no, that's done via the encryptWithManagedKey in Policy, not needed here
* changelog
* remove replace
* Update sdk's go-kms-wrapping
* mod tidy
* Switch to using the main wrapper even for testing.
* update test cluster usage
* Update go.mod
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
* Update go.mod
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
* more go.sum update
* PR feedback
* GCPC KMS needed some more config massaging to work w/ encryption
---------
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
---------
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
* bumped crypto dep and ran go mod tidy
* bumped net and ran go mod tidy
* bumped net in api from 53 to 55 and ran go mod tidy
* added changelog
* bump deps for all go modules
---------
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: kelly <69541941+kporter101@users.noreply.github.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* [VAULT-45173] go: bump several dependencies to resolve GHSA-j88v-2chj-qfwx
This PR has a set of fairly complex dependency bumps to resolve GHSA-j88v-2chj-qfwx. For the third time in about six weeks, we've had to deal with CVEs in old and unsupported versions of `jackc/pgx`. These changes are for us to rid ourselves of those transitive dependencies completely.
First, we get rid of `jackc/pgx/v4` by bumping `cloud.google.com/go/cloudsqlconn` to `v1.21.0`, which pulls in `v5`.
Next, we have to get rid of `jackc/pgx v3`, which was brought in via a chain of `hashicorp/go-discover` -> `joyent/triton-go` -> `jackc/pgx/v3`. First, we updated `go-discover` to pull in the v2 module of `triton-go` from the modern upstream ([0], [1]) and pin to it. Then we update our own manta support to pull in the v2 module. Finally, we replace the `TritonDataCenter/triton-go` module with a fork that removes an unnecessary dep on `pgx/v3`. [2]
[0]: https://github.com/hashicorp/go-discover/pull/326
[1]: https://github.com/hashicorp/go-discover/pull/332
[2]: https://github.com/TritonDataCenter/triton-go/pull/207
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* go: resolve GHSA-wf45-q9ch-q8gh by upgrading github.com/apache/thrift
`github.com/apache/thrift` is required for the snowflake plugin. I've
updated that upstream[0] so this change is only necessary to get past
the scanner until a new version of the snowflake plugin is released and
we've updated our pin.
Using v0.23.0 was actually not possible since there's an overflow on 32 bit
architectures. Instead, we use the first commit since the release that fixes
that issue.[1]
[0]: https://github.com/hashicorp/vault-plugin-database-snowflake/pull/181
[1]: https://github.com/apache/thrift/pull/3428
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* VAULT-44412: upgrade github.com/Azure/go-ntlmssp to resolve GHSA-pjcq-xvwq-hhpj
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* go: resolve GHSA-92mm-2pjq-r785 by upgrading github.com/hashicorp/go-getter (#13878)
* go: resolve GHSA-92mm-2pjq-r785 by upgrading github.com/hashicorp/go-getter
Signed-off-by: Ryan Cragun <me@ryan.ec>
* go mod tidy
NOTE: go-getter is only used in vault-enterprise. As such this change
only represents modified transient dependencies.
Signed-off-by: Ryan Cragun <me@ryan.ec>
---------
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
- Resolve GHSA-xmrv-pmrh-hhx2 by upgrading our AWS v2 modules.
- Add an exemption for GHSA-6jwv-w5xf-7j27 as it is not really an issue. See the note in the scanner config for more info.
- Resolve GO-2026-4870, GO-2026-4947, GO-2026-4866, GO-2026-4864, GO-2026-4869, GO-2026-4865, and GO-2026-4946 by upgrading to Go 1.26.2
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
go: resolve CVE-2026-34986 and CVE-2026-34986 by upgrading github.com/go-jose/go-jose
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
secrets-store-sync is an enterprise only dep but it changes shared transitive deps with CE which are included here.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Resolve GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9 in `vault` by replacing
`github.com/docker/docker` with `github.com/moby/moby/client` @ `v0.3.0` and
`github.com/moby/moby/api` @ `v1.54.0`. This is necessary as `docker/docker`
is no longer maintained and the fixes are not available in it.
Resolve GO-2026-4518, GHSA-x6gf-mpr2-68h6 and GHSA-jqcq-xjh3-6g23 by
upgrading to github.com/jackc/pgx/v5. This is necessary as v4 is no
longer maintained.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Update vault-plugin-database-snowflake to v0.16.0 (#13240)
* Update vault-plugin-database-snowflake to v0.16.0
* Add changelog
---------
Co-authored-by: hc-github-team-secure-vault-ecosystem <hc-github-team-secure-vault-ecosystem@users.noreply.github.com>
* changes after go mod tidy to fix failing GitHub checks
---------
Co-authored-by: hc-github-team-secure-vault-ecosystem <hc-github-team-secure-vault-ecosystem@users.noreply.github.com>
Co-authored-by: Arjun K S <arjun.ks@hashicorp.com>