Merge pull request juju#17794 from hpidcock/update-deps-2.9-20240723

juju#17794

Adds govulncheck linting to help with identifying vulnerable imported modules that are used.

Updates dependencies to fix: 
- [GO-2024-2958](https://pkg.go.dev/vuln/GO-2024-2958)
- [GO-2024-2918](https://pkg.go.dev/vuln/GO-2024-2918)
- [GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611)

## QA steps

Build. Bootstrap. Deploy.

## Documentation changes

N/A

## Links

https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck

.github/workflows/static-analysis.yml

@@ -49,7 +49,8 @@ jobs:
         echo "GOPATH=$(go env GOPATH)" >> $GITHUB_ENV
         echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
 
-        curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.54.2
+        go install golang.org/x/vuln/cmd/govulncheck@latest
+        curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.59.1
         sudo curl -sSfL https://github.com/mvdan/sh/releases/download/v3.7.0/shfmt_v3.7.0_linux_$(go env GOARCH) -o /usr/bin/shfmt
         sudo chmod +x /usr/bin/shfmt
         sudo DEBIAN_FRONTEND=noninteractive apt install -y expect
@@ -58,27 +59,23 @@ jobs:
       run: go mod download
 
     - name: "Static Analysis: Copyright"
-      if: steps.filter.outputs.static-analysis == 'true' || steps.filter.outputs.go == 'true'
       run: |
         STATIC_ANALYSIS_JOB=test_copyright make static-analysis
       shell: bash
 
     - name: "Static Analysis: Shell Check"
-      if: steps.filter.outputs.static-analysis == 'true' || steps.filter.outputs.sh == 'true'
       run: |
         STATIC_ANALYSIS_JOB=test_static_analysis_shell make static-analysis
       shell: bash
 
     - name: "Static Analysis: Go Check"
-      if: steps.filter.outputs.static-analysis == 'true' || steps.filter.outputs.go == 'true'
       run: |
         # Explicitly set GOROOT to avoid golangci-lint/issues/3107
         export "GOROOT=$(go env GOROOT)"
         STATIC_ANALYSIS_JOB=test_static_analysis_go make static-analysis
       shell: bash
 
     - name: "Static Analysis: Python Check"
-      if: steps.filter.outputs.static-analysis == 'true' || steps.filter.outputs.python == 'true'
       run: |
         STATIC_ANALYSIS_JOB=test_static_analysis_python make static-analysis
       shell: bash

acceptancetests/jujupy/client.py

@@ -1868,7 +1868,7 @@ def backup(self):
             raise
         log.info('backup file {}'.format(output))
         backup_file_pattern = re.compile(
-            '(juju-backup-[0-9-]+\.(t|tar.)gz)'.encode('ascii'))
+            '(juju-backup-[0-9-]+\\.(t|tar.)gz)'.encode('ascii'))
         match = backup_file_pattern.search(output)
         if match is None:
             raise Exception("The backup file was not found in output: %s" %
@@ -2273,7 +2273,7 @@ def handle_openstack(self, child, cloud):
             child.expect(self.REGION_ENDPOINT_PROMPT)
             child.sendline(values['endpoint'])
             match = child.expect([
-                u"Enter another region\? \([yY]/[nN]\):",
+                u"Enter another region\\? \\([yY]/[nN]\\):",
                 u"Can't validate endpoint"
             ])
             if match == 1:
@@ -2285,7 +2285,7 @@ def handle_openstack(self, child, cloud):
 
     def handle_vsphere(self, child, cloud):
         match = child.expect([u"Enter a name for your .* cloud:",
-                              u'Enter the (vCenter address or URL|API endpoint url for the cloud \[\]):'])
+                              u'Enter the (vCenter address or URL|API endpoint url for the cloud \\[\\]):'])
         if match == 0:
             raise NameNotAccepted('Cloud name not accepted.')
         if match == 1:
@@ -2301,7 +2301,7 @@ def handle_vsphere(self, child, cloud):
                 raise InvalidEndpoint()
             child.sendline(name)
             child.expect(
-                u'Enter another (datacenter|region)\? \([yY]/[nN]\):')
+                u'Enter another (datacenter|region)\\? \\([yY]/[nN]\\):')
             if num + 1 < len(cloud['regions']):
                 child.sendline('y')
             else:
@@ -2410,7 +2410,7 @@ def register_user_interactively(client, token, controller_name):
         child.sendline(password)
         child.expect(u'Confirm password:')
         child.sendline(password)
-        child.expect(u'Enter a name for this controller( \[.*\])?:')
+        child.expect(u'Enter a name for this controller( \\[.*\\])?:')
         child.sendline(controller_name)
 
         def login_if_need(session):

acceptancetests/jujupy/tests/test_status.py

@@ -80,7 +80,7 @@ def test_to_exception_stuck_allocating(self):
                                      current='allocating', message='foo')
         with self.assertRaisesRegexp(
                 StuckAllocatingError,
-                "\('0', 'Stuck allocating.  Last message: foo'\)"):
+                "\\('0', 'Stuck allocating.  Last message: foo'\\)"):
             raise item.to_exception()
 
     def test_to_exception_allocating_unit(self):

acceptancetests/repository/trusty/haproxy/cm.py

@@ -32,7 +32,7 @@ def get_branch_config(config_file):
             line = line.split('#')[0].strip()
             bzr_match = re.match(r'(\S+)\s+'
                                  'lp:([^;]+)'
-                                 '(?:;revno=(\d+))?', line)
+                                 '(?:;revno=(\\d+))?', line)
             if bzr_match:
                 name, branch, revno = bzr_match.group(1, 2, 3)
                 if revno is None:
@@ -42,7 +42,7 @@ def get_branch_config(config_file):
                 branches[name] = (branch, revspec)
                 continue
             dir_match = re.match(r'(\S+)\s+'
-                                 '\(directory\)', line)
+                                 '\\(directory\\)', line)
             if dir_match:
                 name = dir_match.group(1)
                 branches[name] = None

acceptancetests/tests/test_jujucharm.py

@@ -118,7 +118,7 @@ def test_ensure_valid_name(self):
         self.assertIsNone(Charm.NAME_REGEX.match(charm.metadata['name']))
         self.assertRaisesRegexp(
             JujuAssertionError,
-            'Invalid Juju Charm Name, "BAD_NAME" does not match ".*"\.',
+            'Invalid Juju Charm Name, "BAD_NAME" does not match ".*"\\.',
             Charm, 'BAD_NAME', 'A charm with a checked bad name')
 
     def test_ensure_valid_name_anchoring(self):

go.mod

@@ -3,8 +3,8 @@ module github.com/juju/juju
 go 1.21
 
 require (
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.2
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v2 v2.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.4.0
@@ -36,9 +36,9 @@ require (
 	github.com/gofrs/uuid v4.2.0+incompatible
 	github.com/google/gnostic-models v0.6.8
 	github.com/google/go-querystring v1.1.0
-	github.com/google/uuid v1.4.0
+	github.com/google/uuid v1.6.0
 	github.com/gorilla/handlers v1.3.0
-	github.com/gorilla/schema v1.2.0
+	github.com/gorilla/schema v1.4.1
 	github.com/gorilla/websocket v1.5.0
 	github.com/gosuri/uitable v0.0.1
 	github.com/hashicorp/go-hclog v0.9.1
@@ -133,10 +133,10 @@ require (
 
 require (
 	cloud.google.com/go/compute/metadata v0.3.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
 	github.com/ChrisTrenkamp/goxpath v0.0.0-20210404020558-97928f7e12b6 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 // indirect
@@ -163,7 +163,7 @@ require (
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/godbus/dbus/v5 v5.0.4 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
@@ -224,7 +224,7 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pborman/uuid v1.2.1 // indirect
-	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/term v1.1.0 // indirect
 	github.com/pkg/xattr v0.4.9 // indirect
@@ -234,12 +234,12 @@ require (
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
 	github.com/rogpeppe/fastuuid v1.2.0 // indirect
-	github.com/rogpeppe/go-internal v1.10.0 // indirect
+	github.com/rogpeppe/go-internal v1.12.0 // indirect
 	github.com/rs/xid v1.5.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/std-uritemplate/std-uritemplate/go v0.0.47 // indirect
-	github.com/stretchr/testify v1.8.4 // indirect
+	github.com/stretchr/testify v1.9.0 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/xdg-go/stringprep v1.0.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
@@ -256,7 +256,7 @@ require (
 	golang.org/x/time v0.5.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f // indirect
 	google.golang.org/grpc v1.59.0 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/errgo.v1 v1.0.1 // indirect
 	gopkg.in/gobwas/glob.v0 v0.2.3 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect