update to upstream Grafana 7.5.13, support go1.18

002-manpages.patch

@@ -4,7 +4,7 @@ index 0000000000..7ac2af882c
 --- /dev/null
 +++ b/docs/man/man1/grafana-cli.1
 @@ -0,0 +1,60 @@
-+.TH GRAFANA "1" "October 2021" "Grafana cli version 7.5.11" "User Commands"
++.TH GRAFANA "1" "January 2022" "Grafana cli version 7.5.13" "User Commands"
 +.SH NAME
 +grafana-cli \- command line administration for the Grafana metrics dashboard and graph editor
 +.SH DESCRIPTION
@@ -70,7 +70,7 @@ index 0000000000..c616268b31
 --- /dev/null
 +++ b/docs/man/man1/grafana-server.1
 @@ -0,0 +1,72 @@
-+.TH VERSION "1" "October 2021" "Version 7.5.11" "User Commands"
++.TH VERSION "1" "January 2022" "Version 7.5.13" "User Commands"
 +.SH NAME
 +grafana-server \- back-end server for the Grafana metrics dashboard and graph editor
 +.SH DESCRIPTION

011-CVE-2021-43813.patch

@@ -1,52 +0,0 @@
-commit ea77415cfe2cefe46ffce233076a1409abaa8df7
-Author: Will Browne <wbrowne@users.noreply.github.com>
-Date:   Fri Dec 10 11:29:12 2021 +0000
-
-    apply fix (#42969)
-
-diff --git a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go
-index e6370a29e7..c7199c716e 100644
---- a/pkg/plugins/plugins.go
-+++ b/pkg/plugins/plugins.go
-@@ -491,15 +491,15 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
- 	}
- 
- 	// nolint:gosec
--	// We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
--	// on plugin the folder structure on disk and not user input.
--	path := filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
-+	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
-+	// use this with a prefix of the plugin's directory, which is set during plugin loading
-+	path := filepath.Join(plug.PluginDir, mdFilepath(strings.ToUpper(name)))
- 	exists, err := fs.Exists(path)
- 	if err != nil {
- 		return nil, err
- 	}
- 	if !exists {
--		path = filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
-+		path = filepath.Join(plug.PluginDir, mdFilepath(strings.ToLower(name)))
- 	}
- 
- 	exists, err = fs.Exists(path)
-@@ -511,8 +511,8 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
- 	}
- 
- 	// nolint:gosec
--	// We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
--	// on plugin the folder structure on disk and not user input.
-+	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
-+	// use this with a prefix of the plugin's directory, which is set during plugin loading
- 	data, err := ioutil.ReadFile(path)
- 	if err != nil {
- 		return nil, err
-@@ -520,6 +520,10 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
- 	return data, nil
- }
- 
-+func mdFilepath(mdFilename string) string {
-+	return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
-+}
-+
- // gets plugin filenames that require verification for plugin signing
- func collectPluginFilesWithin(rootDir string) ([]string, error) {
- 	var files []string

012-support-go1.18.patch

@@ -0,0 +1,28 @@
+# json-iterator/go supports go1.18 since v1.1.12
+# https://github.com/json-iterator/go/releases/tag/v1.1.12
+#
+# gonum.org/v1/gonum supports go1.18 since commit cccd8af5f6bd1539dd688c88102cb37e9117f96a
+# https://github.com/gonum/gonum/pull/1729
+
+diff --git a/go.mod b/go.mod
+index 67932fe072..2aa638fe9a 100644
+--- a/go.mod
++++ b/go.mod
+@@ -55,7 +55,7 @@ require (
+ 	github.com/jaegertracing/jaeger v1.22.1-0.20210304164023-2fff3ca58910
+ 	github.com/jmespath/go-jmespath v0.4.0
+ 	github.com/jonboulle/clockwork v0.2.2 // indirect
+-	github.com/json-iterator/go v1.1.10
++	github.com/json-iterator/go v1.1.12
+ 	github.com/lib/pq v1.9.0
+ 	github.com/linkedin/goavro/v2 v2.10.0
+ 	github.com/magefile/mage v1.11.0
+@@ -88,7 +88,7 @@ require (
+ 	golang.org/x/oauth2 v0.0.0-20210113205817-d3ed898aa8a3
+ 	golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
+ 	golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e
+-	gonum.org/v1/gonum v0.8.2
++	gonum.org/v1/gonum v0.9.1-0.20220120213227-d4eca1bbc084
+ 	google.golang.org/api v0.40.0
+ 	google.golang.org/grpc v1.36.0
+ 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect

Makefile

@@ -13,11 +13,13 @@ WEBPACK_TAR := $(RPM_NAME)-webpack-$(VERSION)-$(RELEASE).tar.gz
 # - changes in Go module imports (which affect the vendored Go modules)
 PATCHES_PRE_VENDOR := \
 	005-remove-unused-dependencies.patch \
-	008-remove-unused-frontend-crypto.patch
+	008-remove-unused-frontend-crypto.patch \
+	012-support-go1.18.patch
 
 # patches which must be applied before creating the webpack, for example:
 # - changes in Node.js sources or vendored dependencies
-PATCHES_PRE_WEBPACK :=
+PATCHES_PRE_WEBPACK := \
+	008-remove-unused-frontend-crypto.patch
 
 
 all: $(SOURCE_TAR) $(VENDOR_TAR) $(WEBPACK_TAR)

grafana.spec

@@ -29,8 +29,8 @@ end}
 %endif
 
 Name:             grafana
-Version:          7.5.11
+Version:          7.5.13
-Release:          4%{?dist}
+Release:          1%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          ASL 2.0
 URL:              https://grafana.org
@@ -91,9 +91,9 @@ Patch9:           009-patch-unused-backend-crypto.patch
 # if FIPS mode is enabled.
 Patch10:          010-fips.patch
 
-Patch11:          011-CVE-2021-43813.patch
+Patch11:          011-use-hmac-sha-256-for-password-reset-tokens.patch
 
-Patch12:          012-use-hmac-sha-256-for-password-reset-tokens.patch
+Patch12:          012-support-go1.18.patch
 
 # Intersection of go_arches and nodejs_arches
 ExclusiveArch:    %{grafana_arches}
@@ -197,7 +197,7 @@ Provides: bundled(golang(github.com/inconshreveable/log15)) = 0.0.0-201808181646
 Provides: bundled(golang(github.com/influxdata/influxdb-client-go/v2)) = 2.2.0
 Provides: bundled(golang(github.com/jaegertracing/jaeger)) = 1.22.1-0.20210304164023.2fff3ca58910
 Provides: bundled(golang(github.com/jmespath/go-jmespath)) = 0.4.0
-Provides: bundled(golang(github.com/json-iterator/go)) = 1.1.10
+Provides: bundled(golang(github.com/json-iterator/go)) = 1.1.12
 Provides: bundled(golang(github.com/lib/pq)) = 1.9.0
 Provides: bundled(golang(github.com/linkedin/goavro/v2)) = 2.10.0
 Provides: bundled(golang(github.com/magefile/mage)) = 1.11.0
@@ -230,7 +230,7 @@ Provides: bundled(golang(golang.org/x/net)) = 0.0.0-20210119194325.5f4716e94777
 Provides: bundled(golang(golang.org/x/oauth2)) = 0.0.0-20210113205817.d3ed898aa8a3
 Provides: bundled(golang(golang.org/x/sync)) = 0.0.0-20201207232520.09787c993a3a
 Provides: bundled(golang(golang.org/x/time)) = 0.0.0-20200630173020.3af7569d3a1e
-Provides: bundled(golang(gonum.org/v1/gonum)) = 0.8.2
+Provides: bundled(golang(gonum.org/v1/gonum)) = 0.9.1-0.20220120213227.d4eca1bbc084
 Provides: bundled(golang(google.golang.org/api)) = 0.40.0
 Provides: bundled(golang(google.golang.org/grpc)) = 1.36.0
 Provides: bundled(golang(gopkg.in/ini.v1)) = 1.62.0
@@ -680,6 +680,10 @@ OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryptio
 
 
 %changelog
+* Fri Jan 28 2022 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.13-1
+- update to 7.5.13 tagged upstream community sources, see CHANGELOG
+- support Go 1.18
+
 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 7.5.11-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 

sources

@@ -1,3 +1,3 @@
-SHA512 (grafana-7.5.11.tar.gz) = 355af8d8cff77b2222d18559add8d2a16b086f6354d92b188d2f26fc0b7ffa04b877e568ddcfbc61b8786bdfdc59263009b727ef00b56438ef3fa9bbe6d80583
+SHA512 (grafana-7.5.13.tar.gz) = 25ae342cce34b4b120d278036ff2e515da74b62eec2283bb4c6f49e096163afaf6ae3ed3365e55d5a2b15d89db102724951948efdd876b2358d93cf0aac9a148
-SHA512 (grafana-webpack-7.5.11-1.tar.gz) = da927873d5797849783b02126e3f30384fd02ded604c3e50667a27ba1d1c9f9fb6a646ec48f1ac141ffd261c4132b303ffb970d84418332dae60f375258268f6
+SHA512 (grafana-webpack-7.5.13-1.tar.gz) = 5c5c45b548bca1a784f9de0c49aff5fb43d12a63b8c4a49639c34438cdc9b58e6cb5a0f027219b2090de5ba0ecc6919c813569ee4941e1c921843b77733079a7
-SHA512 (grafana-vendor-7.5.11-1.tar.xz) = 37437f704ee51323d058072a63c3e8700268bf97dd58577a6f6c64b9c8f7ee35b120aa46ba8aea3854a088eddd6a59c24cee0232ecfa52de5b8c8cba5041a96e
+SHA512 (grafana-vendor-7.5.13-1.tar.xz) = 4418e4b4c2df70f1a13ef6f56b20e6afc12f10f57533877aa626313163de7e0766dc4f1b676d54e15c6063c6a4114e5360ecdce40be87561ff68e7f54bdc5da6