[OSS] security: update go to 1.20.1 (#16263)

* security: update go to 1.20.1
2023-02-17 15:04:12 -05:00 · 2023-02-17 15:04:12 -05:00 · 29497be7e8
parent 9027a9629d
commit 29497be7e8
29 changed files with 81 additions and 124 deletions
--- a/.changelog/16263.txt
+++ b/.changelog/16263.txt
@ -0,0 +1,4 @@
+```release-note:security
+Upgrade to use Go 1.20.1. 
+This resolves vulnerabilities [CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and [CVE-2022-41723](https://go.dev/issue/57855) in `net/http`.
+```
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -21,7 +21,7 @@ references:
    GIT_COMMITTER_NAME: circleci-consul
    S3_ARTIFACT_BUCKET: consul-dev-artifacts-v2
    BASH_ENV: .circleci/bash_env.sh
-    GO_VERSION: 1.19.4
+    GO_VERSION: 1.20.1
  envoy-versions: &supported_envoy_versions
    - &default_envoy_version "1.22.7"
    - "1.23.4"
@ -39,7 +39,7 @@ references:
  images:
    # When updating the Go version, remember to also update the versions in the
    # workflows section for go-test-lib jobs.
-    go: &GOLANG_IMAGE docker.mirror.hashicorp.services/cimg/go:1.19.4
+    go: &GOLANG_IMAGE docker.mirror.hashicorp.services/cimg/go:1.20.1
    ember: &EMBER_IMAGE docker.mirror.hashicorp.services/circleci/node:14-browsers
    ubuntu: &UBUNTU_CI_IMAGE ubuntu-2004:202201-02
  cache:
@ -613,7 +613,7 @@ jobs:
      - run: *notify-slack-failure
  nomad-integration-test: &NOMAD_TESTS
    docker:
-      - image: docker.mirror.hashicorp.services/cimg/go:1.19
+      - image: docker.mirror.hashicorp.services/cimg/go:1.20
    parameters:
      nomad-version:
        type: enum
@ -1110,35 +1110,35 @@ workflows:
      - go-test-lib:
          name: "go-test-envoyextensions"
          path: envoyextensions
-          go-version: "1.19"
+          go-version: "1.20"
          requires: [dev-build]
          <<: *filter-ignore-non-go-branches
      - go-test-lib:
          name: "go-test-troubleshoot"
          path: troubleshoot
-          go-version: "1.19"
+          go-version: "1.20"
          requires: [dev-build]
          <<: *filter-ignore-non-go-branches
-      - go-test-lib:
-          name: "go-test-api go1.18"
-          path: api
-          go-version: "1.18"
-          requires: [dev-build]
      - go-test-lib:
          name: "go-test-api go1.19"
          path: api
          go-version: "1.19"
          requires: [dev-build]
      - go-test-lib:
-          name: "go-test-sdk go1.18"
-          path: sdk
-          go-version: "1.18"
-          <<: *filter-ignore-non-go-branches
+          name: "go-test-api go1.20"
+          path: api
+          go-version: "1.20"
+          requires: [dev-build]
      - go-test-lib:
          name: "go-test-sdk go1.19"
          path: sdk
          go-version: "1.19"
          <<: *filter-ignore-non-go-branches
+      - go-test-lib:
+          name: "go-test-sdk go1.20"
+          path: sdk
+          go-version: "1.20"
+          <<: *filter-ignore-non-go-branches
      - go-test-race: *filter-ignore-non-go-branches
      - go-test-32bit: *filter-ignore-non-go-branches
      - noop
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -79,15 +79,15 @@ jobs:
    strategy:
      matrix:
        include:
-          - {go: "1.19.4", goos: "linux", goarch: "386"}
-          - {go: "1.19.4", goos: "linux", goarch: "amd64"}
-          - {go: "1.19.4", goos: "linux", goarch: "arm"}
-          - {go: "1.19.4", goos: "linux", goarch: "arm64"}
-          - {go: "1.19.4", goos: "freebsd", goarch: "386"}
-          - {go: "1.19.4", goos: "freebsd", goarch: "amd64"}
-          - {go: "1.19.4", goos: "windows", goarch: "386"}
-          - {go: "1.19.4", goos: "windows", goarch: "amd64"}
-          - {go: "1.19.4", goos: "solaris", goarch: "amd64"}
+          - {go: "1.20.1", goos: "linux", goarch: "386"}
+          - {go: "1.20.1", goos: "linux", goarch: "amd64"}
+          - {go: "1.20.1", goos: "linux", goarch: "arm"}
+          - {go: "1.20.1", goos: "linux", goarch: "arm64"}
+          - {go: "1.20.1", goos: "freebsd", goarch: "386"}
+          - {go: "1.20.1", goos: "freebsd", goarch: "amd64"}
+          - {go: "1.20.1", goos: "windows", goarch: "386"}
+          - {go: "1.20.1", goos: "windows", goarch: "amd64"}
+          - {go: "1.20.1", goos: "solaris", goarch: "amd64"}
      fail-fast: true

    name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build
@ -176,7 +176,7 @@ jobs:
      matrix:
        goos: [ darwin ]
        goarch: [ "amd64", "arm64" ]
-        go: [ "1.19.4" ]
+        go: [ "1.20.1" ]
      fail-fast: true

    name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build
--- a/6
+++ b/6
@ -7,11 +7,11 @@ SHELL = bash
 # These version variables can either be a valid string for "go install <module>@<version>"
 # or the string @DEV to imply use what is currently installed locally.
 ###
-GOLANGCI_LINT_VERSION='v1.50.1'
-MOCKERY_VERSION='v2.15.0'
+GOLANGCI_LINT_VERSION='v1.51.1'
+MOCKERY_VERSION='v2.20.0'
 BUF_VERSION='v1.4.0'
 PROTOC_GEN_GO_GRPC_VERSION="v1.2.0"
-MOG_VERSION='v0.3.0'
+MOG_VERSION='v0.4.0'
 PROTOC_GO_INJECT_TAG_VERSION='v1.3.0'
 PROTOC_GEN_GO_BINARY_VERSION="v0.1.0"
 DEEP_COPY_VERSION='bc3f5aa5735d8a54961580a3a24422c308c831c2'
--- a/agent/agent_test.go
+++ b/agent/agent_test.go
@ -4,12 +4,13 @@ import (
 	"bytes"
 	"context"
 	"crypto/md5"
+	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"math/rand"
+	mathrand "math/rand"
 	"net"
 	"net/http"
 	"net/http/httptest"
@ -752,7 +753,7 @@ func testAgent_AddServices_AliasUpdateCheckNotReverted(t *testing.T, extraHCL st

 func test_createAlias(t *testing.T, agent *TestAgent, chk *structs.CheckType, expectedResult string) func(r *retry.R) {
 	t.Helper()
-	serviceNum := rand.Int()
+	serviceNum := mathrand.Int()
 	srv := &structs.NodeService{
 		Service: fmt.Sprintf("serviceAlias-%d", serviceNum),
 		Tags:    []string{"tag1"},
--- a/agent/consul/auto_config_endpoint_test.go
+++ b/agent/consul/auto_config_endpoint_test.go
@ -3,12 +3,11 @@ package consul
 import (
 	"bytes"
 	"crypto"
-	crand "crypto/rand"
+	"crypto/rand"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
 	"fmt"
-	"math/rand"
 	"net"
 	"net/url"
 	"os"
@ -884,7 +883,7 @@ func TestAutoConfig_parseAutoConfigCSR(t *testing.T) {
 	// customizations to allow for better unit testing.
 	createCSR := func(tmpl *x509.CertificateRequest, privateKey crypto.Signer) (string, error) {
 		connect.HackSANExtensionForCSR(tmpl)
-		bs, err := x509.CreateCertificateRequest(crand.Reader, tmpl, privateKey)
+		bs, err := x509.CreateCertificateRequest(rand.Reader, tmpl, privateKey)
 		require.NoError(t, err)
 		var csrBuf bytes.Buffer
 		err = pem.Encode(&csrBuf, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: bs})
--- a/agent/consul/internal_endpoint_test.go
+++ b/agent/consul/internal_endpoint_test.go
@ -1,9 +1,9 @@
 package consul

 import (
+	"crypto/rand"
 	"encoding/base64"
 	"fmt"
-	"math/rand"
 	"os"
 	"strings"
 	"testing"
--- a/agent/consul/leader_peering_test.go
+++ b/agent/consul/leader_peering_test.go
@ -478,7 +478,7 @@ func TestLeader_PeeringSync_FailsForTLSError(t *testing.T) {
 	t.Run("server-name-validation", func(t *testing.T) {
 		testLeader_PeeringSync_failsForTLSError(t, func(token *structs.PeeringToken) {
 			token.ServerName = "wrong.name"
-		}, `transport: authentication handshake failed: x509: certificate is valid for server.dc1.peering.11111111-2222-3333-4444-555555555555.consul, not wrong.name`)
+		}, `transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate is valid for server.dc1.peering.11111111-2222-3333-4444-555555555555.consul, not wrong.name`)
 	})
 	t.Run("bad-ca-roots", func(t *testing.T) {
 		wrongRoot, err := os.ReadFile("../../test/client_certs/rootca.crt")
@ -486,7 +486,7 @@ func TestLeader_PeeringSync_FailsForTLSError(t *testing.T) {

 		testLeader_PeeringSync_failsForTLSError(t, func(token *structs.PeeringToken) {
 			token.CA = []string{string(wrongRoot)}
-		}, `transport: authentication handshake failed: x509: certificate signed by unknown authority`)
+		}, `transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority`)
 	})
 }

--- a/agent/consul/state/acl_test.go
+++ b/agent/consul/state/acl_test.go
@ -13,7 +13,6 @@ import (

 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
-	"github.com/hashicorp/consul/lib"
 	"github.com/hashicorp/consul/proto/pbacl"
 )

@ -3570,7 +3569,6 @@ func TestStateStore_ACLPolicies_Snapshot_Restore(t *testing.T) {
 }

 func TestTokenPoliciesIndex(t *testing.T) {
-	lib.SeedMathRand()

 	idIndex := &memdb.IndexSchema{
 		Name:         "id",
--- a/agent/coordinate_endpoint_test.go
+++ b/agent/coordinate_endpoint_test.go
@ -40,9 +40,9 @@ func TestCoordinate_Disabled_Response(t *testing.T) {
 			req, _ := http.NewRequest("PUT", "/should/not/care", nil)
 			resp := httptest.NewRecorder()
 			obj, err := tt(resp, req)
-			if err, ok := err.(HTTPError); ok {
-				if err.StatusCode != 401 {
-					t.Fatalf("expected status 401 but got %d", err.StatusCode)
+			if httpErr, ok := err.(HTTPError); ok {
+				if httpErr.StatusCode != 401 {
+					t.Fatalf("expected status 401 but got %d", httpErr.StatusCode)
 				}
 			} else {
 				t.Fatalf("expected HTTP error but got %v", err)
--- a/agent/grpc-external/limiter/limiter_test.go
+++ b/agent/grpc-external/limiter/limiter_test.go
@ -8,12 +8,8 @@ import (
 	"time"

 	"github.com/stretchr/testify/require"
-
-	"github.com/hashicorp/consul/lib"
 )

-func init() { lib.SeedMathRand() }
-
 func TestSessionLimiter(t *testing.T) {
 	lim := NewSessionLimiter()

--- a/agent/prepared_query_endpoint_test.go
+++ b/agent/prepared_query_endpoint_test.go
@ -13,9 +13,10 @@ import (

 	"github.com/hashicorp/consul/testrpc"

+	"github.com/stretchr/testify/require"
+
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/types"
-	"github.com/stretchr/testify/require"
 )

 // MockPreparedQuery is a fake endpoint that we inject into the Consul server
@ -628,9 +629,9 @@ func TestPreparedQuery_Execute(t *testing.T) {
 		req, _ := http.NewRequest("GET", "/v1/query/not-there/execute", body)
 		resp := httptest.NewRecorder()
 		_, err := a.srv.PreparedQuerySpecific(resp, req)
-		if err, ok := err.(HTTPError); ok {
-			if err.StatusCode != 404 {
-				t.Fatalf("expected status 404 but got %d", err.StatusCode)
+		if httpErr, ok := err.(HTTPError); ok {
+			if httpErr.StatusCode != 404 {
+				t.Fatalf("expected status 404 but got %d", httpErr.StatusCode)
 			}
 		} else {
 			t.Fatalf("expected HTTP error but got %v", err)
@ -768,9 +769,9 @@ func TestPreparedQuery_Explain(t *testing.T) {
 		req, _ := http.NewRequest("GET", "/v1/query/not-there/explain", body)
 		resp := httptest.NewRecorder()
 		_, err := a.srv.PreparedQuerySpecific(resp, req)
-		if err, ok := err.(HTTPError); ok {
-			if err.StatusCode != 404 {
-				t.Fatalf("expected status 404 but got %d", err.StatusCode)
+		if httpErr, ok := err.(HTTPError); ok {
+			if httpErr.StatusCode != 404 {
+				t.Fatalf("expected status 404 but got %d", httpErr.StatusCode)
 			}
 		} else {
 			t.Fatalf("expected HTTP error but got %v", err)
@ -862,9 +863,9 @@ func TestPreparedQuery_Get(t *testing.T) {
 		req, _ := http.NewRequest("GET", "/v1/query/f004177f-2c28-83b7-4229-eacc25fe55d1", body)
 		resp := httptest.NewRecorder()
 		_, err := a.srv.PreparedQuerySpecific(resp, req)
-		if err, ok := err.(HTTPError); ok {
-			if err.StatusCode != 404 {
-				t.Fatalf("expected status 404 but got %d", err.StatusCode)
+		if httpErr, ok := err.(HTTPError); ok {
+			if httpErr.StatusCode != 404 {
+				t.Fatalf("expected status 404 but got %d", httpErr.StatusCode)
 			}
 		} else {
 			t.Fatalf("expected HTTP error but got %v", err)
--- a/agent/testagent.go
+++ b/agent/testagent.go
@ -6,7 +6,6 @@ import (
 	"crypto/x509"
 	"fmt"
 	"io"
-	"math/rand"
 	"net"
 	"net/http/httptest"
 	"path/filepath"
@ -32,10 +31,6 @@ import (
 	"github.com/hashicorp/consul/tlsutil"
 )

-func init() {
-	rand.Seed(time.Now().UnixNano()) // seed random number generator
-}
-
 // TestAgent encapsulates an Agent with a default configuration and
 // startup procedure suitable for testing. It panics if there are errors
 // during creation or startup instead of returning errors. It manages a
--- a/agent/txn_endpoint_test.go
+++ b/agent/txn_endpoint_test.go
@ -67,9 +67,9 @@ func TestTxnEndpoint_Bad_Size_Item(t *testing.T) {
 				t.Fatalf("err: %v", err)
 			}
 		} else {
-			if err, ok := err.(HTTPError); ok {
-				if err.StatusCode != 413 {
-					t.Fatalf("expected 413 but got %d", err.StatusCode)
+			if httpErr, ok := err.(HTTPError); ok {
+				if httpErr.StatusCode != 413 {
+					t.Fatalf("expected 413 but got %d", httpErr.StatusCode)
 				}
 			} else {
 				t.Fatalf("excected HTTP error but got %v", err)
@ -150,9 +150,9 @@ func TestTxnEndpoint_Bad_Size_Net(t *testing.T) {
 				t.Fatalf("err: %v", err)
 			}
 		} else {
-			if err, ok := err.(HTTPError); ok {
-				if err.StatusCode != 413 {
-					t.Fatalf("expected 413 but got %d", err.StatusCode)
+			if httpErr, ok := err.(HTTPError); ok {
+				if httpErr.StatusCode != 413 {
+					t.Fatalf("expected 413 but got %d", httpErr.StatusCode)
 				}
 			} else {
 				t.Fatalf("excected HTTP error but got %v", err)
@ -220,9 +220,9 @@ func TestTxnEndpoint_Bad_Size_Ops(t *testing.T) {
 	resp := httptest.NewRecorder()
 	_, err := a.srv.Txn(resp, req)

-	if err, ok := err.(HTTPError); ok {
-		if err.StatusCode != 413 {
-			t.Fatalf("expected 413 but got %d", err.StatusCode)
+	if httpErr, ok := err.(HTTPError); ok {
+		if httpErr.StatusCode != 413 {
+			t.Fatalf("expected 413 but got %d", httpErr.StatusCode)
 		}
 	} else {
 		t.Fatalf("expected HTTP error but got %v", err)
--- a/api/go.mod
+++ b/api/go.mod
@ -1,6 +1,6 @@
 module github.com/hashicorp/consul/api

-go 1.18
+go 1.20

 replace github.com/hashicorp/consul/sdk => ../sdk

--- a/build-support/docker/Build-Go.dockerfile
+++ b/build-support/docker/Build-Go.dockerfile
@ -1,4 +1,4 @@
-ARG GOLANG_VERSION=1.19.2
+ARG GOLANG_VERSION=1.20.1
 FROM golang:${GOLANG_VERSION}

 WORKDIR /consul
--- a/command/members/members_test.go
+++ b/command/members/members_test.go
@ -13,7 +13,6 @@ import (

 	"github.com/hashicorp/consul/agent"
 	consulapi "github.com/hashicorp/consul/api"
-	"github.com/hashicorp/consul/lib"
 )

 // TODO(partitions): split these tests
@ -206,8 +205,6 @@ func zip(t *testing.T, k, v []string) map[string]string {
 }

 func TestSortByMemberNamePartitionAndSegment(t *testing.T) {
-	lib.SeedMathRand()
-
 	// For the test data we'll give them names that would sort them backwards
 	// if we only sorted by name.
 	newData := func() []*consulapi.AgentMember {
--- a/envoyextensions/go.mod
+++ b/envoyextensions/go.mod
@ -1,6 +1,6 @@
 module github.com/hashicorp/consul/envoyextensions

-go 1.19
+go 1.20

 replace github.com/hashicorp/consul/api => ../api

--- a/go.mod
+++ b/go.mod
@ -1,6 +1,6 @@
 module github.com/hashicorp/consul

-go 1.19
+go 1.20

 replace (
 	github.com/hashicorp/consul/api => ./api
--- a/lib/rand.go
+++ b/lib/rand.go
@ -1,34 +0,0 @@
-package lib
-
-import (
-	crand "crypto/rand"
-	"math"
-	"math/big"
-	"math/rand"
-	"sync"
-	"time"
-)
-
-var (
-	once sync.Once
-
-	// SeededSecurely is set to true if a cryptographically secure seed
-	// was used to initialize rand.  When false, the start time is used
-	// as a seed.
-	SeededSecurely bool
-)
-
-// SeedMathRand provides weak, but guaranteed seeding, which is better than
-// running with Go's default seed of 1.  A call to SeedMathRand() is expected
-// to be called via init(), but never a second time.
-func SeedMathRand() {
-	once.Do(func() {
-		n, err := crand.Int(crand.Reader, big.NewInt(math.MaxInt64))
-		if err != nil {
-			rand.Seed(time.Now().UTC().UnixNano())
-			return
-		}
-		rand.Seed(n.Int64())
-		SeededSecurely = true
-	})
-}
--- a/main.go
+++ b/main.go
@ -11,14 +11,9 @@ import (
 	"github.com/hashicorp/consul/command"
 	"github.com/hashicorp/consul/command/cli"
 	"github.com/hashicorp/consul/command/version"
-	"github.com/hashicorp/consul/lib"
 	_ "github.com/hashicorp/consul/service_os"
 )

-func init() {
-	lib.SeedMathRand()
-}
-
 func main() {
 	os.Exit(realMain())
 }
--- a/proto-public/pbdns/mock_DNSServiceClient.go
+++ b/proto-public/pbdns/mock_DNSServiceClient.go
@ -1,4 +1,4 @@
-// Code generated by mockery v2.15.0. DO NOT EDIT.
+// Code generated by mockery v2.20.0. DO NOT EDIT.

 package pbdns

@ -27,6 +27,10 @@ func (_m *MockDNSServiceClient) Query(ctx context.Context, in *QueryRequest, opt
 	ret := _m.Called(_ca...)

 	var r0 *QueryResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, *QueryRequest, ...grpc.CallOption) (*QueryResponse, error)); ok {
+		return rf(ctx, in, opts...)
+	}
 	if rf, ok := ret.Get(0).(func(context.Context, *QueryRequest, ...grpc.CallOption) *QueryResponse); ok {
 		r0 = rf(ctx, in, opts...)
 	} else {
@ -35,7 +39,6 @@ func (_m *MockDNSServiceClient) Query(ctx context.Context, in *QueryRequest, opt
 		}
 	}

-	var r1 error
 	if rf, ok := ret.Get(1).(func(context.Context, *QueryRequest, ...grpc.CallOption) error); ok {
 		r1 = rf(ctx, in, opts...)
 	} else {
--- a/proto-public/pbdns/mock_DNSServiceServer.go
+++ b/proto-public/pbdns/mock_DNSServiceServer.go
@ -1,4 +1,4 @@
-// Code generated by mockery v2.15.0. DO NOT EDIT.
+// Code generated by mockery v2.20.0. DO NOT EDIT.

 package pbdns

@ -18,6 +18,10 @@ func (_m *MockDNSServiceServer) Query(_a0 context.Context, _a1 *QueryRequest) (*
 	ret := _m.Called(_a0, _a1)

 	var r0 *QueryResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, *QueryRequest) (*QueryResponse, error)); ok {
+		return rf(_a0, _a1)
+	}
 	if rf, ok := ret.Get(0).(func(context.Context, *QueryRequest) *QueryResponse); ok {
 		r0 = rf(_a0, _a1)
 	} else {
@ -26,7 +30,6 @@ func (_m *MockDNSServiceServer) Query(_a0 context.Context, _a1 *QueryRequest) (*
 		}
 	}

-	var r1 error
 	if rf, ok := ret.Get(1).(func(context.Context, *QueryRequest) error); ok {
 		r1 = rf(_a0, _a1)
 	} else {
--- a/proto-public/pbdns/mock_UnsafeDNSServiceServer.go
+++ b/proto-public/pbdns/mock_UnsafeDNSServiceServer.go
@ -1,4 +1,4 @@
-// Code generated by mockery v2.15.0. DO NOT EDIT.
+// Code generated by mockery v2.20.0. DO NOT EDIT.

 package pbdns

--- a/sdk/freeport/freeport.go
+++ b/sdk/freeport/freeport.go
@ -114,7 +114,6 @@ func initialize() {
 		panic("freeport: block size too big or too many blocks requested")
 	}

-	rand.Seed(time.Now().UnixNano())
 	firstPort, lockLn = alloc()

 	condNotEmpty = sync.NewCond(&mu)
--- a/sdk/go.mod
+++ b/sdk/go.mod
@ -1,6 +1,6 @@
 module github.com/hashicorp/consul/sdk

-go 1.18
+go 1.20

 require (
 	github.com/hashicorp/go-cleanhttp v0.5.1
--- a/test/integration/consul-container/go.mod
+++ b/test/integration/consul-container/go.mod
@ -1,6 +1,6 @@
 module github.com/hashicorp/consul/test/integration/consul-container

-go 1.19
+go 1.20

 require (
 	github.com/avast/retry-go v3.0.0+incompatible
--- a/tlsutil/config_test.go
+++ b/tlsutil/config_test.go
@ -906,7 +906,7 @@ func TestConfigurator_outgoingWrapperALPN_serverHasNoNodeNameInSAN(t *testing.T)

 	_, err = wrap("dc1", "bob", "foo", client)
 	require.Error(t, err)
-	_, ok := err.(x509.HostnameError)
+	_, ok := err.(*tls.CertificateVerificationError)
 	require.True(t, ok)
 	client.Close()

--- a/troubleshoot/go.mod
+++ b/troubleshoot/go.mod
@ -1,6 +1,6 @@
 module github.com/hashicorp/consul/troubleshoot

-go 1.19
+go 1.20

 replace github.com/hashicorp/consul/api => ../api