fix release-2.45.3-gmp vulnerabilities; remove vendor

.github/workflows/presubmit.yml

@@ -19,7 +19,7 @@ jobs:
     name: Go & npm tests
     runs-on: ubuntu-latest
     container:
-      image: quay.io/prometheus/golang-builder:1.23-base
+      image: quay.io/prometheus/golang-builder:1.24-base
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
@@ -33,15 +33,22 @@ jobs:
     name: Ensure Google image builds (amd64)
     timeout-minutes: 30
     runs-on: ubuntu-latest
+    container:
+      # Use the same image Louhi will use.
+      image: gcr.io/cloud-builders/docker
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+    - name: Add vendoring
+      run: |
+        # Our dockerfile expects npm vendoring, yet this is done during the mirror stage.
+        # Do it on demand here, with exactly the same script that internal CI would use
+        # for both testing and later build purposes.
+        bash ./google_vendor.sh
     - name: Ensure forked image is buildable
       run: |
+        # The same commands we use for building internally.
         docker run --rm --privileged multiarch/qemu-user-static --reset --credential yes --persistent yes
         docker buildx create --name multi-arch-builder --use
-        docker buildx build -t ensure-it-builds:amd64 . --platform linux/amd64 --load
-        # TODO: One day we could enable this, but right now it's OOMing on free GH action.
-        # docker buildx build -t ensure-it-builds:arm64 . --platform linux/arm64 --load
+        DOCKER_BUILDKIT=1 docker buildx build -t gmp-prometheus:amd64 . -f ./Dockerfile.google --platform linux/amd64 --target=app --load
+        # TODO: One day we could enable linux/arm64, but right now it's OOMing on free GH action.

Dockerfile.google

@@ -1,29 +1,72 @@
-ARG IMAGE_BUILD_NODEJS=launcher.gcr.io/google/nodejs
-ARG IMAGE_BUILD_GO=google-go.pkg.dev/golang:1.24.9@sha256:17706709dd6f55af1efb33509fea7f09f54163a1209871224bed4cf297fb6bbb
+# This dockerfile is multi target. Use DOCKER_BUILDKIT=1 when building and reference the target:
+# --target=vendor with -o <host local path> to build image with the generated dependencies to copy and vendor on demand.
+# --target=app to build actual application image.
 
+# For the lack of the other official Google nodejs image, we use serverless project
+# images to build the Prometheus frontend (https://cloud.google.com/docs/buildpacks/base-images).
+ARG IMAGE_BUILD_NODEJS=us-central1-docker.pkg.dev/serverless-runtimes/google-22/runtimes/nodejs22:latest@sha256:9e88442205b4c956ca4996c2be626db6ef412043182cdd620e741d0d5e14b6a6
+ARG IMAGE_BUILD_GO=google-go.pkg.dev/golang:1.24.11@sha256:cafcfecdfc9ae0ab09e84613542f3a4da3f0b0eb4f61509f0d3614470a0e4b3c
 ARG IMAGE_BASE_DEBUG=gcr.io/distroless/base-nossl-debian12:debug
-ARG IMAGE_BASE=gke.gcr.io/gke-distroless/libc:gke_distroless_20251007.00_p0@sha256:06e60d7033d3b97a1be5aa0093b7c75312a8856fa413194e6d187b79d4b34f64
+ARG IMAGE_BASE=gke.gcr.io/gke-distroless/libc:gke_distroless_20251207.00_p0@sha256:43d5106aa4a3b743fde131c0446be322f398fa2964c819df19aafe4a475ae872
 
 FROM ${IMAGE_BUILD_GO} AS gobase
+WORKDIR /workspace
+# Verify early if we have all we need.
+RUN go version
 
-# Compile the UI assets.
-FROM ${IMAGE_BUILD_NODEJS} as assets
-# To build the UI we need a recent node version and the go toolchain.
-RUN install_node v17.9.0
+FROM ${IMAGE_BUILD_NODEJS} AS nodebase
+WORKDIR /workspace
+# Changed to root,as normally it's underprivileged www-data user.
+# For building stages it's fine to do it as root and have less complex scripts.
+USER root
+# Go, make, git, bzip2 are needed in Prometheus vendor and build steps, take Go
+# from the gobase, rest from apt.
 COPY --from=gobase /usr/local/go /usr/local/
 ENV PATH="/usr/local/go/bin:${PATH}"
-WORKDIR /app
+RUN apt-get update
+RUN apt-get -y install bzip2 make git
+# Verify early if we have all we need.
+RUN npm version
+RUN make -v
+RUN git --version
+RUN bzip2 --version
+RUN go version
+
+# --target=vendor
+FROM gobase AS govendor
+COPY . ./
+RUN go mod vendor
+
+FROM nodebase AS nodevendor
+COPY . ./
+# On the nodebase image, the NODE_ENV is set to production, causing npm install
+# to omit devDependencies. That would be normally preferred (much less packages
+# vendored, avoiding security vuln. for deps used for tests), but Prometheus uses
+# some devDependencies for normal build at the moment too e.g. @lezer/generator
+# (custom build script), rollup, tsc (TypeScript) and probably more.
+# Installing those manually later on is prone to errors, especially across
+# different Prometheus versions.
+# TODO(bwplotka): Consider moving those deps in upstream to non-dev lists.
+ENV NODE_ENV="development"
+RUN make ui-install
+
+FROM scratch AS vendor
+COPY --from=govendor /workspace/vendor vendor
+COPY --from=nodevendor /workspace/web/ui/node_modules web/ui/node_modules
+COPY --from=nodevendor /workspace/web/ui/react-app/node_modules web/ui/react-app/node_modules
+
+# --target=app
+# Compile the UI assets.
+FROM nodebase AS assets
 COPY . ./
-RUN pwd
-# Only build the UI but don't run ui-install as we vendor node_modules.
+# Only build the UI but don't run ui-install; deps should be installed in separate step (--target=vendor).
 RUN make ui-build
 RUN scripts/compress_assets.sh
 RUN make npm_licenses
 
 # Build the actual Go binary.
-FROM gobase as buildbase
-WORKDIR /app
-COPY --from=assets /app ./
+FROM gobase AS buildbase
+COPY --from=assets /workspace ./
 ENV GOEXPERIMENT=boringcrypto
 ENV CGO_ENABLED=1
 ENV GOFIPS140=off
@@ -34,33 +77,45 @@ RUN if [ "${TARGETARCH}" = "arm64" ] && [ "${BUILDARCH}" != "arm64" ]; then \
       apt install -y --no-install-recommends \
         gcc-aarch64-linux-gnu libc6-dev-arm64-cross; \
       CC=aarch64-linux-gnu-gcc; \
-    fi && \ 
+    fi && \
     go build \
     -tags builtinassets -mod=vendor \
     -ldflags="-X github.com/prometheus/common/version.Version=$(cat VERSION) \
     -X github.com/prometheus/common/version.BuildDate=$(date --iso-8601=seconds)" \
-    ./cmd/prometheus
+    ./cmd/prometheus && \
+    go build \
+    -mod=vendor \
+    -ldflags="-X github.com/prometheus/common/version.Version=$(cat VERSION) \
+    -X github.com/prometheus/common/version.BuildDate=$(date --iso-8601=seconds)" \
+    ./cmd/promtool && \
+    go build \
+    -mod=vendor \
+    -ldflags="-X github.com/prometheus/common/version.Version=$(cat VERSION) \
+    -X github.com/prometheus/common/version.BuildDate=$(date --iso-8601=seconds)" \
+    ./google/cmd/prw2gcm
 
 # Configure distroless base image like the upstream Prometheus image.
 # Since the directory and symlink setup needs shell access, we need yet another
 # intermediate stage.
-FROM ${IMAGE_BASE_DEBUG} as appbase
+FROM ${IMAGE_BASE_DEBUG} AS appbase
 
 COPY documentation/examples/prometheus.yml  /etc/prometheus/prometheus.yml
 COPY console_libraries/                     /usr/share/prometheus/console_libraries/
 COPY consoles/                              /usr/share/prometheus/consoles/
 RUN ["/busybox/sh", "-c", "ln -s /usr/share/prometheus/console_libraries /usr/share/prometheus/consoles/ /etc/prometheus/"]
 RUN ["/busybox/sh", "-c", "mkdir -p /prometheus"]
 
-FROM ${IMAGE_BASE}
+FROM ${IMAGE_BASE} AS app
 
-COPY --from=buildbase /app/prometheus /bin/prometheus
+COPY --from=buildbase /workspace/prometheus /bin/prometheus
+COPY --from=buildbase /workspace/promtool /bin/promtool
+COPY --from=buildbase /workspace/prw2gcm /bin/prw2gcm
 COPY --from=appbase --chown=nobody:nobody /etc/prometheus /etc/prometheus
 COPY --from=appbase --chown=nobody:nobody /prometheus /prometheus
 COPY --from=appbase /usr/share/prometheus /usr/share/prometheus
 COPY LICENSE /LICENSE
 COPY NOTICE /NOTICE
-COPY --from=assets /app/npm_licenses.tar.bz2 /npm_licenses.tar.bz2
+COPY --from=assets /workspace/npm_licenses.tar.bz2 /npm_licenses.tar.bz2
 
 USER       nobody
 EXPOSE     9090

go.mod

@@ -1,6 +1,6 @@
 module github.com/prometheus/prometheus
 
-go 1.23.0
+go 1.24.0
 
 toolchain go1.24.1
 
@@ -66,12 +66,12 @@ require (
 	go.uber.org/atomic v1.11.0
 	go.uber.org/automaxprocs v1.5.2
 	go.uber.org/goleak v1.3.0
-	golang.org/x/net v0.38.0
+	golang.org/x/net v0.47.0
 	golang.org/x/oauth2 v0.27.0
-	golang.org/x/sync v0.12.0
-	golang.org/x/sys v0.31.0
+	golang.org/x/sync v0.18.0
+	golang.org/x/sys v0.38.0
 	golang.org/x/time v0.5.0
-	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d
+	golang.org/x/tools v0.38.0
 	google.golang.org/api v0.162.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a
 	google.golang.org/grpc v1.71.0
@@ -112,6 +112,8 @@ require (
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+	golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8 // indirect
+	golang.org/x/tools/godoc v0.1.0-deprecated // indirect
 	google.golang.org/genproto v0.0.0-20240125205218-1f4bbc51befe // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a // indirect
 )
@@ -190,11 +192,11 @@ require (
 	go.mongodb.org/mongo-driver v1.13.1 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.38.0 // indirect
-	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240119083558-1b970713d09a
-	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/term v0.30.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gotest.tools/v3 v3.0.3 // indirect