Upgrade: Bump github.com/open-policy-agent/opa from 0.67.1 to 0.69.0

[dependabot]

Bumps github.com/open-policy-agent/opa from 0.67.1 to 0.69.0.

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.69.0

This release contains a mix of features, bugfixes and necessary tooling and test changes required to support the upcoming OPA 1.0 release.

Inter-Query Value Cache (#6908)

OPA now has a new inter-query value cache added to the SDK. It is intended to be used for values that are expensive to compute and can be reused across multiple queries. The cache can be leveraged by built-in functions to store values that otherwise aren't appropriate for the existing inter-query cache; for instance when the entry size isn't an appropriate or primary limiting factor for cache eviction.

The default size of the inter-query value cache is unbounded, but can be configured via the caching.inter_query_builtin_value_cache.max_num_entries configuration field. OPA will drop random items from the cache if this limit is exceeded.

The cache is used by the regex and glob built-in functions, which previously had individual, non-configurable caches with a max entry size of 100 each.

Currently, the cache is only exercised when running OPA in server mode (ie. opa run -s). Also this feature is unsupported for WASM.

Authored by @​ashutosh-narkar, reported by @​amirsalarsafaei

Topdown and Rego

• Future-proofing tests in the ast, topdown, rego etc. packages to be 1.0 compatible (authored by @​johanfylling)
• ast: Attach annotation to static part of rule ref (#7050) authored by @​anderseknert
• ast: Make Module.String() include if/contains for v1 modules (#6973) authored by @​johanfylling reported by @​nikpivkin
• topdown/http: Stop http.send latency timer when an error is encountered (#7007) authored by @​lukyer
• ast/compile: Refactor local variable replacement and replace declared variables in with's target (#6979) authored by @​srenatus reported by @​bluebrown
• ast: Update type checker to cache schema types (#6970) authored by @​nikpivkin
• test: Fix indentation in a YAML test case (#7039) authored by @​matajoh
• format: Bracketing keyword ref elements in formatter output (#7010) authored by @​johanfylling

Runtime, Tooling, SDK

• Future-proofing tests in the sdk, downlaod, server , cmd etc. packages to be 1.0 compatible (authored by @​johanfylling)
• cmd: Add --v0-compatible flag to make OPA behave as v0.x post v1.0 release (#7065) authored by @​johanfylling
• util: Strip UTF-8 BOM from input JSON when found (#6988) authored by @​anderseknert reported by @​adhilto
• plugins/rest: Support reading AWS token from the filesystem for the AWS container credential provider (#6997) authored by @​cmaddalozzo
• debug: Add RegoOption launch option to debugger for setting custom Rego options (#7045) authored by @​johanfylling
• debug: Always include Input and Data variable scopes to ease discoverability of the scopes (#7074) authored by @​johanfylling
• wasm: Fix arithmetic comparison for large numbers, caused by an integer overflow (#6991) authored by @​Ptroger

Docs, Website, Ecosystem

• Add Marsh McLennan to adopters (#7060) authored by @​anderseknert reported by @​pratimsc
• Add APIwiz to adopters (#7067) authored by @​anderseknert
• docs: Fix misnomer in OPA-Istio tutorial to document Istio's AuthorizationPolicy API (#6984) authored by @​tjons
• docs: Readme updates to highlight more up-to-date information about OPA (#7066) authored by @​charlieegan3

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

0.69.0

This release contains a mix of features, bugfixes and necessary tooling and test changes required to support the upcoming OPA 1.0 release.

Inter-Query Value Cache (#6908)

OPA now has a new inter-query value cache added to the SDK. It is intended to be used for values that are expensive to compute and can be reused across multiple queries. The cache can be leveraged by built-in functions to store values that otherwise aren't appropriate for the existing inter-query cache; for instance when the entry size isn't an appropriate or primary limiting factor for cache eviction.

The default size of the inter-query value cache is unbounded, but can be configured via the caching.inter_query_builtin_value_cache.max_num_entries configuration field. OPA will drop random items from the cache if this limit is exceeded.

The cache is used by the regex and glob built-in functions, which previously had individual, non-configurable caches with a max entry size of 100 each.

Currently, the cache is only exercised when running OPA in server mode (ie. opa run -s). Also this feature is unsupported for WASM.

Authored by @​ashutosh-narkar, reported by @​amirsalarsafaei

Topdown and Rego

• Future-proofing tests in the ast, topdown, rego etc. packages to be 1.0 compatible (authored by @​johanfylling)
• ast: Attach annotation to static part of rule ref (#7050) authored by @​anderseknert
• ast: Make Module.String() include if/contains for v1 modules (#6973) authored by @​johanfylling reported by @​nikpivkin
• topdown/http: Stop http.send latency timer when an error is encountered (#7007) authored by @​lukyer
• ast/compile: Refactor local variable replacement and replace declared variables in with's target (#6979) authored by @​srenatus reported by @​bluebrown
• ast: Update type checker to cache schema types (#6970) authored by @​nikpivkin
• test: Fix indentation in a YAML test case (#7039) authored by @​matajoh
• format: Bracketing keyword ref elements in formatter output (#7010) authored by @​johanfylling

Runtime, Tooling, SDK

• Future-proofing tests in the sdk, downlaod, server , cmd etc. packages to be 1.0 compatible (authored by @​johanfylling)
• cmd: Add --v0-compatible flag to make OPA behave as v0.x post v1.0 release (#7065) authored by @​johanfylling
• util: Strip UTF-8 BOM from input JSON when found (#6988) authored by @​anderseknert reported by @​adhilto
• plugins/rest: Support reading AWS token from the filesystem for the AWS container credential provider (#6997) authored by @​cmaddalozzo
• debug: Add RegoOption launch option to debugger for setting custom Rego options (#7045) authored by @​johanfylling
• debug: Always include Input and Data variable scopes to ease discoverability of the scopes (#7074) authored by @​johanfylling
• wasm: Fix arithmetic comparison for large numbers, caused by an integer overflow (#6991) authored by @​Ptroger

Docs, Website, Ecosystem

• Add Marsh McLennan to adopters (#7060) authored by @​anderseknert reported by @​pratimsc
• Add APIwiz to adopters (#7067) authored by @​anderseknert
• docs: Fix misnomer in OPA-Istio tutorial to document Istio's AuthorizationPolicy API (#6984) authored by @​tjons

... (truncated)

Commits

• 4a3fd1a Prepare v0.69.0 release (#7076)
• af8f915 Add mirror linter
• 71ab7ba debug: Always including Input and Data variable scopes
• e16f22a docs: Another minor update to README.md (#7072)
• 27dcd29 rego-v1: Future-proofing misc tests to be 1.0 compatible
• 0385717 build(deps): bump actions/checkout from 4.1.7 to 4.2.0 (#7069)
• 5cbc1e0 topdown: glob|regex code nitpicks (#7071)
• 4ba95d0 format: Bracketing keyword ref elements in formatter output (#7010)
• 6148b0b Add APIwiz to adopters (#7067)
• c487e39 docs: Update generated CLI docs
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dryrunsecurity]

DryRun Security Summary

This pull request primarily focuses on updating the versions of several dependencies used in the Go project, including github.com/open-policy-agent/opa, github.com/agnivade/levenshtein, github.com/golang/glog, and github.com/prometheus/client_golang, and it is important to review the changelogs and release notes for the new versions to ensure that there are no breaking changes or new features that could impact the application's functionality or security posture.

Expand for full summary

Summary:

The changes in this pull request primarily focus on updating the versions of several dependencies used in the Go project. The most notable changes are the updates to the github.com/open-policy-agent/opa, github.com/agnivade/levenshtein, github.com/golang/glog, and github.com/prometheus/client_golang dependencies.

From an application security perspective, these dependency updates generally do not introduce any obvious security concerns. However, it is important to review the changelogs and release notes for the new versions of these dependencies to understand the nature of the changes and ensure that there are no breaking changes or new features that could impact the application's functionality or security posture.

Additionally, it is recommended to thoroughly test the application after the dependency upgrades to ensure that everything is working as expected and that no new security vulnerabilities have been introduced.

Files Changed:

1. go.mod: This file has been updated to use version 0.69.0 of the github.com/open-policy-agent/opa dependency, which is likely a planned upgrade to take advantage of new features or bug fixes in the newer version of the OPA library.

2. go.sum: This file has been updated to reflect the changes in the dependencies used in the project. The most notable changes are:

   • Update to github.com/agnivade/levenshtein from version 1.1.1 to 1.2.0, which could potentially impact the security of any functionality in the application that relies on this library.
   • Update to github.com/golang/glog from version 1.2.1 to 1.2.2, which could potentially impact the ability to monitor and debug the application.
   • Update to github.com/open-policy-agent/opa from version 0.67.1 to 0.69.0, which could impact any security-related policies or rules defined in the application.
   • Update to github.com/prometheus/client_golang from version 1.19.1 to 1.20.4, which could impact the application's ability to report metrics and be monitored effectively.

Code Analysis

We ran 9 analyzers against 2 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Sensitive Files Analyzer	2 findings

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.