Update boltdb dependency to the currently maintained bbolt fork

[amasover]

Hello, I noticed that Atlantis is depending on boltdb (for the atlantis.db file). The author of boltdb considers the project to be complete and stable, does not plan to continue work on it.

While boltdb may continue to work just fine, I think it'd be good to update to the fork maintained by CoreOS, bbolt. The most recent release of bbolt fixes some unsafe pointer conversions caught by Go 1.14 checkptr, which I think could have possible security implications, and at least seems to be required to upgrade Atlantis to Go 1.14.

The api of bbolt is backwards compatible with bolt, so hopefully it would be a drop-in replacement.

Edit: sorry I misspoke...I don't think bbolt is necessary to upgrade Atlantis to Go 1.14, rather the above change was necessary to upgrade bbolt to Go 1.14. I still think it'd be a good idea to switch over to a maintained dependency though.

[lkysow]

Hey, thanks for the issue.
If the current boltdb version is working fine I'm not sure what the benefit of switching would be. It seems likelier to cause issues and more work for no benefit. By no benefit I mean that Atlantis doesn't have any issues with boltdb right now and we don't need any new features to be developed for it.

[amasover]

The benefit that I see is mainly in getting timely security updates and bugfixes. I'm currently looking to install Atlantis in a security conscious environment. I think the above memory/type safety issue would be something we'd want to address.

I tried out dropping in bbolt and tests seem to run, and I didn't notice any problems with Atlantis.

[amasover]

Looks like I do see unsafe pointer conversions when I run tests with the -race flag with bolt dependency in place:

/usr/lib/go/src/runtime/panic.go:212 (0x47b529)
	panicmem: panic(memoryError)
/usr/lib/go/src/runtime/signal_unix.go:695 (0x47b378)
	sigpanic: panicmem()
/home/aaron/code/atlantis/server/events/db/boltdb.go:226 (0x9e1bf2)
	(*BoltDB).UpdatePullWithResults: err = b.db.Update(func(tx *bolt.Tx) error {
/home/aaron/code/atlantis/server/events/command_runner.go:476 (0x127976f)
	(*DefaultCommandRunner).updateDB: return c.DB.UpdatePullWithResults(pull, filtered)
/home/aaron/code/atlantis/server/events/command_runner.go:151 (0x1272b19)
	(*DefaultCommandRunner).RunAutoplanCommand: pullStatus, err := c.updateDB(ctx, ctx.Pull, result.ProjectResults)
/home/aaron/code/atlantis/server/events/command_runner_test.go:234 (0x12fd7db)
	TestRunAutoplanCommand_DeletePlans: ch.RunAutoplanCommand(fixtures.GithubRepo, fixtures.GithubRepo, fixtures.Pull, fixtures.User)
/usr/lib/go/src/testing/testing.go:992 (0x5c0adb)
	tRunner: fn(t)
/usr/lib/go/src/runtime/asm_amd64.s:1373 (0x497480)
	goexit: BYTE	$0x90	// NOP

fatal error: checkptr: unsafe pointer conversion

Don't see those errors with bbolt dependency in place.

[lkysow]

Okay thanks for looking into it. Sounds like it makes sense to switch then.