Skip to content

fix(security): clear 20 HIGH image CVEs — x/crypto 0.52.0 + Go 1.25.11 builder#88

Merged
devonartis merged 1 commit into
developfrom
fix/image-cve-bump
Jul 5, 2026
Merged

fix(security): clear 20 HIGH image CVEs — x/crypto 0.52.0 + Go 1.25.11 builder#88
devonartis merged 1 commit into
developfrom
fix/image-cve-bump

Conversation

@devonartis

Copy link
Copy Markdown
Owner

What

Clears all 20 HIGH CVEs that a trivy scan of the built broker image reported in the Go binary. Zero findings remain after this change (verified: trivy --severity HIGH,CRITICAL reports Total: 0 on the rebuilt image).

CVE groups and fixes

1. golang.org/x/crypto v0.48.0 → v0.52.0 — 8 HIGH, all in x/crypto/ssh:
CVE-2026-39827, -39828, -39829, -39830, -39832, -39835, CVE-2026-42508, CVE-2026-46595, -46597.
Pulls x/sys v0.41.0 → v0.45.0; raises the go.mod go directive 1.24.0 → 1.25.0 (x/crypto's minimum).

2. Dockerfile builder golang:1.24-alpinegolang:1.25-alpine (digest-pinned per project convention; the new digest ships Go 1.25.11) — 12 HIGH Go stdlib CVEs across net/url, crypto/x509, crypto/tls, net, HTTP/2, net/mail, mime:
CVE-2026-25679, -27145, -32280, -32281, -32283, -33811, -33814, -39820, -39836, -42499, -42504.

Root cause worth knowing

Official golang Docker images set GOTOOLCHAIN=local, so the toolchain go1.25.11 directive in go.mod (bumped 2026-06-29) was silently ignored inside Docker builds — the shipped binary was still built against the image's Go 1.24.13 stdlib. The builder tag must track the toolchain directive; a Dockerfile comment now documents the trap.

Surfaced by the new container-scan (trivy) gate on the private GitLab CI — GitHub CI has no image-level CVE gate, so these accumulated unseen.

Verification

  • go build ./cmd/broker ./cmd/awrit — OK
  • go test -short -count=1 ./... — all packages ok
  • gofmt -l . — clean
  • Rebuilt image trivy scan: Total: 0 HIGH/CRITICAL (alpine layer and gobinary)

Note

The public Docker Hub image only refreshes on the next release merge (develop → main) — this PR fixes develop; the shipped image stays on the old stdlib until the owner calls a release.

….25 — clears 20 HIGH image CVEs

A trivy scan of the built broker image (new container-scan gate on the
private GitLab CI; GitHub CI has no image-level CVE gate) found 20 HIGH
CVEs in the Go binary. All 20 had upstream fixes published — we bump
them ourselves rather than wait.

Two CVE groups, two fixes:

1. golang.org/x/crypto v0.48.0 -> v0.52.0 (8 HIGH, all in x/crypto/ssh:
   CVE-2026-39827/-39828/-39829/-39830/-39832/-39835, CVE-2026-42508,
   CVE-2026-46595/-46597). Pulls x/sys v0.41.0 -> v0.45.0 and raises
   the go.mod 'go' directive 1.24.0 -> 1.25.0 (x/crypto's minimum).

2. Dockerfile builder golang:1.24-alpine -> golang:1.25-alpine,
   digest-pinned per project convention (new digest ships Go 1.25.11).
   Clears 12 HIGH stdlib CVEs (net/url, crypto/x509, crypto/tls, net,
   HTTP/2, net/mail, mime: CVE-2026-25679, -27145, -32280/-32281/-32283,
   -33811/-33814, -39820, -39836, -42499, -42504).

   Root cause of the stdlib exposure: official golang images set
   GOTOOLCHAIN=local, so go.mod's 'toolchain go1.25.11' directive
   (bumped 2026-06-29) was silently ignored inside Docker builds — the
   shipped binary was still built against the image's Go 1.24.13
   stdlib. The builder tag must track the toolchain directive; a
   Dockerfile comment now documents the trap.

Local acceptance before push: go build ./cmd/broker ./cmd/awrit OK,
go test -short -count=1 ./... all packages ok, gofmt clean.

The public Docker Hub image refreshes on the next release merge.

Co-authored-by: Claude <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 2 package(s) with unknown licenses.
See the Details below.

License Issues

go.mod

PackageVersionLicenseIssue Type
golang.org/x/crypto0.52.0NullUnknown License
golang.org/x/sys0.45.0NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
gomod/golang.org/x/crypto 0.52.0 UnknownUnknown
gomod/golang.org/x/sys 0.45.0 UnknownUnknown

Scanned Files

  • go.mod

@devonartis devonartis merged commit 4920f10 into develop Jul 5, 2026
21 checks passed
@devonartis devonartis deleted the fix/image-cve-bump branch July 5, 2026 00:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant