fix(security): clear 20 HIGH image CVEs — x/crypto 0.52.0 + Go 1.25.11 builder#88
Merged
Conversation
….25 — clears 20 HIGH image CVEs A trivy scan of the built broker image (new container-scan gate on the private GitLab CI; GitHub CI has no image-level CVE gate) found 20 HIGH CVEs in the Go binary. All 20 had upstream fixes published — we bump them ourselves rather than wait. Two CVE groups, two fixes: 1. golang.org/x/crypto v0.48.0 -> v0.52.0 (8 HIGH, all in x/crypto/ssh: CVE-2026-39827/-39828/-39829/-39830/-39832/-39835, CVE-2026-42508, CVE-2026-46595/-46597). Pulls x/sys v0.41.0 -> v0.45.0 and raises the go.mod 'go' directive 1.24.0 -> 1.25.0 (x/crypto's minimum). 2. Dockerfile builder golang:1.24-alpine -> golang:1.25-alpine, digest-pinned per project convention (new digest ships Go 1.25.11). Clears 12 HIGH stdlib CVEs (net/url, crypto/x509, crypto/tls, net, HTTP/2, net/mail, mime: CVE-2026-25679, -27145, -32280/-32281/-32283, -33811/-33814, -39820, -39836, -42499, -42504). Root cause of the stdlib exposure: official golang images set GOTOOLCHAIN=local, so go.mod's 'toolchain go1.25.11' directive (bumped 2026-06-29) was silently ignored inside Docker builds — the shipped binary was still built against the image's Go 1.24.13 stdlib. The builder tag must track the toolchain directive; a Dockerfile comment now documents the trap. Local acceptance before push: go build ./cmd/broker ./cmd/awrit OK, go test -short -count=1 ./... all packages ok, gofmt clean. The public Docker Hub image refreshes on the next release merge. Co-authored-by: Claude <noreply@anthropic.com>
Dependency ReviewThe following issues were found:
License Issuesgo.mod
OpenSSF Scorecard
Scanned Files
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Clears all 20 HIGH CVEs that a trivy scan of the built broker image reported in the Go binary. Zero findings remain after this change (verified: trivy
--severity HIGH,CRITICALreports Total: 0 on the rebuilt image).CVE groups and fixes
1.
golang.org/x/cryptov0.48.0 → v0.52.0 — 8 HIGH, all inx/crypto/ssh:CVE-2026-39827, -39828, -39829, -39830, -39832, -39835, CVE-2026-42508, CVE-2026-46595, -46597.
Pulls
x/sysv0.41.0 → v0.45.0; raises thego.modgodirective 1.24.0 → 1.25.0 (x/crypto's minimum).2. Dockerfile builder
golang:1.24-alpine→golang:1.25-alpine(digest-pinned per project convention; the new digest ships Go 1.25.11) — 12 HIGH Go stdlib CVEs across net/url, crypto/x509, crypto/tls, net, HTTP/2, net/mail, mime:CVE-2026-25679, -27145, -32280, -32281, -32283, -33811, -33814, -39820, -39836, -42499, -42504.
Root cause worth knowing
Official golang Docker images set
GOTOOLCHAIN=local, so thetoolchain go1.25.11directive ingo.mod(bumped 2026-06-29) was silently ignored inside Docker builds — the shipped binary was still built against the image's Go 1.24.13 stdlib. The builder tag must track the toolchain directive; a Dockerfile comment now documents the trap.Surfaced by the new container-scan (trivy) gate on the private GitLab CI — GitHub CI has no image-level CVE gate, so these accumulated unseen.
Verification
go build ./cmd/broker ./cmd/awrit— OKgo test -short -count=1 ./...— all packages okgofmt -l .— cleanNote
The public Docker Hub image only refreshes on the next release merge (
develop → main) — this PR fixes develop; the shipped image stays on the old stdlib until the owner calls a release.