diff --git a/CHANGELOG.md b/CHANGELOG.md index a6c954b..dafae11 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Security — x/crypto + builder-image Go bump clears 20 HIGH image CVEs (2026-07-04) + +- Bumped `golang.org/x/crypto` `v0.48.0` → `v0.52.0` (pulls `golang.org/x/sys` `v0.41.0` → `v0.45.0`; `go.mod` `go` directive `1.24.0` → `1.25.0` per x/crypto's minimum), clearing 8 HIGH CVEs in `x/crypto/ssh` (CVE-2026-39827/-39828/-39829/-39830/-39832/-39835, CVE-2026-42508, CVE-2026-46595/-46597). +- Bumped the Dockerfile builder base image `golang:1.24-alpine` → `golang:1.25-alpine` (digest-pinned, ships Go 1.25.11), clearing 12 HIGH Go stdlib CVEs across net/url, crypto/x509, crypto/tls, net, HTTP/2, net/mail, and mime (CVE-2026-25679, -27145, -32280/-32281/-32283, -33811/-33814, -39820, -39836, -42499, -42504). Root cause: official golang images set `GOTOOLCHAIN=local`, so the `toolchain go1.25.11` directive in `go.mod` (bumped 2026-06-29) was silently ignored inside Docker builds — the shipped binary was still built against the image's Go 1.24.13 stdlib. The builder tag must track the toolchain directive; a Dockerfile comment now documents the trap. +- Surfaced by a trivy image scan in CI (this pipeline has no image-level CVE gate, so these accumulated unseen). All 20 findings had upstream fixes published. The public Docker Hub image refreshes on the next release merge. + ### Documentation — accuracy audit fixes (2026-06-29) - Corrected shipped docs against current code and the live Python SDK. The Python SDK ([`agentwrit`](https://pypi.org/project/agentwrit/) v0.3.0) and both demo apps (MedAssist, Support Tickets — published Docker images) are **live**; removed all "coming soon" banners and a fabricated SDK API from `docs/demos.md` and `docs/python-sdk.md`. diff --git a/Dockerfile b/Dockerfile index 893b462..c6a785d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,11 @@ # Stage 1: Build broker binary -# Pinned by digest (Dependabot docker ecosystem rotates weekly). Tag: golang:1.24-alpine -FROM golang:1.24-alpine@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS builder +# Pinned by digest (Dependabot docker ecosystem rotates weekly). Tag: golang:1.25-alpine +# NOTE: official golang images set GOTOOLCHAIN=local, so the go.mod `toolchain` +# directive is ignored in this build — the image's own Go version (1.25.11 at this +# digest) is what the binary's stdlib comes from. Keep this tag in lockstep with +# go.mod's toolchain directive or container scans will flag stdlib CVEs that the +# toolchain directive appears (wrongly) to have already fixed. +FROM golang:1.25-alpine@sha256:523c3effe300580ed375e43f43b1c9b091b68e935a7c3a92bfcc4e7ed55b18c2 AS builder WORKDIR /app diff --git a/go.mod b/go.mod index c7066a5..e1ee41c 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/devonartis/agentwrit -go 1.24.0 +go 1.25.0 toolchain go1.25.11 @@ -8,7 +8,7 @@ require ( github.com/prometheus/client_golang v1.23.2 github.com/spf13/cobra v1.10.2 github.com/spiffe/go-spiffe/v2 v2.6.0 - golang.org/x/crypto v0.48.0 + golang.org/x/crypto v0.52.0 modernc.org/sqlite v1.46.1 ) @@ -29,7 +29,7 @@ require ( github.com/spf13/pflag v1.0.9 // indirect go.yaml.in/yaml/v2 v2.4.2 // indirect golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect - golang.org/x/sys v0.41.0 // indirect + golang.org/x/sys v0.45.0 // indirect google.golang.org/protobuf v1.36.8 // indirect modernc.org/libc v1.67.6 // indirect modernc.org/mathutil v1.7.1 // indirect diff --git a/go.sum b/go.sum index 40396b4..0c7b04b 100644 --- a/go.sum +++ b/go.sum @@ -60,8 +60,8 @@ go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= -golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts= -golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos= +golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988= +golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc= golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY= golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70= golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA= @@ -69,8 +69,8 @@ golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w= golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug= golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k= -golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY= +golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ= golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs= google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=