Skip to content

fix: bump Go dependencies to address CVEs #183

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kezhenxu94 merged 6 commits into from
Mar 20, 2026
Merged

fix: bump Go dependencies to address CVEs #183

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
44b8ce3
fix: bump Go dependencies to address CVEs
kezhenxu94 Mar 20, 2026
d614c9a
fix: fix CI failures after grpc/Go upgrade
kezhenxu94 Mar 20, 2026
e59aa41
fix: upgrade cert-manager from v1.8.0 to v1.11.5 in e2e tests
kezhenxu94 Mar 20, 2026
1dbfdce
fix(e2e): use explicit :latest tag for operator image in CI
kezhenxu94 Mar 20, 2026
b593888
ci: upload e2e logs as artifacts on failure
kezhenxu94 Mar 20, 2026
ccbc3f5
fix(e2e): update kube-rbac-proxy from gcr.io to quay.io
kezhenxu94 Mar 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 60 additions & 0 deletions .github/workflows/go.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,12 @@ jobs:
uses: apache/skywalking-infra-e2e@996ed8902e941e2883fcf0ac5b3090364942d205 # always prefer to use a revision instead of `main`.
with:
e2e-file: test/e2e/oap-ui-agent/e2e.yaml # need to run E2E file path
- uses: actions/upload-artifact@v4
if: ${{ failure() }}
name: Upload Logs
with:
name: oap-ui-agent-logs
path: ${{ env.SW_INFRA_E2E_LOG_DIR }}
swagent-e2e-tests:
name: e2e tests(oap+ui+swagent)
runs-on: ubuntu-latest
Expand All @@ -97,6 +103,12 @@ jobs:
uses: apache/skywalking-infra-e2e@996ed8902e941e2883fcf0ac5b3090364942d205
with:
e2e-file: test/e2e/oap-ui-swagent/e2e.yaml
- uses: actions/upload-artifact@v4
if: ${{ failure() }}
name: Upload Logs
with:
name: oap-ui-swagent-logs
path: ${{ env.SW_INFRA_E2E_LOG_DIR }}
swagent-configmap-e2e-tests:
name: e2e tests(oap+ui+swagent+configmap)
runs-on: ubuntu-latest
Expand All @@ -112,6 +124,12 @@ jobs:
uses: apache/skywalking-infra-e2e@996ed8902e941e2883fcf0ac5b3090364942d205
with:
e2e-file: test/e2e/oap-ui-swagent-configmap/e2e.yaml
- uses: actions/upload-artifact@v4
if: ${{ failure() }}
name: Upload Logs
with:
name: oap-ui-swagent-configmap-logs
path: ${{ env.SW_INFRA_E2E_LOG_DIR }}
internel-storage-e2e-tests:
name: e2e tests(oap+ui+agent+internel-storage)
runs-on: ubuntu-latest
Expand Down Expand Up @@ -148,6 +166,12 @@ jobs:
uses: apache/skywalking-infra-e2e@996ed8902e941e2883fcf0ac5b3090364942d205
with:
e2e-file: test/e2e/oap-ui-agent-external-storage/e2e.yaml
- uses: actions/upload-artifact@v4
if: ${{ failure() }}
name: Upload Logs
with:
name: external-storage-logs
path: ${{ env.SW_INFRA_E2E_LOG_DIR }}
banyandb-e2e-tests:
name: e2e tests(oap+ui+agent+banyandb)
runs-on: ubuntu-latest
Expand All @@ -163,6 +187,12 @@ jobs:
uses: apache/skywalking-infra-e2e@996ed8902e941e2883fcf0ac5b3090364942d205
with:
e2e-file: test/e2e/banyandb/e2e.yaml
- uses: actions/upload-artifact@v4
if: ${{ failure() }}
name: Upload Logs
with:
name: banyandb-logs
path: ${{ env.SW_INFRA_E2E_LOG_DIR }}
adapter-hpa-e2e-tests:
name: e2e tests(oap+agent+adapter+hpa)
runs-on: ubuntu-latest
Expand All @@ -178,6 +208,12 @@ jobs:
uses: apache/skywalking-infra-e2e@996ed8902e941e2883fcf0ac5b3090364942d205
with:
e2e-file: test/e2e/oap-agent-adapter-hpa/e2e.yaml
- uses: actions/upload-artifact@v4
if: ${{ failure() }}
name: Upload Logs
with:
name: adapter-hpa-logs
path: ${{ env.SW_INFRA_E2E_LOG_DIR }}
e2e-tests-with-satellite:
name: e2e tests(oap+ui+agent+satellite)
runs-on: ubuntu-latest
Expand All @@ -193,6 +229,12 @@ jobs:
uses: apache/skywalking-infra-e2e@996ed8902e941e2883fcf0ac5b3090364942d205
with:
e2e-file: test/e2e/oap-ui-agent-satellite/e2e.yaml
- uses: actions/upload-artifact@v4
if: ${{ failure() }}
name: Upload Logs
with:
name: oap-ui-agent-satellite-logs
path: ${{ env.SW_INFRA_E2E_LOG_DIR }}
adapter-satellite-hpa-e2e-tests:
name: e2e tests(oap+agent+satellite+adapter+hpa)
runs-on: ubuntu-latest
Expand All @@ -208,6 +250,12 @@ jobs:
uses: apache/skywalking-infra-e2e@996ed8902e941e2883fcf0ac5b3090364942d205
with:
e2e-file: test/e2e/oap-satellite-adapter-hpa/e2e.yaml
- uses: actions/upload-artifact@v4
if: ${{ failure() }}
name: Upload Logs
with:
name: adapter-satellite-hpa-logs
path: ${{ env.SW_INFRA_E2E_LOG_DIR }}
oapserver-configuration-e2e-tests:
name: e2e tests(oap+ui+agent+oapserverconfig+oapserverdynamicconfig)
runs-on: ubuntu-latest
Expand All @@ -223,6 +271,12 @@ jobs:
uses: apache/skywalking-infra-e2e@996ed8902e941e2883fcf0ac5b3090364942d205
with:
e2e-file: test/e2e/oap-ui-agent-oapserverconfig-oapserverdynamicconfig/e2e.yaml
- uses: actions/upload-artifact@v4
if: ${{ failure() }}
name: Upload Logs
with:
name: oapserver-configuration-logs
path: ${{ env.SW_INFRA_E2E_LOG_DIR }}
oapserver-eventexporter-e2e-tests:
name: e2e tests(oap+eventexporter)
runs-on: ubuntu-latest
Expand All @@ -238,6 +292,12 @@ jobs:
uses: apache/skywalking-infra-e2e@996ed8902e941e2883fcf0ac5b3090364942d205
with:
e2e-file: test/e2e/oap-eventexporter/e2e.yaml
- uses: actions/upload-artifact@v4
if: ${{ failure() }}
name: Upload Logs
with:
name: oapserver-eventexporter-logs
path: ${{ env.SW_INFRA_E2E_LOG_DIR }}
checks:
name: build
runs-on: ubuntu-latest
Expand Down
47 changes: 25 additions & 22 deletions adapter/go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
module github.com/apache/skywalking-swck/adapter

Copy link

Copilot AI Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR updates the Go version directive in adapter/go.mod to 1.25.8 to address stdlib CVEs, but the repo still has another module pinned to 1.25.5 (operator/go.mod). If the patch-level Go bump is required for the CVE remediation, please bump the Go version consistently across all Go modules (or document why only the adapter module needs it).

Suggested change
// This module explicitly targets Go 1.25.8 to pick up stdlib CVE fixes.
// Other modules in this repo (e.g., operator) may remain on 1.25.5 if they
// do not build binaries or exercise the affected stdlib code paths.

Copilot uses AI. Check for mistakes.
go 1.25.5
go 1.25

toolchain go1.25.8

require (
github.com/apache/skywalking-cli v0.0.0-20210209032327-04a0ce08990f
Expand All @@ -22,7 +24,7 @@ require (
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/cenkalti/backoff/v4 v4.2.1 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/coreos/go-semver v0.3.1 // indirect
github.com/coreos/go-systemd/v22 v22.5.0 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
Expand All @@ -31,17 +33,17 @@ require (
github.com/evanphx/json-patch v5.9.0+incompatible // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/jsonpointer v0.20.2 // indirect
github.com/go-openapi/jsonreference v0.20.4 // indirect
github.com/go-openapi/swag v0.22.9 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/google/cel-go v0.16.1 // indirect
github.com/google/gnostic v0.6.9 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/go-cmp v0.7.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
Expand Down Expand Up @@ -69,33 +71,34 @@ require (
go.etcd.io/etcd/api/v3 v3.5.12 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.5.12 // indirect
go.etcd.io/etcd/client/v3 v3.5.12 // indirect
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 // indirect
go.opentelemetry.io/otel v1.22.0 // indirect
go.opentelemetry.io/otel v1.40.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.22.0 // indirect
go.opentelemetry.io/otel/metric v1.22.0 // indirect
go.opentelemetry.io/otel/sdk v1.22.0 // indirect
go.opentelemetry.io/otel/trace v1.22.0 // indirect
go.opentelemetry.io/otel/metric v1.40.0 // indirect
go.opentelemetry.io/otel/sdk v1.40.0 // indirect
go.opentelemetry.io/otel/trace v1.40.0 // indirect
go.opentelemetry.io/proto/otlp v1.1.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.26.0 // indirect
golang.org/x/crypto v0.45.0 // indirect
golang.org/x/crypto v0.46.0 // indirect
golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect
golang.org/x/mod v0.29.0 // indirect
golang.org/x/net v0.47.0 // indirect
golang.org/x/oauth2 v0.27.0 // indirect
golang.org/x/sync v0.18.0 // indirect
golang.org/x/sys v0.38.0 // indirect
golang.org/x/term v0.37.0 // indirect
golang.org/x/text v0.31.0 // indirect
golang.org/x/mod v0.30.0 // indirect
golang.org/x/net v0.48.0 // indirect
golang.org/x/oauth2 v0.34.0 // indirect
golang.org/x/sync v0.19.0 // indirect
golang.org/x/sys v0.40.0 // indirect
golang.org/x/term v0.38.0 // indirect
golang.org/x/text v0.32.0 // indirect
golang.org/x/time v0.5.0 // indirect
golang.org/x/tools v0.38.0 // indirect
golang.org/x/tools v0.39.0 // indirect
google.golang.org/genproto v0.0.0-20240125205218-1f4bbc51befe // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe // indirect
google.golang.org/grpc v1.61.0 // indirect
google.golang.org/protobuf v1.33.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
google.golang.org/grpc v1.79.3 // indirect
google.golang.org/protobuf v1.36.10 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
Expand Down
Loading
Loading