Skip to content

fix(security): remediate CVE vulnerabilities#177

Merged
sergenyalcin merged 2 commits intocrossplane-contrib:release-0.6from
upbound-bot:fix/cve-remediation-release-0.6-20260226-225204
Feb 27, 2026
Merged

fix(security): remediate CVE vulnerabilities#177
sergenyalcin merged 2 commits intocrossplane-contrib:release-0.6from
upbound-bot:fix/cve-remediation-release-0.6-20260226-225204

Conversation

@upbound-bot
Copy link
Copy Markdown

@upbound-bot upbound-bot commented Feb 26, 2026
edited
Loading

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

CVE/GHSA Severity Package Fixed Version
CVE-2025-68121 Critical stdlib go1.24.13
CVE-2025-61726 High stdlib go1.24.13
CVE-2025-61731 High stdlib go1.24.13
CVE-2025-61732 High stdlib go1.24.13
CVE-2025-61728 Medium stdlib go1.24.13
CVE-2025-61730 Medium stdlib go1.24.13

Changes Made

  • Update Go version from 1.24.11 to 1.24.13 in go.mod

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

@ulucinar
fix(security): remediate CVE vulnerabilities
36d196c 
- Update Go version to 1.24.13 (fixes CVE-2025-68121, CVE-2025-61726,
  CVE-2025-61731, CVE-2025-61732, CVE-2025-61728, CVE-2025-61730)

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot
Copy link
Copy Markdown
Author

upbound-bot commented Feb 26, 2026

Build Failure Analysis

Check: build (amd64)
Status: Failed
Analyzed: 2026-02-26T22:58:00Z

Summary

The Docker build step failed because the CI workflow is using Go 1.24.11 while go.mod now requires Go 1.24.13.

Root Cause

The CI workflow (.github/workflows/ci.yml) defines GO_VERSION: '1.24.11' on line 17. This version is passed as a build argument to Docker during the "Build Runtime" step. However, the go.mod file was updated to require Go 1.24.13 as part of CVE remediation.

When Docker runs go mod download, it fails with:

go: go.mod requires go >= 1.24.13 (running go 1.24.11; GOTOOLCHAIN=local)

Error Details

#15 [base 4/4] RUN --mount=type=cache,target=/go/pkg/mod go mod download
#15 0.057 go: go.mod requires go >= 1.24.13 (running go 1.24.11; GOTOOLCHAIN=local)
#15 ERROR: process "/bin/sh -c go mod download" did not complete successfully: exit code: 1

Recommendation

Update the GO_VERSION environment variable in .github/workflows/ci.yml from '1.24.11' to '1.24.13' to match the Go version required by go.mod. This is a CI configuration fix, not a code issue. Do not downgrade go.mod - the Go version was updated for CVE remediation.

This analysis was generated by the build-failure-analyze skill.

@ulucinar
fix(ci): update Go version to match go.mod requirements
23722d3 
- Update GO_VERSION from 1.24.11 to 1.24.13 in CI workflow

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@sergenyalcin sergenyalcin merged commit 1c7c9e1 into crossplane-contrib:release-0.6 Feb 27, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ulucinar ulucinar ulucinar approved these changes

@sergenyalcin sergenyalcin sergenyalcin approved these changes

@turkenf turkenf Awaiting requested review from turkenf turkenf is a code owner

@negz negz Awaiting requested review from negz negz is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@upbound-bot @ulucinar @sergenyalcin