
fix(security): remediate CVE vulnerabilities#553

Merged
ulucinar merged 5 commits into release-0.11 from fix/cve-remediation-release-0.11-20260316-223551
Mar 17, 2026

Conversation

@upbound-bot

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

CVE/GHSA         Severity  Package  Fixed Version
CVE-2026-25679   High      stdlib   go1.25.8
CVE-2026-27142   High      stdlib   go1.25.8
CVE-2026-27139   Low       stdlib   go1.25.8

Changes Made

  • Updated Go version from 1.24.13 to 1.25.8 in go.mod
  • Updated GO_VERSION in .github/workflows/ci.yml to 1.25.8
  • Updated GOLANGCI_VERSION from v1.64.8 to v2.1.6 for Go 1.25 compatibility
  • Added .golangci.yml with v2 format configuration

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

- Update Go version to 1.25.8 (fixes CVE-2026-25679, CVE-2026-27142,
  CVE-2026-27139)
- Update golangci-lint to v2.1.6 for Go 1.25 compatibility
- Add .golangci.yml with v2 format configuration

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot
Author

Build Failure Analysis

Check: lint
Status: Failed
Analyzed: 2026-03-16T19:40:00Z

Summary

The lint check failed because golangci-lint-action v6 does not support golangci-lint v2.x.

Root Cause

The CI workflow is using golangci/golangci-lint-action@v6 but specifying GOLANGCI_VERSION: 'v2.1.6'. The golangci-lint-action v6 only supports golangci-lint v1.x versions. To use golangci-lint v2.x, the workflow must be updated to use golangci/golangci-lint-action@v7.

Error Details

##[error]Failed to run: Error: invalid version string 'v2.1.6', golangci-lint v2 is not supported by golangci-lint-action v6, you must update to golangci-lint-action v7.

Recommendation

Update .github/workflows/ci.yml to use golangci/golangci-lint-action@v7 instead of @v6. This is required for compatibility with golangci-lint v2.x.


This analysis was generated by the build-failure-analyze skill.

- Update golangci-lint-action from v6 to v7 for golangci-lint v2.x
  compatibility

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot
Author

Build Failure Analysis

Check: lint
Status: Failed
Analyzed: 2026-03-16T19:52:00Z

Summary

The lint check failed because golangci-lint v2.1.6 was built with Go 1.24, but the project targets Go 1.25.8.

Root Cause

golangci-lint requires the linter binary to be built with a Go version equal to or greater than the target Go version specified in go.mod. The golangci-lint v2.1.6 binary was compiled with Go 1.24, but go.mod specifies go 1.25.8.

Error Details

Error: can't load config: the Go language version (go1.24) used to build golangci-lint is lower than the targeted Go version (1.25.8)

Recommendation

Update GOLANGCI_VERSION in .github/workflows/ci.yml from v2.1.6 to v2.2.0 (or later), which is built with Go 1.25+.


This analysis was generated by the build-failure-analyze skill.

- Update GOLANGCI_VERSION from v2.1.6 to v2.2.0 to fix linter
  incompatibility with Go 1.25.8

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot
Author

Build Failure Analysis

Check: lint
Status: Failed
Analyzed: 2026-03-16T20:14:29Z

Summary

The lint check failed because golangci-lint v2.2.0 was built with Go 1.24, but the project targets Go 1.25.8.

Root Cause

golangci-lint requires the linter binary to be built with a Go version equal to or greater than the target Go version specified in go.mod. Go 1.25 support was added in golangci-lint v2.4.0, so v2.2.0 (built with Go 1.24) cannot lint Go 1.25.x projects.

Error Details

Error: can't load config: the Go language version (go1.24) used to build golangci-lint is lower than the targeted Go version (1.25.8)

Recommendation

Update GOLANGCI_VERSION in .github/workflows/ci.yml from v2.2.0 to v2.11.3 (current stable), which is built with Go 1.25+.


This analysis was generated by the build-failure-analyze skill.
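The compatibility rule the two analyses above describe (the linter binary's Go language version must be at least the go.mod target's), as an added example that is not the project's code. It reads the go directive from a constructed go.mod excerpt and compares language versions with the standard go/version package; the names sampleGoMod, targetGoVersion and linterCompatible are hypothetical, and the build toolchain string for a local linter binary is assumed to be obtained with `go version -m <binary>`.

```go
package main

import (
	"bufio"
	"fmt"
	"go/version"
	"strings"
)

// Constructed go.mod excerpt standing in for the project's real go.mod;
// the go directive matches the version named in the PR.
const sampleGoMod = "module example.com/provider\n\ngo 1.25.8\n"

// targetGoVersion returns the Go version named by the go directive in a
// go.mod file as a go/version-style string, e.g. "go1.25.8".
func targetGoVersion(goMod string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 2 && fields[0] == "go" {
			v := "go" + fields[1]
			if !version.IsValid(v) {
				return "", fmt.Errorf("invalid go directive %q", fields[1])
			}
			return v, nil
		}
	}
	return "", fmt.Errorf("no go directive found")
}

// linterCompatible reports whether a golangci-lint binary built with
// builtWith (e.g. "go1.24.2", as shown by `go version -m <binary>`) can lint
// a module targeting target. The linter compares language versions
// (major.minor), so go1.25.1 can lint a go 1.25.8 module but go1.24 cannot.
func linterCompatible(builtWith, target string) (bool, error) {
	if !version.IsValid(builtWith) || !version.IsValid(target) {
		return false, fmt.Errorf("invalid Go version %q or %q", builtWith, target)
	}
	return version.Compare(version.Lang(builtWith), version.Lang(target)) >= 0, nil
}

func main() {
	target, _ := targetGoVersion(sampleGoMod)
	for _, built := range []string{"go1.24", "go1.25.1"} {
		ok, err := linterCompatible(built, target)
		fmt.Printf("built with %s, target %s: compatible=%v err=%v\n", built, target, ok, err)
	}
}
```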

- Update GOLANGCI_VERSION from v2.2.0 to v2.11.3 (Go 1.25 support
  requires golangci-lint v2.4.0+)

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot
Author

Build Failure Analysis

Check: lint
Status: Failed
Analyzed: 2026-03-16T20:26:30Z

Summary

The lint check found 3 staticcheck QF1008 warnings in claimconditions.go.

Root Cause

golangci-lint v2.11.3 with stricter staticcheck rules detected that embedded struct fields are being accessed with redundant selector prefixes. The TargetedCondition struct embeds xpv1.Condition, so its fields can be accessed directly without the .Condition prefix.

Error Details

claimconditions.go:46:21: QF1008: could remove embedded field "Condition" from selector
claimconditions.go:47:21: QF1008: could remove embedded field "Condition" from selector
claimconditions.go:51:12: QF1008: could remove embedded field "Condition" from selector

Recommendation

Simplify embedded field access in transformCondition function:

  • tc.Condition.Type → tc.Type
  • tc.Condition.Reason → tc.Reason
  • tc.Condition.Status → tc.Status

This analysis was generated by the build-failure-analyze skill.

- Remove redundant .Condition prefix when accessing embedded struct
  fields (fixes staticcheck QF1008)

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@ulucinar
Collaborator

Thank you @bobh66.

@ulucinar ulucinar merged commit 1323c47 into release-0.11 Mar 17, 2026
6 checks passed