@@ -67,22 +67,23 @@ jobs:
6767 # GO-2026-4887, GO-2026-4883
6868 #
6969 # Go standard library vulnerabilities fixed in go1.25.9 / go1.26.2 (released 2026-04-07).
70- # Reachable via docker/docker (archive/tar) or crypto/tls (EmailSendConnector) in go < 1.25.9:
71- # GO-2026-4869 (archive/tar: unbounded memory in sparse GNU tar archives)
72- # GO-2026-4870 (crypto/tls: TLS 1.3 key-update deadlock)
73- # GO-2026-4946 (crypto/x509: policy-validation DoS)
74- # GO-2026-4947 (crypto/x509: certificate chain-building DoS)
75- # Remove these four exclusions once CI upgrades to go >= 1.25.9.
70+ # Reachable in go < 1.25.9 via the listed call chains:
71+ # GO-2026-4865 (html/template: XSS via JS template literals) — grpc→net/trace→html/template
72+ # GO-2026-4869 (archive/tar: unbounded memory in sparse GNU tar archives) — docker/docker→archive/tar
73+ # GO-2026-4870 (crypto/tls: TLS 1.3 key-update deadlock) — EmailSendConnector→crypto/tls
74+ # GO-2026-4946 (crypto/x509: policy-validation DoS) — EmailSendConnector→crypto/tls→crypto/x509
75+ # GO-2026-4947 (crypto/x509: certificate chain-building DoS) — EmailSendConnector→crypto/tls→crypto/x509
76+ # Remove these five exclusions once CI upgrades to go >= 1.25.9.
7677 OUTPUT=$(govulncheck ./... 2>&1 || true)
7778 echo "$OUTPUT"
7879 # Emit each actionable vulnerability ID as a GHA error annotation for visibility.
7980 ALL_IDS=$(echo "$OUTPUT" | grep -oE 'GO-[0-9]+-[0-9]+' | sort -u || true)
8081 echo "govulncheck IDs found: ${ALL_IDS:-none}"
81- ACTIONABLE_IDS=$(echo "$ALL_IDS" | grep -vE '^(GO-2026-4887|GO-2026-4883|GO-2026-4869|GO-2026-4870|GO-2026-4946|GO-2026-4947)$' || true)
82+ ACTIONABLE_IDS=$(echo "$ALL_IDS" | grep -vE '^(GO-2026-4887|GO-2026-4883|GO-2026-4865|GO-2026- 4869|GO-2026-4870|GO-2026-4946|GO-2026-4947)$' || true)
8283 for ID in $ACTIONABLE_IDS; do
8384 echo "::error file=go.mod,line=1,title=Unfixed vulnerability::$ID — add to exclusion list or upgrade the affected dependency"
8485 done
85- ACTIONABLE=$(echo "$OUTPUT" | grep -E '^Vulnerability #[0-9]+:' | grep -vE 'GO-2026-4887|GO-2026-4883|GO-2026-4869|GO-2026-4870|GO-2026-4946|GO-2026-4947' || true)
86+ ACTIONABLE=$(echo "$OUTPUT" | grep -E '^Vulnerability #[0-9]+:' | grep -vE 'GO-2026-4887|GO-2026-4883|GO-2026-4865|GO-2026- 4869|GO-2026-4870|GO-2026-4946|GO-2026-4947' || true)
8687 if [ -n "$ACTIONABLE" ]; then
8788 exit 1
8889 fi
0 commit comments