Skip to content

Commit 873857a

Browse files
committed
fix: also exclude GO-2026-4869 (archive/tar unbounded memory)
Docker/docker uses archive/tar extensively; the library vulnerability GO-2026-4869 (archive/tar.Reader.Next unbounded sparse-region allocation) was hidden under GitHub Actions' 10-annotation-per-step cap. Fixed in go1.25.9 / go1.26.2 alongside the crypto/* fixes. https://claude.ai/code/session_018ji3prTSK6AKEFqRfZQbBQ
1 parent 9c04fc5 commit 873857a

1 file changed

Lines changed: 5 additions & 4 deletions

File tree

.github/workflows/engine-ci.yml

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -67,21 +67,22 @@ jobs:
6767
# GO-2026-4887, GO-2026-4883
6868
#
6969
# Go standard library vulnerabilities fixed in go1.25.9 / go1.26.2 (released 2026-04-07).
70-
# Reachable via crypto/tls (EmailSendConnector TLS handshake) in go < 1.25.9:
70+
# Reachable via docker/docker (archive/tar) or crypto/tls (EmailSendConnector) in go < 1.25.9:
71+
# GO-2026-4869 (archive/tar: unbounded memory in sparse GNU tar archives)
7172
# GO-2026-4870 (crypto/tls: TLS 1.3 key-update deadlock)
7273
# GO-2026-4946 (crypto/x509: policy-validation DoS)
7374
# GO-2026-4947 (crypto/x509: certificate chain-building DoS)
74-
# Remove these three exclusions once CI upgrades to go >= 1.25.9.
75+
# Remove these four exclusions once CI upgrades to go >= 1.25.9.
7576
OUTPUT=$(govulncheck ./... 2>&1 || true)
7677
echo "$OUTPUT"
7778
# Emit each actionable vulnerability ID as a GHA error annotation for visibility.
7879
ALL_IDS=$(echo "$OUTPUT" | grep -oE 'GO-[0-9]+-[0-9]+' | sort -u || true)
7980
echo "govulncheck IDs found: ${ALL_IDS:-none}"
80-
ACTIONABLE_IDS=$(echo "$ALL_IDS" | grep -vE '^(GO-2026-4887|GO-2026-4883|GO-2026-4870|GO-2026-4946|GO-2026-4947)$' || true)
81+
ACTIONABLE_IDS=$(echo "$ALL_IDS" | grep -vE '^(GO-2026-4887|GO-2026-4883|GO-2026-4869|GO-2026-4870|GO-2026-4946|GO-2026-4947)$' || true)
8182
for ID in $ACTIONABLE_IDS; do
8283
echo "::error file=go.mod,line=1,title=Unfixed vulnerability::$ID — add to exclusion list or upgrade the affected dependency"
8384
done
84-
ACTIONABLE=$(echo "$OUTPUT" | grep -E '^Vulnerability #[0-9]+:' | grep -vE 'GO-2026-4887|GO-2026-4883|GO-2026-4870|GO-2026-4946|GO-2026-4947' || true)
85+
ACTIONABLE=$(echo "$OUTPUT" | grep -E '^Vulnerability #[0-9]+:' | grep -vE 'GO-2026-4887|GO-2026-4883|GO-2026-4869|GO-2026-4870|GO-2026-4946|GO-2026-4947' || true)
8586
if [ -n "$ACTIONABLE" ]; then
8687
exit 1
8788
fi

0 commit comments

Comments
 (0)