@@ -67,21 +67,22 @@ jobs:
6767 # GO-2026-4887, GO-2026-4883
6868 #
6969 # Go standard library vulnerabilities fixed in go1.25.9 / go1.26.2 (released 2026-04-07).
70- # Reachable via crypto/tls (EmailSendConnector TLS handshake) in go < 1.25.9:
70+ # Reachable via docker/docker (archive/tar) or crypto/tls (EmailSendConnector) in go < 1.25.9:
71+ # GO-2026-4869 (archive/tar: unbounded memory in sparse GNU tar archives)
7172 # GO-2026-4870 (crypto/tls: TLS 1.3 key-update deadlock)
7273 # GO-2026-4946 (crypto/x509: policy-validation DoS)
7374 # GO-2026-4947 (crypto/x509: certificate chain-building DoS)
74- # Remove these three exclusions once CI upgrades to go >= 1.25.9.
75+ # Remove these four exclusions once CI upgrades to go >= 1.25.9.
7576 OUTPUT=$(govulncheck ./... 2>&1 || true)
7677 echo "$OUTPUT"
7778 # Emit each actionable vulnerability ID as a GHA error annotation for visibility.
7879 ALL_IDS=$(echo "$OUTPUT" | grep -oE 'GO-[0-9]+-[0-9]+' | sort -u || true)
7980 echo "govulncheck IDs found: ${ALL_IDS:-none}"
80- ACTIONABLE_IDS=$(echo "$ALL_IDS" | grep -vE '^(GO-2026-4887|GO-2026-4883|GO-2026-4870|GO-2026-4946|GO-2026-4947)$' || true)
81+ ACTIONABLE_IDS=$(echo "$ALL_IDS" | grep -vE '^(GO-2026-4887|GO-2026-4883|GO-2026-4869|GO-2026- 4870|GO-2026-4946|GO-2026-4947)$' || true)
8182 for ID in $ACTIONABLE_IDS; do
8283 echo "::error file=go.mod,line=1,title=Unfixed vulnerability::$ID — add to exclusion list or upgrade the affected dependency"
8384 done
84- ACTIONABLE=$(echo "$OUTPUT" | grep -E '^Vulnerability #[0-9]+:' | grep -vE 'GO-2026-4887|GO-2026-4883|GO-2026-4870|GO-2026-4946|GO-2026-4947' || true)
85+ ACTIONABLE=$(echo "$OUTPUT" | grep -E '^Vulnerability #[0-9]+:' | grep -vE 'GO-2026-4887|GO-2026-4883|GO-2026-4869|GO-2026- 4870|GO-2026-4946|GO-2026-4947' || true)
8586 if [ -n "$ACTIONABLE" ]; then
8687 exit 1
8788 fi
0 commit comments