fix(deps): bump Go from 1.26.3 to 1.26.4 to fix CVE-2026-42504 in seed and generator containers (#16232)

* fix(deps): bump Go from 1.26.3 to 1.26.4 to fix CVE-2026-42504 in seed and generator containers

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>

* chore: simplify Dockerfile comments — remove verbose CVE listings

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

Author: davidkonigsberg

docker/seed/Dockerfile.go

@@ -5,31 +5,22 @@ RUN apk add --no-cache curl && \
     curl -sL "https://github.com/google/go-containerregistry/releases/download/v0.21.2/go-containerregistry_Linux_${ARCH}.tar.gz" | tar xz -C /usr/local/bin crane && \
     crane pull wiremock/wiremock:3.9.1 /wiremock.tar
 
-# Stage 2: Rebuild containerd v2.3.1 + runc v1.3.5 + moby (dockerd, docker-proxy)
-# + docker CLI from source with go1.26.3 and golang.org/x/net v0.53.0.
-# Upstream `docker:29.5.2-dind-alpine3.23` ships dockerd / docker / docker-proxy
-# built with go1.26.2, which grype flags for the unpatched go/stdlib 1.26.2
-# CVEs (CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39836,
-# CVE-2026-42499). Rebuilding under GOTOOLCHAIN=go1.26.3 swaps the embedded
-# stdlib without changing functionality. The containerd/runc rebuild also
-# picks up the grpc / otel / go-jose bumps from the v2.3.x release line.
-FROM golang:1.26.3-alpine3.23 AS overlay-binaries
+# Stage 2: Rebuild containerd + runc + moby + docker CLI from source with
+# go1.26.4 so the embedded stdlib clears vulnerability scanners. The
+# containerd/runc rebuild also picks up dependency bumps from the v2.3.x line.
+FROM golang:1.26.4-alpine3.23 AS overlay-binaries
 ARG CONTAINERD_VERSION=2.3.1
 ARG RUNC_VERSION=1.3.5
-# moby v29.5.2 includes fixes for CVE-2026-33997, CVE-2026-34040,
-# CVE-2026-41567, CVE-2026-41568, CVE-2026-42306 and later patches.
 ARG MOBY_VERSION=29.5.2
 ARG DOCKER_CLI_VERSION=29.5.2
 ARG XNET_VERSION=0.55.0
 ARG XCRYPTO_VERSION=0.52.0
 ARG XSYS_VERSION=0.45.0
 ARG OTEL_SDK_VERSION=1.43.0
 ARG IN_TOTO_VERSION=0.11.0
-ENV GOTOOLCHAIN=go1.26.3
+ENV GOTOOLCHAIN=go1.26.4
 RUN apk add --no-cache git make gcc musl-dev linux-headers libseccomp-dev libseccomp-static bash ca-certificates && \
     mkdir -p /overlay/usr/local/bin
-# Bump in-toto-golang to v0.11.0 (GHSA-pmwq-pjrm-6p5r) and pin the OTLP
-# HTTP exporters to v${OTEL_SDK_VERSION} (CVE-2026-39882).
 RUN git clone --depth 1 --branch v${CONTAINERD_VERSION} https://github.com/containerd/containerd.git /src/containerd && \
     cd /src/containerd && \
     go get golang.org/x/net@v${XNET_VERSION} \
@@ -59,9 +50,6 @@ RUN git clone --depth 1 --branch v${RUNC_VERSION} https://github.com/opencontain
     cp runc /overlay/usr/local/bin/runc
 RUN git clone --depth 1 --branch docker-v${MOBY_VERSION} https://github.com/moby/moby.git /src/moby && \
     cd /src/moby && \
-    # Force patched x/net (CVE-2026-33814), containerd (GHSA-fqw6-gf59-qr4w),
-    # otel SDK + OTLP HTTP exporters (CVE-2026-39882, CVE-2026-39883)
-    # before vendoring dockerd/docker-proxy.
     go get golang.org/x/net@v${XNET_VERSION} \
            golang.org/x/crypto@v${XCRYPTO_VERSION} \
            golang.org/x/sys@v${XSYS_VERSION} \
@@ -85,8 +73,6 @@ RUN git clone --depth 1 --branch docker-v${MOBY_VERSION} https://github.com/moby
 RUN git clone --depth 1 --branch v${DOCKER_CLI_VERSION} https://github.com/docker/cli.git /src/docker-cli && \
     cd /src/docker-cli && \
     cp vendor.mod go.mod && cp vendor.sum go.sum && \
-    # docker CLI's vendor.mod pins x/net <0.53; bump it (and re-vendor)
-    # so the built /usr/local/bin/docker also clears CVE-2026-33814.
     go get golang.org/x/net@v${XNET_VERSION} \
            golang.org/x/crypto@v${XCRYPTO_VERSION} \
            golang.org/x/sys@v${XSYS_VERSION} && \
@@ -115,7 +101,7 @@ COPY --from=wiremock-pull /wiremock.tar /wiremock.tar
 RUN apk update && apk upgrade --no-cache --available
 
 # Install Go (multi-arch: supports both amd64 and arm64)
-ENV GO_VERSION=1.26.3
+ENV GO_VERSION=1.26.4
 RUN set -eux; \
     ARCH="$(uname -m)"; \
     case "${ARCH}" in \
@@ -127,11 +113,8 @@ RUN set -eux; \
     && tar -C /usr/local -xzf "go${GO_VERSION}.linux-${GOARCH}.tar.gz" \
     && rm "go${GO_VERSION}.linux-${GOARCH}.tar.gz"
 
-# Go 1.26.3 ships the CVE-2026-33814 fix in h2_bundle.go but src/go.mod
-# still pins old pseudo-versions of x/net and x/crypto, and an old x/sys.
-# Bump the SBOM files so grype no longer flags them.
-# Patch both src/go.mod (stdlib) and src/cmd/go.mod (toolchain commands)
-# so scanners like grype and AWS Inspector stop reporting CVE-2026-39824.
+# Patch src/go.mod and src/cmd/go.mod to bump declared x/net, x/crypto,
+# x/sys versions so SBOM scanners no longer flag stale pseudo-versions.
 RUN sed -i 's|golang.org/x/net v0.47.1-[^ ]*|golang.org/x/net v0.55.0|' \
         /usr/local/go/src/go.mod /usr/local/go/src/vendor/modules.txt && \
     sed -i '/golang.org\/x\/net v0.47.1-/d' /usr/local/go/src/go.sum && \
@@ -152,8 +135,8 @@ ENV PATH="/usr/local/go/bin:${PATH}" \
 RUN mkdir -p "${GOPATH}/src" "${GOPATH}/bin"
 
 # Build golangci-lint via a temporary wrapper module so we can bump
-# golang.org/x/sys to v0.45.0 (CVE-2026-39824) while still fetching all
-# modules through the Go proxy + checksum database (sum.golang.org).
+# golang.org/x/sys while still fetching all modules through the Go proxy
+# + checksum database (sum.golang.org).
 ENV GOLANGCI_LINT_VERSION=v2.12.2
 RUN mkdir /tmp/glw && cd /tmp/glw && \
     go mod init golangci-wrapper && \

docker/seed/Dockerfile.php

@@ -5,19 +5,12 @@
     curl -sL "https://github.com/google/go-containerregistry/releases/download/v0.21.2/go-containerregistry_Linux_${ARCH}.tar.gz" | tar xz -C /usr/local/bin crane && \
     crane pull wiremock/wiremock:3.9.1 /wiremock.tar
 
-# Stage 2: Rebuild containerd v2.3.0 + runc v1.3.5 + moby (dockerd, docker-proxy)
-# + docker CLI from source with go1.26.3 and golang.org/x/net v0.53.0.
-# Upstream `docker:29.5.2-dind-alpine3.23` ships dockerd / docker / docker-proxy
-# built with go1.26.2, which grype flags for the unpatched go/stdlib 1.26.2
-# CVEs (CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39836,
-# CVE-2026-42499). Rebuilding under GOTOOLCHAIN=go1.26.3 swaps the embedded
-# stdlib without changing functionality. The containerd/runc rebuild also
-# picks up the grpc / otel / go-jose bumps from the v2.3.x release line.
-FROM golang:1.26.3-alpine3.23 AS overlay-binaries
+# Stage 2: Rebuild containerd + runc + moby + docker CLI from source with
+# go1.26.4 so the embedded stdlib clears vulnerability scanners. The
+# containerd/runc rebuild also picks up dependency bumps from the v2.3.x line.
+FROM golang:1.26.4-alpine3.23 AS overlay-binaries
 ARG CONTAINERD_VERSION=2.3.1
 ARG RUNC_VERSION=1.3.5
-# moby v29.5.2 includes fixes for CVE-2026-33997, CVE-2026-34040,
-# CVE-2026-41567, CVE-2026-41568, CVE-2026-42306 and later patches.
 ARG MOBY_VERSION=29.5.2
 ARG DOCKER_CLI_VERSION=29.5.2
 ARG COMPOSE_VERSION=5.1.4
@@ -26,11 +19,9 @@
 ARG XSYS_VERSION=0.45.0
 ARG OTEL_SDK_VERSION=1.43.0
 ARG IN_TOTO_VERSION=0.11.0
-ENV GOTOOLCHAIN=go1.26.3
+ENV GOTOOLCHAIN=go1.26.4
 RUN apk add --no-cache git make gcc musl-dev linux-headers libseccomp-dev libseccomp-static bash ca-certificates binutils && \
     mkdir -p /overlay/usr/local/bin
-# Bump in-toto-golang to v0.11.0 (GHSA-pmwq-pjrm-6p5r) and pin the OTLP
-# HTTP exporters to v${OTEL_SDK_VERSION} (CVE-2026-39882).
 RUN git clone --depth 1 --branch v${CONTAINERD_VERSION} https://github.com/containerd/containerd.git /src/containerd && \
     cd /src/containerd && \
     go get golang.org/x/net@v${XNET_VERSION} \
@@ -60,9 +51,6 @@
     cp runc /overlay/usr/local/bin/runc
 RUN git clone --depth 1 --branch docker-v${MOBY_VERSION} https://github.com/moby/moby.git /src/moby && \
     cd /src/moby && \
-    # Force patched x/net (CVE-2026-33814), containerd (GHSA-fqw6-gf59-qr4w),
-    # otel SDK + OTLP HTTP exporters (CVE-2026-39882, CVE-2026-39883)
-    # before vendoring dockerd/docker-proxy.
     go get golang.org/x/net@v${XNET_VERSION} \
            golang.org/x/crypto@v${XCRYPTO_VERSION} \
            golang.org/x/sys@v${XSYS_VERSION} \
@@ -86,8 +74,6 @@
 RUN git clone --depth 1 --branch v${DOCKER_CLI_VERSION} https://github.com/docker/cli.git /src/docker-cli && \
     cd /src/docker-cli && \
     cp vendor.mod go.mod && cp vendor.sum go.sum && \
-    # docker CLI's vendor.mod pins x/net <0.53; bump it (and re-vendor)
-    # so the built /usr/local/bin/docker also clears CVE-2026-33814.
     go get golang.org/x/net@v${XNET_VERSION} \
            golang.org/x/crypto@v${XCRYPTO_VERSION} \
            golang.org/x/sys@v${XSYS_VERSION} && \
@@ -97,11 +83,8 @@
       -tags "osusergo netgo static_build pkcs11" \
       -trimpath -ldflags "-s -w" \
       -o /overlay/usr/local/bin/docker ./cmd/docker
-# Rebuild docker-compose to clear x/net <0.53, OTLP HTTP exporter <1.43.0
-# (CVE-2026-39882), and in-toto-golang <0.11.0 (GHSA-pmwq-pjrm-6p5r).
-# Strip .go.buildinfo afterward so grype does not flag the transitive
-# github.com/docker/docker v28.x dep (CVE-2026-33997/34040 are fixed in
-# the moby/dockerd rebuild; v29.3.1 has no Go module tag on that path).
+# Rebuild docker-compose with bumped dependencies and strip .go.buildinfo
+# so scanners do not flag transitive deps that are already patched above.
 RUN mkdir -p /overlay/usr/local/libexec/docker/cli-plugins && \
     git clone --depth 1 --branch v${COMPOSE_VERSION} https://github.com/docker/compose.git /src/compose && \
     cd /src/compose && \

docker/seed/Dockerfile.python

@@ -5,19 +5,12 @@ RUN apk add --no-cache curl && \
     curl -sL "https://github.com/google/go-containerregistry/releases/download/v0.21.2/go-containerregistry_Linux_${ARCH}.tar.gz" | tar xz -C /usr/local/bin crane && \
     crane pull wiremock/wiremock:3.9.1 /wiremock.tar
 
-# Stage 2: Rebuild containerd v2.3.0 + runc v1.3.5 + moby (dockerd, docker-proxy)
-# + docker CLI from source with go1.26.3 and golang.org/x/net v0.53.0.
-# Upstream `docker:29.5.2-dind-alpine3.23` ships dockerd / docker / docker-proxy
-# built with go1.26.2, which grype flags for the unpatched go/stdlib 1.26.2
-# CVEs (CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39836,
-# CVE-2026-42499). Rebuilding under GOTOOLCHAIN=go1.26.3 swaps the embedded
-# stdlib without changing functionality. The containerd/runc rebuild also
-# picks up the grpc / otel / go-jose bumps from the v2.3.x release line.
-FROM golang:1.26.3-alpine3.23 AS overlay-binaries
+# Stage 2: Rebuild containerd + runc + moby + docker CLI from source with
+# go1.26.4 so the embedded stdlib clears vulnerability scanners. The
+# containerd/runc rebuild also picks up dependency bumps from the v2.3.x line.
+FROM golang:1.26.4-alpine3.23 AS overlay-binaries
 ARG CONTAINERD_VERSION=2.3.1
 ARG RUNC_VERSION=1.3.5
-# moby v29.5.2 includes fixes for CVE-2026-33997, CVE-2026-34040,
-# CVE-2026-41567, CVE-2026-41568, CVE-2026-42306 and later patches.
 ARG MOBY_VERSION=29.5.2
 ARG DOCKER_CLI_VERSION=29.5.2
 ARG COMPOSE_VERSION=5.1.4
@@ -26,11 +19,9 @@ ARG XCRYPTO_VERSION=0.52.0
 ARG XSYS_VERSION=0.45.0
 ARG OTEL_SDK_VERSION=1.43.0
 ARG IN_TOTO_VERSION=0.11.0
-ENV GOTOOLCHAIN=go1.26.3
+ENV GOTOOLCHAIN=go1.26.4
 RUN apk add --no-cache git make gcc musl-dev linux-headers libseccomp-dev libseccomp-static bash ca-certificates binutils && \
     mkdir -p /overlay/usr/local/bin
-# Bump in-toto-golang to v0.11.0 (GHSA-pmwq-pjrm-6p5r) and pin the OTLP
-# HTTP exporters to v${OTEL_SDK_VERSION} (CVE-2026-39882).
 RUN git clone --depth 1 --branch v${CONTAINERD_VERSION} https://github.com/containerd/containerd.git /src/containerd && \
     cd /src/containerd && \
     go get golang.org/x/net@v${XNET_VERSION} \
@@ -60,9 +51,6 @@ RUN git clone --depth 1 --branch v${RUNC_VERSION} https://github.com/opencontain
     cp runc /overlay/usr/local/bin/runc
 RUN git clone --depth 1 --branch docker-v${MOBY_VERSION} https://github.com/moby/moby.git /src/moby && \
     cd /src/moby && \
-    # Force patched x/net (CVE-2026-33814), containerd (GHSA-fqw6-gf59-qr4w),
-    # otel SDK + OTLP HTTP exporters (CVE-2026-39882, CVE-2026-39883)
-    # before vendoring dockerd/docker-proxy.
     go get golang.org/x/net@v${XNET_VERSION} \
            golang.org/x/crypto@v${XCRYPTO_VERSION} \
            golang.org/x/sys@v${XSYS_VERSION} \
@@ -86,8 +74,6 @@ RUN git clone --depth 1 --branch docker-v${MOBY_VERSION} https://github.com/moby
 RUN git clone --depth 1 --branch v${DOCKER_CLI_VERSION} https://github.com/docker/cli.git /src/docker-cli && \
     cd /src/docker-cli && \
     cp vendor.mod go.mod && cp vendor.sum go.sum && \
-    # docker CLI's vendor.mod pins x/net <0.53; bump it (and re-vendor)
-    # so the built /usr/local/bin/docker also clears CVE-2026-33814.
     go get golang.org/x/net@v${XNET_VERSION} \
            golang.org/x/crypto@v${XCRYPTO_VERSION} \
            golang.org/x/sys@v${XSYS_VERSION} && \
@@ -97,11 +83,8 @@ RUN git clone --depth 1 --branch v${DOCKER_CLI_VERSION} https://github.com/docke
       -tags "osusergo netgo static_build pkcs11" \
       -trimpath -ldflags "-s -w" \
       -o /overlay/usr/local/bin/docker ./cmd/docker
-# Rebuild docker-compose to clear x/net <0.53, OTLP HTTP exporter <1.43.0
-# (CVE-2026-39882), and in-toto-golang <0.11.0 (GHSA-pmwq-pjrm-6p5r).
-# Strip .go.buildinfo afterward so grype does not flag the transitive
-# github.com/docker/docker v28.x dep (CVE-2026-33997/34040 are fixed in
-# the moby/dockerd rebuild; v29.3.1 has no Go module tag on that path).
+# Rebuild docker-compose with bumped dependencies and strip .go.buildinfo
+# so scanners do not flag transitive deps that are already patched above.
 RUN mkdir -p /overlay/usr/local/libexec/docker/cli-plugins && \
     git clone --depth 1 --branch v${COMPOSE_VERSION} https://github.com/docker/compose.git /src/compose && \
     cd /src/compose && \

docker/seed/Dockerfile.ts

@@ -1,11 +1,9 @@
-# Stage 1: Rebuild oxlint-tsgolint from source under go1.26.3 so the embedded
-# go/stdlib clears the go1.26.2 CVEs (CVE-2026-33811, CVE-2026-33814,
-# CVE-2026-39820, CVE-2026-39836, CVE-2026-42499). The published
-# @oxlint-tsgolint/linux-{x64,arm64} binaries are still compiled with the
-# upstream go1.26.2 toolchain.
-FROM golang:1.26.3-trixie AS tsgolint-rebuild
+# Stage 1: Rebuild oxlint-tsgolint from source under go1.26.4 so the embedded
+# go/stdlib clears vulnerability scanners. The published binaries are still
+# compiled with an older upstream Go toolchain.
+FROM golang:1.26.4-trixie AS tsgolint-rebuild
 ARG TSGOLINT_VERSION=0.22.1
-ENV GOTOOLCHAIN=go1.26.3
+ENV GOTOOLCHAIN=go1.26.4
 RUN apt-get update && apt-get install -y --no-install-recommends git ca-certificates && rm -rf /var/lib/apt/lists/*
 RUN git config --global user.email "build@example.com" && \
     git config --global user.name "Build" && \
@@ -42,7 +40,7 @@ RUN apt-get update \
   && apt-get -y autoremove \
   && rm -rf /var/lib/apt/lists/*
 
-# Update perl-base to fix CVE-2026-48959, CVE-2026-48961, CVE-2026-9538, CVE-2026-48962, CVE-2026-42497
+# Update perl-base from sid to pick up security patches.
 RUN echo "Types: deb" > /etc/apt/sources.list.d/sid.sources \
     && echo "URIs: http://deb.debian.org/debian" >> /etc/apt/sources.list.d/sid.sources \
     && echo "Suites: sid" >> /etc/apt/sources.list.d/sid.sources \
@@ -55,12 +53,8 @@ RUN echo "Types: deb" > /etc/apt/sources.list.d/sid.sources \
     && rm -f /etc/apt/sources.list.d/sid.sources /etc/apt/preferences.d/sid-low \
     && rm -rf /var/lib/apt/lists/*
 
-# Upgrade bundled npm to 11.14.1 to pick up patched transitive dependencies
-# (picomatch 4.0.4, minimatch 10.2.5, tar 7.5.13).
-# node:24.16.0 ships npm 11.12.1 which still vendors picomatch 4.0.3 and
-# brace-expansion 5.0.4. Replace ip-address with 10.1.1 to fix
-# GHSA-v2v4-37r5-5v8g (still bundled at 10.1.0 even in npm 11.14.1).
-# Patch brace-expansion to 5.0.6 (GHSA-jxxr-4gwj-5jf2; npm 11.14.1 vendors 5.0.5).
+# Upgrade bundled npm and patch vendored dependencies (ip-address,
+# brace-expansion) to versions that clear vulnerability scanners.
 RUN npm install -g npm@11.14.1 --force && \
     cd /usr/local/lib/node_modules/npm/node_modules && \
     npm pack ip-address@10.1.1 && \
@@ -91,8 +85,7 @@ RUN pnpm add -g typescript@~5.7.2 \
   vitest@^4.1.1
 
 # Replace the prebuilt @oxlint-tsgolint/linux-* binary with the locally
-# rebuilt one (go1.26.3). pnpm installs the platform-specific binary at
-# {pnpm-global-store}/.pnpm/@oxlint-tsgolint+linux-{arch}@.../node_modules/@oxlint-tsgolint/linux-{arch}/tsgolint.
+# rebuilt one so it embeds the patched Go stdlib.
 COPY --from=tsgolint-rebuild /out/tsgolint /tmp/tsgolint-rebuilt
 RUN chmod +x /tmp/tsgolint-rebuilt && \
     set -eux; \

generators/go/model/Dockerfile

@@ -1,9 +1,9 @@
 FROM node:24.16-alpine3.23 AS node
 
-FROM golang:1.26.3-alpine3.23
+FROM golang:1.26.4-alpine3.23
 
-# Go 1.26.3 ships the CVE-2026-33814 fix in h2_bundle.go but src/go.mod
-# still pins x/net v0.47.1; bump SBOM files to v0.53.0 to match the code.
+# Patch src/go.mod to bump x/net so SBOM scanners no longer flag a stale
+# pseudo-version.
 RUN sed -i 's|golang.org/x/net v0.47.1-[^ ]*|golang.org/x/net v0.53.0|' \
         /usr/local/go/src/go.mod /usr/local/go/src/vendor/modules.txt && \
     sed -i '/golang.org\/x\/net v0.47.1-/d' /usr/local/go/src/go.sum
@@ -27,9 +27,8 @@ COPY --from=node /usr/local/lib/node_modules /usr/local/lib/node_modules
 RUN ln -s ../lib/node_modules/npm/bin/npm-cli.js /usr/local/bin/npm \
     && ln -s ../lib/node_modules/npm/bin/npx-cli.js /usr/local/bin/npx
 
-# Patch npm's bundled picomatch@4.0.3 -> 4.0.4 (GHSA-c2c7-rcm5-vvqj,
-# GHSA-3v7f-55p6-f55p) and brace-expansion@5.0.4 -> 5.0.6
-# (GHSA-jxxr-4gwj-5jf2) copied from the node stage.
+# Patch npm's bundled picomatch and brace-expansion to versions that clear
+# vulnerability scanners.
 RUN for dir in \
       /usr/local/lib/node_modules/npm/node_modules/picomatch \
       /usr/local/lib/node_modules/npm/node_modules/tinyglobby/node_modules/picomatch; do \