fix: remediate vulnerabilities in harnesssecure/test-analysis (CI-23221)#8
Draft
vinayakharness2026 wants to merge 1 commit into
Conversation
…de to 1.0.1 Build with Go 1.25.11 toolchain, pin alpine to 3.23.5, bump logrus to v1.9.3. Multi-stage Dockerfile so the binary is built reproducibly in the image itself instead of being copied in from a prior CI step. Resolves CI-23221.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Vulnerability Remediation: harnesssecure/test-analysis
Team: ci (Harness CI Platform)
Tickets: CI-23221
Test image:
vinayakharness/test-analysis-test:test-analysis-1.0.1--debugOnDemand scanner runs (Harness https://harness0.harness.io/):
Summary
Both scanners completed and agree the image is materially cleaner. Trivy goes from 97 → 0 vulnerabilities (3 Critical, 31 High, 41 Medium, 22 Low all eliminated). Harness OnDemand (Prisma) goes from 18 → 2 (2 Critical and 7 High eliminated; the residual 1 Medium + 1 Info are policy/info entries, not the targeted CVEs). All targeted CVEs from the ticket — Alpine OS packages (libcrypto3/libssl3, libxml2, musl, zlib, xz), Go stdlib pre-1.25.11, and
github.com/sirupsen/logrusv1.9.0 — are resolved. The Go toolchain crossed a major boundary (1.22 → 1.25) and the build was restructured into a multi-stage Dockerfile that compiles the binary in-image, so QA should run the standard parse-test-reports plugin sanity tests before merge. Recommendation: SHIP — no new CRITICAL/HIGH CVEs introduced.CVE Delta — Trivy (local scan)
CVE Delta — Harness OnDemand (Prisma Cloud)
Per-Ticket CVE Status
CI-23221 — P2: Security Vulnerability Fixes - harnesssecure/test-analysis
The ticket lists severity counts (3C / 26H / 14M / 5L) without enumerating individual CVEs. The actual finding set was discovered by scanning the baseline; per-CVE results below are the union of Trivy and OnDemand findings on
plugins/test-analysis:latest(the public mirror ofharnesssecure/test-analysis:latest, built from the same source repo).(Status legend: OK = Resolved, PARTIAL = improved but below fix threshold, BLOCKED = no upstream fix available.)
Changes Made
docker/Dockerfilegolang:1.25.11-alpine3.23builder →alpine:3.23.5runtime. Builds the binary inside the image (CGO disabled, trimpath,-ldflags=-s -w) instead ofCOPY parse-test-reportsfrom a pre-built artifact. Pinning replacesalpine:latest.go.modgithub.com/sirupsen/logrusv1.9.0 → v1.9.3 (CVE-2025-65637);go mod tidypromoted Go directive 1.19 → 1.25 and re-resolved transitive deps.go.sumVersion selection rationale:
alpine:latestresolved to 3.23.3 in the baseline, 3.23.5 is the current 3.23 release and ships the fixed openssl/musl/zlib/libxml2/xz packages. Stays on the existing minor.Breaking-Change Warnings
Newly Introduced CVEs
None at CRITICAL or HIGH severity. The OnDemand after-scan reports one residual MEDIUM and one INFO item; both are policy/aggregate entries, not new vulnerabilities (Trivy reports zero findings at any severity for the test image).
🤖 Generated with Claude Code