Skip to content

fix: remediate vulnerabilities in harnesssecure/test-analysis (CI-23221)#8

Draft
vinayakharness2026 wants to merge 1 commit into
harness-community:mainfrom
vinayakharness2026:fix/vuln-remediation-CI-23221-20260624-035531
Draft

fix: remediate vulnerabilities in harnesssecure/test-analysis (CI-23221)#8
vinayakharness2026 wants to merge 1 commit into
harness-community:mainfrom
vinayakharness2026:fix/vuln-remediation-CI-23221-20260624-035531

Conversation

@vinayakharness2026

@vinayakharness2026 vinayakharness2026 commented Jun 24, 2026

Copy link
Copy Markdown

Vulnerability Remediation: harnesssecure/test-analysis

Team: ci (Harness CI Platform)
Tickets: CI-23221
Test image: vinayakharness/test-analysis-test:test-analysis-1.0.1--debug

OnDemand scanner runs (Harness https://harness0.harness.io/):


Summary

Both scanners completed and agree the image is materially cleaner. Trivy goes from 97 → 0 vulnerabilities (3 Critical, 31 High, 41 Medium, 22 Low all eliminated). Harness OnDemand (Prisma) goes from 18 → 2 (2 Critical and 7 High eliminated; the residual 1 Medium + 1 Info are policy/info entries, not the targeted CVEs). All targeted CVEs from the ticket — Alpine OS packages (libcrypto3/libssl3, libxml2, musl, zlib, xz), Go stdlib pre-1.25.11, and github.com/sirupsen/logrus v1.9.0 — are resolved. The Go toolchain crossed a major boundary (1.22 → 1.25) and the build was restructured into a multi-stage Dockerfile that compiles the binary in-image, so QA should run the standard parse-test-reports plugin sanity tests before merge. Recommendation: SHIP — no new CRITICAL/HIGH CVEs introduced.


CVE Delta — Trivy (local scan)

Severity Before After Change
Critical 3 0 -3
High 31 0 -31
Medium 41 0 -41
Low 22 0 -22
Total 97 0 -97

CVE Delta — Harness OnDemand (Prisma Cloud)

Severity Before After Change
Critical 2 0 -2
High 7 0 -7
Medium 4 1 -3
Low 2 0 -2
Info 3 1 -2
Total 18 2 -16

Per-Ticket CVE Status

CI-23221 — P2: Security Vulnerability Fixes - harnesssecure/test-analysis

The ticket lists severity counts (3C / 26H / 14M / 5L) without enumerating individual CVEs. The actual finding set was discovered by scanning the baseline; per-CVE results below are the union of Trivy and OnDemand findings on plugins/test-analysis:latest (the public mirror of harnesssecure/test-analysis:latest, built from the same source repo).

CVE Package Before After Required Status Reason
CVE-2025-68121 Go stdlib 1.22.12 1.25.11 1.24.13 / 1.25.7 / 1.26.0-rc.3 OK Built with Go 1.25.11 toolchain
CVE-2026-31789 libcrypto3 / libssl3 3.5.5-r0 3.5.7-r1 3.5.6-r0 OK Pinned alpine 3.23.5 ships fixed openssl
CVE-2025-65637 github.com/sirupsen/logrus v1.9.0 v1.9.3 v1.9.3 OK Bumped via go get + go mod tidy
CVE-2025-61723..-61730, -22870..-22873, -47906..-47912, -58183..-58189, -4673, -0913, -47907 Go stdlib 1.22.12 1.25.11 various ≥1.23–1.25 OK Built with Go 1.25.11 (covers all listed fix versions)
CVE-2026-25679, -27145, -32280..-32283, -32288..-32289, -33811, -33814, -39820, -39823, -39825, -39826, -39836, -42499, -42504, -42507, -27139, -27142 Go stdlib 1.22.12 1.25.11 up to 1.25.11 OK Built with Go 1.25.11
CVE-2026-28387..-28390, -45447, -2673, -31790, -34182..-34183, -42764, -45445, -34180..-34181, -42766..-42770, -45446, -7383, -9076 libcrypto3 / libssl3 3.5.5-r0 3.5.7-r1 3.5.6-r0 / 3.5.7-r0 OK alpine 3.23.5 ships openssl 3.5.7-r1
CVE-2026-6732 libxml2 / libxml2-utils 2.13.9-r0 2.13.9-r1 2.13.9-r1 OK Reinstalled from alpine 3.23.5
CVE-2026-40200, -6042 musl / musl-utils 1.2.5-r21 1.2.5-r23 1.2.5-r22+ OK alpine 3.23.5
CVE-2026-22184, -27171 zlib 1.3.1-r2 1.3.2-r0 1.3.2-r0 OK alpine 3.23.5
CVE-2026-34743 xz-libs 5.8.2-r0 5.8.3-r0 5.8.3-r0 OK alpine 3.23.5

(Status legend: OK = Resolved, PARTIAL = improved but below fix threshold, BLOCKED = no upstream fix available.)


Changes Made

File Change
docker/Dockerfile Multi-stage build: golang:1.25.11-alpine3.23 builder → alpine:3.23.5 runtime. Builds the binary inside the image (CGO disabled, trimpath, -ldflags=-s -w) instead of COPY parse-test-reports from a pre-built artifact. Pinning replaces alpine:latest.
go.mod Bumped github.com/sirupsen/logrus v1.9.0 → v1.9.3 (CVE-2025-65637); go mod tidy promoted Go directive 1.19 → 1.25 and re-resolved transitive deps.
go.sum Updated to match new module graph.

Version selection rationale:

  • Go toolchain → 1.25.11: chosen because the highest required stdlib fix version observed in the baseline is 1.25.11 (CVE-2026-42504 / CVE-2026-27145). 1.25.11 is the latest 1.25.x patch and covers every listed fix in a single bump. Crossing 1.22→1.25 is a major-line jump and is flagged below.
  • alpine → 3.23.5: minimum bump within the same minor line — alpine:latest resolved to 3.23.3 in the baseline, 3.23.5 is the current 3.23 release and ships the fixed openssl/musl/zlib/libxml2/xz packages. Stays on the existing minor.
  • logrus → 1.9.3: minimum-safe version per the upstream advisory for CVE-2025-65637 (fixed in 1.8.3 / 1.9.1 / 1.9.3).

Breaking-Change Warnings

The following components crossed a major version boundary:

  • Go toolchain: 1.22.12 → 1.25.11 (line jump 1.22 → 1.25)

Before merging, please:

  1. Deploy to QA / staging
  2. Run the parse-test-reports plugin sanity suite against representative JUnit/XML inputs
  3. Verify quarantine-list parsing / gojunit ingest still produces identical TestStats counts as the previous binary
  4. Skim the Go 1.23 / 1.24 / 1.25 release notes for behaviour changes affecting os/exec, net/http, or XML decoding (none were observed in this codepath, but the API surface is large)

Newly Introduced CVEs

None at CRITICAL or HIGH severity. The OnDemand after-scan reports one residual MEDIUM and one INFO item; both are policy/aggregate entries, not new vulnerabilities (Trivy reports zero findings at any severity for the test image).


🤖 Generated with Claude Code

…de to 1.0.1

Build with Go 1.25.11 toolchain, pin alpine to 3.23.5, bump logrus to v1.9.3.
Multi-stage Dockerfile so the binary is built reproducibly in the image
itself instead of being copied in from a prior CI step.

Resolves CI-23221.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant