
Security: Update Go to 1.25.8 and vulnerable dependencies#489

Open
clcollins wants to merge 1 commit into openshift:master from clcollins:security/update-go-1.25.8

Conversation

@clcollins (Member)

Summary

Updates Go toolchain and dependencies to resolve critical security vulnerabilities in the ocm-container Go code.

Changes

  • Go 1.25.7 → 1.25.8 (fixes 3 critical stdlib CVEs: GO-2026-4601, GO-2026-4602, GO-2026-4603)
  • golang.org/x/crypto v0.48.0 → v0.49.0 (fixes 4 crypto vulnerabilities)
  • golang.org/x/net v0.50.0 → v0.52.0 (fixes 3 network vulnerabilities)
  • golang.org/x/oauth2 v0.35.0 → v0.36.0
  • All transitive dependencies updated via go get -u && go mod tidy

Verification

✅ All unit tests pass (make test)
✅ Binary builds successfully (make build-binary)
✅ Binary executes correctly

Important Note

This PR only updates the ocm-container Go code. The container images will still show vulnerabilities from third-party binaries (oc, ocm, rosa, osdctl, etc.) installed by backplane-tools. Those vulnerabilities are in upstream projects and require updates from those teams.

Detailed vulnerability analysis and CVE reporting guide available upon request.

Test Plan

  • Unit tests pass
  • Binary builds
  • Linter runs (pre-existing code quality issues unrelated to security)

🤖 Generated with Claude Code

- Update Go version from 1.25.7 to 1.25.8 (fixes GO-2026-4601/4602/4603)
- Update golang.org/x/crypto to v0.49.0 (fixes GO-2025-4135, GO-2025-4134, GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv)
- Update golang.org/x/net to v0.52.0 (fixes GO-2026-4559, GO-2026-4440, GO-2026-4441)
- Update golang.org/x/oauth2 to v0.36.0
- Update transitive dependencies for additional security fixes

All tests pass and binary builds successfully.

🤖 Generated with Claude Code

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
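The version bumps listed in the PR description are easy to regress on the next `go get -u` if nothing enforces them. As an added example (not part of this PR or of the ocm-container project), the Go program below parses a go.mod file and reports any of the modules named in the Changes list whose version is below the floor this PR establishes, so the floors can be checked in CI rather than only by reading the description. The two go.mod excerpts embedded in it are constructed to mirror the before/after state the PR describes, `example.com/ocm-container` is a placeholder module path, and the `PRFloors` map is assembled from the version numbers in the Changes list.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Version floors taken from this PR's Changes list: the go directive and the
// three golang.org/x modules must be at least these versions for the fixes
// the PR cites to be present in the build.
var PRFloors = map[string]string{
	"go":                  "1.25.8",
	"golang.org/x/crypto": "v0.49.0",
	"golang.org/x/net":    "v0.52.0",
	"golang.org/x/oauth2": "v0.36.0",
}

// ParseGoMod returns the go directive value and a module->version map built
// from both single-line and block-form require directives. Trailing comments
// such as "// indirect" are stripped; replace, exclude and retract directives
// are ignored, so a replace that pins an older fork is NOT detected here.
func ParseGoMod(src string) (goVersion string, requires map[string]string) {
	requires = map[string]string{}
	inRequire := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		switch {
		case inRequire && fields[0] == ")":
			inRequire = false
		case inRequire && len(fields) == 2:
			requires[fields[0]] = fields[1]
		case fields[0] == "require" && len(fields) == 2 && fields[1] == "(":
			inRequire = true
		case fields[0] == "require" && len(fields) == 3:
			requires[fields[1]] = fields[2]
		case fields[0] == "go" && len(fields) == 2:
			goVersion = fields[1]
		}
	}
	return goVersion, requires
}

// splitVersion turns "[v]MAJOR.MINOR[.PATCH][-prerelease]" into numeric
// components (missing ones count as 0) plus the pre-release suffix, if any.
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	base, pre, _ := strings.Cut(v, "-")
	var nums [3]int
	for i, p := range strings.SplitN(base, ".", 3) {
		n, err := strconv.Atoi(p)
		if err != nil {
			break // non-numeric component: stop, remaining parts stay 0
		}
		nums[i] = n
	}
	return nums, pre
}

// CompareVersions returns -1, 0 or 1 ordering a against b. A pre-release or
// pseudo-version ranks below the same base version, as semver requires; the
// pre-release strings themselves are compared lexically (a simplification).
func CompareVersions(a, b string) int {
	na, pa := splitVersion(a)
	nb, pb := splitVersion(b)
	for i := 0; i < 3; i++ {
		if na[i] < nb[i] {
			return -1
		}
		if na[i] > nb[i] {
			return 1
		}
	}
	switch {
	case pa == pb:
		return 0
	case pa == "": // a is the release, b a pre-release of the same base
		return 1
	case pb == "":
		return -1
	default:
		return strings.Compare(pa, pb)
	}
}

// CheckFloors reports every floor the given go.mod fails to meet. A module
// absent from go.mod is reported as well, because its version cannot be
// confirmed from the file alone. Findings are sorted for stable CI output.
func CheckFloors(src string, floors map[string]string) []string {
	goVersion, requires := ParseGoMod(src)
	var findings []string
	for mod, floor := range floors {
		have := requires[mod]
		if mod == "go" {
			have = goVersion
		}
		switch {
		case have == "":
			findings = append(findings, fmt.Sprintf("%s: not found in go.mod (need >= %s)", mod, floor))
		case CompareVersions(have, floor) < 0:
			findings = append(findings, fmt.Sprintf("%s: %s is below %s", mod, have, floor))
		}
	}
	sort.Strings(findings)
	return findings
}

// Constructed go.mod excerpts modelled on the before/after state the PR
// describes; the module path is a placeholder, not the project's real one.
const BeforeGoMod = `module example.com/ocm-container

go 1.25.7

require (
	golang.org/x/crypto v0.48.0
	golang.org/x/net v0.50.0 // indirect
	golang.org/x/oauth2 v0.35.0
)
`

const AfterGoMod = `module example.com/ocm-container

go 1.25.8

require golang.org/x/oauth2 v0.36.0

require (
	golang.org/x/crypto v0.49.0
	golang.org/x/net v0.52.0 // indirect
)
`

func main() {
	for _, sample := range []struct{ name, src string }{{"before", BeforeGoMod}, {"after", AfterGoMod}} {
		findings := CheckFloors(sample.src, PRFloors)
		if len(findings) == 0 {
			fmt.Printf("%s: all floors met\n", sample.name)
			continue
		}
		fmt.Printf("%s:\n", sample.name)
		for _, f := range findings {
			fmt.Println("  " + f)
		}
	}
}
```

In a real pipeline you would read the repository's go.mod instead of the embedded samples and fail the job when `CheckFloors` returns anything. Note the caveat in `ParseGoMod`: replace directives are not followed, so this check complements, rather than replaces, a vulnerability scan of the resolved module graph.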
@openshift-ci (Contributor)

openshift-ci bot commented Mar 13, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: clcollins

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the "approved" label (Indicates a PR has been approved by an approver from all required OWNERS files.) Mar 13, 2026