Description
Trivy reports CVE-2025-68121 in the Docker image. The vulnerability affects Go crypto/tls in binaries built with vulnerable Go versions before 1.25.7.
The project currently builds and packages the zenbpm Go binary into the Docker image, so the image must be rebuilt with a patched Go toolchain.
Update all build and release paths to use Go 1.25.7 or newer, including local Docker builds, CI tests, and GoReleaser release builds. Then publish a new Docker image and verify that Trivy no longer reports CVE-2025-68121.
Acceptance Criteria
go.mod requires Go 1.25.7 or newer.
Local Docker builder image uses golang:1.25.7 or newer.
CI test workflow uses Go 1.25.7 or newer.
Release workflow/GoReleaser build uses Go 1.25.7 or newer.
Published Docker image is rebuilt from the patched toolchain.
go version -m on the built zenbpm binary reports Go 1.25.7 or newer.
Trivy image scan no longer reports CVE-2025-68121.
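One way to automate the `go version -m` criterion above, as an added example that is not part of this issue or the zenbpm project: it parses the `go version -m` output for a binary and fails when the recorded toolchain is older than 1.25.7. The minimum version comes from the issue; the binary path and module path in the constructed samples are placeholders.

```shell
#!/bin/sh
# Added example (not from the issue or the zenbpm project): verify that a built Go
# binary was compiled with a toolchain at or above the minimum carrying the
# CVE-2025-68121 crypto/tls fix. Minimum 1.25.7 is taken from the issue text.

MIN_GO_VERSION="1.25.7"

# Pull the toolchain version ("1.25.7") out of `go version -m` output, whose
# first line reads "<binary>: go1.25.7". Prints nothing if no version is found.
extract_go_version() {
    printf '%s\n' "$1" | sed -n '1s/.*[[:space:]]go\([0-9][0-9.]*\).*/\1/p'
}

# Succeed (exit 0) when dotted version $1 is >= $2. Missing components count as 0,
# so a pre-release such as go1.25rc1 (extracted as "1.25") ranks below 1.25.7.
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        split(have, h, "."); split(want, w, ".")
        for (i = 1; i <= 3; i++) { hv = h[i] + 0; wv = w[i] + 0
            if (hv != wv) exit (hv < wv) }
        exit 0 }'
}

# Evaluate captured `go version -m` output: 0 = patched toolchain, 1 = too old,
# 2 = output not understood (e.g. the file is not a Go binary).
check_version_output() {
    ver=$(extract_go_version "$1")
    if [ -z "$ver" ]; then
        echo "no Go toolchain version found in: $1" >&2; return 2
    fi
    if version_at_least "$ver" "$MIN_GO_VERSION"; then
        echo "OK: built with go$ver (>= go$MIN_GO_VERSION)"; return 0
    fi
    echo "FAIL: built with go$ver, older than go$MIN_GO_VERSION" >&2; return 1
}

# Run the check against a real binary, e.g. the zenbpm binary copied out of the image.
check_binary_toolchain() {
    out=$(go version -m "$1") || { echo "go version -m failed for $1" >&2; return 2; }
    check_version_output "$out"
}

# Constructed sample outputs (placeholder paths) for an old build and a patched build.
SAMPLE_OLD=$(printf '/usr/local/bin/zenbpm: go1.25.5\n\tpath\texample.invalid/zenbpm\n')
SAMPLE_NEW=$(printf '/usr/local/bin/zenbpm: go1.25.7\n\tpath\texample.invalid/zenbpm\n')
```

Run it against the binary extracted from the image with `check_binary_toolchain /path/to/zenbpm`; the exit status is suitable as a CI gate.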
References
https://avd.aquasec.com/nvd/2025/cve-2025-68121/
https://pkg.go.dev/vuln/GO-2026-4337