fix(security): remediate CVE vulnerabilities#132

Merged
ulucinar merged 5 commits into release-1.1 from fix/cve-remediation-release-1.1-20260324-214240
Mar 26, 2026

Conversation


@upbound-bot upbound-bot commented Mar 24, 2026

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

| CVE/GHSA | Severity | Package | Fixed Version |
| --- | --- | --- | --- |
| GHSA-p77j-4mvh-x3m3 | Critical | google.golang.org/grpc | v1.79.3 |
| CVE-2026-25679 | High | stdlib | go1.25.8 |
| CVE-2026-27142 | Medium | stdlib | go1.25.8 |
| CVE-2026-27139 | Low | stdlib | go1.25.8 |

Changes Made

  • Updated Go version from 1.24.13 to 1.25.8 in go.mod
  • Updated google.golang.org/grpc from v1.68.1 to v1.79.3 in go.mod
  • Ran go mod tidy to update dependency checksums
  • Updated CI workflow Go version from 1.24 to 1.25 in .github/workflows/ci.yml

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

- Update Go version to 1.25.8 (fixes CVE-2026-25679, CVE-2026-27142, CVE-2026-27139)
- Update google.golang.org/grpc to v1.79.3 (fixes GHSA-p77j-4mvh-x3m3)
- Update CI workflow Go version to 1.25

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot (Author)

Build Failure Analysis

Check: lint
Status: Failed
Analyzed: 2026-03-24T21:50:00Z

Summary

The lint check failed due to a Go version mismatch between go.mod (1.25.8) and Makefile (1.24).

Root Cause

The GO_REQUIRED_VERSION variable in the root Makefile is set to 1.24, but go.mod declares Go version 1.25.8. The golangci-lint tool is built using the Go version specified by GO_REQUIRED_VERSION, so it was built with Go 1.24. When it tries to lint code that targets Go 1.25.8, it fails with the error: "the Go language version (go1.24) used to build golangci-lint is lower than the targeted Go version (1.25.8)".

This commonly occurs when bumping the Go version for CVE fixes without updating the corresponding Makefile variable.

Error Details

Error: can't load config: the Go language version (go1.24) used to build golangci-lint is lower than the targeted Go version (1.25.8)
Failed executing command with error: can't load config: the Go language version (go1.24) used to build golangci-lint is lower than the targeted Go version (1.25.8)
make[1]: *** [build/makelib/golang.mk:131: go.lint] Error 1
make: *** [build/makelib/common.mk:372: lint] Error 2

Recommendation

Update the GO_REQUIRED_VERSION in the Makefile from 1.24 to 1.25 to match the major.minor version in go.mod. This will ensure golangci-lint is built with a compatible Go version.

Fix:

GO_REQUIRED_VERSION ?= 1.25

This analysis was generated by the build-failure-analyze skill.
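A pre-commit guard for the mismatch the analysis above describes, added here as an example and not part of this PR or the provider: it reads the go directive from go.mod and GO_REQUIRED_VERSION from the Makefile and fails when their major.minor differ. The inputs are constructed strings mirroring this PR's state; the function names are assumptions.

```go
package main
import (
	"fmt"
	"regexp"
	"strings"
)

// The two places the Go version lives: the go directive in go.mod and the GO_REQUIRED_VERSION assignment in the Makefile.
var (
	goDirective  = regexp.MustCompile(`(?m)^go[ \t]+(\d+\.\d+(?:\.\d+)?)[ \t]*$`)
	makeRequired = regexp.MustCompile(`(?m)^GO_REQUIRED_VERSION[ \t]*[?:]?=[ \t]*(\d+\.\d+(?:\.\d+)?)[ \t]*$`)
)

func firstMatch(src string, re *regexp.Regexp) string {
	if m := re.FindStringSubmatch(src); m != nil {
		return m[1]
	}
	return ""
}

// majorMinor reduces "1.25.8" to "1.25"; GO_REQUIRED_VERSION carries only major.minor.
func majorMinor(v string) string {
	if i := strings.LastIndex(v, "."); strings.Count(v, ".") == 2 {
		return v[:i]
	}
	return v
}

// checkGoVersions reports whether the toolchain pinned in the Makefile matches the language version go.mod targets, with a reason.
func checkGoVersions(goMod, makefile string) (bool, string) {
	mod, mk := firstMatch(goMod, goDirective), firstMatch(makefile, makeRequired)
	switch {
	case mod == "":
		return false, "go.mod has no go directive"
	case mk == "":
		return false, "Makefile has no GO_REQUIRED_VERSION"
	case majorMinor(mod) != majorMinor(mk):
		return false, fmt.Sprintf("go.mod targets go %s but Makefile pins GO_REQUIRED_VERSION %s", mod, mk)
	}
	return true, fmt.Sprintf("go.mod (%s) and Makefile (%s) agree", mod, mk)
}

// Constructed inputs reproducing the mismatch the analysis describes.
const sampleGoMod = "module example.com/provider\n\ngo 1.25.8\n"
const sampleMakefile = "GO_REQUIRED_VERSION ?= 1.24\nGOLANGCILINT_VERSION = 2.1.2\n"

func main() {
	ok, msg := checkGoVersions(sampleGoMod, sampleMakefile)
	fmt.Printf("ok=%t: %s\n", ok, msg)
}
```

Run it from the CI lint step before golangci-lint is built, so a Go bump that forgets the Makefile fails with a readable message instead of the "lower than the targeted Go version" error.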

- Update GO_REQUIRED_VERSION from 1.24 to 1.25 in Makefile to match go.mod

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot (Author)

Build Failure Analysis

Check: lint
Status: Failed
Analyzed: 2026-03-24T22:20:00Z

Summary

The lint check failed because golangci-lint v2.1.2 was built with Go 1.24 and cannot lint code targeting Go 1.25.8.

Root Cause

While we correctly updated GO_REQUIRED_VERSION to 1.25, the GOLANGCILINT_VERSION is still set to 2.1.2 in the Makefile. This version of golangci-lint was pre-compiled with Go 1.24, making it incompatible with linting code that targets Go 1.25.8.

The golangci-lint binary version is independent of the GO_REQUIRED_VERSION environment variable - it's a pre-built binary that was compiled with a specific Go version when the golangci-lint release was made.

Error Details

Error: can't load config: the Go language version (go1.24) used to build golangci-lint is lower than the targeted Go version (1.25.8)
Failed executing command with error: can't load config: the Go language version (go1.24) used to build golangci-lint is lower than the targeted Go version (1.25.8)
make[1]: *** [build/makelib/golang.mk:131: go.lint] Error 1
make: *** [build/makelib/common.mk:372: lint] Error 2

Recommendation

Update the GOLANGCILINT_VERSION in the Makefile from 2.1.2 to a newer version (e.g., 2.11.4) that was built with Go 1.25 or higher.

Fix:

GOLANGCILINT_VERSION = 2.11.4

This analysis was generated by the build-failure-analyze skill.

- Update GOLANGCILINT_VERSION from 2.1.2 to 2.11.4 in Makefile

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot (Author)

Build Failure Analysis

Check: lint
Status: Failed
Analyzed: 2026-03-24 23:00:00 UTC

Summary

The lint check failed with 12 noctx violations in internal/opentofu/opentofu.go. The linter requires using exec.CommandContext instead of exec.Command for all external command executions.

Root Cause

The noctx linter enforces a best practice that all command executions should accept a context parameter. This allows commands to be properly cancelled when their context is cancelled, preventing resource leaks and improving graceful shutdown behavior. The codebase currently uses exec.Command in 12 locations, which doesn't support context cancellation.

Error Details

internal/opentofu/opentofu.go:177:21: os/exec.Command must not be called. use os/exec.CommandContext (noctx)
internal/opentofu/opentofu.go:206:21: os/exec.Command must not be called. use os/exec.CommandContext (noctx)
internal/opentofu/opentofu.go:241:21: os/exec.Command must not be called. use os/exec.CommandContext (noctx)
internal/opentofu/opentofu.go:255:20: os/exec.Command must not be called. use os/exec.CommandContext (noctx)
internal/opentofu/opentofu.go:272:21: os/exec.Command must not be called. use os/exec.CommandContext (noctx)
internal/opentofu/opentofu.go:292:20: os/exec.Command must not be called. use os/exec.CommandContext (noctx)
internal/opentofu/opentofu.go:315:21: os/exec.Command must not be called. use os/exec.CommandContext (noctx)
internal/opentofu/opentofu.go:402:21: os/exec.Command must not be called. use os/exec.CommandContext (noctx)
internal/opentofu/opentofu.go:462:21: os/exec.Command must not be called. use os/exec.CommandContext (noctx)
internal/opentofu/opentofu.go:548:21: os/exec.Command must not be called. use os/exec.CommandContext (noctx)
internal/opentofu/opentofu.go:593:21: os/exec.Command must not be called. use os/exec.CommandContext (noctx)
internal/opentofu/opentofu.go:638:21: os/exec.Command must not be called. use os/exec.CommandContext (noctx)

Recommendation

Code changes are required to fix this issue. All affected methods in internal/opentofu/opentofu.go need to be updated to:

  1. Accept a context.Context parameter
  2. Use exec.CommandContext instead of exec.Command
  3. Update all callers to pass an appropriate context

This analysis was generated by the build-failure-analyze skill.
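The noctx finding in side-by-side form, as an added example that is not code from this PR or the provider: runNoCtx is the rejected pattern (the context never reaches the child process), runWithCtx the remediated one, and main shows a 5-second sleep killed at a 200 ms deadline. Function names are assumptions, and it assumes a POSIX sleep binary on PATH.

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"os/exec"
	"time"
)

// runNoCtx is the pattern noctx rejects: ctx is accepted but never reaches the
// child, so cancelling it has no effect and the process runs until it exits on
// its own. A hung tofu invocation would block the caller for as long as it likes.
func runNoCtx(ctx context.Context, name string, args ...string) (string, error) {
	_ = ctx // deliberately ignored, for contrast with runWithCtx
	var out bytes.Buffer
	cmd := exec.Command(name, args...) //nolint:noctx // intentionally wrong
	cmd.Stdout = &out
	err := cmd.Run()
	return out.String(), err
}

// runWithCtx is the remediated form: exec.CommandContext ties the child to ctx,
// so a cancelled or expired ctx kills the process (SIGKILL by default) and Run
// returns promptly instead of leaking it.
func runWithCtx(ctx context.Context, name string, args ...string) (string, error) {
	var out bytes.Buffer
	cmd := exec.CommandContext(ctx, name, args...)
	cmd.Stdout = &out
	err := cmd.Run()
	// Wrap the context error so callers can tell a timeout from a real failure.
	if ctxErr := ctx.Err(); ctxErr != nil {
		return out.String(), fmt.Errorf("%s: %w (%v)", name, ctxErr, err)
	}
	return out.String(), err
}

func main() {
	// Constructed demo: a 5 s sleep under a 200 ms deadline is killed early.
	ctx, cancel := context.WithTimeout(context.Background(), 200*time.Millisecond)
	defer cancel()
	start := time.Now()
	_, err := runWithCtx(ctx, "sleep", "5")
	fmt.Printf("runWithCtx: %v after %v\n", err, time.Since(start).Round(time.Millisecond))
}
```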

Replace all instances of exec.Command with exec.CommandContext to
satisfy the noctx linter. All affected functions already receive a
context.Context parameter, so this change ensures proper context
propagation for command cancellation and lifecycle management.

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot (Author)

/test-examples="examples/cluster/workspace-inline-aws.yaml"

…kefile

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot (Author)

/test-examples="examples/cluster/workspace-inline-aws.yaml"

@ulucinar ulucinar merged commit 7ce27fe into release-1.1 Mar 26, 2026
8 checks passed