
fix(security): remediate CVE vulnerabilities#289

Merged
sergenyalcin merged 2 commits into crossplane-contrib:release-0.10 from upbound-bot:fix/cve-remediation-release-0.10-20260227-000414 on Feb 27, 2026

Conversation

@upbound-bot

@upbound-bot upbound-bot commented Feb 26, 2026

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

CVE/GHSA         Severity   Package   Fixed Version
CVE-2025-68121   Critical   stdlib    go1.24.13
CVE-2025-61726   High       stdlib    go1.24.13
CVE-2025-61731   High       stdlib    go1.24.13
CVE-2025-61732   High       stdlib    go1.24.13
CVE-2025-61728   Medium     stdlib    go1.24.13
CVE-2025-61730   Medium     stdlib    go1.24.13

Changes Made

  • Update Go version from 1.24.11 to 1.24.13 in go.mod

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

- Update Go version to 1.24.13 (fixes CVE-2025-68121, CVE-2025-61726,
  CVE-2025-61731, CVE-2025-61732, CVE-2025-61728, CVE-2025-61730)

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot
Author

Build Failure Analysis

Check: unit-test
Status: Failed
Analyzed: 2026-02-27T00:04:00Z

Summary

The unit-test job failed because Go 1.24.11 cannot build a module that requires Go 1.24.13.

Root Cause

The CI workflow is configured to use Go 1.24.11 (GO_VERSION env variable), but go.mod was updated to require Go 1.24.13 as part of CVE remediation. The GOTOOLCHAIN=local setting in the workflow prevents automatic toolchain upgrade.

Error Details

go: go.mod requires go >= 1.24.13 (running go 1.24.11; GOTOOLCHAIN=local)

Recommendation

Update GO_VERSION in .github/workflows/ci.yml from 1.24.11 to 1.24.13 to match the go.mod requirement.


This analysis was generated by the build-failure-analyze skill.

@upbound-bot
Author

Build Failure Analysis

Check: lint
Status: Failed
Analyzed: 2026-02-27T00:04:00Z

Summary

The lint job failed because Go 1.24.11 cannot run go mod tidy on a module that requires Go 1.24.13.

Root Cause

The CI workflow is configured to use Go 1.24.11 (GO_VERSION env variable), but go.mod was updated to require Go 1.24.13 as part of CVE remediation. The GOTOOLCHAIN=local setting in the workflow prevents automatic toolchain upgrade.

Error Details

go: go.mod requires go >= 1.24.13 (running go 1.24.11; GOTOOLCHAIN=local)

Recommendation

Update GO_VERSION in .github/workflows/ci.yml from 1.24.11 to 1.24.13 to match the go.mod requirement.


This analysis was generated by the build-failure-analyze skill.

@upbound-bot
Author

Build Failure Analysis

Check: build (amd64)
Status: Failed
Analyzed: 2026-02-27T00:04:00Z

Summary

The Docker build failed because the golang:1.24.11 base image cannot build a module that requires Go 1.24.13.

Root Cause

The CI workflow passes GO_VERSION=1.24.11 as a Docker build arg, which selects the golang:1.24.11 base image. However, go.mod was updated to require Go 1.24.13 as part of CVE remediation. The GOTOOLCHAIN=local setting in the container prevents automatic toolchain upgrade.

Error Details

#15 0.056 go: go.mod requires go >= 1.24.13 (running go 1.24.11; GOTOOLCHAIN=local)
ERROR: failed to solve: process "/bin/sh -c go mod download" did not complete successfully: exit code: 1

Recommendation

Update GO_VERSION in .github/workflows/ci.yml from 1.24.11 to 1.24.13 to match the go.mod requirement.


This analysis was generated by the build-failure-analyze skill.
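The three failure analyses above describe one condition: go.mod was bumped to a newer Go than the toolchain pinned in CI, and GOTOOLCHAIN=local turns that gap into the `go: go.mod requires go >= ...` error instead of a silent download. As an added example that is not part of this PR or of the project's code, here is a POSIX shell check that extracts the `go` directive from go.mod and the GO_VERSION value from a workflow file and fails when the pinned CI version is older than the requirement. The go.mod and workflow contents are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample go.mod mirroring the requirement bump in the PR.
GOMOD_SAMPLE='module example.com/constructed/provider

go 1.24.13

require (
    github.com/example/dep v1.2.3
)'

# Constructed sample workflow with the CI toolchain still pinned to the old version.
WORKFLOW_SAMPLE='name: ci
env:
  GO_VERSION: "1.24.11"
  GOTOOLCHAIN: local
jobs:
  unit-test:
    runs-on: ubuntu-latest'

# gomod_go_version TEXT: print the version from the first `go X.Y.Z` directive.
gomod_go_version() {
  printf '%s\n' "$1" \
    | sed -n 's/^go[[:space:]]\{1,\}\([0-9][0-9.]*\).*/\1/p' \
    | head -n 1
}

# workflow_go_version TEXT: print the GO_VERSION value, with or without quotes.
workflow_go_version() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*GO_VERSION:[^0-9]*\([0-9][0-9.]*\).*/\1/p' \
    | head -n 1
}

# version_ge A B: succeed if dotted version A >= B (numeric per component).
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$2" ]
}

# check_toolchain_match GOMOD_TEXT WORKFLOW_TEXT:
#   0 = CI toolchain satisfies go.mod, 1 = mismatch, 2 = could not parse.
check_toolchain_match() {
  required=$(gomod_go_version "$1")
  ci=$(workflow_go_version "$2")
  if [ -z "$required" ] || [ -z "$ci" ]; then
    echo "could not determine versions (go.mod='$required', workflow='$ci')" >&2
    return 2
  fi
  if version_ge "$ci" "$required"; then
    echo "ok: CI Go $ci satisfies go.mod requirement go >= $required"
    return 0
  fi
  echo "mismatch: go.mod requires go >= $required but CI pins GO_VERSION=$ci (fails under GOTOOLCHAIN=local)" >&2
  return 1
}

# Demonstration: the mismatch from the PR, then the workflow after the fix commit.
check_toolchain_match "$GOMOD_SAMPLE" "$WORKFLOW_SAMPLE" || echo "exit status $?"
WORKFLOW_FIXED=$(printf '%s\n' "$WORKFLOW_SAMPLE" | sed 's/GO_VERSION: "1.24.11"/GO_VERSION: "1.24.13"/')
check_toolchain_match "$GOMOD_SAMPLE" "$WORKFLOW_FIXED"
```

Run against real files with `check_toolchain_match "$(cat go.mod)" "$(cat .github/workflows/ci.yml)"`; the same GO_VERSION value selects the `golang:` base image in the Docker build, so one check covers all three failing jobs. Comparing numerically rather than for string equality is deliberate: a CI toolchain newer than go.mod is allowed, only an older one is rejected.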

Update GO_VERSION in CI workflow to match go.mod requirement
after CVE remediation.

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@sergenyalcin sergenyalcin merged commit 7c0a1d1 into crossplane-contrib:release-0.10 Feb 27, 2026
6 checks passed

3 participants