From 01cb4dfd16e3d0423eae0c891300dc679631c81c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Rodriguez?= Date: Mon, 13 Apr 2026 18:46:22 -0400 Subject: [PATCH 1/6] fix: correct .snyk license ignore IDs to use colon-separated format The Snyk policy file used slashes in license vuln IDs (e.g. github.com/hashicorp/hcl/v2) but Snyk matches against colon-separated IDs (github.com:hashicorp:hcl:v2). This caused all four HashiCorp MPL-2.0 license ignores to silently fail. Co-Authored-By: Claude Opus 4.6 --- .snyk | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.snyk b/.snyk index 560b862..3d08a94 100644 --- a/.snyk +++ b/.snyk @@ -1,19 +1,19 @@ version: v1.5.0 ignore: # --- License issues (MPL-2.0 from HashiCorp transitive deps) --- - snyk:lic:golang:github.com/hashicorp/go-multierror:MPL-2.0: + snyk:lic:golang:github.com:hashicorp:go-multierror:MPL-2.0: - '*': reason: Generated code dependency from entgo.io/contrib entgql templates; cannot remove without forking created: 2026-03-20T00:00:00.000Z - snyk:lic:golang:github.com/hashicorp/errwrap:MPL-2.0: + snyk:lic:golang:github.com:hashicorp:errwrap:MPL-2.0: - '*': reason: Transitive dependency of go-multierror; cannot remove without forking created: 2026-03-20T00:00:00.000Z - snyk:lic:golang:github.com/hashicorp/hcl/v2:MPL-2.0: + snyk:lic:golang:github.com:hashicorp:hcl:v2:MPL-2.0: - '*': reason: Transitive dependency of ariga.io/atlas used by ent; cannot remove created: 2026-03-20T00:00:00.000Z - snyk:lic:golang:github.com/hashicorp/golang-lru/v2:MPL-2.0: + snyk:lic:golang:github.com:hashicorp:golang-lru:v2:MPL-2.0: - '*': reason: Transitive dependency of entgo.io/contrib and github.com/99designs/gqlgen; cannot remove without forking created: 2026-03-25T00:00:00.000Z From fc06cf6b6bf0db463d5c915c36cd5e9b72db9a48 Mon Sep 17 00:00:00 2001 
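Review bot: The four license ignores rewritten in this hunk still carry only `created:` and no `expires:`, unlike the vulnerability ignores further down the same file, so once the IDs start matching these findings are suppressed indefinitely with no forced re-review. Consider adding `expires: <REVIEW-DATE placeholder>T00:00:00.000Z` to each entry so the MPL-2.0 acceptance is revisited when the dependency chain changes. The colon-separated ID format is asserted in the commit message but nothing here shows the scanner matching it; attaching a `snyk test` run that lists the four issues as ignored would confirm the fix rather than repeat the silent failure it is correcting.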
From: =?UTF-8?q?Josu=C3=A9=20Rodriguez?= Date: Mon, 13 Apr 2026 18:46:54 -0400 Subject: [PATCH 2/6] fix: upgrade Go 1.26.1 to 1.26.2 to fix stdlib archive/tar vulnerability MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes SNYK-GOLANG-STDARCHIVETAR-15928858 (CVE Allocation of Resources Without Limits, CWE-770, CVSS 6.9). The vulnerability in std/archive/tar is resolved in Go 1.26.2. go mod tidy dropped go-jose/v4 and golang.org/x/crypto pins as they are not direct dependencies of the root module — existing .snyk safety-net ignores cover these. Co-Authored-By: Claude Opus 4.6 --- _examples/go.mod | 2 +- go.mod | 4 +--- go.sum | 4 ---- go.work | 2 +- 4 files changed, 3 insertions(+), 9 deletions(-) diff --git a/_examples/go.mod b/_examples/go.mod index 86bcd11..2f509ab 100644 --- a/_examples/go.mod +++ b/_examples/go.mod @@ -1,6 +1,6 @@ module _examples -go 1.26.1 +go 1.26.2 require ( entgo.io/contrib v0.7.0 diff --git a/go.mod b/go.mod index 653f023..fc222cd 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/flume/enthistory -go 1.26.1 +go 1.26.2 require ( entgo.io/contrib v0.7.0 @@ -24,7 +24,6 @@ require ( github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect github.com/bmatcuk/doublestar v1.3.4 // indirect github.com/davecgh/go-spew v1.1.1 // indirect - github.com/go-jose/go-jose/v4 v4.1.4 // indirect github.com/goccy/go-yaml v1.19.2 // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/google/go-cmp v0.7.0 // indirect @@ -41,7 +40,6 @@ require ( github.com/zclconf/go-cty v1.18.0 // indirect github.com/zclconf/go-cty-yaml v1.2.0 // indirect go.uber.org/multierr v1.11.0 // indirect - golang.org/x/crypto v0.49.0 // indirect golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect golang.org/x/mod v0.35.0 // indirect golang.org/x/text v0.36.0 // indirect diff --git a/go.sum b/go.sum index db3423d..9e47e70 100644 --- a/go.sum +++ b/go.sum 
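Review bot: Removing the `github.com/go-jose/go-jose/v4 v4.1.4 // indirect` and `golang.org/x/crypto v0.49.0 // indirect` requirements in the two go.mod hunks lets minimum version selection fall back to what grpc and hashicorp/hcl require, and the .snyk text later in this series names those lower versions as the ones the ignored advisories apply to; a policy ignore silences the report, it does not change what is selected. That `go mod tidy` dropped the lines suggests no package from either module is in this module's package graph, but that is inferred from the commit message, not shown in the hunk. Confirm it with `go mod why -m github.com/go-jose/go-jose/v4` and a `govulncheck ./...` run, and keep govulncheck in CI, since a later dependency bump that does pull one of these packages into the build would resolve to the vulnerable version with nothing in the repository catching it.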
@@ -26,8 +26,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54 h1:SG7nF6SRlWhcT7cNTs5R6Hk4V2lcmLz2NsG2VnInyNo= github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= -github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA= -github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08= github.com/go-openapi/inflect v0.21.5 h1:M2RCq6PPS3YbIaL7CXosGL3BbzAcmfBAT0nC3YfesZA= github.com/go-openapi/inflect v0.21.5/go.mod h1:GypUyi6bU880NYurWaEH2CmH84zFDNd+EhhmzroHmB4= github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68= @@ -88,8 +86,6 @@ github.com/zclconf/go-cty-yaml v1.2.0 h1:GDyL4+e/Qe/S0B7YaecMLbVvAR/Mp21CXMOSiCT github.com/zclconf/go-cty-yaml v1.2.0/go.mod h1:9YLUH4g7lOhVWqUbctnVlZ5KLpg7JAprQNgxSZ1Gyxs= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4= -golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA= golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM= golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80= golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM= diff --git a/go.work b/go.work index 8906da3..d906165 100644 --- a/go.work +++ b/go.work @@ -1,4 +1,4 @@ -go 1.26.1 +go 1.26.2 use ( . From 4baad82f9d88c3f94cdbe9dfb277811b53096c52 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Josu=C3=A9=20Rodriguez?= Date: Mon, 13 Apr 2026 18:47:46 -0400 Subject: [PATCH 3/6] chore: bump google.golang.org/genproto indirect dependency Updates genproto/googleapis/rpc from 20260401 to 20260413 snapshot in both root and _examples modules. Co-Authored-By: Claude Opus 4.6 --- _examples/go.mod | 2 +- _examples/go.sum | 4 ++-- go.mod | 2 +- go.sum | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/_examples/go.mod b/_examples/go.mod index 2f509ab..9219972 100644 --- a/_examples/go.mod +++ b/_examples/go.mod @@ -43,7 +43,7 @@ require ( golang.org/x/sync v0.20.0 // indirect golang.org/x/text v0.36.0 // indirect golang.org/x/tools v0.44.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756 // indirect google.golang.org/protobuf v1.36.11 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/_examples/go.sum b/_examples/go.sum index 586f4eb..12f1828 100644 --- a/_examples/go.sum +++ b/_examples/go.sum 
@@ -105,8 +105,8 @@ golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg= golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164= golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c= golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:m8qni9SQFH0tJc1X0vmnpw/0t+AImlSvp30sEupozUg= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756 h1:C5I8ORrv1qJ5kwJifN/cE/QIi0gTr1x6y/7l42/epIg= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM= google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= diff --git a/go.mod b/go.mod index fc222cd..f46bb99 100644 --- a/go.mod +++ b/go.mod @@ -43,6 +43,6 @@ require ( golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect golang.org/x/mod v0.35.0 // indirect golang.org/x/text v0.36.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go.sum b/go.sum index 9e47e70..354aafc 100644 --- a/go.sum +++ b/go.sum 
@@ -100,8 +100,8 @@ golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg= golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164= golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c= golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:m8qni9SQFH0tJc1X0vmnpw/0t+AImlSvp30sEupozUg= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756 h1:C5I8ORrv1qJ5kwJifN/cE/QIi0gTr1x6y/7l42/epIg= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260413220744-3e5c5a5a0756/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM= google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= From a70998a45daed8d87544015b70c7398ccc271f47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Rodriguez?= Date: Mon, 13 Apr 2026 19:14:39 -0400 Subject: [PATCH 4/6] fix: correct OTel exporter Snyk IDs for CVE-2026-39882 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The two CVE-2026-39882 ignore entries had typos that caused them to silently fail: - Missing 'O' in package path: IOTEL → IOOTEL (go.opentelemetry.io/otel produces IO + OTEL = IOOTEL) - Wrong ID number on trace entry: 15954195 → 15954196 Co-Authored-By: Claude Opus 4.6 --- .snyk | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.snyk b/.snyk index 3d08a94..7509c77 100644 --- a/.snyk +++ b/.snyk 
@@ -88,7 +88,7 @@ ignore: created: 2026-04-09T00:00:00.000Z # --- OpenTelemetry CVE-2026-39882: Memory Allocation with Excessive Size (CWE-789) --- # Affects otel/exporters/otlp/otlpmetric/otlpmetrichttp and otlptrace/otlptracehttp. - SNYK-GOLANG-GOOPENTELEMETRYIOTELEXPORTERSOTLPOTLPMETRICOTLPMETRICHTTP-15954197: + SNYK-GOLANG-GOOPENTELEMETRYIOOTELEXPORTERSOTLPOTLPMETRICOTLPMETRICHTTP-15954197: - '*': reason: >- CVE-2026-39882 Memory Allocation with Excessive Size Value (CWE-789, CVSS High). @@ -97,7 +97,7 @@ ignore: imported by this project. Not compiled into any binary. expires: 2026-10-09T00:00:00.000Z created: 2026-04-09T00:00:00.000Z - SNYK-GOLANG-GOOPENTELEMETRYIOTELEXPORTERSOTLPOTLPTRACEOTLPTRACEHTTP-15954195: + SNYK-GOLANG-GOOPENTELEMETRYIOOTELEXPORTERSOTLPOTLPTRACEOTLPTRACEHTTP-15954196: - '*': reason: >- CVE-2026-39882 Memory Allocation with Excessive Size Value (CWE-789, CVSS High). From d4a0ad8751217f198beee49b2005ac20b8b8c115 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Rodriguez?= Date: Mon, 13 Apr 2026 19:17:18 -0400 Subject: [PATCH 5/6] fix: update .snyk ignore reasons for go-jose and x/crypto The go.mod pins for go-jose/v4 and golang.org/x/crypto were dropped by go mod tidy during the Go 1.26.2 upgrade. Update the ignore reason text to accurately reflect these are transitive ghost deps not listed in go.mod, rather than claiming they are "fixed via go.mod pin". Co-Authored-By: Claude Opus 4.6 --- .snyk | 32 ++++++++++++++------------------ 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/.snyk b/.snyk index 7509c77..16fc4d7 100644 --- a/.snyk +++ b/.snyk 
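Review bot: The trace entry's ID number is changed from 15954195 to 15954196 alongside the package-path fix, and the commit message derives the new path by reasoning about how the scanner encodes `go.opentelemetry.io/otel` rather than from scanner output; if either value is still off, the ignore fails silently exactly as the old ones did, which would make this the third such correction in the series after the HashiCorp license IDs in patch 1. The safer check is to paste each ID verbatim from the `snyk test` finding and then confirm that finding is reported as ignored. A short comment above each entry, e.g. `# ID copied verbatim from snyk test output on <DATE placeholder>`, would let the next reader verify the value instead of re-deriving it. The enclosing `ignore:` mapping starts outside both hunks.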
@@ -116,57 +116,53 @@ ignore: Not compiled into any binary. (Separate CVE from existing ignore -15182758.) expires: 2026-10-09T00:00:00.000Z created: 2026-04-09T00:00:00.000Z - # --- go-jose vulnerabilities (fixed via go.mod pin; ignores retained as safety net) --- - # go mod tidy drops the pin because grpc only requires v4.1.3. + # --- go-jose vulnerabilities (transitive ghost dep via grpc; not in go.mod) --- SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSE-15875219: - '*': reason: >- Improper Verification of Cryptographic Signature (CVSS 8.0). - Fixed via go.mod pin to go-jose/v4 v4.1.4. Ignore retained as safety net — - go mod tidy reverts this pin because upstream deps (grpc) only require - v4.1.3, and lazy module loading does not track the override in go.mod. + Transitive dependency of google.golang.org/grpc (requires v4.1.3); + not listed in go.mod and not compiled into any binary. expires: 2026-10-07T00:00:00.000Z created: 2026-04-07T00:00:00.000Z SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV4-15875221: - '*': reason: >- CVE-2026-34986 Uncaught Exception (CWE-248, CVSS 8.7). - Fixed via go.mod pin to go-jose/v4 v4.1.4. Ignore retained as safety net — - go mod tidy reverts this pin because upstream deps (grpc) only require v4.1.3. + Transitive dependency of google.golang.org/grpc (requires v4.1.3); + not listed in go.mod and not compiled into any binary. expires: 2026-10-09T00:00:00.000Z created: 2026-04-09T00:00:00.000Z SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSECIPHER-15875222: - '*': reason: >- CVE-2026-34986 Uncaught Exception (CWE-248, CVSS 8.7). - Fixed via go.mod pin to go-jose/v4 v4.1.4. Ignore retained as safety net — - go mod tidy reverts this pin because upstream deps (grpc) only require v4.1.3. + Transitive dependency of google.golang.org/grpc (requires v4.1.3); + not listed in go.mod and not compiled into any binary. 
expires: 2026-10-09T00:00:00.000Z created: 2026-04-09T00:00:00.000Z SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV4CIPHER-15875234: - '*': reason: >- CVE-2026-34986 Uncaught Exception (CWE-248, CVSS 8.7). - Fixed via go.mod pin to go-jose/v4 v4.1.4. Ignore retained as safety net — - go mod tidy reverts this pin because upstream deps (grpc) only require v4.1.3. + Transitive dependency of google.golang.org/grpc (requires v4.1.3); + not listed in go.mod and not compiled into any binary. expires: 2026-10-09T00:00:00.000Z created: 2026-04-09T00:00:00.000Z - # --- golang.org/x/crypto vulnerabilities (fixed via go.mod pin; ignore retained as safety net) --- + # --- golang.org/x/crypto vulnerabilities (transitive ghost dep; not in go.mod) --- SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8747056: - '*': reason: >- CVE-2025-22869 Allocation of Resources Without Limits (CWE-770, CVSS 6.9). - Fixed via go.mod pin to golang.org/x/crypto v0.49.0. Ignore retained as safety - net — go mod tidy reverts this pin because upstream deps (hashicorp/hcl v2.24.0) - only require v0.38.0, and lazy module loading does not track the override in go.mod. + Transitive dependency of hashicorp/hcl v2.24.0 (requires x/crypto v0.38.0); + not listed in go.mod and not compiled into any binary. expires: 2026-10-07T00:00:00.000Z created: 2026-04-07T00:00:00.000Z SNYK-GOLANG-GOLANGORGXCRYPTOSSHAGENT-12668891: - '*': reason: >- CVE-2025-47913 Improper Handling of Unexpected Data Type (CWE-241, CVSS 7.1). - Fixed via go.mod pin to golang.org/x/crypto v0.49.0. Ignore retained as safety - net — go mod tidy reverts this pin because upstream deps constrain resolution to - v0.38.0, and lazy module loading does not track the override in go.mod. + Transitive dependency of hashicorp/hcl v2.24.0 (requires x/crypto v0.38.0); + not listed in go.mod and not compiled into any binary. expires: 2026-10-07T00:00:00.000Z created: 2026-04-07T00:00:00.000Z From 46c35dce2c14e03e08c8b10f825c47f404fe247e Mon Sep 17 00:00:00 2001 
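Review bot: The rewritten reasons drop the only record of which upstream versions fix these advisories (go-jose/v4 v4.1.4 and x/crypto v0.49.0 in the removed text), so a later reader cannot tell when an ignore can be retired. Keep one clause per entry such as `fixed upstream in go-jose/v4 v4.1.4; retire this ignore once grpc requires it` (and the x/crypto v0.49.0 equivalent for the hcl entries). The new claim `not compiled into any binary` is now stated for all six entries but nothing in the policy backs it; the reachability output of `govulncheck ./...` is the evidence to cite in the reason, and it would also catch a future dependency bump that pulls one of these packages into the build. The hunk starts at `@@ -116,57` and the enclosing `ignore:` mapping begins outside it.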
From: =?UTF-8?q?Josu=C3=A9=20Rodriguez?= Date: Tue, 14 Apr 2026 09:51:29 -0400 Subject: [PATCH 6/6] empty