
Conversation

@upbound-bot

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

CVE/GHSA              Severity  Package              Fixed Version
CVE-2025-61723        High      stdlib               go1.24.11
CVE-2025-61725        High      stdlib               go1.24.11
CVE-2025-61729        High      stdlib               go1.24.11
CVE-2025-58187        High      stdlib               go1.24.11
CVE-2025-58188        High      stdlib               go1.24.11
CVE-2025-58185        Medium    stdlib               go1.24.11
CVE-2025-47912        Medium    stdlib               go1.24.11
CVE-2025-58186        Medium    stdlib               go1.24.11
CVE-2025-61724        Medium    stdlib               go1.24.11
CVE-2025-58189        Medium    stdlib               go1.24.11
CVE-2025-58183        Medium    stdlib               go1.24.11
CVE-2025-61727        Medium    stdlib               go1.24.11
GHSA-j5w8-q4qc-rx2x   Medium    golang.org/x/crypto  v0.45.0
GHSA-f6x5-jh6r-wrfv   Medium    golang.org/x/crypto  v0.45.0

Changes Made

  • Updated Go toolchain from go1.24.4 to go1.24.11
  • Updated golang.org/x/crypto from v0.39.0 to v0.45.0
  • Ran go mod tidy to update transitive dependencies

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

- Update Go toolchain to go1.24.11 (fixes CVE-2025-61723, CVE-2025-61725,
  CVE-2025-61729, CVE-2025-58187, CVE-2025-58188, CVE-2025-58185,
  CVE-2025-47912, CVE-2025-58186, CVE-2025-61724, CVE-2025-58189,
  CVE-2025-58183, CVE-2025-61727)
- Update golang.org/x/crypto to v0.45.0 (fixes GHSA-j5w8-q4qc-rx2x,
  GHSA-f6x5-jh6r-wrfv)

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
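The changes listed above (bump the Go toolchain, bump golang.org/x/crypto, run go mod tidy) leave a go.mod that a reviewer can check mechanically against the fixed versions in the table. The Go program below is an added example, not code from this PR or from the upbound project: it parses a constructed go.mod (the module path example.com/constructed/sample and the golang.org/x/sys line are made up for the sample) and reports every entry that is still below the fixed version, treating pre-release and pseudo-version suffixes as sorting below the matching release. The names Fix, Fixes, ModVersions and CheckGoMod are this example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Fix pairs a go.mod entry ("go" = toolchain, or a module path) with the minimum version the PR table names.
type Fix struct{ Name, Version string }

var Fixes = []Fix{{"go", "go1.24.11"}, {"golang.org/x/crypto", "v0.45.0"}}

// Constructed sample go.mod files (not the project's real go.mod) mirroring the before/after versions the PR gives.
const BeforeGoMod = `module example.com/constructed/sample
go 1.24.4
toolchain go1.24.4
require (
	golang.org/x/crypto v0.39.0
	golang.org/x/sys v0.33.0 // indirect
)
`
const AfterGoMod = `module example.com/constructed/sample
go 1.24.11
require golang.org/x/crypto v0.45.0
`

// parseVersion folds major.minor.patch into one sortable integer (components
// below 100000 assumed); a pre-release or pseudo-version suffix ("-rc1",
// "-0.2025…-abcdef") sorts below the plain release via the lowest bit.
func parseVersion(s string) (int64, error) {
	v := strings.TrimPrefix(strings.TrimPrefix(s, "go"), "v")
	release := int64(1)
	if i := strings.IndexAny(v, "-+"); i >= 0 { // '+' build metadata has no ordering
		if v[i] == '-' {
			release = 0
		}
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	for len(parts) < 3 { // "1.24" means 1.24.0
		parts = append(parts, "0")
	}
	key := int64(0)
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || len(parts) > 3 {
			return 0, fmt.Errorf("cannot parse version %q", s)
		}
		key = key*100000 + int64(n)
	}
	return key*2 + release, nil
}

// ModVersions returns the effective Go version under key "go" (a tidy go.mod lists toolchain after go,
// so it overrides) and each required module's version; block and single-line require forms, comments dropped.
func ModVersions(gomod string) map[string]string {
	versions := map[string]string{}
	inRequire := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inRequire && f[0] == ")":
			inRequire = false
		case inRequire && len(f) == 2:
			versions[f[0]] = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inRequire = true
		case f[0] == "require" && len(f) == 3:
			versions[f[1]] = f[2]
		case (f[0] == "go" || f[0] == "toolchain") && len(f) == 2:
			versions["go"] = f[1]
		}
	}
	return versions
}

// CheckGoMod reports each fix whose entry go.mod declares at a version that is unparsable or below the
// fixed one. An entry absent from go.mod is not in the build list (Go 1.17+ records indirect deps too).
func CheckGoMod(gomod string, fixes []Fix) []string {
	have := ModVersions(gomod)
	findings := []string{}
	for _, fx := range fixes {
		got, declared := have[fx.Name]
		if !declared {
			continue
		}
		want, _ := parseVersion(fx.Version) // table values are known-good
		gv, err := parseVersion(got)
		if err != nil {
			findings = append(findings, fmt.Sprintf("%s: %v", fx.Name, err))
		} else if gv < want {
			findings = append(findings, fmt.Sprintf("%s: %s is below fixed version %s", fx.Name, got, fx.Version))
		}
	}
	return findings
}
```

go.mod only states declared minimums; the versions the build actually selects are what matter, so `go list -m golang.org/x/crypto`, `go version -m` on the built binary, and govulncheck (`govulncheck ./...`) remain the authoritative checks. A toolchain spelled like go1.24rc1 has no dash and is reported as unparsable rather than silently accepted, which is the safer failure mode for a gate like this.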
@upbound-bot (Author)

Build Failure Analysis

Check: push
Status: Failed
Analyzed: 2026-01-22T09:15:00Z

Summary

The push check failed when trying to download the up CLI. The actual package push to the registry succeeded.

Root Cause

The workflow is configured to use upbound/action-up@v1 with a specific pre-release version (v0.39.0-384.g0a0c8634) from the main channel. This version is no longer available at the download endpoint (https://cli.upbound.io), resulting in a 404 Not Found error.

Error Details

##[error]Unexpected HTTP response: 404

The step that failed:

- uses: upbound/action-up@v1
  with:
    skip-login: true
    channel: main
    version: v0.39.0-384.g0a0c8634

Recommendation

This is a CI workflow configuration issue, not a code issue. The fix requires updating .github/workflows/ci.yaml to use an available version of the up CLI. Options:

  1. Update to the latest stable version
  2. Remove the explicit version to use the default
  3. Update to a newer available pre-release version

A retry will NOT help - the workflow configuration needs to be updated.


This analysis was generated by the build-failure-analyze skill.

The specific pre-release version v0.39.0-384.g0a0c8634 is no longer
available for download, causing the push job to fail with a 404 error.

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot (Author)

Build Failure Analysis

Check: push
Status: Failed
Analyzed: 2026-01-22T09:25:00Z

Summary

The push check failed during composition tests due to an invalid OpenAI API key. The package build and push to registry succeeded.

Root Cause

The OPENAI_API_KEY_B64 repository secret contains an invalid or expired API key. The composition tests (up test run tests/*) require a valid OpenAI API key, but the current key returns a 401 Unauthorized error from the OpenAI API.

Error Details

cannot render composite resource: cannot run pipeline step "make-gpt-do-it": rpc error: code = Unknown desc = API returned unexpected status code: 401: Incorrect API key provided

Recommendation

This cannot be fixed by code changes. The repository secret needs to be updated by a repository administrator:

  1. Generate a new OpenAI API key at https://platform.openai.com/account/api-keys
  2. Base64 encode the key and update the OPENAI_API_KEY_B64 repository secret
  3. Re-run the CI workflow

Note: The CVE fix changes are valid - the package builds and pushes successfully. Only the composition tests fail due to this infrastructure issue.


This analysis was generated by the build-failure-analyze skill.

@ulucinar

Updated the repo secret OPENAI_API_KEY_B64. Will retrigger the build pipeline...

@ulucinar ulucinar closed this Jan 22, 2026