
Conversation

@upbound-bot

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

CVE/GHSA               Severity   Package               Fixed Version
CVE-2025-61723         High       stdlib                go1.24.8
CVE-2025-61725         High       stdlib                go1.24.8
CVE-2025-61729         High       stdlib                go1.24.11
CVE-2025-58187         High       stdlib                go1.24.9
CVE-2025-58188         High       stdlib                go1.24.8
CVE-2025-58185         Medium     stdlib                go1.24.8
CVE-2025-47912         Medium     stdlib                go1.24.8
CVE-2025-58186         Medium     stdlib                go1.24.8
CVE-2025-61724         Medium     stdlib                go1.24.8
CVE-2025-58189         Medium     stdlib                go1.24.8
CVE-2025-58183         Medium     stdlib                go1.24.8
CVE-2025-61727         Medium     stdlib                go1.24.11
GHSA-j5w8-q4qc-rx2x    Medium     golang.org/x/crypto   v0.45.0
GHSA-f6x5-jh6r-wrfv    Medium     golang.org/x/crypto   v0.45.0

Changes Made

  • Updated Go version from 1.24 to 1.24.11 in go.mod (fixes 12 stdlib CVEs)
  • Updated golang.org/x/crypto from v0.39.0 to v0.45.0 (fixes 2 GHSAs)
  • Ran go mod tidy to update dependencies

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

- Update Go version from 1.24 to 1.24.11 (fixes CVE-2025-61723, CVE-2025-61725,
  CVE-2025-61729, CVE-2025-58187, CVE-2025-58188, CVE-2025-58185, CVE-2025-47912,
  CVE-2025-58186, CVE-2025-61724, CVE-2025-58189, CVE-2025-58183, CVE-2025-61727)
- Update golang.org/x/crypto from v0.39.0 to v0.45.0 (fixes GHSA-j5w8-q4qc-rx2x,
  GHSA-f6x5-jh6r-wrfv)

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot

Build Failure Analysis

Check: build (arm64)
Status: Failed
Analyzed: 2026-01-22T16:50:00Z

Summary

The Docker build failed due to a Go version mismatch between the CI workflow configuration and the go.mod requirements.

Root Cause

The go.mod file requires go >= 1.24.11 (updated as part of CVE remediation), but the CI workflow (.github/workflows/ci.yml) specifies GO_VERSION: '1.24.4'. When Docker builds the image using golang:1.24.4, the go mod download command fails because Go 1.24.4 cannot satisfy the go.mod requirement.

Error Details

go: go.mod requires go >= 1.24.11 (running go 1.24.4; GOTOOLCHAIN=local)

Recommendation

Update the GO_VERSION in .github/workflows/ci.yml from '1.24.4' to '1.24.11' to match the go.mod requirement. This is a necessary change to complete the CVE remediation.


This analysis was generated by the build-failure-analyze skill.

- Update GO_VERSION from 1.24.4 to 1.24.11 in CI workflow to match
  go.mod requirement introduced by CVE remediation

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
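The mismatch analysed above (go.mod bumped to 1.24.11 while ci.yml still pinned GO_VERSION '1.24.4') and the earlier choice of 1.24.11 rather than 1.24.8 as the new go directive both come down to the same version comparison. The Go program below is an added example, not code from the PR or from the function-openai project: it parses a constructed go.mod and a constructed workflow snippet (both hypothetical), reproduces the "go.mod requires go >= X" check that failed under GOTOOLCHAIN=local, and computes the smallest toolchain that closes every stdlib row of the scan table (the maximum of the Fixed Version column). Version comparison is deliberately simplified to dotted numeric parts; pre-release suffixes such as rc1 are not handled.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample inputs (hypothetical; not the project's real go.mod or ci.yml).
const sampleGoMod = `module example.com/function-openai

go 1.24.11

require golang.org/x/crypto v0.45.0
`

const sampleWorkflow = `name: ci
env:
  GO_VERSION: '1.24.4'
jobs:
  build:
    runs-on: ubuntu-latest
`

// fixedGoVersions is the "Fixed Version" column for the twelve stdlib rows of the PR table.
var fixedGoVersions = []string{
	"go1.24.8", "go1.24.8", "go1.24.11", "go1.24.9", "go1.24.8", "go1.24.8",
	"go1.24.8", "go1.24.8", "go1.24.8", "go1.24.8", "go1.24.8", "go1.24.11",
}

// GoDirective returns the version from the go.mod "go" directive (e.g. "1.24.11").
func GoDirective(gomod string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 2 && fields[0] == "go" {
			return fields[1], nil
		}
	}
	return "", fmt.Errorf("no go directive found")
}

// WorkflowGoVersion extracts the GO_VERSION value from a workflow file, dropping quotes.
func WorkflowGoVersion(workflow string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(workflow))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "GO_VERSION:") {
			v := strings.TrimSpace(strings.TrimPrefix(line, "GO_VERSION:"))
			return strings.Trim(v, `'"`), nil
		}
	}
	return "", fmt.Errorf("no GO_VERSION found")
}

// CompareVersions compares dotted numeric versions part by part and returns -1, 0 or 1.
// Leading "go"/"v" prefixes are stripped; a missing part counts as 0, so "1.24" < "1.24.1".
// Non-numeric parts (rc1, beta2) are treated as 0: a deliberate simplification.
func CompareVersions(a, b string) int {
	pa := strings.Split(strings.TrimLeft(a, "gov"), ".")
	pb := strings.Split(strings.TrimLeft(b, "gov"), ".")
	n := len(pa)
	if len(pb) > n {
		n = len(pb)
	}
	for i := 0; i < n; i++ {
		x, y := 0, 0
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// Satisfies mirrors the check that failed in CI: toolchain must be >= the go.mod directive.
func Satisfies(toolchain, required string) bool {
	return CompareVersions(toolchain, required) >= 0
}

// MinimumFixVersion returns the highest entry of a Fixed Version column, i.e. the smallest
// toolchain that closes every listed CVE. For the PR table that is go1.24.11, not go1.24.8.
func MinimumFixVersion(fixed []string) string {
	best := ""
	for _, v := range fixed {
		if best == "" || CompareVersions(v, best) > 0 {
			best = v
		}
	}
	return best
}

// CheckToolchain returns a message in the style of the CI error when the workflow's
// pinned Go version cannot satisfy go.mod, or "" when the two are consistent.
func CheckToolchain(gomod, workflow string) (string, error) {
	required, err := GoDirective(gomod)
	if err != nil {
		return "", err
	}
	toolchain, err := WorkflowGoVersion(workflow)
	if err != nil {
		return "", err
	}
	if !Satisfies(toolchain, required) {
		return fmt.Sprintf("go.mod requires go >= %s (workflow GO_VERSION=%s)", required, toolchain), nil
	}
	return "", nil
}

func main() {
	fmt.Println("minimum toolchain closing all stdlib CVEs:", MinimumFixVersion(fixedGoVersions))
	msg, err := CheckToolchain(sampleGoMod, sampleWorkflow)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if msg != "" {
		fmt.Println("MISMATCH:", msg)
		return
	}
	fmt.Println("go.mod and CI toolchain are consistent")
}
```

Run it as-is and it reports the mismatch for the constructed inputs; change the sample GO_VERSION to '1.24.11' and it reports consistency. The reason the check is worth automating is visible in the error line quoted above: the builder image runs with GOTOOLCHAIN=local, so the go command refuses to download a newer toolchain and the image tag has to be bumped by hand whenever the go directive moves.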
@upbound-bot

Build Failure Analysis

Check: push
Status: Failed
Analyzed: 2026-01-22T16:57:00Z

Summary

The push job failed when trying to install a specific development version of the up CLI that is no longer available.

Root Cause

The CI workflow references up CLI version v0.39.0-384.g0a0c8634 which returns a 404 error from the download endpoint. This specific dev version is no longer available.

Error Details

##[group]Run upbound/action-up@v1
with:
  skip-login: true
  channel: main
  version: v0.39.0-384.g0a0c8634
...
##[error]Unexpected HTTP response: 404

Recommendation

All core checks passed (build amd64/arm64, lint, unit-test). The package was successfully pushed to the registry.

For CVE fix PRs, this failure in the composition tests setup is not critical. Options:

  1. Update the workflow to use a stable up CLI version
  2. Merge the PR with human approval since core checks passed

This analysis was generated by the build-failure-analyze skill.

- Switch from unavailable dev version v0.39.0-384.g0a0c8634 to stable channel
  for the up CLI installation in the push job

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot

Build Failure Analysis

Check: push
Status: Failed
Analyzed: 2026-01-22T17:05:00Z

Summary

The push job failed in the composition test step. All core CI checks passed and the package was successfully pushed to the registry.

Root Cause

The composition test failed with:

cannot render composite resource: cannot run pipeline step "make-gpt-do-it": rpc error: code = Unknown desc = agent not finished before max iterations

This error indicates the OpenAI function exceeded its maximum iteration limit during the test. This is a test-specific issue unrelated to CVE fixes.

Passing Checks

  • lint - Code passes linting
  • unit-test - Unit tests pass
  • build (amd64) - Package builds successfully
  • build (arm64) - Package builds successfully
  • ✅ Package pushed to xpkg.upbound.io/upbound/function-openai:v0.0.0-20260122135925-69a835d502e6

Recommendation

Human approval recommended - All security-critical checks passed. The CVE fixes (Go 1.24.11, golang.org/x/crypto v0.45.0) are validated by the passing build/test steps. The composition test failure should be investigated separately.


This analysis was generated by the build-failure-analyze skill.

@upbound-bot

Build Failure Analysis

Check: push
Status: Failed
Analyzed: 2026-01-22T14:05:00Z

Summary

The push check failed during composition test execution (up test run tests/*). The OpenAI-based function did not complete within the configured maximum iterations.

Root Cause

The test invokes a pipeline step "make-gpt-do-it" that uses the OpenAI function. The error "agent not finished before max iterations" indicates the function's agent loop exceeded its iteration budget before completing the task.

This is an application-level test failure, not related to CVE remediation or infrastructure issues.

Error Details

cannot render composite resource: cannot run pipeline step "make-gpt-do-it": rpc error: code = Unknown desc = agent not finished before max iterations

Tests Summary:
Total Tests Executed: 1
Passed tests:         0
Failed tests:         1

Recommendation

Human review required. This failure cannot be resolved through automated CVE remediation. Possible actions:

  • Review and adjust the function's iteration limit configuration
  • Optimize the function's agent logic to complete within fewer iterations
  • Modify the test case to be less complex
  • Investigate if this is an intermittent failure due to OpenAI API response variability

This analysis was generated by the build-failure-analyze skill.

@ulucinar

Retrying solved the issue. Probably the model could not converge in the previous run, a sporadic one.

@ulucinar ulucinar merged commit e2fcdf2 into release-0.1 Jan 22, 2026
9 of 10 checks passed