Conversation

@upbound-bot

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

| CVE/GHSA | Severity | Package | Fixed Version |
|---|---|---|---|
| CVE-2025-61723 | High | stdlib | go1.24.11 |
| CVE-2025-61725 | High | stdlib | go1.24.11 |
| CVE-2025-58188 | High | stdlib | go1.24.11 |
| CVE-2025-61729 | High | stdlib | go1.24.11 |
| CVE-2025-58187 | High | stdlib | go1.24.11 |
| CVE-2025-58185 | Medium | stdlib | go1.24.11 |
| CVE-2025-47912 | Medium | stdlib | go1.24.11 |
| CVE-2025-58186 | Medium | stdlib | go1.24.11 |
| CVE-2025-61724 | Medium | stdlib | go1.24.11 |
| CVE-2025-58189 | Medium | stdlib | go1.24.11 |
| CVE-2025-58183 | Medium | stdlib | go1.24.11 |
| CVE-2025-61727 | Medium | stdlib | go1.24.11 |
| GHSA-j5w8-q4qc-rx2x | Medium | golang.org/x/crypto | v0.45.0 |
| GHSA-f6x5-jh6r-wrfv | Medium | golang.org/x/crypto | v0.45.0 |

Changes Made

  • Updated go directive in go.mod from 1.24 to 1.24.11
  • Updated golang.org/x/crypto from v0.39.0 to v0.45.0
  • Ran go mod tidy to update dependencies

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

- Update Go version to 1.24.11 (fixes CVE-2025-61723, CVE-2025-61725,
  CVE-2025-58188, CVE-2025-61729, CVE-2025-58187, CVE-2025-58185,
  CVE-2025-47912, CVE-2025-58186, CVE-2025-61724, CVE-2025-58189,
  CVE-2025-58183, CVE-2025-61727)
- Update golang.org/x/crypto to v0.45.0 (fixes GHSA-j5w8-q4qc-rx2x,
  GHSA-f6x5-jh6r-wrfv)

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot (Author)

Build Failure Analysis

Check: build (amd64)
Status: Failed
Analyzed: 2026-01-22T20:15:00Z

Summary

The Docker build failed because the Go version in CI (1.24.4) is lower than what go.mod requires (1.24.11).

Root Cause

The CVE remediation updated go.mod to require Go 1.24.11 to fix security vulnerabilities. However, the CI workflow (.github/workflows/ci.yml) is still configured with GO_VERSION: '1.24.4'. When Docker builds the image using Go 1.24.4, it fails because go.mod requires a higher version.

Error Details

go: go.mod requires go >= 1.24.11 (running go 1.24.4; GOTOOLCHAIN=local)

Recommendation

Update GO_VERSION in .github/workflows/ci.yml from '1.24.4' to '1.24.11' to match the go.mod requirement. This is a required fix - retry will not help.


This analysis was generated by the build-failure-analyze skill.

- Update GO_VERSION in CI workflow to match go.mod requirement

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
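The build failure above comes from the go command refusing to run with a toolchain older than the `go` directive when `GOTOOLCHAIN=local` is set. The following is an added example, not code from this PR or the project, that reproduces that decision offline: it parses the `go` and optional `toolchain` directives out of go.mod text, compares them against the toolchain version a CI workflow would pin (the `GO_VERSION` value), and returns an error in the same shape as the one in the CI log. The go.mod contents and the `example.com/function-openai` module path are constructed for the example; the comparison follows the go command's rule that a `toolchain` line, when present, sets the minimum toolchain and otherwise the `go` line does.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod in the shape this PR leaves behind:
// go directive bumped to 1.24.11 and x/crypto at v0.45.0. The module path
// is hypothetical; this is not the repository's real go.mod.
const sampleGoMod = `module example.com/function-openai

go 1.24.11

require (
	golang.org/x/crypto v0.45.0
)
`

// sampleGoModWithToolchain is a second constructed go.mod that keeps the
// language version at 1.24 but pins the toolchain separately.
const sampleGoModWithToolchain = `module example.com/function-openai

go 1.24
toolchain go1.24.11
`

// goModDirectives holds the two directives that decide which toolchain a
// module needs.
type goModDirectives struct {
	Go        string // e.g. "1.24.11"
	Toolchain string // e.g. "go1.24.11", or "" when absent
}

// parseGoMod extracts the go and toolchain directives from go.mod text,
// ignoring comments and the require/replace blocks.
func parseGoMod(src string) (goModDirectives, error) {
	var d goModDirectives
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		switch fields[0] {
		case "go":
			d.Go = fields[1]
		case "toolchain":
			d.Toolchain = fields[1]
		}
	}
	if d.Go == "" {
		return d, fmt.Errorf("go.mod has no go directive")
	}
	return d, nil
}

// parseVersion turns "1.24.11" or "go1.24.11" into [major, minor, patch].
// A missing patch ("1.24") counts as 0, so "1.24" sorts before "1.24.1".
// Pre-release versions such as "1.24rc1" are out of scope and rejected.
func parseVersion(v string) ([3]int, error) {
	v = strings.TrimPrefix(v, "go")
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return [3]int{}, fmt.Errorf("malformed go version %q", v)
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return [3]int{}, fmt.Errorf("malformed go version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1 as a is older than, equal to, or
// newer than b.
func compareVersions(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// requiredToolchain reports the minimum toolchain for a module: the
// toolchain directive if present, otherwise "go" + the go directive.
func requiredToolchain(d goModDirectives) string {
	if d.Toolchain != "" {
		return d.Toolchain
	}
	return "go" + d.Go
}

// checkLocalToolchain mimics what the go command does under
// GOTOOLCHAIN=local: with no toolchain switching allowed, a running
// toolchain older than the module's requirement is a hard error. running is
// the version a CI workflow pins (for example GO_VERSION: '1.24.4').
func checkLocalToolchain(goModSrc, running string) error {
	d, err := parseGoMod(goModSrc)
	if err != nil {
		return err
	}
	req := requiredToolchain(d)
	have, err := parseVersion(running)
	if err != nil {
		return err
	}
	want, err := parseVersion(req)
	if err != nil {
		return err
	}
	if compareVersions(have, want) < 0 {
		return fmt.Errorf("go: go.mod requires go >= %s (running go %s; GOTOOLCHAIN=local)",
			strings.TrimPrefix(req, "go"), strings.TrimPrefix(running, "go"))
	}
	return nil
}

func main() {
	// The CI pin before the follow-up commit, against the bumped go.mod.
	fmt.Println("GO_VERSION=1.24.4  ->", checkLocalToolchain(sampleGoMod, "1.24.4"))
	// The CI pin after the follow-up commit.
	fmt.Println("GO_VERSION=1.24.11 ->", checkLocalToolchain(sampleGoMod, "1.24.11"))
}
```

Under the default `GOTOOLCHAIN=auto` the go command would instead download go1.24.11 and re-exec itself, so the version drift would have passed silently; pinning `local` in CI is what turns a go.mod bump into a visible failure, which is the right trade-off for a build that should only ever use the toolchain the workflow declares. A check like this can run as a pre-flight step so the mismatch is reported before the Docker build starts.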
@upbound-bot (Author)

Build Failure Analysis

Check: push
Status: Failed
Analyzed: 2026-01-22T17:30:00Z

Summary

The push check failed with HTTP 404 when trying to install the up CLI version v0.39.0-384.g0a0c8634.

Root Cause

The workflow file .github/workflows/ci.yml specifies a commit-based pseudo-version v0.39.0-384.g0a0c8634 for the up CLI. This version is not available at the download endpoint, resulting in a 404 error.

Error Details

##[error]Unexpected HTTP response: 404

The error occurred during the "Install up" step at lines 188-193 of the workflow file.

Recommendation

A fix is needed. Update the workflow to use the stable channel instead of specifying an unavailable commit-based version. Remove the version parameter and change channel from main to stable.


This analysis was generated by the build-failure-analyze skill.

The commit-based version v0.39.0-384.g0a0c8634 is no longer available,
causing a 404 error during CI. Switch to the stable channel to use the
latest stable release automatically.

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot (Author)

Build Failure Analysis

Check: push
Status: Failed
Analyzed: 2026-01-22T18:05:00Z

Summary

The composition tests failed because the OpenAI agent did not complete within the allowed maximum iterations.

Root Cause

The push check failed during up test run tests/*. The OpenAI function's composition test invokes the OpenAI API through the "make-gpt-do-it" pipeline step. The agent did not reach a final answer within the iteration limit, causing the test to fail.

This is an external API behavior issue - the OpenAI API response pattern did not lead to completion within the max iterations threshold. This is unrelated to the CVE fix changes in this PR.

Error Details

cannot render composite resource: cannot run pipeline step "make-gpt-do-it": rpc error: code = Unknown desc = agent not finished before max iterations
up: error: unable to execute composition tests: cannot render composite resource: cannot run pipeline step "make-gpt-do-it": rpc error: code = Unknown desc = agent not finished before max iterations

Recommendation

This failure requires human review. The composition test depends on OpenAI API behavior which is outside the scope of CVE remediation. Options:

  1. Retry the workflow - the OpenAI API may succeed on subsequent attempts
  2. Skip or adjust the composition test for the CVE fix PR
  3. Investigate if the test needs updated iteration limits or prompts

This analysis was generated by the build-failure-analyze skill.

@ulucinar ulucinar merged commit 55bfe9d into release-0.2 Jan 22, 2026
9 of 10 checks passed