Skip to content

fix(cve): bump go toolchain and x/net, x/sys to close trivy findings#77

Merged
sarat-k merged 1 commit into
ROCm:mainfrom
spraveenio:fix/cve-golang-x-net-x-sys-toolchain-bump
Jul 10, 2026
Merged

fix(cve): bump go toolchain and x/net, x/sys to close trivy findings#77
sarat-k merged 1 commit into
ROCm:mainfrom
spraveenio:fix/cve-golang-x-net-x-sys-toolchain-bump

Conversation

@spraveenio

Copy link
Copy Markdown
Contributor

Summary

Trivy scan of gpuctl (sw/nic/build/x86_64/sim/bin/gpuctl) reported 10 vulnerabilities (4 HIGH, 3 MEDIUM, 3 UNKNOWN). This closes all of them via toolchain/dependency bumps, no code changes.

Fix From To CVEs closed
Go toolchain 1.25.11 1.25.12 CVE-2026-39822, CVE-2026-42505
golang.org/x/net (replace) v0.48.0 v0.55.0 CVE-2026-25681, CVE-2026-27136, CVE-2026-33814, CVE-2026-39821, CVE-2026-25680, CVE-2026-42502, CVE-2026-42506
golang.org/x/sys (replace) v0.39.0 v0.44.0 CVE-2026-39824

Changes

  • sw/nic/gpuagent/go.mod / go.sum: go directive bump + new replace directives
  • sw/nic/gpuagent/Makefile (mod: target): pin updated, new replace lines added alongside existing CVE-2024-24790/CVE-2026-33186 entries
  • tools/build-container/Dokerfile.rhel9 / Dokerfile.ubu2204: Go download bumped to 1.25.12

Test plan

  • Rebuilt both builder container images (make -C tools/build-container all)
  • make -C sw/nic/gpuagent mod inside container to regenerate go.sum/vendor/
  • make gpuagent — full build succeeds, gpuctl produced with go1.25.12
  • trivy rootfs --scanners vuln sw/nic/build/x86_64/sim/bin/gpuctl — 0 findings (down from 10)

- go.mod: go 1.25.11 -> 1.25.12 (CVE-2026-39822, CVE-2026-42505)
- replace golang.org/x/net v0.48.0 => v0.55.0 (CVE-2026-25681, CVE-2026-27136,
  CVE-2026-33814, CVE-2026-39821, CVE-2026-25680, CVE-2026-42502, CVE-2026-42506)
- replace golang.org/x/sys v0.39.0 => v0.44.0 (CVE-2026-39824)
- update both build-container Dockerfiles (rhel9, ubu2204) to go1.25.12
- go.sum and Makefile mod target updated accordingly
@sarat-k sarat-k merged commit ad0f7f1 into ROCm:main Jul 10, 2026
1 check passed
spraveenio added a commit to ROCm/device-metrics-exporter that referenced this pull request Jul 10, 2026
… upstreamed abseil patch (#553)

* [NO-JIRA] chore(gpuagent): bump to main HEAD ad0f7f10, drop upstreamed abseil patch (#1447)

* chore(gpuagent): bump to main HEAD ad0f7f10, drop upstreamed abseil patch

Advance GPUAGENT_COMMIT from 9af0bf5b → ad0f7f10 (2026-07-10).
Commits pulled in:
  22ec8211 — abseil --start-group/--end-group linker fix (ROCm/gpu-agent#74)
  ad0f7f10 — CVE fix: go 1.25.11→1.25.12, x/net v0.55.0, x/sys v0.44.0 (ROCm/gpu-agent#77)

Remove patch/gpuagent/0001-abseil-link-start-group.patch — merged
upstream in ROCm/gpu-agent#74. 0002-gpuop-907-clock-freq-oob.patch
stays (PR #75 still open).

Co-Authored-By: Claude <noreply@anthropic.com>

* docs: add plan file for gpuagent bump to ad0f7f10

Satisfies the per-PR plan-file CI gate for #1447.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
(cherry picked from commit 6c587757f14987ac70ec3ecc9aac457a5641e948)

* Delete docs-internal/knowledge/plans/2026-07-09-gpuagent-bump-ad0f7f10.md

---------

Co-authored-by: Praveen Kumar Shanmugam <58961022+spraveenio@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants