18 changes: 17 additions & 1 deletion .github/workflows/security.yml
Expand Up @@ -26,8 +26,16 @@ jobs:
persist-credentials: false

- name: Install gitleaks
env:
GITLEAKS_VERSION: 8.21.2
# SHA-256 of gitleaks_8.21.2_linux_x64.tar.gz (from the release
# checksums.txt). Pinning the artifact hash prevents a tampered or
# swapped release tarball from running in CI (supply-chain guard).
GITLEAKS_SHA256: 5bc41815076e6ed6ef8fbecc9d9b75bcae31f39029ceb55da08086315316e3ba
run: |
curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz | tar -xz
curl -sSfL -o gitleaks.tar.gz "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
echo "${GITLEAKS_SHA256} gitleaks.tar.gz" | sha256sum -c -
tar -xzf gitleaks.tar.gz gitleaks
sudo mv gitleaks /usr/local/bin/

- name: Run gitleaks
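Review bot: the checksum line `echo "${GITLEAKS_SHA256} gitleaks.tar.gz" | sha256sum -c -` must use two spaces (or ` *`) between the hash and the file name; GNU `sha256sum -c` treats a single-space separator as an improperly formatted line and exits non-zero with "no properly formatted SHA256 checksum lines found", so the step would fail on every run rather than verify. The rendered diff collapses whitespace, so please confirm the raw file uses the two-space form. The shape of the change is otherwise right: the version is stated once in `GITLEAKS_VERSION`, the tarball is written to disk before `tar` touches it, and a failed `sha256sum -c` aborts the step before `sudo mv` installs anything; the comment above `GITLEAKS_SHA256` naming `checksums.txt` as the source gives future bumps one obvious place to update both values together.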
Expand Down Expand Up @@ -85,6 +93,14 @@ jobs:
- name: Run gosec
run: |
go install github.com/securego/gosec/v2/cmd/gosec@v2.25.0
# Advisory scan: full SARIF uploaded to the Security tab for visibility
# (-no-fail). The enforcing gosec gate is golangci-lint (make lint),
# which honors the repo's //nolint:gosec suppressions per-site; the
# standalone binary can't read those, so making it hard-fail would
# require either re-annotating every accepted site or excluding rule
# IDs globally — and a global exclude (e.g. G101/G204) would create
# real blind spots for new hard-coded creds / unsafe exec, including in
# release scans. Keep the full advisory scan instead.
gosec -tags dev -no-fail -fmt sarif -out gosec-results.sarif ./...

- name: Upload gosec scan results to GitHub Security tab
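Review bot: the standalone scan runs with `-tags dev`, while the YAML comment names golangci-lint via `make lint` as the enforcing gosec gate; if that lint target is not invoked with the same `dev` build tag, code compiled only under that tag is scanned advisorily here and never gates a merge. Worth either checking the Makefile or adding a sentence to the comment stating that both runs use the same tag set. The reasoning for keeping `-no-fail` is sound: a full SARIF upload keeps G101/G204 findings visible in the Security tab without the blind spots a global rule exclude would create. Minor: `go install github.com/securego/gosec/v2/cmd/gosec@v2.25.0` is version-pinned but not hash-pinned like the gitleaks step above; that is acceptable because `go install` verifies the module against the Go checksum database, and a one-line comment saying so would stop the two steps from looking inconsistent.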
6 changes: 4 additions & 2 deletions go.mod
Expand Up @@ -2,6 +2,8 @@ module github.com/basecamp/basecamp-cli

go 1.26

toolchain go1.26.3

P2: Pin the Nix compiler to the patched Go toolchain

For Nix builds, this toolchain directive does not update the compiler selected by nix/package.nix: that derivation explicitly overrides buildGoModule with go_1_26, and the locked nixpkgs rev in flake.lock currently defines that package as Go 1.26.0. After the already-noted vendorHash issue is fixed, nix build/release nix-verify will still produce a binary with the pre-1.26.3 standard library, so the toolchain CVE fix in this PR does not apply to the Nix package unless the flake/toolchain override is updated too.


Member Author


Flagged for human review — correct catch: the go_1_26 override pins a nixpkgs rev predating Go 1.26.3, so the toolchain CVE fix doesn't reach nix build/nix-verify. Fixing it requires nix flake update nixpkgs (to a rev shipping Go 1.26.3) plus a nix build verification — which needs a nix toolchain that isn't available in this environment. Leaving this for a maintainer with nix, together with the stale vendorHash refresh.


require (
charm.land/bubbles/v2 v2.1.0
charm.land/bubbletea/v2 v2.0.6
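Review bot: `go 1.26` together with `toolchain go1.26.3` only pins the compiler where the `go` command is allowed to switch toolchains; a build that supplies its own compiler, which is exactly the Nix case raised in the thread above, still satisfies the `go 1.26` minimum and silently emits a binary with the pre-1.26.3 standard library. If the toolchain fix is meant to apply everywhere, consider raising the `go` directive itself to `1.26.3` so that such a build fails loudly ("go.mod requires go >= 1.26.3") instead of passing with the unpatched stdlib; that would force the pending nixpkgs update rather than defer it.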
Expand Down Expand Up @@ -72,7 +74,7 @@ require (
github.com/rogpeppe/go-internal v1.14.1 // indirect
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
github.com/yuin/goldmark-emoji v1.0.6 // indirect
golang.org/x/net v0.48.0 // indirect
golang.org/x/net v0.55.0 // indirect

P2: Update Nix vendor hash with dependency bump

Because this dependency bump changes the module graph, the fixed-output vendorHash in nix/package.nix also needs to be regenerated; it is still the pre-bump hash. In the contexts that build the flake (nix build, including the release workflow's nix-verify step), buildGoModule will reject the vendored dependency hash until scripts/update-nix-flake.sh/make update-nix-hash updates that value.


Member Author


Flagged for human review — the vendorHash in nix/package.nix is indeed stale after the x/net + x/term bump and needs updating, but recomputing it requires a nix toolchain, which is not available in this environment. A maintainer with nix should run scripts/update-nix-flake.sh (or set vendorHash = lib.fakeHash and nix build, then paste the corrected hash). Leaving this thread open until then.

golang.org/x/sync v0.20.0 // indirect
golang.org/x/term v0.38.0 // indirect
golang.org/x/term v0.43.0 // indirect
)
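Review bot: both bumped modules (`golang.org/x/net v0.48.0` to `v0.55.0`, `golang.org/x/term v0.38.0` to `v0.43.0`) are `// indirect`, so nothing in this hunk records why they moved. Please name the advisory the bump addresses in the PR description or in a comment next to the require line, and confirm with `govulncheck ./...` before and after that the affected symbol was actually reachable from this module and is reported as fixed now; that gives reviewers something to verify beyond the version numbers.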
8 changes: 4 additions & 4 deletions go.sum
Expand Up @@ -165,16 +165,16 @@ golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM
golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
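Review bot: this hunk replaces both the module hash and the `/go.mod` hash for x/net v0.55.0 and x/term v0.43.0 while leaving `golang.org/x/sys v0.45.0` and `golang.org/x/text v0.37.0` untouched; x/net v0.55.0 may require newer versions of those than the ones pinned here, so run `go mod tidy` and confirm it leaves go.mod and go.sum unchanged. Any drift there would also change the nix `vendorHash` that the go.mod thread is already waiting on, so it is cheaper to settle now. Also worth confirming the new lines came from `go get` rather than a hand edit so the h1 values match the checksum database.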