
Bump golang to fix CVEs and golangci-lint fixes #579

Merged
devanshuVmware merged 1 commit into carvel-dev:develop from CodesbyUnnati:bump-golang-1.25.5
Jan 30, 2026

Conversation

@CodesbyUnnati (Contributor) commented Jan 18, 2026

Bumping Golang to 1.25.6 in order to fix the following CVEs:

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-61729 │ HIGH     │ fixed  │ v1.25.4           │ 1.24.11, 1.25.5 │ crypto/x509: Excessive resource consumption when printing   │
│         │                │          │        │                   │                 │ error string for host certificate validation...             │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-61729                  │
│         ├────────────────┼──────────┤        │                   │                 ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61727 │ MEDIUM   │        │                   │                 │ golang: crypto/x509: excluded subdomain constraint does not │
│         │                │          │        │                   │                 │ restrict wildcard SANs                                      │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-61727                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴─────────────────────────────────────────────────────────────┘

@CodesbyUnnati CodesbyUnnati changed the base branch from bump-golang-1.25.5 to develop January 18, 2026 10:13
@CodesbyUnnati (Contributor, Author) commented Jan 29, 2026

kbld is having the expected snyk failures; however, we can ignore them, as the vulnerabilities mentioned in the snyk portal have been addressed in this PR.
Please refer to these lines: https://github.com/carvel-dev/kbld/pull/579/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6R6-R51

Local testing has passed with 0 vulnerabilities. Refer below.

➜  kbld git:(bump-golang-1.25.5) trivy rootfs kbld
2026-01-29T12:29:48+05:30       INFO    [vulndb] Need to update DB
2026-01-29T12:29:48+05:30       INFO    [vulndb] Downloading vulnerability DB...
2026-01-29T12:29:48+05:30       INFO    [vulndb] Downloading artifact...        repo="mirror.gcr.io/aquasec/trivy-db:2"
83.50 MiB / 83.50 MiB [-------------------------------------------------------------------------------------------] 100.00% 21.70 MiB p/s 4.0s
2026-01-29T12:29:53+05:30       INFO    [vulndb] Artifact successfully downloaded       repo="mirror.gcr.io/aquasec/trivy-db:2"
2026-01-29T12:29:53+05:30       INFO    [vuln] Vulnerability scanning is enabled
2026-01-29T12:29:53+05:30       INFO    [secret] Secret scanning is enabled
2026-01-29T12:29:53+05:30       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-01-29T12:29:53+05:30       INFO    [secret] Please see https://trivy.dev/v0.66/docs/scanner/secret#recommendation for faster secret detection
2026-01-29T12:29:54+05:30       INFO    Number of language-specific files       num=1
2026-01-29T12:29:54+05:30       INFO    [gobinary] Detecting vulnerabilities...

Report Summary

┌────────┬──────────┬─────────────────┬─────────┐
│ Target │   Type   │ Vulnerabilities │ Secrets │
├────────┼──────────┼─────────────────┼─────────┤
│ kbld   │ gobinary │        0        │    -    │
└────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

➜  kbld git:(bump-golang-1.25.5) snyk version
1.1302.1
➜  kbld git:(bump-golang-1.25.5) snyk test

Testing /Users/munnati/kbld...

Organization:      codesbyunnati
Package manager:   gomodules
Target file:       go.mod
Project name:      carvel.dev/kbld
Open source:       no
Project path:      /Users/munnati/kbld
Licenses:          enabled

✔ Tested 126 dependencies for known issues, no vulnerable paths found.

➜  kbld git:(bump-golang-1.25.5) govulncheck ./...
No vulnerabilities found.
➜  kbld git:(bump-golang-1.25.5) cd ..
➜  ~ trivy repo kbld
2026-01-29T12:40:27+05:30       INFO    [vuln] Vulnerability scanning is enabled
2026-01-29T12:40:27+05:30       INFO    [secret] Secret scanning is enabled
2026-01-29T12:40:27+05:30       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-01-29T12:40:27+05:30       INFO    [secret] Please see https://trivy.dev/v0.66/docs/scanner/secret#recommendation for faster secret detection
2026-01-29T12:40:29+05:30       INFO    Number of language-specific files       num=2
2026-01-29T12:40:29+05:30       INFO    [gomod] Detecting vulnerabilities...

Report Summary

┌───────────────────────────────────┬───────┬─────────────────┬─────────┐
│              Target               │ Type  │ Vulnerabilities │ Secrets │
├───────────────────────────────────┼───────┼─────────────────┼─────────┤
│ go.mod                            │ gomod │        0        │    -    │
├───────────────────────────────────┼───────┼─────────────────┼─────────┤
│ test/e2e/assets/simple-app/go.mod │ gomod │        0        │    -    │
└───────────────────────────────────┴───────┴─────────────────┴─────────┘
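The `trivy rootfs kbld` run above works by reading the Go toolchain version embedded in the binary and comparing it against the fixed releases from the first comment's table. The same check, as a small added example that is not part of kbld or this PR, assuming a Go 1.22+ toolchain (for the standard `go/version` package) and a built binary path such as `./kbld` passed as the argument:

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"go/version"
	"os"
)

type fix struct{ line, floor string } // first patch release of a Go line carrying the fix

// Fixed releases for CVE-2025-61729 and CVE-2025-61727, taken from the Trivy
// table in the PR, oldest line first.
var fixedVersions = []fix{{"go1.24", "go1.24.11"}, {"go1.25", "go1.25.5"}}

// IsPatched reports whether a toolchain such as "go1.25.6" is at or above the
// fixed release for its line (older unlisted lines: no; newer lines: yes).
func IsPatched(goVer string, fixed []fix) (bool, error) {
	if !version.IsValid(goVer) {
		return false, fmt.Errorf("invalid Go version string %q", goVer)
	}
	line := version.Lang(goVer) // "go1.25.6" -> "go1.25"
	for _, f := range fixed {
		if f.line == line {
			return version.Compare(goVer, f.floor) >= 0, nil
		}
	}
	return version.Compare(line, fixed[0].line) > 0, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: checkgo <go-binary>   e.g. ./kbld")
		os.Exit(2)
	}
	bi, err := buildinfo.ReadFile(os.Args[1]) // build info embedded by `go build`
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	ok, err := IsPatched(bi.GoVersion, fixedVersions)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	fmt.Printf("%s: built with %s, patched=%v\n", os.Args[1], bi.GoVersion, ok)
	if !ok {
		os.Exit(1)
	}
}
```

A non-zero exit on an unpatched toolchain makes this usable as a CI gate alongside the trivy, snyk and govulncheck runs shown above.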

@devanshuVmware devanshuVmware changed the title Bump golang + golangci-lint to fix CVEs Bump golang to fix CVEs and golangci-lint fixes Jan 29, 2026
Signed-off-by: Unnati Mishra <unnati.mishra@broadcom.com>

Bump golang, vendir, imgpkg

Signed-off-by: Unnati Mishra <unnati.mishra@broadcom.com>

update ci fix

Signed-off-by: Unnati Mishra <unnati.mishra@broadcom.com>
@PushkarJ

Manually approved snyk check, because of ongoing 500 issues as discussed here: carvel-dev/vendir#437 (comment)

@devanshuVmware devanshuVmware merged commit f5157e4 into carvel-dev:develop Jan 30, 2026
5 checks passed
@github-project-automation github-project-automation bot moved this to Closed in Carvel Jan 30, 2026