Skip to content

release: image CVE hardening — x/crypto 0.52.0 + Go 1.25.11 builder#89

Merged
devonartis merged 2 commits into
mainfrom
develop
Jul 5, 2026
Merged

release: image CVE hardening — x/crypto 0.52.0 + Go 1.25.11 builder#89
devonartis merged 2 commits into
mainfrom
develop

Conversation

@devonartis

Copy link
Copy Markdown
Owner

Summary

This release merge lands one fix on main: a bump of two dependency chains that clears 20 HIGH-severity CVEs found in the built broker container image.

What was exposed: A new trivy container-scan gate (private GitLab CI — GitHub CI has no image-level CVE gate) scanned the built broker Docker image and found 20 HIGH CVEs baked into the shipped binary:

  • 8 HIGH CVEs in golang.org/x/crypto/ssh (CVE-2026-39827, -39828, -39829, -39830, -39832, -39835, -42508, -46595, -46597)
  • 12 HIGH CVEs in the Go standard library (net/url, crypto/x509, crypto/tls, net, HTTP/2, net/mail, mime: CVE-2026-25679, -27145, -32280/-32281/-32283, -33811/-33814, -39820, -39836, -42499, -42504)

What this clears: All 20 HIGH CVEs, via two fixes:

  1. golang.org/x/crypto bumped v0.48.0 -> v0.52.0 (pulls x/sys v0.41.0 -> v0.45.0, raises the go.mod go directive 1.24.0 -> 1.25.0).
  2. Dockerfile builder image bumped golang:1.24-alpine -> golang:1.25-alpine (digest-pinned, ships Go 1.25.11).

Root cause worth understanding: the official golang Docker images set GOTOOLCHAIN=local, so the go.mod toolchain go1.25.11 directive was silently ignored during Docker builds — the shipped binary was still compiled against the base image's Go 1.24.13 standard library even though local/CI builds correctly picked up 1.25.11. The Dockerfile builder tag has to explicitly track the toolchain directive; this was invisible until the image-level scan caught it. A comment now documents the trap in the Dockerfile.

Business impact: the public Docker Hub image (devonartis/agentwrit) currently in circulation still carries all 20 CVEs. This release merge triggers release.yml on push to main, which rebuilds and republishes devonartis/agentwrit:latest (and main-<sha>), cosign-signed, with the fix baked in. No action needed from operators beyond re-pulling the image after this lands.

Commits since last release (91fd17b, PR #86)

Verification already done (pre-merge, on develop)

  • go build ./cmd/broker ./cmd/awrit — OK
  • go test -short -count=1 ./... — all packages pass
  • gofmt — clean
  • Post-merge develop push-trigger CI (CI + CodeQL) — green

Test plan

  • All required checks green on this PR (CI, CodeQL; changelog/dep-review may correctly skip)
  • Merge via gh pr merge --merge (no squash/rebase — preserve merge commit)
  • Confirm main push-trigger CI passes
  • Confirm release.yml (Docker Hub publish) runs and cosign-signs the new image
  • Trigger scorecard.yml --ref main post-release

devonartis and others added 2 commits July 4, 2026 20:51
….25 — clears 20 HIGH image CVEs

A trivy scan of the built broker image (new container-scan gate on the
private GitLab CI; GitHub CI has no image-level CVE gate) found 20 HIGH
CVEs in the Go binary. All 20 had upstream fixes published — we bump
them ourselves rather than wait.

Two CVE groups, two fixes:

1. golang.org/x/crypto v0.48.0 -> v0.52.0 (8 HIGH, all in x/crypto/ssh:
   CVE-2026-39827/-39828/-39829/-39830/-39832/-39835, CVE-2026-42508,
   CVE-2026-46595/-46597). Pulls x/sys v0.41.0 -> v0.45.0 and raises
   the go.mod 'go' directive 1.24.0 -> 1.25.0 (x/crypto's minimum).

2. Dockerfile builder golang:1.24-alpine -> golang:1.25-alpine,
   digest-pinned per project convention (new digest ships Go 1.25.11).
   Clears 12 HIGH stdlib CVEs (net/url, crypto/x509, crypto/tls, net,
   HTTP/2, net/mail, mime: CVE-2026-25679, -27145, -32280/-32281/-32283,
   -33811/-33814, -39820, -39836, -42499, -42504).

   Root cause of the stdlib exposure: official golang images set
   GOTOOLCHAIN=local, so go.mod's 'toolchain go1.25.11' directive
   (bumped 2026-06-29) was silently ignored inside Docker builds — the
   shipped binary was still built against the image's Go 1.24.13
   stdlib. The builder tag must track the toolchain directive; a
   Dockerfile comment now documents the trap.

Local acceptance before push: go build ./cmd/broker ./cmd/awrit OK,
go test -short -count=1 ./... all packages ok, gofmt clean.

The public Docker Hub image refreshes on the next release merge.

Co-authored-by: Claude <noreply@anthropic.com>
fix(security): clear 20 HIGH image CVEs — x/crypto 0.52.0 + Go 1.25.11 builder
@devonartis devonartis merged commit eb7e5f7 into main Jul 5, 2026
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant