Skip to content

Fix CVEs and update builder image to golang:1.25.9#1272

Merged
k8s-ci-robot merged 2 commits intokubernetes:masterfrom
BrunoChauvet:fix/grype-vulnerabilities-logrus-prometheus
May 4, 2026
Merged

Fix CVEs and update builder image to golang:1.25.9#1272
k8s-ci-robot merged 2 commits intokubernetes:masterfrom
BrunoChauvet:fix/grype-vulnerabilities-logrus-prometheus

Conversation

@BrunoChauvet
Copy link
Copy Markdown
Contributor

@BrunoChauvet BrunoChauvet commented May 3, 2026
edited
Loading

Background

Vulnerability scanning flagged two CVEs against the current dependencies. The builder image was also one patch release behind.

What Has Changed

CVE fixes (go.mod / test/go.mod / vendor/):

  • github.com/sirupsen/logrus v1.9.0 → v1.9.3 in test/go.mod — fixes GHSA-4f99-4q7p-p3gh (High)
  • github.com/prometheus/prometheus v0.35.0 → v0.311.3 — fixes GHSA-vffh-x6r8-xx99 (Medium)
  • github.com/go-openapi/swag v0.25.4 → v0.25.5 — resolves a broken test dependency in swag that blocked go mod tidy

Builder image (Dockerfile, Dockerfile.windows):

  • golang:1.25.8-bookwormgolang:1.25.9-bookworm (patch released 2026-04-07)

Grype scan: master (before)

NAME                              INSTALLED  FIXED IN                               TYPE       VULNERABILITY        SEVERITY
github.com/sirupsen/logrus        v1.9.0     1.9.1                                  go-module  GHSA-4f99-4q7p-p3gh  High
github.com/prometheus/prometheus  v0.35.0    0.311.2-0.20260410083055-07c6232d159b  go-module  GHSA-vffh-x6r8-xx99  Medium

Grype scan: this branch (after)

No vulnerabilities found

Local verification

$ go mod tidy
(no output — clean)

$ go build ./...
(no output — success)

$ go test ./...
ok  k8s.io/node-problem-detector/cmd/healthchecker/options
ok  k8s.io/node-problem-detector/cmd/nodeproblemdetector
ok  k8s.io/node-problem-detector/cmd/options
ok  k8s.io/node-problem-detector/pkg/custompluginmonitor
ok  k8s.io/node-problem-detector/pkg/custompluginmonitor/plugin
ok  k8s.io/node-problem-detector/pkg/custompluginmonitor/types
ok  k8s.io/node-problem-detector/pkg/exporters
ok  k8s.io/node-problem-detector/pkg/exporters/k8sexporter/condition
ok  k8s.io/node-problem-detector/pkg/exporters/k8sexporter/problemclient
ok  k8s.io/node-problem-detector/pkg/exporters/stackdriver
ok  k8s.io/node-problem-detector/pkg/exporters/stackdriver/config
ok  k8s.io/node-problem-detector/pkg/healthchecker
ok  k8s.io/node-problem-detector/pkg/healthchecker/types
ok  k8s.io/node-problem-detector/pkg/problemdaemon
ok  k8s.io/node-problem-detector/pkg/problemdetector
ok  k8s.io/node-problem-detector/pkg/problemmetrics
ok  k8s.io/node-problem-detector/pkg/systemlogmonitor
ok  k8s.io/node-problem-detector/pkg/systemlogmonitor/logwatchers/filelog
ok  k8s.io/node-problem-detector/pkg/systemstatsmonitor
ok  k8s.io/node-problem-detector/pkg/systemstatsmonitor/types
ok  k8s.io/node-problem-detector/pkg/util
ok  k8s.io/node-problem-detector/pkg/util/metrics
ok  k8s.io/node-problem-detector/pkg/util/metrics/system
ok  k8s.io/node-problem-detector/pkg/util/tomb

Checklist

  • Self-review completed
  • Tests added or updated
  • Tested locally

@linux-foundation-easycla
Copy link
Copy Markdown

linux-foundation-easycla Bot commented May 3, 2026
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented May 3, 2026

Welcome @BrunoChauvet!

It looks like this is your first PR to kubernetes/node-problem-detector 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/node-problem-detector has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels May 3, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented May 3, 2026

Hi @BrunoChauvet. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label May 3, 2026
@BrunoChauvet
Fix Grype CVEs: update logrus and prometheus/prometheus
877b6d6 
- Update github.com/sirupsen/logrus v1.9.0 -> v1.9.3 in test/go.mod
  to fix GHSA-4f99-4q7p-p3gh (High)
- Update github.com/prometheus/prometheus v0.35.0 -> v0.311.3
  to fix GHSA-vffh-x6r8-xx99 (Medium)
- Run go mod tidy and go mod vendor to update vendor directory
@BrunoChauvet BrunoChauvet force-pushed the fix/grype-vulnerabilities-logrus-prometheus branch from 6a70440 to 877b6d6 Compare May 3, 2026 14:06
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels May 3, 2026
@BrunoChauvet BrunoChauvet changed the title Fix Grype CVEs: update logrus and prometheus/prometheus Fix Grype CVEs and update builder image to golang:1.25.9 May 3, 2026
@BrunoChauvet BrunoChauvet changed the title Fix Grype CVEs and update builder image to golang:1.25.9 Fix CVEs and update builder image to golang:1.25.9 May 3, 2026
@hakman
Copy link
Copy Markdown
Member

hakman commented May 4, 2026

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 4, 2026
@hakman hakman mentioned this pull request May 4, 2026
Open
@hakman
Copy link
Copy Markdown
Member

hakman commented May 4, 2026

Thanks @BrunoChauvet!
/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 4, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented May 4, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: BrunoChauvet, hakman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 4, 2026
@k8s-ci-robot k8s-ci-robot merged commit f06e6fa into kubernetes:master May 4, 2026
15 checks passed
This was referenced May 4, 2026
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wangzhen127 wangzhen127 Awaiting requested review from wangzhen127

@yujuhong yujuhong Awaiting requested review from yujuhong

Assignees

@hakman hakman

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@BrunoChauvet @k8s-ci-robot @hakman