
OADP-7565: Go 1.25.8 toolchain + golang.org/x/* CVE bumps#165

Closed
kaovilai wants to merge 3 commits into oadp-1.6 from cve-fix-oadp-1.6-v2

Conversation

@kaovilai
Member

Summary

  • Adds toolchain go1.25.8 directive to fix Go stdlib CVEs:
    • GO-2026-4337, GO-2026-4340 (crypto/tls)
    • GO-2026-4341 (net/url)
    • GO-2026-4342 (archive/zip)
    • CVE-2026-25679 (net/url IPv6 host parsing)
    • CVE-2026-27137 (crypto/x509 email constraints)
  • Bumps golang.org/x/net v0.38.0 → v0.52.0 (fixes GHSA-vvgc-356p-c3xw, XSS in HTML tokenizer)
  • Transitive bumps: x/sys → v0.42.0, x/text → v0.35.0, x/term → v0.41.0, x/mod → v0.33.0
  • CI workflows updated to use go-version-file: 'go.mod' instead of hardcoded versions
    • test.yml: bumped actions/setup-go @v4 → @v6 (supports toolchain directive)

Note

golang.org/x/crypto is not in this module's dependency graph — those CVEs do not apply here.

Supersedes #160

Test plan

  • go build ./... passes
  • CI passes

Note

Responses generated with Claude
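Added example (not code from the PR or the oadp-cli project): a small Go checker that parses go.mod text and reports whether the toolchain directive and the golang.org/x/net pin meet the floors this PR establishes (go1.25.8 and v0.52.0). A module that is absent from the graph is skipped, mirroring the note that the x/crypto advisories do not apply here; the function names, the floor list and any sample go.mod passed in are assumptions, and pseudo-version or pre-release tails are compared only by their numeric prefix.

```go
package main

import "strconv"
import "strings"

// Versions maps require-block modules to pinned versions; the toolchain directive is keyed "toolchain".
func Versions(src string) map[string]string {
	pins, inBlock := map[string]string{}, false
	for _, line := range strings.Split(src, "\n") {
		f := strings.Fields(line) // a trailing "// indirect" lands past f[1]
		switch {
		case len(f) == 0 || strings.HasPrefix(f[0], "//"):
		case f[0] == "toolchain" && len(f) == 2:
			pins["toolchain"] = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			pins[f[0]] = f[1]
		}
	}
	return pins
}

// AtLeast compares "go1.25.8"- or "v0.52.0"-style versions field by field; a non-numeric field counts as 0.
func AtLeast(have, min string) bool {
	a := strings.Split(strings.TrimLeft(have, "gov"), ".")
	b := strings.Split(strings.TrimLeft(min, "gov"), ".")
	for i := 0; i < len(a) && i < len(b); i++ {
		x, _ := strconv.Atoi(a[i])
		if y, _ := strconv.Atoi(b[i]); x != y {
			return x > y
		}
	}
	return len(a) >= len(b) // "go1.25" stays below "go1.25.8"
}

// UnmetFloors reports each (name, minimum) floor the go.mod text fails. A module absent from the graph
// is skipped (its advisories do not apply, as the PR notes for x/crypto); a missing toolchain is a failure.
func UnmetFloors(src string, floors [][2]string) []string {
	have, unmet := Versions(src), []string{}
	for _, fl := range floors {
		v, inGraph := have[fl[0]]
		if (inGraph || fl[0] == "toolchain") && !AtLeast(v, fl[1]) {
			unmet = append(unmet, fl[0]+": have "+v+", need >= "+fl[1])
		}
	}
	return unmet
}
```

Feed it the contents of a go.mod (for example `UnmetFloors(string(data), [][2]string{{"toolchain", "go1.25.8"}, {"golang.org/x/net", "v0.52.0"}})`) and an empty result means every applicable floor is met.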

kaovilai and others added 3 commits March 17, 2026 16:06
- Add toolchain go1.25.8 (fixes GO-2026-4337, GO-2026-4340,
  GO-2026-4341, GO-2026-4342, CVE-2026-25679, CVE-2026-27137)
- golang.org/x/net v0.38.0 → v0.52.0 (fixes GHSA-vvgc-356p-c3xw)
- golang.org/x/sys v0.35.0 → v0.42.0
- golang.org/x/text v0.23.0 → v0.35.0
- golang.org/x/term v0.30.0 → v0.41.0
- golang.org/x/mod v0.22.0 → v0.33.0

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
- lint.yml: Replace hardcoded go-version '1.25' with go-version-file: 'go.mod'
- test.yml: Replace hardcoded go-version '1.24' with go-version-file: 'go.mod'
  and bump actions/setup-go@v4 → @v6 (supports toolchain directive)

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Copilot AI review requested due to automatic review settings March 24, 2026 02:56
@openshift-ci-robot

openshift-ci-robot commented Mar 24, 2026

@kaovilai: This pull request references OADP-7565 which is a valid jira issue.

@coderabbitai

coderabbitai bot commented Mar 24, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

Copilot AI left a comment

Pull request overview

Updates the project’s Go toolchain and golang.org/x/* dependencies to address reported CVEs, and aligns GitHub Actions workflows to use the Go version specified in go.mod (including the toolchain directive).

Changes:

  • Adds/uses toolchain go1.25.8 in go.mod and bumps golang.org/x/net (and related transitive x/*) to newer patched versions.
  • Updates CI workflows to use go-version-file: 'go.mod' instead of hardcoding Go versions.
  • Updates the test workflow to use actions/setup-go@v6 (toolchain-aware).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .github/workflows/test.yml | Switches to actions/setup-go@v6 and reads the Go version from go.mod via go-version-file. |
| .github/workflows/lint.yml | Reads the Go version from go.mod via go-version-file for consistency with the toolchain directive. |
| go.mod | Declares toolchain go1.25.8 and updates golang.org/x/* versions to patched releases. |
| go.sum | Refreshes module sums consistent with the dependency bumps. |


@openshift-ci

openshift-ci bot commented Mar 24, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Joeavaikath, kaovilai

Needs approval from an approver in each of these files:
  • OWNERS [Joeavaikath,kaovilai]


@kaovilai
Member Author

Closed in favor of #168. Prior PRs were pushed directly to migtools/oadp-cli because kaovilai/oadp-cli was not a fork of migtools/oadp-cli at the time — it was a separate, unrelated repository. This prevented cross-repo PRs from the fork. The repo has now been renamed to kaovilai/container-oadp-cli-suite and kaovilai/oadp-cli has been re-created as a proper fork of migtools/oadp-cli.

Note

Responses generated with Claude

@kaovilai kaovilai closed this Mar 24, 2026