chore: codacy fixes

[rshoemaker]

Summary

• Update vulnerable dependencies to resolve 12 Codacy security findings:
  • Go toolchain go1.25.5 → go1.25.8 (7 stdlib CVEs)
  • google.golang.org/grpc v1.77.0 → v1.79.3 (CVE-2026-33186, critical AuthZ bypass)
  • go.opentelemetry.io/otel/sdk v1.38.0 → v1.40.0 (CVE-2026-24051, PATH hijacking)
  • github.com/containerd/containerd v1.7.27 → v1.7.29 (CVE-2024-25621, CVE-2025-64329)
• Set explicit MinVersion: tls.VersionTLS12 in TLS config for certificate service
• Suppress 4 false positive findings:
  • Dockerfile missing-user-entrypoint (distroless has no user DB; CI image needs root for Swarm)
  • Docker SDK CVEs (CVE-2026-34040, CVE-2026-33997) are daemon-side, not in the Go client SDK

Test plan

• go build ./... passes
• make test passes
• Verify Codacy re-scan shows reduced issue count - no security issues, no HIGH issues

PLAT-481

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 duplication

Metric	Results
Duplication	0

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}

[coderabbitai]

Warning

Rate limit exceeded

@rshoemaker has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 22 minutes and 40 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 22 minutes and 40 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 54da6b2b-c717-47a5-84a3-41ebf76d3f45

📥 Commits

Reviewing files that changed from the base of the PR and between c5f9fd1 and 94f6499.

📒 Files selected for processing (1)

• common.mk

📝 Walkthrough

Walkthrough

Added a new .trivyignore (no trailing newline) listing two CVEs, inserted Semgrep suppression comments in control-plane Dockerfiles, bumped Go toolchain and several dependencies with NOTICE updates, enforced TLS 1.2 in certificate creation, declared a JS global, and adjusted goreleaser install environment variables.

Changes

Cohort / File(s)	Summary
Vulnerability ignores & Dockerfile suppressions \.trivyignore, docker/control-plane-ci/Dockerfile, docker/control-plane/Dockerfile, docker/control-plane-dev/Dockerfile	Added .trivyignore entries for CVE-2026-34040 and CVE-2026-33997 (file lacks trailing newline). Added # nosemgrep: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint comments before ENTRYPOINT in the control-plane Dockerfiles.
Dependency & Toolchain updates go.mod, NOTICE.txt	Bumped Go toolchain to go1.25.8; upgraded OpenTelemetry modules to v1.40.0, containerd to v1.7.29, google.golang.org/grpc to v1.79.3, golang.org/x/sys and golang.org/x/time versions, and updated genproto commit and NOTICE license URLs accordingly.
TLS configuration server/internal/certificates/service.go	Set tls.Config.MinVersion = tls.VersionTLS12 in PostgresUserTLS.
Script global declaration docs/scripts/generate-stack.js	Added /* global document$ */ to declare document$ as a global symbol.
Build/install environment common.mk	Modified install-tools target to set GONOSUMDB and GONOSUMCHECK for the go install of github.com/goreleaser/goreleaser/v2@v2.13.3.

Poem

🐇 I nibble lines where changes grow,
Two CVEs tucked soft and low,
Go climbs up, modules align,
TLS stands firm at one-two fine,
A tiny global — hop! — the repo glows.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'chore: codacy fixes' is vague and generic, using non-descriptive terms that don't clearly convey the specific changes made (dependency updates, TLS config, suppression directives).	Consider a more specific title such as 'chore: update vulnerable dependencies and add security suppressions' to better reflect the substantive changes in the PR.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description covers all major sections of the template (Summary, Testing, Checklist) and provides detailed information about dependency updates, TLS configuration changes, and false-positive suppressions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/PLAT-481/codacy

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

docker/control-plane-ci/Dockerfile (1)

9-10: Suppression is valid for CI image, but rationale is only in PR description.

The nosemgrep comment suppresses the missing-user-entrypoint finding. Per the PR objectives, this CI image requires root for Docker Swarm operations. Consider adding a brief inline rationale to the comment for future maintainers who won't have context from the PR:

📝 Suggested documentation improvement

-# nosemgrep: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint
+# nosemgrep: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint
+# CI image runs as root for Docker Swarm operations
 ENTRYPOINT ["/control-plane"]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/control-plane-ci/Dockerfile` around lines 9 - 10, Add an inline
rationale to the existing suppression comment so future maintainers understand
why running as root is intentional for this CI image; update the nosemgrep
suppression comment that precedes the ENTRYPOINT ["/control-plane"] line (the
"nosemgrep: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint"
token) to include a short explanation like "CI image requires root for Docker
Swarm operations — intentional for CI; see PR X or docs" so the reasoning is
preserved next to the ENTRYPOINT.

docker/control-plane/Dockerfile (1)

7-8: Valid suppression for distroless image.

The nosemgrep comment correctly suppresses the missing-user-entrypoint finding. Distroless images don't contain a user database (/etc/passwd), making the USER instruction ineffective. Consider adding inline rationale:

📝 Suggested documentation improvement

-# nosemgrep: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint
+# nosemgrep: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint
+# Distroless images have no user database; USER instruction is not applicable
 ENTRYPOINT ["/control-plane"]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/control-plane/Dockerfile` around lines 7 - 8, The nosemgrep
suppression above ENTRYPOINT ["/control-plane"] is valid but lacks rationale;
update the Dockerfile by expanding the existing nosemgrep comment to include a
concise inline explanation that this is a distroless image (no /etc/passwd so
USER is ineffective) and that running as non-root is enforced elsewhere or
acceptable for this artifact, referencing the ENTRYPOINT and the nosemgrep
suppression so reviewers can understand why the rule is suppressed.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.trivyignore:
- Around line 1-4: Add a POSIX trailing newline to the end of the .trivyignore
file so the file ends with a newline character (after the last listed CVE
entries "CVE-2026-34040" and "CVE-2026-33997"); simply ensure the file
terminates with a newline to satisfy POSIX tools and linters.

---

Nitpick comments:
In `@docker/control-plane-ci/Dockerfile`:
- Around line 9-10: Add an inline rationale to the existing suppression comment
so future maintainers understand why running as root is intentional for this CI
image; update the nosemgrep suppression comment that precedes the ENTRYPOINT
["/control-plane"] line (the "nosemgrep:
dockerfile.security.missing-user-entrypoint.missing-user-entrypoint" token) to
include a short explanation like "CI image requires root for Docker Swarm
operations — intentional for CI; see PR X or docs" so the reasoning is preserved
next to the ENTRYPOINT.

In `@docker/control-plane/Dockerfile`:
- Around line 7-8: The nosemgrep suppression above ENTRYPOINT ["/control-plane"]
is valid but lacks rationale; update the Dockerfile by expanding the existing
nosemgrep comment to include a concise inline explanation that this is a
distroless image (no /etc/passwd so USER is ineffective) and that running as
non-root is enforced elsewhere or acceptable for this artifact, referencing the
ENTRYPOINT and the nosemgrep suppression so reviewers can understand why the
rule is suppressed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a7a9cff9-869f-4770-b6c1-f8a06c7b6b34

📥 Commits

Reviewing files that changed from the base of the PR and between 6ee7a84 and a06beb1.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (5)

• .trivyignore
• docker/control-plane-ci/Dockerfile
• docker/control-plane/Dockerfile
• go.mod
• server/internal/certificates/service.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify no Docker plugin APIs are imported in the codebase
echo "=== Searching for docker/plugin imports ==="
rg -n 'docker/docker/plugin|containerd.*plugin' --type=go

echo ""
echo "=== Verify Docker SDK usage is client-side only ==="
rg -n '"github.com/docker/docker' --type=go | head -30

Repository: pgEdge/control-plane

Length of output: 3021

---

Well-documented CVE suppression with valid rationale.

These are Docker daemon-side vulnerabilities, not client SDK issues. The codebase imports only standard Docker API client types (container, network, swarm, filters, etc.) without any plugin-related APIs, confirming this suppression is appropriate.

Add a trailing newline at the end of the file for POSIX compliance.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.trivyignore around lines 1 - 4, Add a POSIX trailing newline to the end of
the .trivyignore file so the file ends with a newline character (after the last
listed CVE entries "CVE-2026-34040" and "CVE-2026-33997"); simply ensure the
file terminates with a newline to satisfy POSIX tools and linters.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@common.mk`:
- Around line 26-29: Remove the non-standard GONOSUMCHECK env var from the
goreleaser install invocation; keep only the valid GONOSUMDB workaround. Update
the line that currently sets "GONOSUMDB=github.com/goreleaser/goreleaser
GONOSUMCHECK=github.com/goreleaser/goreleaser go install
github.com/goreleaser/goreleaser/v2@v2.13.3" so it uses only GONOSUMDB (e.g.,
"GONOSUMDB=github.com/goreleaser/goreleaser go install
github.com/goreleaser/goreleaser/v2@v2.13.3"), referencing the common.mk entry
that defines these env vars and the go install command.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 058a764e-46fb-42ca-8b0a-bb3d190d4bd8

📥 Commits

Reviewing files that changed from the base of the PR and between 9c44935 and 6f1eb40.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (8)

• .trivyignore
• NOTICE.txt
• common.mk
• docker/control-plane-ci/Dockerfile
• docker/control-plane/Dockerfile
• docs/scripts/generate-stack.js
• go.mod
• server/internal/certificates/service.go

✅ Files skipped from review due to trivial changes (6)

• docs/scripts/generate-stack.js
• docker/control-plane/Dockerfile
• .trivyignore
• docker/control-plane-ci/Dockerfile
• NOTICE.txt
• go.mod

🚧 Files skipped from review as they are similar to previous changes (1)

• server/internal/certificates/service.go