chore(security): bump Go to 1.25.10, go-jose v4.1.4, add govulncheck CI #742
Open
UtkarshBhatthere wants to merge 4 commits into
Force-pushed from 3f7a778 to 6373680.
Clears 9 of 13 govulncheck-called vulnerabilities on the microceph module:

* 8 Go stdlib vulns (net, crypto/x509, crypto/tls, net/http http2, archive/tar, os, net/url) - fixed by Go toolchain bump 1.25.7 -> 1.25.10
* GO-2026-4945 (CVE-2026-34986) JWE decryption panic in go-jose/v4 - fixed by upgrade v4.1.3 -> v4.1.4

The remaining 4 vulnerabilities (GO-2026-4595, GO-2025-4121, GO-2025-4003, GO-2025-3999) are in github.com/canonical/lxd with no upstream fix available yet.

Also wires up govulncheck in CI via a reusable composite action:

* .github/actions/govulncheck - composite action that installs Go + libdqlite, runs `govulncheck -format json ./...`, and emits the JSON output plus a count of called-path vulnerabilities. Configurable via `fail-on-vuln` so callers can either gate or just collect output.
* .github/workflows/vuln-scan-pr.yml - PR-time job, paths-filtered on microceph/go.{mod,sum} and the action itself. Scans PR head and base ref, diffs called-path OSV IDs, fails only on net-new findings. This keeps existing unfixed LXD vulns from blocking unrelated PRs while still catching new vulns introduced by dependency changes.
* .github/workflows/vuln-scan-cron.yml - daily 06:00 UTC scan of the full module on main, plus workflow_dispatch. On any called-path finding it opens (or comments on) a single tracking issue titled "[vuln-scan] govulncheck found called-path vulnerabilities", and auto-closes it when the next scan is clean.

The earlier ad-hoc vuln-scan job in tests.yml is removed in favour of the dedicated workflows above.

Signed-off-by: Utkarsh Bhatt <utkarsh_bhatt@outlook.com>
Assisted-by: Claude Opus 4.7 <noreply@anthropic.com>
Force-pushed from 6373680 to e5623c9.
sabaini (Collaborator) requested changes on May 28, 2026:
Hey, some comments inline.
- vuln-scan-pr: extend paths filter to include microceph/**/*.go so source changes that open new called-path vulns trigger the diff scan
- vuln-scan-pr: base scan now uses ./base/.github/actions/govulncheck so the scanner comes from the already-merged base ref, not from the PR head being evaluated
- govulncheck action: drop || true from jq call so a corrupt/missing output file fails loudly instead of producing a silently-clean result

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Utkarsh Bhatt <utkarsh.bhatt@canonical.com>
…rom vulns

vuln-scan-pr: post new called-path vuln findings as a PR comment instead of failing the CI run. Adds pull-requests: write permission.

vuln-scan-cron: set fail-on-vuln: false and remove continue-on-error so the job only fails on real infra errors. Gate issue open/close on called-count output (string comparison) rather than step outcome, so an infra failure never opens or suppresses a vuln tracking issue.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Utkarsh Bhatt <utkarsh.bhatt@canonical.com>
Force-pushed from 2dc3d85 to 23b586d.
sabaini reviewed on May 29, 2026.
Move ${{ github.event.pull_request.* }} expressions from inline bash
strings into named env vars to avoid mixing GHA template syntax inside
multiline shell strings. Add exit 1 after posting the PR comment so the
workflow job fails when new called-path vulnerabilities are found.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Utkarsh Bhatt <utkarsh.bhatt@canonical.com>
Summary

* microceph/go.mod from 1.25.7 → 1.25.10, clearing 8 Go stdlib vulnerabilities (net, crypto/x509, crypto/tls, net/http http2, archive/tar, os, net/url) reachable from microceph code paths.
* github.com/go-jose/go-jose/v4 from v4.1.3 → v4.1.4, clearing GO-2026-4945 / CVE-2026-34986 (JWE decryption panic).

govulncheck delta

Before: 13 called-path vulnerabilities (10 HIGH, 2 MEDIUM/MODERATE, 1 LOW).
After: 4 called-path vulnerabilities, all in github.com/canonical/lxd (no upstream fix available).

These four require an upstream LXD release. Filing/tracking is a follow-up.

CI design

* .github/actions/govulncheck — composite action. Installs Go + libdqlite (cgo), runs govulncheck -format json ./..., emits the JSON output and a count of called-path findings. fail-on-vuln input lets callers either gate (cron) or collect output silently (PR diff).
* .github/workflows/vuln-scan-pr.yml — PR-time job. Paths-filtered on microceph/go.{mod,sum} and the action itself: GitHub skips the workflow entirely when no dep change is in the PR. When it does run, it scans both PR HEAD and base ref via the composite action and diffs the called-path OSV ID sets — failing only on net-new findings. Existing unfixed LXD vulns therefore don't block unrelated PRs.
* .github/workflows/vuln-scan-cron.yml — daily 06:00 UTC scan of the full module on main, plus workflow_dispatch. On any called-path finding it opens (or comments on) a single tracking issue titled [vuln-scan] govulncheck found called-path vulnerabilities and auto-closes it when the next run is clean.

The earlier ad-hoc vuln-scan job that lived in tests.yml is removed in favour of the dedicated workflows above.

Test plan

* govulncheck ./... rerun locally — 13 → 4 called vulns, all remaining are LXD-only with no fix
* go build ./... clean
* go test -short ./... passes (api, ceph, cmd, common, dsl, logger all OK)
* govulncheck -format json output (returns exactly the 4 LXD IDs, no false positives from module-only finding summaries)
* vuln-scan-pr job: paths-filter triggers it (go.{mod,sum} touched in this PR); diff vs main should report only the unchanged 4 LXD vulns and pass (no net-new)
* vuln-scan-cron job: workflow_dispatch trigger from main after merge should fail and open the tracking issue
* static-checks + unit-tests green on this PR

🤖 Generated with Claude Code
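The head-vs-base called-path diff that vuln-scan-pr performs with jq, as an added example in Python that is not code from the microceph repository or this PR. It assumes govulncheck's JSON stream layout (a sequence of whitespace-separated objects, where frame 0 of a finding's trace names a "function" only for call-level findings); the sample scans are constructed, the OSV IDs are the ones named on the PR, and the package/function frame names are hypothetical. Like the reviewed fix that dropped `|| true`, corrupt or empty scan output raises instead of reading as clean.

```python
import json

def parse_stream(text: str) -> list:
    """Decode a govulncheck JSON stream (whitespace-separated JSON objects)."""
    # Corrupt/empty input raises rather than yielding an empty, falsely-clean result.
    dec, objs, pos = json.JSONDecoder(), [], 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            break
        obj, pos = dec.raw_decode(text, pos)  # JSONDecodeError on corruption
        objs.append(obj)
    if not objs:
        raise ValueError("empty govulncheck output")
    return objs

def called_osv_ids(text: str) -> set:
    """OSV IDs with at least one called-path (function-level) finding."""
    # Only call-level findings name a "function" in trace frame 0; module- and
    # package-level findings are skipped, matching what the PR counts.
    ids = set()
    for obj in parse_stream(text):
        finding = obj.get("finding")
        trace = (finding or {}).get("trace") or []
        if trace and trace[0].get("function"):
            ids.add(finding["osv"])
    return ids

def net_new(base_text: str, head_text: str) -> set:
    """Called-path IDs on the PR head that are absent on the base ref."""
    return called_osv_ids(head_text) - called_osv_ids(base_text)

# Constructed samples in govulncheck's stream shape; frame names are hypothetical.
def _finding(osv, module, package=None, function=None) -> str:
    frame = {k: v for k, v in (("module", module), ("package", package),
                               ("function", function)) if v}
    return json.dumps({"finding": {"osv": osv, "trace": [frame]}})

LXD = "github.com/canonical/lxd"
JOSE = "github.com/go-jose/go-jose/v4"
BASE_SCAN = "\n".join([
    json.dumps({"config": {"protocol_version": "v1.0.0"}}),
    _finding("GO-2025-4121", LXD, LXD + "/shared", "ParseX"),
    _finding("GO-2026-4945", JOSE),  # module-level only: not counted
])
HEAD_SCAN = "\n".join([
    json.dumps({"config": {"protocol_version": "v1.0.0"}}),
    _finding("GO-2025-4121", LXD, LXD + "/shared", "ParseX"),
    _finding("GO-2026-4945", JOSE, JOSE, "Decrypt"),  # now reached from code
])
```

`net_new(BASE_SCAN, HEAD_SCAN)` reports only GO-2026-4945: the LXD finding is present on both refs and so does not block the PR.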