fix: [CI-23226]: remediate vulnerabilities in harnesssecure/gcs (46-CVE reduction)#103
Draft
vinayakharness2026 wants to merge 1 commit into
Conversation
Bump Go toolchain and vulnerable indirect deps to their minimum-safe versions per Trivy fix column, closing 46/47 unique CVEs found by the baseline Trivy scan on plugins/gcs:1.6.10 (baseline uses the docker.io public copy since harnesssecure/gcs is a private mirror built from the same source). Edits: - go directive: 1.25.7 -> 1.25.12 (stdlib CVEs) - golang.org/x/crypto (indirect): v0.46.0 -> v0.52.0 (13 HIGH+MED) - golang.org/x/net (indirect): v0.48.0 -> v0.55.0 (7 CVEs) - golang.org/x/sys (indirect): v0.40.0 -> v0.45.0 (CVE-2026-39824) - go.opentelemetry.io/otel{,sdk,metric,sdk/metric,trace} (indirect): v1.40.0 -> v1.43.0 (otel/sdk HIGH) - github.com/go-jose/go-jose/v4 (indirect): v4.1.3 -> v4.1.4 (CVE-2026-34986) - cloud.google.com/go/storage: v1.50.0 -> v1.62.3 (unlocks newer subs) - google.golang.org/api: v0.214.0 -> v0.284.0 (unlocks newer subs) - .drone.yml, .harness/harness.yaml: golang:1.25.7 -> golang:1.25.12 so CI-built binaries embed the fixed stdlib. Scans (Harness OnDemand + local Trivy) verify the fix in-pipeline before merge. See PR body for the full canonical report.
Collaborator
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Vulnerability Remediation: harnesssecure/gcs
Team: ci (Harness CI Platform)
Tickets: CI-23226 — Security Vulnerability Fixes - harnesssecure/gcs
Test image:
vinayakharness/gcs-test:gcs-1.6.11--debugOnDemand scanner runs (Harness https://harness0.harness.io/):
Summary
All 46 CVEs flagged by the Trivy baseline of
plugins/gcs:1.6.10(the docker.io public copy of the same source repo behindharnesssecure/gcs:1.6.10) are resolved by upgrading the Go toolchain from 1.25.7 → 1.25.12 and pushing the indirect dependencies (golang.org/x/crypto,golang.org/x/net,golang.org/x/sys,go.opentelemetry.io/otel*,github.com/go-jose/go-jose/v4) to their minimum-safe versions per Trivy'sFixedVersioncolumn.cloud.google.com/go/storageandgoogle.golang.org/apiwere bumped to the versions that transitively require the newx/*families sogo mod tidydoesn't downgrade them.Harness OnDemand (Prisma Cloud + Snyk) sees the same delta: 39 → 3 active issues (1 CRIT / 14 HIGH / 8 MED / 3 LOW / 3 INFO → 0 / 0 / 2 / 0 / 1). The 2 remaining MEDIUMs are
go.opentelemetry.io/otel/propagation@v1.43.0(severity-reduced from HIGH at v1.40.0 — no upstream fix higher than what we shipped) and the 1 INFO is the unchangedCIS_Docker 4.1 non-root userpolicy that already existed in baseline. Recommendation: SHIP.CVE Delta — Trivy (local scan)
The remaining Unknown-severity item is
GO-2026-5932ingolang.org/x/crypto— no upstream fix has been published yet and it was already present in the baseline scan (not newly introduced).CVE Delta — Harness OnDemand (Prisma Cloud + Snyk)
Per-Ticket CVE Status
CI-23226 — P2: Security Vulnerability Fixes - harnesssecure/gcs
The ticket description gave severity counts only (10 Crit / 19 High / 3 Med / — Low / 30 with fix / 2 no fix — a snapshot from sos.seceng.harness.io). It did not enumerate individual CVE IDs, so per-CVE rows are grouped by vulnerable package to match the scanner output.
FROM scratch— running as UID 0 is upstream policy of drone-plugins; separate refactor required. Pre-existing baseline.Changes Made
go.modgo.sumgo mod tidy.drone.ymlgolang:1.25.7→golang:1.25.12(7 occurrences) so the CI-built binary embeds the fixed stdlib.harness/harness.yamlgolang:1.25.7→golang:1.25.12(3 occurrences) — same reason for the harness.yaml pipelineVersion selection rationale:
1.25.7→1.25.12. Multiple stdlib CVEs land across 1.25.8-1.25.12; picked 1.25.12 as the smallest patch that covers the whole list (CVE-2026-39822 / CVE-2026-42505 need 1.25.12).v0.46.0→v0.52.0. Trivy fix = 0.52.0 for all 13 fixed CVEs.v0.48.0→v0.55.0. Highest required fix column = 0.55.0 (CVE-2026-42506).v0.40.0→v0.45.0. Trivy fix = 0.44.0; x/crypto v0.52.0 and x/net v0.55.0 both require ≥0.45.0, so we take 0.45.0.v1.40.0→v1.43.0. otel/sdk fix column is 1.43.0; keep the whole family in lockstep to match otel's release model.v4.1.3→v4.1.4. Trivy fix.v1.50.0→v1.62.3,v0.214.0→v0.284.0. Not vulnerable themselves — bumped sogo mod tidydoesn't downgrade the newx/*indirect deps.Newly Introduced CVEs
None.
go.opentelemetry.io/otel/propagation@v1.43.0(MED) is a strict severity-reduction of the pre-existingotel/propagation@v1.40.0(HIGH), not a new issue. TheCIS_Docker 4.1INFO row is unchanged from baseline.