Skip to content

fix: [CI-23226]: remediate vulnerabilities in harnesssecure/gcs (46-CVE reduction)#103

Draft
vinayakharness2026 wants to merge 1 commit into
drone-plugins:masterfrom
vinayakharness2026:fix/CI-23226-vuln-remediation-1783922267
Draft

fix: [CI-23226]: remediate vulnerabilities in harnesssecure/gcs (46-CVE reduction)#103
vinayakharness2026 wants to merge 1 commit into
drone-plugins:masterfrom
vinayakharness2026:fix/CI-23226-vuln-remediation-1783922267

Conversation

@vinayakharness2026

@vinayakharness2026 vinayakharness2026 commented Jul 13, 2026

Copy link
Copy Markdown

Vulnerability Remediation: harnesssecure/gcs

Team: ci (Harness CI Platform)
Tickets: CI-23226 — Security Vulnerability Fixes - harnesssecure/gcs
Test image: vinayakharness/gcs-test:gcs-1.6.11--debug

OnDemand scanner runs (Harness https://harness0.harness.io/):


Summary

All 46 CVEs flagged by the Trivy baseline of plugins/gcs:1.6.10 (the docker.io public copy of the same source repo behind harnesssecure/gcs:1.6.10) are resolved by upgrading the Go toolchain from 1.25.7 → 1.25.12 and pushing the indirect dependencies (golang.org/x/crypto, golang.org/x/net, golang.org/x/sys, go.opentelemetry.io/otel*, github.com/go-jose/go-jose/v4) to their minimum-safe versions per Trivy's FixedVersion column. cloud.google.com/go/storage and google.golang.org/api were bumped to the versions that transitively require the new x/* families so go mod tidy doesn't downgrade them.

Harness OnDemand (Prisma Cloud + Snyk) sees the same delta: 39 → 3 active issues (1 CRIT / 14 HIGH / 8 MED / 3 LOW / 3 INFO → 0 / 0 / 2 / 0 / 1). The 2 remaining MEDIUMs are go.opentelemetry.io/otel/propagation@v1.43.0 (severity-reduced from HIGH at v1.40.0 — no upstream fix higher than what we shipped) and the 1 INFO is the unchanged CIS_Docker 4.1 non-root user policy that already existed in baseline. Recommendation: SHIP.


CVE Delta — Trivy (local scan)

Severity Before After Change
Critical 0 0 0
High 28 0 -28
Medium 16 0 -16
Low 1 0 -1
Unknown 2 1 -1
Total 47 1 -46

The remaining Unknown-severity item is GO-2026-5932 in golang.org/x/crypto — no upstream fix has been published yet and it was already present in the baseline scan (not newly introduced).

CVE Delta — Harness OnDemand (Prisma Cloud + Snyk)

Severity Before After Change
Critical 1 0 -1
High 14 0 -14
Medium 8 2 -6
Low 3 0 -3
Info 3 1 -2
Total 29 existing + 10 new = 39 3 -36

Per-Ticket CVE Status

CI-23226 — P2: Security Vulnerability Fixes - harnesssecure/gcs

The ticket description gave severity counts only (10 Crit / 19 High / 3 Med / — Low / 30 with fix / 2 no fix — a snapshot from sos.seceng.harness.io). It did not enumerate individual CVE IDs, so per-CVE rows are grouped by vulnerable package to match the scanner output.

Package Before After Required Status Reason
stdlib (Go toolchain) 1.25.7 1.25.12 ≥1.25.12 OK 22 CVEs closed (CVE-2026-25679CVE-2026-42507)
golang.org/x/crypto v0.46.0 v0.52.0 ≥0.52.0 OK 13/14 CVEs closed; GO-2026-5932 has no upstream fix (already in baseline, not newly introduced)
golang.org/x/net v0.48.0 v0.55.0 ≥0.55.0 OK 7 CVEs closed (CVE-2026-25680/1, CVE-2026-27136, CVE-2026-33814, CVE-2026-39821, CVE-2026-42502, CVE-2026-42506)
golang.org/x/sys v0.40.0 v0.45.0 ≥0.44.0 OK CVE-2026-39824
go.opentelemetry.io/otel v1.40.0 v1.43.0 ≥1.41.0 OK CVE-2026-29181 (otel), CVE-2026-39883 (otel/sdk); otel/propagation drops HIGH → MED
github.com/go-jose/go-jose/v4 v4.1.3 v4.1.4 ≥4.1.4 OK CVE-2026-34986
CIS_Docker 4.1 non-root user fail fail pass BLOCKED Dockerfile uses FROM scratch — running as UID 0 is upstream policy of drone-plugins; separate refactor required. Pre-existing baseline.

Changes Made

File Change
go.mod go directive 1.25.7 → 1.25.12; bump direct/indirect deps (see Version Rationale)
go.sum regenerated by go mod tidy
.drone.yml golang:1.25.7golang:1.25.12 (7 occurrences) so the CI-built binary embeds the fixed stdlib
.harness/harness.yaml golang:1.25.7golang:1.25.12 (3 occurrences) — same reason for the harness.yaml pipeline

Version selection rationale:

  • Go toolchain: 1.25.71.25.12. Multiple stdlib CVEs land across 1.25.8-1.25.12; picked 1.25.12 as the smallest patch that covers the whole list (CVE-2026-39822 / CVE-2026-42505 need 1.25.12).
  • golang.org/x/crypto: v0.46.0v0.52.0. Trivy fix = 0.52.0 for all 13 fixed CVEs.
  • golang.org/x/net: v0.48.0v0.55.0. Highest required fix column = 0.55.0 (CVE-2026-42506).
  • golang.org/x/sys: v0.40.0v0.45.0. Trivy fix = 0.44.0; x/crypto v0.52.0 and x/net v0.55.0 both require ≥0.45.0, so we take 0.45.0.
  • otel + otel/{sdk,metric,sdk/metric,trace}: v1.40.0v1.43.0. otel/sdk fix column is 1.43.0; keep the whole family in lockstep to match otel's release model.
  • github.com/go-jose/go-jose/v4: v4.1.3v4.1.4. Trivy fix.
  • cloud.google.com/go/storage / google.golang.org/api: v1.50.0v1.62.3, v0.214.0v0.284.0. Not vulnerable themselves — bumped so go mod tidy doesn't downgrade the new x/* indirect deps.

Newly Introduced CVEs

None. go.opentelemetry.io/otel/propagation@v1.43.0 (MED) is a strict severity-reduction of the pre-existing otel/propagation@v1.40.0 (HIGH), not a new issue. The CIS_Docker 4.1 INFO row is unchanged from baseline.

Bump Go toolchain and vulnerable indirect deps to their minimum-safe
versions per Trivy fix column, closing 46/47 unique CVEs found by the
baseline Trivy scan on plugins/gcs:1.6.10 (baseline uses the docker.io
public copy since harnesssecure/gcs is a private mirror built from
the same source).

Edits:
- go directive:                    1.25.7  -> 1.25.12  (stdlib CVEs)
- golang.org/x/crypto (indirect): v0.46.0 -> v0.52.0  (13 HIGH+MED)
- golang.org/x/net    (indirect): v0.48.0 -> v0.55.0  (7 CVEs)
- golang.org/x/sys    (indirect): v0.40.0 -> v0.45.0  (CVE-2026-39824)
- go.opentelemetry.io/otel{,sdk,metric,sdk/metric,trace} (indirect):
                                   v1.40.0 -> v1.43.0  (otel/sdk HIGH)
- github.com/go-jose/go-jose/v4 (indirect): v4.1.3 -> v4.1.4  (CVE-2026-34986)
- cloud.google.com/go/storage:     v1.50.0 -> v1.62.3  (unlocks newer subs)
- google.golang.org/api:           v0.214.0 -> v0.284.0 (unlocks newer subs)
- .drone.yml, .harness/harness.yaml: golang:1.25.7 -> golang:1.25.12
  so CI-built binaries embed the fixed stdlib.

Scans (Harness OnDemand + local Trivy) verify the fix in-pipeline
before merge. See PR body for the full canonical report.
@imaditya55

Copy link
Copy Markdown
Collaborator

CI fixes pushed to imaditya55 fork (lint + test failures after dependency upgrade). Please use PR #106 for review/CI: #106

Commit: b94a912 on branch fix/CI-23226-vuln-remediation-1783922267.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants