chore: fix vulnerabilities and CI failures by ashnamehrotra · Pull Request #1179 · eraser-dev/eraser

ashnamehrotra · 2025-11-20T21:58:58Z

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Fixes unit tests and updates all vulnerable modules/handles api incompatibilities introduced. Also fixes golang lint errors aside from revive lint (issue created for this for follow up as there are large file changes needed). Remaining vulnerability is from latest version of Trivy binary and cannot be resolved on eraser side:

ashnamehrotra@MacBookPro eraser % trivy image ghcr.io/aquasecurity/trivy:0.67.2
....
usr/local/bin/trivy (gobinary)

Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 4, CRITICAL: 0)

┌─────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬──────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │ Status │ Installed Version │    Fixed Version    │                            Title                             │
├─────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/containerd/containerd    │ CVE-2024-25621 │ HIGH     │ fixed  │ v1.7.28           │ 1.7.29              │ containerd is an open-source container runtime. Versions     │
│                                     │                │          │        │                   │                     │ 0.1.0 through ...                                            │
│                                     │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2024-25621                   │
│                                     ├────────────────┼──────────┤        │                   │                     ├──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2025-64329 │ MEDIUM   │        │                   │                     │ containerd is an open-source container runtime. Versions     │
│                                     │                │          │        │                   │                     │ 1.7.28 and be ...                                            │
│                                     │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2025-64329                   │
├─────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/containerd/containerd/v2 │ CVE-2024-25621 │ HIGH     │        │ v2.1.4            │ 2.0.7, 2.1.5, 2.2.0 │ containerd is an open-source container runtime. Versions     │
│                                     │                │          │        │                   │                     │ 0.1.0 through ...                                            │
│                                     │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2024-25621                   │
│                                     ├────────────────┼──────────┤        │                   │                     ├──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2025-64329 │ MEDIUM   │        │                   │                     │ containerd is an open-source container runtime. Versions     │
│                                     │                │          │        │                   │                     │ 1.7.28 and be ...                                            │
│                                     │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2025-64329                   │
├─────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/opencontainers/selinux   │ CVE-2025-52881 │ HIGH     │        │ v1.12.0           │ 1.13.0              │ runc: opencontainers/selinux: container escape and denial of │
│                                     │                │          │        │                   │                     │ service due to arbitrary write...                            │
│                                     │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2025-52881                   │
├─────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto                 │ CVE-2025-47914 │ MEDIUM   │        │ v0.42.0           │ 0.45.0              │ SSH Agent servers do not validate the size of messages when  │
│                                     │                │          │        │                   │                     │ processing...                                                │
│                                     │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2025-47914                   │
│                                     ├────────────────┤          │        │                   │                     ├──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2025-58181 │          │        │                   │                     │ SSH servers parsing GSSAPI authentication requests do not    │
│                                     │                │          │        │                   │                     │ validate the ...                                             │
│                                     │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2025-58181                   │
├─────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                              │ CVE-2025-58187 │ HIGH     │        │ 1.25.2            │ 1.24.9, 1.25.3      │ Due to the design of the name constraint checking algorithm, │
│                                     │                │          │        │                   │                     │ the proce...                                                 │
│                                     │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2025-58187                   │
└─────────────────────────────────────┴───────

Special notes for your reviewer:

- Convert .golangci.yaml from v1 to v2 format with version: '2' - Replace deprecated linters: exportloopref -> copyloopvar - Move formatters (gofmt, gofumpt, goimports) to formatters section - Update linters.disable-all to linters.default: none - Update Go version in CI from 1.21 to 1.23 to match go.mod - Add exclusion for docs directory to avoid linting generated files Fixes the CI error: 'unsupported version of the configuration' Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

christensenjairus · 2025-11-21T22:07:38Z

Thanks for looking into this @ashnamehrotra! We look forward to the new release :)

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

codecov · 2025-11-26T14:29:04Z

Codecov Report

❌ Patch coverage is 0% with 65 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
pkg/remover/remover.go	0.00%	18 Missing ⚠️
controllers/imagejob/imagejob_controller.go	0.00%	11 Missing ⚠️
main.go	0.00%	10 Missing ⚠️
controllers/imagelist/imagelist_controller.go	0.00%	8 Missing ⚠️
pkg/collector/collector.go	0.00%	6 Missing ⚠️
pkg/scanners/template/scanner_template.go	0.00%	4 Missing ⚠️
...ollers/imagecollector/imagecollector_controller.go	0.00%	2 Missing ⚠️
pkg/scanners/trivy/trivy.go	0.00%	2 Missing ⚠️
test/e2e/util/utils.go	0.00%	2 Missing ⚠️
controllers/configmap/configmap.go	0.00%	1 Missing ⚠️
... and 1 more

Flag	Coverage Δ
unittests	`3.87% <0.00%> (-10.97%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
controllers/controller.go	`0.00% <ø> (ø)`
pkg/scanners/trivy/helpers.go	`0.00% <ø> (ø)`
pkg/scanners/trivy/types.go	`30.15% <ø> (-8.68%)`	⬇️
pkg/utils/utils.go	`13.30% <ø> (+1.46%)`	⬆️
...party/open-policy-agent/gatekeeper/helmify/main.go	`0.00% <ø> (ø)`
version/version.go	`100.00% <ø> (ø)`
controllers/configmap/configmap.go	`0.00% <0.00%> (ø)`
controllers/util/util.go	`0.00% <0.00%> (ø)`
...ollers/imagecollector/imagecollector_controller.go	`0.00% <0.00%> (ø)`
pkg/scanners/trivy/trivy.go	`0.00% <0.00%> (ø)`
... and 7 more

... and 27 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

.github/workflows/e2e-build.yaml

Dockerfile

sozercan · 2025-11-26T22:42:01Z

controllers/imagejob/imagejob_controller.go

 func checkNodeFitness(pod *corev1.Pod, node *corev1.Node) bool {
-	nodeInfo := framework.NewNodeInfo()
-	nodeInfo.SetNode(node)
+	// Check if node has sufficient resources for the pod


why did we reimplement this?

The framework package it was using introduces k8s.io/kubernetes vulnerabilities which is what this was trying to resolve. In order to upgrade this to latest version, it would require major controller runtime api changes. By removing the dependency on this we can eliminate both the dependency and vulns.

Dockerfile

sozercan · 2025-11-26T22:44:52Z

pkg/utils/utils.go

 		return nil, err
 	}

+	//nolint:staticcheck // SA1019: grpc.DialContext is deprecated but maintains required blocking behavior


can we open issues for these too

created issue to track #1188

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

.github/workflows/e2e-test.yaml

.github/workflows/release-pr.yaml

docs/package.json

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

christensenjairus · 2025-12-02T18:13:02Z

One of the specific vulns we're looking to get remediated by a new release is CVE-2025-58188

@ashnamehrotra @sozercan

.golangci.yaml

Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com> Signed-off-by: Ashna Mehrotra <ashnamehrotra@gmail.com>

sozercan

thank you! lgtm

sozercan · 2025-12-02T19:14:31Z

@christensenjairus yes, after this is merged and we cut a release that CVE will be resolved since we'll be building with latest version of Go

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com> Signed-off-by: Ashna Mehrotra <ashnamehrotra@gmail.com> Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [eraser](https://github.com/eraser-dev/eraser) | minor | `v1.3.1` -> `1.4.1` | --- ### Release Notes <details> <summary>eraser-dev/eraser (eraser)</summary> ### [`v1.4.1`](https://github.com/eraser-dev/eraser/releases/tag/v1.4.1) [Compare Source](eraser-dev/eraser@v1.3.1...v1.4.1) #### Chores - Prepare v1.4.0 release ([#1085](eraser-dev/eraser#1085)) [#1085](eraser-dev/eraser#1085) ([github-actions\[bot\]](eraser-dev/eraser@e89d585)) - Prepare v1.4.1 release ([#1190](eraser-dev/eraser#1190)) [#1190](eraser-dev/eraser#1190) ([github-actions\[bot\]](eraser-dev/eraser@bb7634b)) - fix vulnerabilities and CI failures ([#1179](eraser-dev/eraser#1179)) ([Ashna Mehrotra](eraser-dev/eraser@a9cfd88)) - revert "chore: Prepare v1.4.1 release" ([#1191](eraser-dev/eraser#1191)) [#1191](eraser-dev/eraser#1191) ([Ashna Mehrotra](eraser-dev/eraser@311e972)) - release 1.4.1 cherry pick module upgrades ([#1192](eraser-dev/eraser#1192)) [#1192](eraser-dev/eraser#1192) ([Ashna Mehrotra](eraser-dev/eraser@96b21ed)) - Prepare v1.4.1 release ([#1193](eraser-dev/eraser#1193)) [#1193](eraser-dev/eraser#1193) ([github-actions\[bot\]](eraser-dev/eraser@4b1a834)) #### Commits - [`1d7dabe`](eraser-dev/eraser@1d7dabe): Upgrade OpenTelemetry modules to v1.37.0 and migrate deprecated APIs ([#1160](eraser-dev/eraser#1160)) (Copilot) - [`a5e6a65`](eraser-dev/eraser@a5e6a65): Merge branch 'release-1.4' of github.com:Azure/eraser into release-1.4 (ashnamehrotra) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/2217 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

ashnamehrotra requested review from pmengelbert and sozercan as code owners November 20, 2025 21:58

ashnamehrotra added 3 commits November 20, 2025 17:01

update manager vulns and handle api migrations

3bf4801

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

remover image vulns

115c155

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

ashnamehrotra force-pushed the fix-vulns branch from 21f4884 to 115c155 Compare November 20, 2025 22:07

ashnamehrotra added 4 commits November 20, 2025 17:28

update k8s

bd92d2f

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

update trivy binary

53c6cc5

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

change base img

eac2ac4

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

Merge branch 'main' of github.com:Azure/eraser into fix-vulns

7b47784

ashnamehrotra added 4 commits November 25, 2025 19:49

final cve changes

114fd1a

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

more lint

81fb459

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

unit test fix

3e59077

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

ignore revive

aa34ec4

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

ashnamehrotra added 10 commits November 26, 2025 09:46

trivy binary update

12e2be3

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

try increase timeout

b2e73a5

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

test fix

d374da9

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

use grcp new client

46fd36e

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

grpc fix

1f9b180

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

grpc fix

4977f2b

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

getConn test

67c84e8

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

update go version in CI

7507e05

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

revert grpc

946f21c

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

revert Dockerfile

8da8978

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

ashnamehrotra mentioned this pull request Nov 26, 2025

chore: bump github.com/aquasecurity/trivy from 0.35.0 to 0.51.2 #1180

Closed

ashnamehrotra force-pushed the fix-vulns branch from aba19d2 to 8da8978 Compare November 26, 2025 20:50

ashnamehrotra added 2 commits November 26, 2025 16:37

Merge branch 'main' of github.com:Azure/eraser into fix-vulns

e929a4c

trivy fs vulns upgrade

bb54194

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

ashnamehrotra added 2 commits November 26, 2025 17:04

govulncheck fixes

e6549b0

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

docs changes

b0dcdc6

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>