Skip to content

fix(security): remediate CVE vulnerabilities in Go stdlib#577

Merged
bobh66 merged 2 commits into
release-0.11from
fix/cve-remediation-release-0.11-20260521-223737
May 22, 2026
Merged

fix(security): remediate CVE vulnerabilities in Go stdlib#577
bobh66 merged 2 commits into
release-0.11from
fix/cve-remediation-release-0.11-20260521-223737

Conversation

@ulucinar
Copy link
Copy Markdown
Collaborator

@ulucinar ulucinar commented May 21, 2026

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

CVE/GHSA Severity Package Fixed Version
CVE-2026-39820 High stdlib (Go) 1.25.10
CVE-2026-42499 High stdlib (Go) 1.25.10
CVE-2026-39836 High stdlib (Go) 1.25.10
CVE-2026-33814 High stdlib (Go) 1.25.10
CVE-2026-33811 High stdlib (Go) 1.25.10
CVE-2026-42501 High stdlib (Go) 1.25.10
CVE-2026-39817 Medium stdlib (Go) 1.25.10
CVE-2026-39826 Medium stdlib (Go) 1.25.10
CVE-2026-39825 Medium stdlib (Go) 1.25.10
CVE-2026-39823 Medium stdlib (Go) 1.25.10
CVE-2026-39819 Medium stdlib (Go) 1.25.10

Changes Made

  • Updated Go version from 1.25.9 to 1.25.10 in go.mod
  • Updated toolchain directive to go1.25.10
  • Updated GO_VERSION in .github/workflows/ci.yml to 1.25.10
  • Ran go mod tidy to update dependencies

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

@ulucinar
fix(security): remediate CVE vulnerabilities
f95ea87 
- Update Go version to 1.25.10 (fixes CVE-2026-39820, CVE-2026-42499,
  CVE-2026-39836, CVE-2026-33814, CVE-2026-33811, CVE-2026-42501,
  CVE-2026-39817, CVE-2026-39826, CVE-2026-39825, CVE-2026-39823,
  CVE-2026-39819)
- Update GO_VERSION in CI workflow to match

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@ulucinar
Copy link
Copy Markdown
Collaborator Author

ulucinar commented May 21, 2026

Build Failure Analysis

Check: build (amd64)
Status: Failed
Analyzed: 2026-05-21 22:41:00 UTC

Summary

The Crossplane CLI installation failed because "version current" does not exist on "channel master".

Root Cause

The workflow configuration specifies:

  • XP_CHANNEL: master
  • XP_VERSION: current

The Crossplane install script cannot find this version/channel combination. The workflow file includes TODO comments indicating these should be pinned to stable values.

Error Details

Failed to download Crossplane CLI. Please make sure version current exists on channel master.
[error]Process completed with exit code 1.

Environment variables at time of failure:

  • XP_CHANNEL: master
  • XP_VERSION: current

Recommendation

Code fix required: Update .github/workflows/ci.yml to use stable channel and a specific stable version instead of "current" on "master" channel.

Suggested fix:

  XP_CHANNEL: stable
  XP_VERSION: v1.18.2

A remediation plan has been generated with detailed steps.

This analysis was generated by the build-failure-analyze skill.

@ulucinar
fix(ci): update Crossplane CLI to stable channel
64419d7 
- Use stable channel instead of master
- Pin to v1.18.2 instead of current
- Resolves Crossplane CLI download failure

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@bobh66 bobh66 merged commit 0a7969e into release-0.11 May 22, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bobh66 bobh66 bobh66 approved these changes

@sergenyalcin sergenyalcin Awaiting requested review from sergenyalcin sergenyalcin is a code owner

@turkenf turkenf Awaiting requested review from turkenf turkenf is a code owner

@negz negz Awaiting requested review from negz negz is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ulucinar @bobh66