Skip to content

fix(build): update Go dependencies to resolve known security vulnerabilities#2591

Merged
rksharma95 merged 4 commits into
kubearmor:mainfrom
Athang69:main
May 13, 2026
Merged

fix(build): update Go dependencies to resolve known security vulnerabilities#2591
rksharma95 merged 4 commits into
kubearmor:mainfrom
Athang69:main

Conversation

@Athang69

@Athang69 Athang69 commented May 11, 2026

Copy link
Copy Markdown
Contributor

Purpose of PR?:
Updates Go dependencies across all modules in the monorepo to resolve known security vulnerabilities detected by osv-scanner against the OSV database. This reduces the OpenSSF Scorecard Vulnerabilities score from 0/10 (20 vulnerabilities) to 5/10 (5 vulnerabilities). The remaining 5 have no patched version available upstream yet.

Related to #2566

Does this PR introduce a breaking change?
No. Changes are limited to go.mod, go.sum files, and Dockerfile base image version bumps to match the Go version upgrade. No source code is modified.

If the changes in this PR are manually verified, list down the scenarios covered:

  • Ran osv-scanner scan --lockfile=<module>/go.mod across all 7 modules before and after changes
  • Before: 20 vulnerabilities detected across all modules
  • After: 5 vulnerabilities remaining, all confirmed to have no upstream fix available yet
Screenshot from 2026-05-11 11-13-44

Fixed vulnerabilities:

ID Package CVSS
GHSA-gj49-89wh-h4gj github.com/cilium/cilium v1.18.6 -> v1.18.9 7.9
GO-2026-4856 github.com/cilium/cilium v1.18.6 -> v1.18.9 5.4
GO-2026-4918 golang.org/x/net updated across all modules -
GO-2026-4971 + stdlib CVEs Go toolchain 1.25.9 -> 1.25.10 -
GHSA-78h2-9frx-2jm8 github.com/go-jose/go-jose/v4 updated -
GO-2025-4096/4097/4098 github.com/opencontainers/runc v1.3.0 -> v1.4.2 7.3
GO-2026-4311, GO-2025-4193 github.com/sigstore/fulcio updated 5.8
GO-2026-4358 github.com/sigstore/sigstore updated 5.8
GO-2025-3922 github.com/ulikunitz/xz updated 5.3
GHSA-mh2q-q3fh-2475 go.opentelemetry.io/otel updated 7.5
GHSA-pc3f-x583-g7j2 github.com/moby/spdystream v0.5.0 -> v0.5.1 8.7
GHSA-w8rr-5gcm-pp58 go.opentelemetry.io/otel/exporters updated 5.3

Unfixable (no patched version available upstream):

ID Package Reason
GO-2026-4883, GO-2026-4887 github.com/docker/docker OSV lists all versions as affected, no known fix
GO-2024-3042, GO-2025-3961 github.com/containers/podman/v5 v5.8.2 is latest, no patch released
GHSA-hfvc-g4fc-pqhx go.opentelemetry.io/otel/sdk No fixed version available

Modules updated: KubeArmor/, pkg/KubeArmorController/, pkg/KubeArmorOperator/, deployments/, deployments/podman/, tests/, protobuf/
Dockerfiles updated: Dockerfile, pkg/KubeArmorController/Dockerfile, pkg/KubeArmorOperator/Dockerfile (base image bumped to golang:1.26 to match Go version upgrade)

Additional information for reviewer?:
Scanned using osv-scanner which uses the same OSV database as OpenSSF Scorecard. The scorecard Vulnerabilities check was independently verified after pushing changes, confirming the reduction from 20 to 5 vulnerabilities.

Checklist:

  • Bug fix. Fixes #
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • PR Title follows the convention of <type>(<scope>): <subject>
  • Commit has unit tests
  • Commit has integration tests

Copilot AI review requested due to automatic review settings May 11, 2026 05:52

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates Go module dependencies across the KubeArmor monorepo to remediate OSV-reported vulnerabilities (including bumping the Go version used by modules), without modifying source code.

Changes:

  • Bump module Go version from 1.25.9 to 1.25.10 across the updated modules.
  • Update multiple dependency versions in each module’s go.mod / go.sum to pick up security fixes (e.g., golang.org/x/*, go-jose, runc, cilium, etc.).
  • Introduce a toolchain go1.25.10 directive in some (but not all) modules.

Reviewed changes

Copilot reviewed 7 out of 14 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
KubeArmor/go.mod Updates Go version and bumps key dependencies (e.g., cilium) for vulnerability remediation.
KubeArmor/go.sum Refreshes checksums to match updated dependencies in KubeArmor/go.mod.
deployments/go.mod Updates Go version and indirect golang.org/x/* dependency versions.
deployments/go.sum Refreshes checksums for the deployments module after dependency updates.
deployments/podman/go.mod Updates Go version, updates podman-related dependency set, and adds toolchain go1.25.10.
deployments/podman/go.sum Refreshes checksums for the updated podman deployments module dependencies.
pkg/KubeArmorController/go.mod Updates Go version, indirect dependencies, and adds toolchain go1.25.10.
pkg/KubeArmorController/go.sum Refreshes checksums for controller module dependency updates.
pkg/KubeArmorOperator/go.mod Updates Go version and indirect golang.org/x/* dependencies for the operator module.
pkg/KubeArmorOperator/go.sum Refreshes checksums for operator module dependency updates.
protobuf/go.mod Updates Go version, indirect golang.org/x/* versions, and adds toolchain go1.25.10.
protobuf/go.sum Refreshes checksums for protobuf module dependency updates.
tests/go.mod Updates Go version and a subset of indirect dependencies used by the tests module.
tests/go.sum Refreshes checksums for tests module dependency updates.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pkg/KubeArmorController/go.mod Outdated
Comment thread deployments/podman/go.mod Outdated
Comment thread protobuf/go.mod Outdated

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 14 changed files in this pull request and generated 1 comment.

Comment thread KubeArmor/go.mod

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 10 out of 17 changed files in this pull request and generated 1 comment.

Comment thread Dockerfile
Comment thread deployments/podman/go.mod Outdated
Comment thread pkg/KubeArmorController/Dockerfile Outdated
@Athang69 Athang69 force-pushed the main branch 2 times, most recently from 9f3e7a5 to f330e45 Compare May 12, 2026 05:33
@Athang69

Copy link
Copy Markdown
Contributor Author

@rksharma95 I've addressed the required changes PTAL.
Thanks!!

@Athang69 Athang69 requested a review from rksharma95 May 12, 2026 05:35
rksharma95
rksharma95 previously approved these changes May 13, 2026

@AryanBakliwal AryanBakliwal left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Athang69 I see that apart from one go.mod file, the go version is 1.25.10 elsewhere. Let’s upgrade all go.mod files to go 1.26.0 for consistency.

@Athang69

Copy link
Copy Markdown
Contributor Author

@AryanBakliwal bumped all go.mod files to go 1.26.0 in the latest commit.
PTAL.
Thankss!!

@Athang69 Athang69 requested a review from AryanBakliwal May 13, 2026 10:48
@AryanBakliwal

Copy link
Copy Markdown
Member

@AryanBakliwal bumped all go.mod files to go 1.26.0 in the latest commit. PTAL. Thankss!!

go-vuln is failing again, please check

@Athang69

Copy link
Copy Markdown
Contributor Author

@AryanBakliwal Should I bump all go.mod files to go 1.26.3 to fix the stdlib vulnerabilities reported by govulncheck, or is there a preferred approach?

@AryanBakliwal

Copy link
Copy Markdown
Member

@AryanBakliwal Should I bump all go.mod files to go 1.26.3 to fix the stdlib vulnerabilities reported by govulncheck, or is there a preferred approach?

Yes, bump all to 1.26.3

@Athang69

Copy link
Copy Markdown
Contributor Author

@AryanBakliwal Should I bump all go.mod files to go 1.26.3 to fix the stdlib vulnerabilities reported by govulncheck, or is there a preferred approach?

Yes, bump all to 1.26.3

Done, bumped all go.mod files to go 1.26.3 in the latest commit.

@AryanBakliwal AryanBakliwal requested a review from rksharma95 May 13, 2026 12:02
@rksharma95 rksharma95 merged commit bcfdb95 into kubearmor:main May 13, 2026
18 of 21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants