fix(build): update Go dependencies to resolve known security vulnerabilities#2591
Conversation
Signed-off-by: Athang69 <[email protected]>
There was a problem hiding this comment.
Pull request overview
This PR updates Go module dependencies across the KubeArmor monorepo to remediate OSV-reported vulnerabilities (including bumping the Go version used by modules), without modifying source code.
Changes:
- Bump module Go version from
1.25.9to1.25.10across the updated modules. - Update multiple dependency versions in each module’s
go.mod/go.sumto pick up security fixes (e.g.,golang.org/x/*,go-jose,runc,cilium, etc.). - Introduce a
toolchain go1.25.10directive in some (but not all) modules.
Reviewed changes
Copilot reviewed 7 out of 14 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
KubeArmor/go.mod |
Updates Go version and bumps key dependencies (e.g., cilium) for vulnerability remediation. |
KubeArmor/go.sum |
Refreshes checksums to match updated dependencies in KubeArmor/go.mod. |
deployments/go.mod |
Updates Go version and indirect golang.org/x/* dependency versions. |
deployments/go.sum |
Refreshes checksums for the deployments module after dependency updates. |
deployments/podman/go.mod |
Updates Go version, updates podman-related dependency set, and adds toolchain go1.25.10. |
deployments/podman/go.sum |
Refreshes checksums for the updated podman deployments module dependencies. |
pkg/KubeArmorController/go.mod |
Updates Go version, indirect dependencies, and adds toolchain go1.25.10. |
pkg/KubeArmorController/go.sum |
Refreshes checksums for controller module dependency updates. |
pkg/KubeArmorOperator/go.mod |
Updates Go version and indirect golang.org/x/* dependencies for the operator module. |
pkg/KubeArmorOperator/go.sum |
Refreshes checksums for operator module dependency updates. |
protobuf/go.mod |
Updates Go version, indirect golang.org/x/* versions, and adds toolchain go1.25.10. |
protobuf/go.sum |
Refreshes checksums for protobuf module dependency updates. |
tests/go.mod |
Updates Go version and a subset of indirect dependencies used by the tests module. |
tests/go.sum |
Refreshes checksums for tests module dependency updates. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
9f3e7a5 to
f330e45
Compare
|
@rksharma95 I've addressed the required changes PTAL. |
Signed-off-by: Athang69 <[email protected]>
AryanBakliwal
left a comment
There was a problem hiding this comment.
@Athang69 I see that apart from one go.mod file, the go version is 1.25.10 elsewhere. Let’s upgrade all go.mod files to go 1.26.0 for consistency.
Signed-off-by: Athang69 <[email protected]>
|
@AryanBakliwal bumped all go.mod files to go 1.26.0 in the latest commit. |
go-vuln is failing again, please check |
|
@AryanBakliwal Should I bump all go.mod files to go 1.26.3 to fix the stdlib vulnerabilities reported by govulncheck, or is there a preferred approach? |
Yes, bump all to 1.26.3 |
Signed-off-by: Athang69 <[email protected]>
Done, bumped all go.mod files to go 1.26.3 in the latest commit. |
Purpose of PR?:
Updates Go dependencies across all modules in the monorepo to resolve known security vulnerabilities detected by osv-scanner against the OSV database. This reduces the OpenSSF Scorecard Vulnerabilities score from 0/10 (20 vulnerabilities) to 5/10 (5 vulnerabilities). The remaining 5 have no patched version available upstream yet.
Related to #2566
Does this PR introduce a breaking change?
No. Changes are limited to go.mod, go.sum files, and Dockerfile base image version bumps to match the Go version upgrade. No source code is modified.
If the changes in this PR are manually verified, list down the scenarios covered:
osv-scanner scan --lockfile=<module>/go.modacross all 7 modules before and after changesFixed vulnerabilities:
Unfixable (no patched version available upstream):
Modules updated: KubeArmor/, pkg/KubeArmorController/, pkg/KubeArmorOperator/, deployments/, deployments/podman/, tests/, protobuf/
Dockerfiles updated: Dockerfile, pkg/KubeArmorController/Dockerfile, pkg/KubeArmorOperator/Dockerfile (base image bumped to golang:1.26 to match Go version upgrade)
Additional information for reviewer?:
Scanned using
osv-scannerwhich uses the same OSV database as OpenSSF Scorecard. The scorecard Vulnerabilities check was independently verified after pushing changes, confirming the reduction from 20 to 5 vulnerabilities.Checklist:
<type>(<scope>): <subject>