Fix CVE-2026-33186, CVE-2026-25679, CVE-2026-27142, CVE-2026-27171, CVE-2025-60876 #235
kezhenxu94 wants to merge 3 commits into apache:main from
Conversation
…VE-2025-60876
- Upgrade google.golang.org/grpc from v1.78.0 to v1.79.3 (CVE-2026-33186)
- Upgrade Go from 1.25 to 1.25.8 (CVE-2026-25679, CVE-2026-27142)
- Upgrade Alpine base image from 3.19 to 3.21 (CVE-2026-27171, CVE-2025-60876)

- Fix go.mod: use 'go 1.25' + 'toolchain go1.25.8' (patch version not valid in go directive)
- Fix TestStaticServer: replace fixed sleep with retry loop since grpc.NewClient connects lazily and both connections may not be READY within 1 second
- Fix Istio E2E: add xpack.security.enabled=false for ES 8 compatibility

… operator
Following apache/skywalking@92a8f5d:
- Update SW_KUBERNETES_COMMIT_SHA to 2850db1502283a2d8516146c57cc2b49f1da934b (supports ECK operator with ES 8.18.8)
- Add ECK operator installation step before SkyWalking install
- Switch helm install from git-clone approach to OCI registry pull
- Replace --set elasticsearch.replicas/minimumMasterNodes with --set eckOperator.enabled=false
- Fix values file path (no longer relative to chart subdir)
- Remove xpack.security.enabled from values.yaml (ECK handles ES security)
Pull request overview
This PR primarily updates the Satellite component’s build/runtime dependencies to address multiple CVEs, and also adjusts Istio E2E installation steps and a gRPC client test to accommodate updated behavior.
Changes:
- Bump `google.golang.org/grpc` to v1.79.3 and add `toolchain go1.25.8` to remediate stdlib-related CVEs via Go toolchain patching.
- Update container images: builder to `golang:1.25.8` and runtime to `alpine:3.21` with `apk -U upgrade`.
- Modify Istio E2E setup to install SkyWalking via OCI Helm chart and install the ECK operator explicitly; tweak gRPC static client test retry logic.
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| test/e2e/case/istio/metrics/e2e.yaml | Switches E2E installation flow to OCI Helm chart and adds ECK operator installation step. |
| test/e2e/case/istio/als/e2e.yaml | Same as above for ALS scenario. |
| test/e2e/base/env | Updates the SkyWalking Kubernetes commit SHA used by E2E. |
| plugins/client/grpc/static_clients_test.go | Replaces fixed sleep with retry loop to handle lazy gRPC connections. |
| go.mod | Adds Go toolchain pin and bumps gRPC + genproto rpc versions. |
| go.sum | Updates checksums for gRPC bump and related transitive deps (e.g., OTel). |
| docker/Dockerfile | Pins build image to Go 1.25.8 and updates runtime base to Alpine 3.21 + upgrades packages. |
| allReceived := true | ||
| for _, r := range receivers { | ||
| if r.receiveCount <= 0 { | ||
| allReceived = false | ||
| break | ||
| } | ||
| } |
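Review bot: the `r.receiveCount <= 0` read in this loop is the unsynchronised side of the race flagged below; the smallest fix is to declare `receiveCount atomic.Int64` on the receiver, have Collect() call `r.receiveCount.Add(1)`, and compare `r.receiveCount.Load() <= 0` here, which keeps the test clean under `go test -race` without putting a mutex on the handler path.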
receiveCount is read here while it's incremented from the gRPC handler goroutines (see Collect()), which introduces a data race (and can make this test flaky under -race). Make receiveCount concurrency-safe (e.g., use sync/atomic for increments/loads or guard it with a mutex) and update the read/check logic accordingly.
| for time.Now().Before(deadline) { | ||
| for inx := 0; inx < serverCount; inx++ { | ||
| if _, err := jvmClient.Collect(context.Background(), &agent.JVMMetricCollection{}); err != nil { |
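Review bot: `context.Background()` on the Collect call means the `deadline` guard only runs between RPCs, so one call that stalls while grpc.NewClient is still establishing the connection can overrun the retry budget on its own; derive each call's context with `context.WithTimeout` from a parent bound to `deadline`, and make sure there is a short sleep between rounds (none is visible in these lines), otherwise a connection that is not yet READY is polled in a tight loop.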
The retry loop is bounded by deadline, but each RPC uses context.Background() so a single Collect call can block indefinitely (e.g., during connection establishment) and exceed the intended 30s bound. Use a per-RPC context with timeout/deadline (or reuse a context tied to deadline) so the test runtime is actually bounded and failures return promptly.
| for time.Now().Before(deadline) { | |
| for inx := 0; inx < serverCount; inx++ { | |
| if _, err := jvmClient.Collect(context.Background(), &agent.JVMMetricCollection{}); err != nil { | |
| ctx, cancel := context.WithDeadline(context.Background(), deadline) | |
| defer cancel() | |
| for time.Now().Before(deadline) { | |
| for inx := 0; inx < serverCount; inx++ { | |
| if _, err := jvmClient.Collect(ctx, &agent.JVMMetricCollection{}); err != nil { |
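The two review points above (an atomic `receiveCount` and a retry loop whose every RPC is bounded by the overall deadline) combined into one runnable sketch; this is an added example, not code from the PR or the Satellite project, and the `receiver` type and the `rpc` callback are assumptions standing in for the test's gRPC server and `jvmClient.Collect`.

```go
package main

import (
	"context"
	"sync/atomic"
	"time"
)

// receiver stands in for the test's server-side collector; gRPC handler
// goroutines bump receiveCount concurrently, so it is atomic, not a plain int.
type receiver struct{ receiveCount atomic.Int64 }

// Collect is what a handler goroutine runs for each incoming RPC.
func (r *receiver) Collect() { r.receiveCount.Add(1) }

// allReceived is the race-free form of the PR's check: Load() pairs with Add().
func allReceived(receivers []*receiver) bool {
	for _, r := range receivers {
		if r.receiveCount.Load() <= 0 {
			return false
		}
	}
	return true
}

// waitAllReceived retries rpc against each server until every receiver has seen
// a call or the overall deadline passes. Each attempt runs under a context tied
// to that deadline and capped by perRPC, so a call that hangs while the lazily
// connecting client is not yet READY cannot push the test past its bound.
func waitAllReceived(receivers []*receiver, rpc func(context.Context, int) error,
	overall, perRPC, pause time.Duration) bool {
	deadline := time.Now().Add(overall)
	root, cancel := context.WithDeadline(context.Background(), deadline)
	defer cancel()
	for time.Now().Before(deadline) {
		for i := range receivers {
			ctx, cancelRPC := context.WithTimeout(root, perRPC)
			_ = rpc(ctx, i) // errors are expected while connecting; just retry
			cancelRPC()
		}
		if allReceived(receivers) {
			return true
		}
		time.Sleep(pause)
	}
	return false
}
```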
| - name: Install ECK operator | ||
| command: | | ||
| helm pull oci://ghcr.io/apache/skywalking-helm/skywalking-helm \ | ||
| --version "0.0.0-${SW_KUBERNETES_COMMIT_SHA}" --untar | ||
| helm dep up skywalking-helm | ||
| helm -n istio-system install eck-operator skywalking-helm/charts/eck-operator-*.tgz \ | ||
| --create-namespace | ||
| kubectl -n istio-system rollout status --watch --timeout=120s statefulset/elastic-operator | ||
| - name: Install SkyWalking | ||
| command: | | ||
| rm -rf skywalking-kubernetes && git clone https://github.com/apache/skywalking-kubernetes.git | ||
| cd skywalking-kubernetes | ||
| git reset --hard $SW_KUBERNETES_COMMIT_SHA | ||
| cd chart | ||
| mkdir -p skywalking/files/conf.d/oap/ && cp ../../test/e2e/case/istio/metadata-service-mapping.yaml skywalking/files/conf.d/oap/metadata-service-mapping.yaml | ||
| helm dep up skywalking | ||
| helm -n istio-system install skywalking skywalking \ | ||
| --set fullnameOverride=skywalking \ | ||
| --set elasticsearch.replicas=1 \ | ||
| --set elasticsearch.minimumMasterNodes=1 \ | ||
| --set oap.env.SW_ENVOY_METRIC_ALS_HTTP_ANALYSIS=$ALS_ANALYZER \ | ||
| --set oap.env.SW_ENVOY_METRIC_ALS_TCP_ANALYSIS=$ALS_ANALYZER \ | ||
| --set oap.env.K8S_SERVICE_NAME_RULE='e2e::${service.metadata.name}' \ | ||
| --set oap.envoy.als.enabled=true \ | ||
| --set oap.replicas=1 \ | ||
| --set ui.image.repository=ghcr.io/apache/skywalking/ui \ | ||
| --set ui.image.tag=$SW_UI_COMMIT \ | ||
| --set oap.image.tag=$SW_OAP_COMMIT \ | ||
| --set oap.image.repository=ghcr.io/apache/skywalking/oap \ | ||
| --set oap.storageType=elasticsearch \ | ||
| --set oap.startupProbe.failureThreshold=60 \ | ||
| --set oap.startupProbe.tcpSocket.port=12800 \ | ||
| --set oap.startupProbe.initialDelaySeconds=120 \ | ||
| --set oap.startupProbe.periodSeconds=10 \ | ||
| --set satellite.enabled=true \ | ||
| --set satellite.image.repository=apache/skywalking-satellite \ | ||
| --set satellite.image.tag=vlatest \ | ||
| --set satellite.env.SATELLITE_GRPC_ACCEPT_LIMIT_CPU_UTILIZATION=100 \ | ||
| -f ../../test/e2e/case/istio/values.yaml | ||
| helm -n istio-system install skywalking \ | ||
| oci://ghcr.io/apache/skywalking-helm/skywalking-helm \ | ||
| --version "0.0.0-${SW_KUBERNETES_COMMIT_SHA}" \ | ||
| --set fullnameOverride=skywalking \ | ||
| --set eckOperator.enabled=false \ | ||
| --set oap.env.SW_ENVOY_METRIC_ALS_HTTP_ANALYSIS=$ALS_ANALYZER \ |
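Review bot: `skywalking-helm/charts/eck-operator-*.tgz` relies on a shell glob: if `helm dep up` leaves more than one eck-operator archive in charts/ the glob expands to several positional arguments and `helm install` rejects the command, and if nothing matches the literal pattern is passed through; pin the archive name to the version recorded in the chart's Chart.lock instead of a wildcard. The step also resolves `oci://ghcr.io/apache/skywalking-helm/skywalking-helm` at `0.0.0-${SW_KUBERNETES_COMMIT_SHA}` once here and again in the Install SkyWalking step; pulling once with `--untar` and installing both charts from the extracted directory avoids the second registry round-trip and guarantees both steps use the same chart contents.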
The PR description focuses on CVE/dependency and base-image upgrades, but these changes introduce a new E2E flow (switching SkyWalking install to the OCI Helm chart and adding an explicit ECK operator install). Please update the PR description to mention these E2E changes (or split them into a separate PR) so reviewers/maintainers understand the additional scope and risk.
| - name: Install ECK operator | ||
| command: | | ||
| helm pull oci://ghcr.io/apache/skywalking-helm/skywalking-helm \ | ||
| --version "0.0.0-${SW_KUBERNETES_COMMIT_SHA}" --untar | ||
| helm dep up skywalking-helm | ||
| helm -n istio-system install eck-operator skywalking-helm/charts/eck-operator-*.tgz \ | ||
| --create-namespace | ||
| kubectl -n istio-system rollout status --watch --timeout=120s statefulset/elastic-operator | ||
| - name: Install SkyWalking | ||
| command: | | ||
| rm -rf skywalking-kubernetes && git clone https://github.com/apache/skywalking-kubernetes.git | ||
| cd skywalking-kubernetes | ||
| git reset --hard $SW_KUBERNETES_COMMIT_SHA | ||
| cd chart | ||
| mkdir -p skywalking/files/conf.d/oap/ && cp ../../test/e2e/case/istio/metadata-service-mapping.yaml skywalking/files/conf.d/oap/metadata-service-mapping.yaml | ||
| helm dep up skywalking | ||
| helm -n istio-system install skywalking skywalking \ | ||
| --set fullnameOverride=skywalking \ | ||
| --set elasticsearch.replicas=1 \ | ||
| --set elasticsearch.minimumMasterNodes=1 \ | ||
| --set oap.env.SW_ENVOY_METRIC_ALS_HTTP_ANALYSIS=$ALS_ANALYZER \ | ||
| --set oap.env.SW_ENVOY_METRIC_ALS_TCP_ANALYSIS=$ALS_ANALYZER \ | ||
| --set oap.env.K8S_SERVICE_NAME_RULE='e2e::${service.metadata.name}' \ | ||
| --set oap.envoy.als.enabled=true \ | ||
| --set oap.replicas=1 \ | ||
| --set ui.image.repository=ghcr.io/apache/skywalking/ui \ | ||
| --set ui.image.tag=$SW_UI_COMMIT \ | ||
| --set oap.image.tag=$SW_OAP_COMMIT \ | ||
| --set oap.image.repository=ghcr.io/apache/skywalking/oap \ | ||
| --set oap.storageType=elasticsearch \ | ||
| --set oap.startupProbe.failureThreshold=60 \ | ||
| --set oap.startupProbe.tcpSocket.port=12800 \ | ||
| --set oap.startupProbe.initialDelaySeconds=120 \ | ||
| --set oap.startupProbe.periodSeconds=10 \ | ||
| --set satellite.enabled=true \ | ||
| --set satellite.image.repository=apache/skywalking-satellite \ | ||
| --set satellite.image.tag=vlatest \ | ||
| --set satellite.env.SATELLITE_GRPC_ACCEPT_LIMIT_CPU_UTILIZATION=100 \ | ||
| -f ../../test/e2e/case/istio/values.yaml | ||
| helm -n istio-system install skywalking \ | ||
| oci://ghcr.io/apache/skywalking-helm/skywalking-helm \ | ||
| --version "0.0.0-${SW_KUBERNETES_COMMIT_SHA}" \ | ||
| --set fullnameOverride=skywalking \ | ||
| --set eckOperator.enabled=false \ | ||
| --set oap.env.SW_ENVOY_METRIC_ALS_HTTP_ANALYSIS=$ALS_ANALYZER \ |
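Review bot: this block repeats the metrics scenario's ECK operator and OCI install sequence line for line, so the wildcard on `eck-operator-*.tgz` and the double resolution of the OCI chart apply here as well; extract the two steps into a shared script under test/e2e/base (where `SW_KUBERNETES_COMMIT_SHA` is already defined) so that a future fix lands in both scenarios at once.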
The PR description is framed as CVE/dependency and base-image upgrades, but this file also changes the Istio E2E setup (adds ECK operator installation and switches SkyWalking install to the OCI Helm chart). Please reflect this additional E2E scope in the PR description (or split it out) to keep the security-fix PR narrowly scoped and easier to review/rollback.
Summary
Fix the following CVEs in the satellite component:
Changes
- `google.golang.org/grpc` from v1.78.0 to v1.79.3
- `go1.25.8` to fix stdlib CVEs (CVE-2026-25679, CVE-2026-27142)
- `golang:1.25.8`
- `alpine:3.21` with `apk -U upgrade` to pick up patched busybox and zlib packages