govulncheck: run from a container #1219
Skipping CI for Draft Pull Request.
Walkthrough: Updated CI workflows and vuln config: govulncheck action inputs changed (removed go-version-file/cache, added path and debug, ref updated); test-with-coverage fixed a misnamed setup key.
2f60f1f to 1b2c42d
51e556a to 6c00ebf
Actionable comments posted: 2
📒 Files selected for processing (3)
- .github/workflows/govulncheck.yml (1 hunk)
- .github/workflows/test-with-coverage.yml (1 hunk)
- .govulncheck.yaml (1 hunk)
🚧 Files skipped from review as they are similar to previous changes (2)
- .github/workflows/govulncheck.yml
- .github/workflows/test-with-coverage.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Build & push operator bundles for e2e tests
🔇 Additional comments (1)
.govulncheck.yaml (1)
7-7: Clarify the remediation timeline for silenced vulnerabilities.
All eight existing vulnerabilities (GO-2025-4013 through GO-2025-4006) have their silence-until dates extended to 2026-01-03, approximately one month from now. This pattern suggests a planned remediation effort tied to a specific deadline.
Verify that the remediation plan is on track (e.g., Go version upgrade, patch application, or architectural workaround) and will be completed before the silence expiration date.
Also applies to: 13-13, 19-19, 25-25, 31-31, 37-37, 43-43, 49-49
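A check a practitioner would want next to the review comment above, as an added example in Go that is not part of this PR, of host-operator, or of the govulncheck-action: it parses the id / info / silence-until entries of a .govulncheck.yaml-style file and fails when a silence has lapsed, is about to lapse, or carries an info URL for a different id, so that a date extension like the one in this PR is a deliberate act instead of something noticed when govulncheck starts failing. The parser handles only the three keys visible in the diff plus one top-level list key, which is assumed to be `ignore:`; the sample config embedded in the block is constructed from the two entries discussed in the review plus a placeholder entry (GO-0000-0001, not a real advisory) whose silence has already expired.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"time"
)

// sampleConfig is a constructed excerpt in the shape of .govulncheck.yaml. The
// top-level "ignore:" key is an assumption; the two GO-2025 entries mirror the
// review, GO-0000-0001 is a placeholder with a lapsed date and a wrong info URL.
const sampleConfig = `ignore:
  # Excessive resource consumption when printing error string for host certificate validation in crypto/x509
  # Found in: crypto/x509@go1.23.12
  # Fixed in: crypto/x509@go1.24.11 and crypto/x509@go1.25.5
  - id: GO-2025-4155
    info: https://pkg.go.dev/vuln/GO-2025-4155
    silence-until: 2026-01-03
  # Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
  - id: GO-2025-4175
    info: https://pkg.go.dev/vuln/GO-2025-4175
    silence-until: 2026-01-03
  # placeholder entry (constructed): lapsed silence, info URL for a different id
  - id: GO-0000-0001
    info: https://pkg.go.dev/vuln/GO-0000-0002
    silence-until: 2025-12-03
`

// SilenceEntry holds the three per-entry fields visible in the diff.
type SilenceEntry struct {
	ID           string
	Info         string
	SilenceUntil time.Time // zero when the entry carries no silence-until
}

// ParseSilences is a hand-written parser for the small YAML subset above
// (comment lines, "- id:", "info:", "silence-until:"), so no YAML library is needed.
func ParseSilences(doc string) ([]SilenceEntry, error) {
	var entries []SilenceEntry
	for n, raw := range strings.Split(doc, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		isItem := strings.HasPrefix(line, "- ")
		key, val, ok := strings.Cut(strings.TrimPrefix(line, "- "), ":")
		if !ok {
			return nil, fmt.Errorf("line %d: expected key: value, got %q", n+1, line)
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		if isItem {
			if key != "id" {
				return nil, fmt.Errorf("line %d: list item must start with id, got %q", n+1, key)
			}
			entries = append(entries, SilenceEntry{ID: val})
			continue
		}
		if len(entries) == 0 {
			continue // top-level keys such as "ignore:" carry no entry data
		}
		cur := &entries[len(entries)-1]
		switch key {
		case "info":
			cur.Info = val
		case "silence-until":
			t, err := time.Parse("2006-01-02", val)
			if err != nil {
				return nil, fmt.Errorf("line %d: bad silence-until %q: %w", n+1, val, err)
			}
			cur.SilenceUntil = t
		}
	}
	return entries, nil
}

// Report lists ids whose silence has lapsed (govulncheck will report them again),
// will lapse within the warning window, or whose info URL names a different id.
type Report struct {
	Expired, Expiring, Mismatch []string
}

// Audit classifies entries relative to now. An entry with no date counts as
// expired: an open-ended suppression should be reviewed, not carried forward.
func Audit(entries []SilenceEntry, now time.Time, window time.Duration) Report {
	var r Report
	for _, e := range entries {
		switch {
		case !e.SilenceUntil.After(now):
			r.Expired = append(r.Expired, e.ID)
		case e.SilenceUntil.Sub(now) <= window:
			r.Expiring = append(r.Expiring, e.ID)
		}
		if !strings.HasSuffix(e.Info, "/"+e.ID) {
			r.Mismatch = append(r.Mismatch, e.ID)
		}
	}
	return r
}

func main() {
	entries, err := ParseSilences(sampleConfig)
	if err != nil {
		fmt.Fprintln(os.Stderr, "parse:", err)
		os.Exit(2)
	}
	r := Audit(entries, time.Now().UTC(), 30*24*time.Hour)
	fmt.Printf("expired: %v\nexpiring within 30 days: %v\ninfo/id mismatch: %v\n", r.Expired, r.Expiring, r.Mismatch)
	if len(r.Expired) > 0 || len(r.Mismatch) > 0 {
		os.Exit(1) // fail the CI job instead of letting govulncheck surprise the next PR
	}
}
```

Run as a step before govulncheck in the workflow; the 30-day window is chosen so that an entry extended by one month, as in this PR, shows up as expiring on the very next run and forces the remediation question early.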
| # Excessive resource consumption when printing error string for host certificate validation in crypto/x509 | ||
| # Found in: crypto/[email protected] | ||
| # Fixed in: crypto/[email protected] | ||
| - id: GO-2025-4155 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4155 | ||
| silence-until: 2026-01-03 |
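Review bot: the entry extends the suppression but records nothing about what ends it. `silence-until` only stops govulncheck from reporting GO-2025-4155; binaries built from this repository keep the affected `crypto/x509` until the toolchain is bumped, and the review below establishes that the fix shipped in go1.24.11 and go1.25.5. The comment block should therefore name the planned remediation (the go.mod `go`/`toolchain` change that picks up a fixed release, and who owns it), and the entry should be deleted when that lands rather than pushed out again at the next expiry. The `Fixed in` comment is also incomplete for the reason the reviewer gives: it lists one fixed release where there are two.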
🧩 Analysis chain
🌐 Web query:
GO-2025-4155 golang vulnerability crypto/x509
💡 Result:
Summary: GO-2025-4155 (CVE-2025-61729) is an excessive-resource-consumption bug in crypto/x509: HostnameError.Error() could print an unbounded number of hosts using repeated string concatenation (quadratic runtime), allowing a malicious certificate to cause high CPU/memory use. Fixes limit the number of hosts and use strings.Builder. [1][2]
Affected Go releases:
- All 1.24.x before 1.24.11; all 1.25.x before 1.25.5. [1]
Fixed in:
- go1.24.11 and go1.25.5 (upgrade to these or later). [1][2]
References:
- OSV / GO-2025-4155 (alias CVE-2025-61729). [1]
- Go issue tracking & description (issue #76445). [2]
- Fix CL in the Go repo. [3]
If you want, I can provide exact upgrade commands for your platform or scan a go.mod to show whether your codebase is affected.
🏁 Script executed:
# Check if GO-2025-4155 appears elsewhere in the file
rg "GO-2025-4155" .govulncheck.yaml
# Also verify the file structure and list all vulnerability IDs
rg "^\s*- id: GO-" .govulncheck.yaml
Repository: codeready-toolchain/host-operator
🏁 Script executed:
# Attempt to read the .govulncheck.yaml file directly without cloning
cat .govulncheck.yaml | rg "GO-2025-4155"
Repository: codeready-toolchain/host-operator
🏁 Script executed:
# Try reading the file if it exists in the current context
fd "govulncheck.yaml" --exec cat {}
Repository: codeready-toolchain/host-operator
Add go1.25.5 to the fix version for GO-2025-4155.
The vulnerability GO-2025-4155 is published and legitimate (CVE-2025-61729), but the entry is incomplete. The vulnerability is fixed in both go1.24.11 and go1.25.5; the YAML should reflect both versions.
🤖 Prompt for AI Agents
In .govulncheck.yaml around lines 50 to 55, update the GO-2025-4155 entry so its
"Fixed in" field lists both go1.24.11 and go1.25.5; modify the comment or the
value that currently says "Fixed in: crypto/[email protected]" to include ",
crypto/[email protected]" (or add a second "Fixed in" entry if your schema prefers
multiple entries) so the YAML accurately reflects both fix versions for
CVE-2025-61729.
| # Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509 | ||
| # Found in: crypto/[email protected] | ||
| # Fixed in: crypto/[email protected] | ||
| - id: GO-2025-4175 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4175 | ||
| silence-until: 2026-01-03 |
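Review bot: this suppression is a different risk class from the one above it and should not share its timeline by default. GO-2025-4175 is a name-constraint bypass (per the summary further down: an excluded DNS name constraint does not block a leaf with a wildcard SAN), so chain verification can accept a certificate the constraining CA was meant to forbid. That is a verification-correctness bug, whereas GO-2025-4155 is resource exhaustion. Suggest the comment block state whether any trust store the operator verifies against contains name-constrained CAs; if the answer is yes or unknown, give this id a shorter `silence-until` than 2026-01-03 or land the toolchain bump first. The `Found in` / `Fixed in` lines also omit the 1.25.x range the reviewer lists.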
🧩 Analysis chain
🌐 Web query:
GO-2025-4175 Go vulnerability crypto/x509 DNS name constraints
💡 Result:
Summary: GO-2025-4175 (CVE-2025-61727) is a crypto/x509 bug where an excluded DNS name constraint in a certificate chain does not stop a leaf certificate from using a wildcard SAN (e.g., excluding test.example.com doesn’t block a leaf with SAN *.example.com). This can allow acceptance of certificates that should have been excluded. [1][2]
Affected Go versions:
- All releases before Go 1.24.11 (i.e., < 1.24.11).
- Go 1.25.0 through < 1.25.5. [1]
Fixes / Mitigation:
- Upgrade to Go 1.24.11 or Go 1.25.5 (these releases include the fix). [1][3]
References:
- Go vulnerability entry (GO-2025-4175 / pkg.go.dev). [1]
- Go issue discussing the bug (Issue #76442). [2]
- Gerrit CL with the fix. [3]
GO-2025-4175 is a legitimate vulnerability, but the entry is incomplete.
The vulnerability is verified as a real, published Go security issue (CVE-2025-61727) affecting crypto/x509 DNS name constraint validation with wildcard names. However, the entry only documents the fix for Go 1.24.11 and omits that this vulnerability also affects Go 1.25.0–1.25.4 and is fixed in Go 1.25.5. Update the entry to reflect all affected versions and fix versions for completeness.
🤖 Prompt for AI Agents
.govulncheck.yaml lines 56-61: the GO-2025-4175 entry is incomplete — update its
metadata to list all affected and fixed Go versions. Edit the entry to indicate
the vulnerability affects crypto/x509 in Go 1.23.12 and also Go 1.25.0–1.25.4,
and add the corresponding fix versions Go 1.24.11 and Go 1.25.5 (or merge into a
single affected/fixed field as project conventions require); ensure the info URL
remains and adjust the silence-until date only if policy requires.
6c00ebf to 5afef70
Actionable comments posted: 1
♻️ Duplicate comments (2)
.govulncheck.yaml (2)
50-55: Incomplete fix versions for GO-2025-4155 — still missing go1.25.5.
This was flagged in the previous review: GO-2025-4155 (CVE-2025-61729) is fixed in both go1.24.11 and go1.25.5, but the entry only documents the fix for go1.24.11. Update the comment or entry to reflect both fix versions.
Update the comment to include go1.25.5:
- # Fixed in: crypto/[email protected] + # Fixed in: crypto/[email protected] and crypto/[email protected]
56-61: Incomplete affected and fixed versions for GO-2025-4175 — missing Go 1.25.x details.
This was flagged in the previous review: GO-2025-4175 (CVE-2025-61727) affects Go 1.25.0–1.25.4 and is fixed in go1.25.5, but the entry only documents Go 1.23.12 (affected) and go1.24.11 (fixed). Update the entry to reflect all affected and fixed versions for completeness.
Update the comments to include Go 1.25 details:
- # Found in: crypto/[email protected] - # Fixed in: crypto/[email protected] + # Found in: crypto/[email protected] and Go 1.25.0-1.25.4 + # Fixed in: crypto/[email protected] and crypto/[email protected]
📒 Files selected for processing (3)
- .github/workflows/govulncheck.yml (1 hunk)
- .github/workflows/test-with-coverage.yml (1 hunk)
- .govulncheck.yaml (1 hunk)
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/workflows/test-with-coverage.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: GolangCI Lint
- GitHub Check: Build & push operator bundles for e2e tests
🔇 Additional comments (1)
.govulncheck.yaml (1)
7-7: Date extensions are consistent and policy-aligned.
All eight silence-until dates extended one month from 2025-12-03 to 2026-01-03. The updates appear intentional and consistent.
Also applies to: 13-13, 19-19, 25-25, 31-31, 37-37, 43-43, 49-49
.github/workflows/govulncheck.yml
| - name: Run govulncheck | ||
| uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master | ||
| uses: xcoulon/toolchain-cicd/govulncheck-action@govulncheck_dockerfile |
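Review bot: both sides of this change are mutable references, so the supply-chain concern is not only the personal fork. `xcoulon/toolchain-cicd/govulncheck-action@govulncheck_dockerfile` runs whatever is on a feature branch of a personal account, and the line it replaces, `@master` of the organization repository, is also re-resolved on every run: anyone who can push to that branch changes what executes in this job with nothing visible in this repository's history. Once codeready-toolchain/toolchain-cicd#159 is merged, reference the organization repository pinned to a full commit SHA with the branch or tag in a trailing comment, and since the action now runs govulncheck from a container (PR title), apply the same rule to the image on the toolchain-cicd side: pin it by digest rather than by tag.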
🧩 Analysis chain
🏁 Script executed:
# fd takes -t/--type, not find's -type/-name; the pattern is a positional argument
fd -t f "govulncheck.yml" | head -20
Repository: codeready-toolchain/host-operator
🌐 Web query:
codeready-toolchain host-operator govulncheck.yml xcoulon fork
💡 Result:
I couldn't find a public fork by user "xcoulon" of codeready-toolchain/host-operator that adds a govulncheck.yml. I did find:
- Xavier Coulon (xcoulon) GitHub profile/gists. [1]
- xcoulon/govulncheckx-action — a govulncheck GitHub Action that uses a .govulncheck.yaml/.govulncheckx.yaml config to ignore entries. [2]
- The upstream codeready-toolchain/host-operator repository (no obvious govulncheck.yml in main). [3]
If you want, I can:
- search deeper (include private forks if you give a GitHub link or username token), or
- show how to add a govulncheck workflow to a host-operator fork and open a PR. Which do you prefer?
Sources:
[1] https://gist.github.com/xcoulon
[2] https://github.com/xcoulon/govulncheckx-action
[3] https://github.com/codeready-toolchain/host-operator
🌐 Web query:
codeready-toolchain toolchain-cicd govulncheck-action repository
💡 Result:
Here are relevant repositories I found:
- govulncheck-action (official Go mirror on GitHub / canonical repo on go.googlesource.com). [golang/govulncheck-action]. [1][2]
- Alternative govulncheck-action that produces SARIF (Templum/govulncheck-action). [3]
- CodeReady Toolchain (GitHub org) — notable repos: host-operator, member-operator, api, toolchain-e2e. [4][5][6][7]
Sources:
- golang/govulncheck-action (GitHub mirror). [1]
- go.googlesource.com — govulncheck-action README. [2]
- Templum/govulncheck-action (SARIF uploader). [3]
- codeready-toolchain/host-operator (libraries.io / GitHub). [4]
- codeready-toolchain/member-operator (libraries.io / GitHub). [5]
- codeready-toolchain/api (libraries.io / GitHub). [6]
- codeready-toolchain/toolchain-e2e (libraries.io / GitHub). [7]
Would you like direct GitHub links or example workflow snippets for integrating govulncheck-action into a CodeReady Toolchain repo?
🌐 Web query:
site:github.com codeready-toolchain/toolchain-cicd govulncheck-action
💡 Result:
I searched GitHub for "site:github.com codeready-toolchain/toolchain-cicd govulncheck-action" and found no occurrences of govulncheck-action in the codeready-toolchain/toolchain-cicd repository.
Related govulncheck-action repositories I found:
- golang/govulncheck-action (official mirror). [1]
- Templum/govulncheck-action. [2]
- kmulvey/govulncheck-action. [3]
If you want, I can open the codeready-toolchain/toolchain-cicd repo and search its CI/workflow files directly for govulncheck references.
🌐 Web query:
site:github.com/codeready-toolchain/toolchain-cicd
💡 Result:
Found the GitHub repository codeready-toolchain/toolchain-cicd — a public repo containing GitHub Actions composite run steps and CI/CD scripts (Go + Shell + Makefile). It shows ~169 commits, 3 stars, 20 forks, and no releases. [1]
Sources
- GitHub: codeready-toolchain/toolchain-cicd (repository page). [1]
Action reference uses personal fork with feature branch — unsuitable for merging to master.
The action reference xcoulon/toolchain-cicd/govulncheck-action@govulncheck_dockerfile points to a personal fork instead of the organization repository (codeready-toolchain/toolchain-cicd), and references a feature branch rather than a stable release or stable branch reference. This pattern is unsuitable for production code merging to master.
Ensure the action reference uses the organization account with an appropriate stable branch or tag reference before merging. Additionally, verify the setup-go action mentioned in the PR description is properly defined in this workflow.
🤖 Prompt for AI Agents
In .github/workflows/govulncheck.yml around line 17, the workflow uses a
personal fork and feature branch reference
(xcoulon/toolchain-cicd@govulncheck_dockerfile); update this to reference the
organization repository and a stable tag or branch (e.g.,
codeready-toolchain/[email protected] or @main) to avoid relying on personal
forks/feature branches, and confirm or add the setup-go action step referenced
in the PR so it uses the official setup-go action (actions/setup-go@vX) or a
pinned tag; replace the action reference and verify workflow runs locally or via
CI to ensure no other missing/misnamed actions.
this needs to be updated once codeready-toolchain/toolchain-cicd#159 is merged
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Get details about the referenced PR #159 in toolchain-cicd repository
gh pr view 159 --repo codeready-toolchain/toolchain-cicd --json title,state,url,author,body,headRefName
@xcoulon, understood! I can see that PR #159 ("govulncheck: run from a Container") is currently open and uses the same govulncheck_dockerfile branch. Once that PR is merged to the codeready-toolchain/toolchain-cicd repository, you'll need to update line 17 in this workflow to reference the organization repository instead of your personal fork.
The update should change:
uses: xcoulon/toolchain-cicd/govulncheck-action@govulncheck_dockerfile
to something like:
uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
(or whichever stable branch/tag is appropriate after the merge)
Would you like me to create a follow-up issue to track this update, or will you handle it as part of the merge process?
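The pinning concern raised in this thread, as an added example that is not part of the PR, of host-operator, or of the toolchain-cicd repository: a Go scan of a workflow file that flags every `uses:` reference whose owner is outside an allow list or whose ref is anything other than a full 40-hex commit SHA. Both the personal-fork reference and the eventual `@master` reference fail the second check, which is the point: moving from a fork to the organization repository fixes ownership but not mutability. The workflow text embedded in the block is constructed for the example; the checkout SHA in it is a placeholder, not a real commit.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// sampleWorkflow is a constructed excerpt; the 40-hex checkout SHA is a
// placeholder and the two govulncheck-action lines are the refs discussed in the PR.
const sampleWorkflow = `name: govulncheck
on: [pull_request]
jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA, not a real commit
      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
      - name: Run govulncheck
        uses: xcoulon/toolchain-cicd/govulncheck-action@govulncheck_dockerfile
      - name: Run govulncheck (after toolchain-cicd#159 is merged)
        uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
`

// Finding is one uses: reference that fails the ownership or pinning policy.
type Finding struct {
	Line   int
	Uses   string
	Reason string
}

// fullSHA matches an immutable ref: a complete lowercase hex commit id.
var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// AuditUses scans workflow text line by line for uses: references. Local (./)
// and docker:// references are out of scope; everything else must name an
// allowed owner and be pinned to a full commit SHA. A trailing "# v4"-style
// comment after the SHA is permitted and ignored.
func AuditUses(workflow string, allowedOwners []string) []Finding {
	allowed := make(map[string]bool, len(allowedOwners))
	for _, o := range allowedOwners {
		allowed[o] = true
	}
	var findings []Finding
	for n, raw := range strings.Split(workflow, "\n") {
		line := strings.TrimPrefix(strings.TrimSpace(raw), "- ")
		if !strings.HasPrefix(line, "uses:") {
			continue
		}
		ref := strings.TrimSpace(strings.TrimPrefix(line, "uses:"))
		if i := strings.Index(ref, " #"); i >= 0 {
			ref = strings.TrimSpace(ref[:i])
		}
		ref = strings.Trim(ref, `"'`)
		if strings.HasPrefix(ref, "./") || strings.HasPrefix(ref, "docker://") {
			continue
		}
		action, version, ok := strings.Cut(ref, "@")
		if !ok {
			findings = append(findings, Finding{n + 1, ref, "no @ref (GitHub requires one for remote actions)"})
			continue
		}
		owner, _, _ := strings.Cut(action, "/")
		if !allowed[owner] {
			findings = append(findings, Finding{n + 1, ref, "owner " + owner + " is not in the allow list"})
		}
		if !fullSHA.MatchString(version) {
			findings = append(findings, Finding{n + 1, ref, "ref " + version + " is mutable; pin a full commit SHA"})
		}
	}
	return findings
}

func main() {
	findings := AuditUses(sampleWorkflow, []string{"actions", "codeready-toolchain"})
	for _, f := range findings {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Uses, f.Reason)
	}
	if len(findings) > 0 {
		os.Exit(1) // fail the job so an unpinned or foreign action cannot be merged unnoticed
	}
}
```

The allow list is deliberately an input rather than a constant: the organization name belongs in the job that runs the scan, and a personal fork used during development then fails the check until the change is merged upstream and re-pinned.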
9baa5de to d88c35e
see codeready-toolchain/toolchain-cicd#159
Signed-off-by: Xavier Coulon <[email protected]>
d88c35e to c756495
MatousJobanek
left a comment
cool 👍
| uses: actions/setup-go@v6 | ||
| with: | ||
| go-version file: go.mod | ||
| go-version-file: go.mod |
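Review bot: worth recording why `go-version file` mattered, not only that it was renamed. GitHub Actions does not fail a step on an unknown `with:` key; it logs a warning and runs the action without that input, so until this fix the coverage job ran with whatever Go version setup-go selects when no version input is supplied rather than the one declared in go.mod. Consider a step after setup-go that runs `go version` and compares it with the `go`/`toolchain` directive in go.mod, so a regression of this kind fails the job instead of warning into the log.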
nice catch 👍
thanks ;)
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: MatousJobanek, xcoulon
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Codecov Report: All modified and coverable lines are covered by tests. Your changes status has failed because you have indirect coverage changes.
@@            Coverage Diff             @@
##           master    #1219      +/-   ##
==========================================
- Coverage   70.12%   70.11%   -0.02%
==========================================
  Files          84       84
  Lines        6561     6561
==========================================
- Hits         4601     4600       -1
- Misses       1748     1749       +1
  Partials      212      212
see changes for the govulncheck-action in codeready-toolchain/toolchain-cicd#159
as a small side effect, we need to check out the code in the workflow here
Signed-off-by: Xavier Coulon [email protected]