govulncheck: run from a container #1219
@@ -25,7 +25,7 @@ jobs: | |
| - name: Install Go | ||
| uses: actions/setup-go@v6 | ||
| with: | ||
| go-version file: go.mod | ||
| go-version-file: go.mod | ||
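Review bot: the corrected key `go-version-file: go.mod` is the right fix, but it is worth stating what the misspelt `go-version file` did: GitHub Actions only warns about an input a step does not declare, so setup-go ran with no version at all and govulncheck scanned with whatever Go the runner happened to provide, not the version pinned in go.mod. Because the `.govulncheck.yaml` in this same PR silences stdlib advisories by the Go patch release that fixes them, the findings this job reports depend entirely on that toolchain choice; re-run the job and confirm the Go version printed by setup-go matches go.mod before relying on a green result. Separately, `uses: actions/setup-go@v6` is a moving major tag; pinning to a full commit SHA (with the tag in a trailing comment) keeps the step from changing after review.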
Contributor: nice catch 👍

Contributor (Author): thanks ;)

| - name: generate | ||
| run: | | ||
@@ -4,46 +4,58 @@ ignored-vulnerabilities: | |
| # Fixed in: crypto/[email protected] | ||
| - id: GO-2025-4013 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4013 | ||
| silence-until: 2025-12-03 | ||
| silence-until: 2026-01-03 | ||
| # Lack of limit when parsing cookies can cause memory exhaustion in net/http | ||
| # Found in: net/[email protected] | ||
| # Fixed in: net/[email protected] | ||
| - id: GO-2025-4012 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4012 | ||
| silence-until: 2025-12-03 | ||
| silence-until: 2026-01-03 | ||
| # Parsing DER payload can cause memory exhaustion in encoding/asn1 | ||
| # Found in: encoding/[email protected] | ||
| # Fixed in: encoding/[email protected] | ||
| - id: GO-2025-4011 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4011 | ||
| silence-until: 2025-12-03 | ||
| silence-until: 2026-01-03 | ||
| # Insufficient validation of bracketed IPv6 hostnames in net/url | ||
| # Found in: net/[email protected] | ||
| # Fixed in: net/[email protected] | ||
| - id: GO-2025-4010 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4010 | ||
| silence-until: 2025-12-03 | ||
| silence-until: 2026-01-03 | ||
| # Quadratic complexity when parsing some invalid inputs in encoding/pem | ||
| # Found in: encoding/[email protected] | ||
| # Fixed in: encoding/[email protected] | ||
| - id: GO-2025-4009 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4009 | ||
| silence-until: 2025-12-03 | ||
| silence-until: 2026-01-03 | ||
| # ALPN negotiation error contains attacker controlled information in crypto/tls | ||
| # Found in: crypto/[email protected] | ||
| # Fixed in: crypto/[email protected] | ||
| - id: GO-2025-4008 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4008 | ||
| silence-until: 2025-12-03 | ||
| silence-until: 2026-01-03 | ||
| # Quadratic complexity when checking name constraints in crypto/x509 | ||
| # Found in: crypto/[email protected] | ||
| # Fixed in: crypto/[email protected] | ||
| - id: GO-2025-4007 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4007 | ||
| silence-until: 2025-12-03 | ||
| silence-until: 2026-01-03 | ||
| # Excessive CPU consumption in ParseAddress in net/mail | ||
| # Found in: net/[email protected] | ||
| # Fixed in: net/[email protected] | ||
| - id: GO-2025-4006 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4006 | ||
| silence-until: 2025-12-03 | ||
| silence-until: 2026-01-03 | ||
| # Excessive resource consumption when printing error string for host certificate validation in crypto/x509 | ||
| # Found in: crypto/[email protected] | ||
| # Fixed in: crypto/[email protected] | ||
| - id: GO-2025-4155 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4155 | ||
| silence-until: 2026-01-03 | ||
Comment on lines +50 to +55

🌐 Web query:

💡 Result: Summary: GO-2025-4155 (CVE-2025-61729) is an excessive-resource-consumption bug in crypto/x509: HostnameError.Error() could print an unbounded number of hosts using repeated string concatenation (quadratic runtime), allowing a malicious certificate to cause high CPU/memory use. Fixes limit the number of hosts and use strings.Builder. [1][2]

Affected Go releases:

Fixed in:

References:

If you want, I can provide exact upgrade commands for your platform or scan a go.mod to show whether your codebase is affected.

🏁 Script executed:

```shell
# Check if GO-2025-4155 appears elsewhere in the file
rg "GO-2025-4155" .govulncheck.yaml
# Also verify the file structure and list all vulnerability IDs
rg "^\s*- id: GO-" .govulncheck.yaml
```

Repository: codeready-toolchain/host-operator

🏁 Script executed:

```shell
# Attempt to read the .govulncheck.yaml file directly without cloning
cat .govulncheck.yaml | rg "GO-2025-4155"
```

🏁 Script executed:

```shell
# Try reading the file if it exists in the current context
fd "govulncheck.yaml" --exec cat {}
```

Add go1.25.5 to the fix version for GO-2025-4155. The vulnerability GO-2025-4155 is published and legitimate (CVE-2025-61729), but the entry is incomplete. The vulnerability is fixed in both go1.24.11 and go1.25.5; the YAML should reflect both versions.

| # Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509 | ||
| # Found in: crypto/[email protected] | ||
| # Fixed in: crypto/[email protected] | ||
| - id: GO-2025-4175 | ||
| info: https://pkg.go.dev/vuln/GO-2025-4175 | ||
| silence-until: 2026-01-03 | ||
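Review bot: the substantive change in this hunk is pushing every `silence-until` from 2025-12-03 to 2026-01-03 and adding two more entries with that same date, while each entry's own `# Fixed in:` comment says the fix is a shipped Go patch release. A date-based snooze on an advisory whose fix already exists hides the finding without reducing the exposure; the durable fix is bumping the toolchain in go.mod (which the workflow now reads through go-version-file) and deleting these entries in the same change. Two points deserve attention in particular: GO-2025-4175 (excluded DNS name constraints not applied to wildcard names in crypto/x509) is a certificate verification bypass, not a resource-exhaustion bug like the rest of the list, so it warrants an explicit justification rather than the blanket month; and with the dates extended a second time and no linked issue, nothing forces them to be revisited. Suggest a comment per entry pointing at the toolchain-bump PR or tracking issue, and keeping the ids in order (the new GO-2025-4155 and GO-2025-4175 entries sit after GO-2025-4006).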
Comment on lines +56 to +61

🌐 Web query:

💡 Result: Summary: GO-2025-4175 (CVE-2025-61727) is a crypto/x509 bug where an excluded DNS name constraint in a certificate chain does not stop a leaf certificate from using a wildcard SAN (e.g., excluding test.example.com doesn’t block a leaf with SAN *.example.com). This can allow acceptance of certificates that should have been excluded. [1][2]

Affected Go versions:

Fixes / Mitigation:

References:

GO-2025-4175 is a legitimate vulnerability, but the entry is incomplete. The vulnerability is verified as a real, published Go security issue (CVE-2025-61727) affecting crypto/x509 DNS name constraint validation with wildcard names. However, the entry only documents the fix for Go 1.24.11 and omits that this vulnerability also affects Go 1.25.0–1.25.4 and is fixed in Go 1.25.5. Update the entry to reflect all affected versions and fix versions for completeness.

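The ignore file in this diff is the kind of list that quietly goes stale: once go.mod moves past an entry's `# Fixed in:` version the entry hides nothing, and once `silence-until` passes the finding reappears unannounced. The program below is an added example, not code from host-operator or from the govulncheck action it uses. It audits such a file against a toolchain version and a date and assumes the comment form `# Fixed in: <package>@go<version>` (the rendering above obscures the exact text after the `@`) and that an entry is still silenced on its `silence-until` day. The sample input is constructed from three ids in the diff: GO-2025-4155 is deliberately given the pre-PR date, and GO-2025-4006 is given neither a fix comment nor a date, so that every verdict is exercised.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// IgnoreEntry is one item under ignored-vulnerabilities in .govulncheck.yaml
// (the id / info / silence-until shape used in the diff above).
type IgnoreEntry struct {
	ID           string
	Info         string
	SilenceUntil time.Time // zero if the entry has no silence-until
	FixedIn      string    // e.g. "go1.24.11", taken from the preceding "# Fixed in:" comment; "" if none
}

// Status is the audit verdict for one entry.
type Status string

const (
	StatusActive   Status = "active"     // silenced, and the toolchain really is still vulnerable
	StatusExpired  Status = "expired"    // silence-until has passed; govulncheck reports it again
	StatusObsolete Status = "obsolete"   // toolchain already contains the fix; delete the entry
	StatusOpenEnd  Status = "open-ended" // no silence-until at all; never resurfaces on its own
)

var (
	// ASSUMPTION: the comment has the form "# Fixed in: <pkg>@go<ver>".
	fixedInRe = regexp.MustCompile(`^#\s*Fixed in:\s*\S+@(go\d+\.\d+(?:\.\d+)?)\s*$`)
	idRe      = regexp.MustCompile(`^-\s*id:\s*(\S+)`)
	infoRe    = regexp.MustCompile(`^info:\s*(\S+)`)
	untilRe   = regexp.MustCompile(`^silence-until:\s*(\d{4}-\d{2}-\d{2})`)
	goVerRe   = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?$`)
)

// ParseIgnoreFile is a line-oriented parse of the small YAML subset the file
// uses; it is not a general YAML parser. A "# Fixed in:" comment attaches to
// the next "- id:" entry.
func ParseIgnoreFile(text string) ([]IgnoreEntry, error) {
	var entries []IgnoreEntry
	pendingFix := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case fixedInRe.MatchString(line):
			pendingFix = fixedInRe.FindStringSubmatch(line)[1]
		case idRe.MatchString(line):
			entries = append(entries, IgnoreEntry{ID: idRe.FindStringSubmatch(line)[1], FixedIn: pendingFix})
			pendingFix = ""
		case infoRe.MatchString(line) && len(entries) > 0:
			entries[len(entries)-1].Info = infoRe.FindStringSubmatch(line)[1]
		case untilRe.MatchString(line) && len(entries) > 0:
			t, err := time.Parse("2006-01-02", untilRe.FindStringSubmatch(line)[1])
			if err != nil {
				return nil, fmt.Errorf("entry %s: %w", entries[len(entries)-1].ID, err)
			}
			entries[len(entries)-1].SilenceUntil = t
		}
	}
	return entries, sc.Err()
}

// CompareGoVersion orders versions numerically (go1.24.9 < go1.24.10 < go1.25.0)
// and rejects anything that is not a plain goX.Y[.Z] string.
func CompareGoVersion(a, b string) (int, error) {
	pa, err := goVersionParts(a)
	if err != nil {
		return 0, err
	}
	pb, err := goVersionParts(b)
	if err != nil {
		return 0, err
	}
	for i := range pa {
		if pa[i] < pb[i] {
			return -1, nil
		}
		if pa[i] > pb[i] {
			return 1, nil
		}
	}
	return 0, nil
}

func goVersionParts(v string) ([3]int, error) {
	var parts [3]int
	m := goVerRe.FindStringSubmatch(v)
	if m == nil {
		return parts, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, s := range m[1:] {
		if s != "" {
			parts[i], _ = strconv.Atoi(s) // regexp guarantees digits
		}
	}
	return parts, nil
}

// Classify decides what to do with one entry. "Obsolete" wins over the date
// checks: an entry whose fix is already in the toolchain hides nothing.
// ASSUMPTION: an entry is still silenced on the silence-until day itself.
func Classify(e IgnoreEntry, toolchain string, today time.Time) (Status, error) {
	if e.FixedIn != "" {
		c, err := CompareGoVersion(toolchain, e.FixedIn)
		if err != nil {
			return "", err
		}
		if c >= 0 {
			return StatusObsolete, nil
		}
	}
	if e.SilenceUntil.IsZero() {
		return StatusOpenEnd, nil
	}
	if today.After(e.SilenceUntil) {
		return StatusExpired, nil
	}
	return StatusActive, nil
}

// Audit returns the verdict per vulnerability id.
func Audit(yamlText, toolchain string, today time.Time) (map[string]Status, error) {
	entries, err := ParseIgnoreFile(yamlText)
	if err != nil {
		return nil, err
	}
	out := make(map[string]Status, len(entries))
	for _, e := range entries {
		s, err := Classify(e, toolchain, today)
		if err != nil {
			return nil, err
		}
		out[e.ID] = s
	}
	return out, nil
}

// SampleIgnoreFile is constructed for this example from three ids in the diff;
// the dates and the missing fix comment on the last entry are deliberate.
const SampleIgnoreFile = `ignored-vulnerabilities:
  # Excessive resource consumption when printing error string for host certificate validation in crypto/x509
  # Fixed in: crypto/x509@go1.24.11
  - id: GO-2025-4155
    info: https://pkg.go.dev/vuln/GO-2025-4155
    silence-until: 2025-12-03
  # Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
  # Fixed in: crypto/x509@go1.24.11
  - id: GO-2025-4175
    info: https://pkg.go.dev/vuln/GO-2025-4175
    silence-until: 2026-01-03
  # Excessive CPU consumption in ParseAddress in net/mail
  - id: GO-2025-4006
    info: https://pkg.go.dev/vuln/GO-2025-4006
`

func main() {
	today := time.Date(2025, 12, 10, 0, 0, 0, 0, time.UTC) // constructed "today"
	for _, tc := range []string{"go1.24.10", "go1.24.11"} {
		verdicts, err := Audit(SampleIgnoreFile, tc, today)
		if err != nil {
			panic(err)
		}
		fmt.Printf("toolchain %s: %v\n", tc, verdicts)
	}
}
```

Run it against the real file with the `toolchain` line from go.mod: an `obsolete` verdict means the entry should be deleted alongside the toolchain bump rather than re-dated, and `open-ended` entries deserve either a date or a link to the issue that will close them.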
🌐 Web query: codeready-toolchain host-operator govulncheck.yml xcoulon fork

💡 Result: I couldn't find a public fork by user "xcoulon" of codeready-toolchain/host-operator that adds a govulncheck.yml. I did find:

If you want, I can:

Sources:
[1] https://gist.github.com/xcoulon
[2] https://github.com/xcoulon/govulncheckx-action
[3] https://github.com/codeready-toolchain/host-operator

🌐 Web query: codeready-toolchain toolchain-cicd govulncheck-action repository

💡 Result: Here are relevant repositories I found:

Sources:

Would you like direct GitHub links or example workflow snippets for integrating govulncheck-action into a CodeReady Toolchain repo?

🌐 Web query: site:github.com codeready-toolchain/toolchain-cicd govulncheck-action

💡 Result: I searched GitHub for "site:github.com codeready-toolchain/toolchain-cicd govulncheck-action" and found no occurrences of govulncheck-action in the codeready-toolchain/toolchain-cicd repository.

Related govulncheck-action repositories I found:

If you want, I can open the codeready-toolchain/toolchain-cicd repo and search its CI/workflow files directly for govulncheck references.

🌐 Web query: site:github.com/codeready-toolchain/toolchain-cicd

💡 Result: Found the GitHub repository codeready-toolchain/toolchain-cicd — a public repo containing GitHub Actions composite run steps and CI/CD scripts (Go + Shell + Makefile). It shows ~169 commits, 3 stars, 20 forks, and no releases. [1]

Sources

Action reference uses personal fork with feature branch — unsuitable for merging to master.

The action reference `xcoulon/toolchain-cicd/govulncheck-action@govulncheck_dockerfile` points to a personal fork instead of the organization repository (codeready-toolchain/toolchain-cicd), and references a feature branch rather than a stable release or stable branch reference. This pattern is unsuitable for production code merging to master. Ensure the action reference uses the organization account with an appropriate stable branch or tag reference before merging. Additionally, verify the setup-go action mentioned in the PR description is properly defined in this workflow.
xcoulon (Author): this needs to be updated once codeready-toolchain/toolchain-cicd#159 is merged
@xcoulon, understood! I can see that PR #159 ("govulncheck: run from a Container") is currently open and uses the same `govulncheck_dockerfile` branch. Once that PR is merged to the `codeready-toolchain/toolchain-cicd` repository, you'll need to update line 17 in this workflow to reference the organization repository instead of your personal fork. The update should change:

to something like:

(or whichever stable branch/tag is appropriate after the merge)

Would you like me to create a follow-up issue to track this update, or will you handle it as part of the merge process?
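The last thread is about a `uses:` reference that points at a personal fork on a feature branch. The function below is an added example, not part of host-operator or toolchain-cicd, of the pre-merge check that would have caught it: it scans a workflow for `uses:` lines and flags any owner outside an allow-list and any ref that is not an immutable pin. The policy is this example's own and is stricter than the thread's "stable branch or tag": only a full 40-hex commit SHA or an exact vX.Y.Z tag passes, so a branch name and a floating major tag such as `v6` are both flagged. The sample workflow is constructed from the two references visible on this page plus one corrected reference whose SHA is a dummy placeholder, not a real commit.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// UsesFinding records one `uses:` reference and why it would block a merge.
type UsesFinding struct {
	Ref    string
	Issues []string // empty when the reference passes
}

var (
	usesRe   = regexp.MustCompile(`^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)`)
	shaRe    = regexp.MustCompile(`^[0-9a-f]{40}$`)
	semverRe = regexp.MustCompile(`^v\d+\.\d+\.\d+$`)
)

// DefaultAllowedOwners is this example's allow-list: the organisation itself
// and GitHub's own actions. Anything else (a personal fork included) is flagged.
var DefaultAllowedOwners = map[string]bool{
	"actions":             true,
	"codeready-toolchain": true,
}

// LintUses returns one finding per `uses:` line. Policy (this example's, not the
// project's): owner must be allow-listed; ref must be a full commit SHA or an
// exact vX.Y.Z tag. Branch names and floating major tags can be moved after
// review, so they never pass.
func LintUses(workflow string, allowedOwners map[string]bool) []UsesFinding {
	var out []UsesFinding
	sc := bufio.NewScanner(strings.NewReader(workflow))
	for sc.Scan() {
		m := usesRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		f := UsesFinding{Ref: m[1]}
		if strings.HasPrefix(f.Ref, "./") || strings.HasPrefix(f.Ref, "docker://") {
			out = append(out, f) // local and container actions are outside this check
			continue
		}
		repo, version, hasRef := strings.Cut(f.Ref, "@")
		owner, _, _ := strings.Cut(repo, "/")
		if !allowedOwners[owner] {
			f.Issues = append(f.Issues, fmt.Sprintf("owner %q is not an approved source (personal fork?)", owner))
		}
		switch {
		case !hasRef:
			f.Issues = append(f.Issues, "no @ref at all; the default branch is used")
		case shaRe.MatchString(version), semverRe.MatchString(version):
			// immutable enough for this policy
		default:
			f.Issues = append(f.Issues, fmt.Sprintf("ref %q is a branch or floating tag, not an immutable pin", version))
		}
		out = append(out, f)
	}
	return out
}

// HasBlockingIssues reports whether any reference failed the policy.
func HasBlockingIssues(findings []UsesFinding) bool {
	for _, f := range findings {
		if len(f.Issues) > 0 {
			return true
		}
	}
	return false
}

// SampleWorkflow is constructed from the two references on this page plus a
// corrected one; the 40 "a"s stand in for a real commit SHA.
var SampleWorkflow = `jobs:
  govulncheck:
    steps:
      - name: Install Go
        uses: actions/setup-go@v6
      - name: govulncheck
        uses: xcoulon/toolchain-cicd/govulncheck-action@govulncheck_dockerfile
      - name: govulncheck (corrected; dummy SHA)
        uses: codeready-toolchain/toolchain-cicd/govulncheck-action@` + strings.Repeat("a", 40) + "\n"

func main() {
	for _, f := range LintUses(SampleWorkflow, DefaultAllowedOwners) {
		fmt.Printf("%s -> %v\n", f.Ref, f.Issues)
	}
}
```

Wired into CI as a required check, this fails the PR on the fork reference before a human has to notice it, and keeps failing after the follow-up swap to the organisation repo until the ref is an actual pin rather than a branch.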