@xcoulon xcoulon commented Dec 10, 2025

see changes for the govulncheck-action in codeready-toolchain/toolchain-cicd#159

also, update vulns (require Go 1.24.11)

Signed-off-by: Xavier Coulon <[email protected]>

Summary by CodeRabbit

  • Chores
    • Updated vulnerability tracking configuration with extended silence dates for multiple existing vulnerabilities and incorporated two new vulnerability entries into the management system.
    • Refined CI/CD workflow configuration for vulnerability checking, streamlining workflow inputs while enabling enhanced debug capabilities for improved process monitoring and operational visibility.

coderabbitai bot commented Dec 10, 2025

Walkthrough

The pull request updates Go vulnerability checker configuration by adjusting workflow inputs (removing caching options, enabling debug mode) and updating vulnerability silencing dates for eight existing entries while adding two new tracked vulnerabilities to the configuration file.

Changes

Workflow Configuration (.github/workflows/govulncheck.yml): Removed the go-version-file and cache inputs from the govulncheck action invocation; added the debug: true input.

Vulnerability Configuration (.govulncheck.yaml): Updated silence-until dates for 8 existing vulnerabilities (GO-2025-4013, GO-2025-4012, GO-2025-4011, GO-2025-4010, GO-2025-4009, GO-2025-4008, GO-2025-4007, GO-2025-4006) from 2025-12-03 to 2026-01-09; added 2 new vulnerability entries (GO-2025-4155, GO-2025-4175) with silence-until: 2026-01-09.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • Workflow input changes are straightforward removals and additions with clear intent
  • Vulnerability date updates are mechanical changes affecting multiple entries consistently
  • New vulnerability entries follow existing structure and require verification of CVE metadata only

Suggested reviewers

  • alexeykazakov

Poem

🐰 Eight vulnerabilities now rest till twenty-twenty-six,
Two new threats join the list, our security mix,
Debug mode enabled, cache removed with care,
Hoppy patching season—vulnerabilities beware! 🛡️

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Title check (⚠️ Warning): The title 'govulncheck: run from a container' is misleading. The changes show only configuration updates to workflow inputs and vulnerability entries, with no Docker/container-related modifications evident in the changeset. Resolution: Update the title to accurately reflect the actual changes, such as 'govulncheck: update vulnerability entries and workflow configuration' or similar.

✅ Passed checks (2 passed)

Description Check (✅ Passed): Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Reviewing files that changed from the base of the PR and between 6ed5aee and 7ef0c1c.

📒 Files selected for processing (2)
  • .github/workflows/govulncheck.yml (1 hunks)
  • .govulncheck.yaml (1 hunks)
🔇 Additional comments (4)
.github/workflows/govulncheck.yml (1)

18-20: Verify that removed workflow inputs don't impact Go version or caching behavior.

The AI summary indicates that go-version-file and cache inputs were removed from the action invocation. Confirm that:

  1. Removing go-version-file doesn't cause version mismatches (relying on the ubuntu-24.04 runner's default Go version, which should match the requirement for Go 1.24.11 mentioned in the PR description).
  2. Removing the cache input doesn't negatively impact build performance in the CI pipeline.
  3. The govulncheck-action@master version supports the new debug: true flag.

Since the PR references changes in toolchain-cicd#159, verify that the action itself was updated to support these new inputs and no longer accepts the removed ones.

.govulncheck.yaml (3)

7-7: Verify the rationale for uniform silence-until date across all vulnerabilities.

All eight existing vulnerabilities have their silence-until dates updated to 2026-01-09 (approximately 31 days from the PR creation date). Confirm that this uniform re-synchronization was intentional and part of an upgrade window strategy.

Also applies to: 13-13, 19-19, 25-25, 31-31, 37-37, 43-43, 49-49
1-61: Well-structured configuration updates.

The .govulncheck.yaml file has been updated with consistent formatting and proper YAML syntax. The structure maintains consistency with existing entries, and the metadata for all vulnerabilities is complete. The silence-until dates align with the PR's objective to handle vulnerabilities requiring Go 1.24.11.
50-61: Vulnerability IDs GO-2025-4155 and GO-2025-4175 are correctly documented.

Both vulnerabilities are confirmed in the official Go vulnerability database:

  • GO-2025-4155 (CVE-2025-61729): Excessive resource consumption in crypto/x509 certificate validation due to unbounded host printing in HostnameError.Error() with quadratic runtime. Fixed in Go 1.24.11 and Go 1.25.5.
  • GO-2025-4175 (CVE-2025-61727): Improper application of excluded DNS name constraints in crypto/x509, allowing wildcard SANs to bypass constraint checks. Fixed in Go 1.24.11 and Go 1.25.5.

The fixed versions referenced (go1.24.11) are accurate, and the silence-until dates are reasonable for these recent vulnerabilities.

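As an added illustration, not code from this repository or from the govulncheck-action, here is a small Go check for the upgrade-window policy the review discusses: it reads silence-until entries and reports the IDs whose mute window has lapsed, so silences extended the way this PR extends them cannot be quietly forgotten. The two-key list schema (id, silence-until), the function names and the sample entries are assumptions; the real .govulncheck.yaml layout is not shown on this page.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

type Silence struct{ ID string; Until time.Time } // one muted finding and the last day it stays muted

// ParseSilences reads a minimal YAML list of "- id: X" / "silence-until: YYYY-MM-DD" items; this two-key schema is an assumption, not the real action's format.
func ParseSilences(doc string) ([]Silence, error) {
	var out []Silence
	for n, raw := range strings.Split(doc, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue // skip blank and comment lines
		}
		if strings.HasPrefix(line, "- ") { // "- " opens a new list item
			out = append(out, Silence{})
			line = strings.TrimPrefix(line, "- ")
		}
		key, val, ok := strings.Cut(line, ":")
		if !ok || len(out) == 0 {
			return nil, fmt.Errorf("line %d: unexpected %q", n+1, raw)
		}
		cur, val := &out[len(out)-1], strings.TrimSpace(val)
		switch strings.TrimSpace(key) {
		case "id":
			cur.ID = val
		case "silence-until":
			t, err := time.Parse("2006-01-02", val)
			if err != nil {
				return nil, fmt.Errorf("line %d: %w", n+1, err)
			}
			cur.Until = t
		}
	}
	return out, nil
}

// Lapsed returns the IDs whose mute window has passed on the given day; those findings must be fixed or re-justified, not quietly forgotten.
func Lapsed(s []Silence, today time.Time) (ids []string) {
	for _, e := range s {
		if today.After(e.Until) {
			ids = append(ids, e.ID)
		}
	}
	return ids
}
```

Wiring Lapsed into the CI job and failing the build on a non-empty result turns a forgotten silence-until into a visible error instead of a permanently muted finding.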

codecov bot commented Dec 10, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.86%. Comparing base (6ed5aee) to head (7ef0c1c).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #502   +/-   ##
=======================================
  Coverage   78.86%   78.86%           
=======================================
  Files          53       53           
  Lines        2210     2210           
=======================================
  Hits         1743     1743           
  Misses        404      404           
  Partials       63       63           

@xcoulon xcoulon merged commit 9f5a5e1 into codeready-toolchain:master Dec 11, 2025
13 checks passed