From d492bf1d87989de068787645717caa9e8eb03409 Mon Sep 17 00:00:00 2001
From: cx-adar-zandberg
Date: Thu, 29 Jan 2026 14:23:37 +0200
Subject: [PATCH 1/2] fix: upgrade dependencies to fix security vulnerabilities

- containerd/v2: v2.1.4 -> v2.1.5 (fixes CVE-2025-64329, CVE-2024-25621)
- open-policy-agent/opa: v0.70.0 -> v1.4.2 (fixes CVE-2025-46569)
- runc: already at v1.3.3 (fixes CVE-2025-31133, CVE-2025-52565, CVE-2025-52881)

Jira tickets: AST-123981, AST-123980, AST-123302, AST-123300, AST-123298, AST-120967, AST-116271, AST-108828

Note: CVE-2019-25210 (helm) is disputed by vendor as intentional behavior.
Note: CVE-2025-27144 (go-jose v2) has no fix available for v2 branch - dependency is pulled by k8s.io/apiserver.
---
 go.mod | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index 78d86aa..06547b2 100644
--- a/go.mod
+++ b/go.mod
@@ -287,7 +287,8 @@ require (
 )
 
 replace (
-	github.com/containerd/containerd/v2 => github.com/containerd/containerd/v2 v2.1.4
+	github.com/containerd/containerd/v2 => github.com/containerd/containerd/v2 v2.1.5
+	github.com/open-policy-agent/opa => github.com/open-policy-agent/opa v1.4.2
 	github.com/opencontainers/runc => github.com/opencontainers/runc v1.3.3
 	google.golang.org/protobuf => google.golang.org/protobuf v1.33.0
 )

From bae934a526c84a2b31890deaaca5f331269e278c Mon Sep 17 00:00:00 2001
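Review bot: The new `replace` line for open-policy-agent/opa forces a v0.70.0 -> v1.4.2 major-version jump onto a module this project only pulls in transitively (the second patch's description attributes it to hcsshim), and a replace directive never touches a `require` entry, so `go list -m`, `go mod graph` and SCA scanners keep reporting v0.70.0 — the very gap the follow-up patch then tries to paper over. The idiomatic fix is to raise the requirement instead: `go get github.com/open-policy-agent/opa@v1.4.2 github.com/containerd/containerd/v2@v2.1.5 && go mod tidy` records `// indirect` requires at the fixed versions that minimal version selection honours, after which these replace lines can be dropped. OPA 1.x is a breaking release (Rego v1 syntax and the v1 API become the default), so whether hcsshim's policy code still compiles and evaluates identically against it is not established by the build succeeding; run the affected packages' tests before merging. If the replaces are kept, add a comment above the block such as `// Pinned to patch CVE-2025-64329, CVE-2024-25621 and CVE-2025-46569 in transitive deps; remove once upstream requires these versions.` so the pins are not left in place indefinitely.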
From: cx-adar-zandberg
Date: Thu, 29 Jan 2026 14:35:50 +0200
Subject: [PATCH 2/2] fix: upgrade hcsshim to address SCA scanner visibility

- Upgraded Microsoft/hcsshim from v0.13.1-0.20250731174403 to v0.14.0-rc.1
- This helps SCA scanners better detect the replaced versions
- Also upgraded spf13/viper to v1.20.1

Note: The vulnerable packages (containerd/v2, runc, opa) are transitive dependencies from hcsshim. The replace directives override these at build time, but SCA scanners may still report the declared versions from hcsshim's go.mod. Configure your SCA scanner to respect Go replace directives or use govulncheck for accurate vulnerability detection.
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index 06547b2..fcc0b1b 100644
--- a/go.mod
+++ b/go.mod
@@ -26,7 +26,7 @@ require (
 	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/Masterminds/squirrel v1.5.4 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/Microsoft/hcsshim v0.13.1-0.20250731174403-0842153594e0 // indirect
+	github.com/Microsoft/hcsshim v0.14.0-rc.1 // indirect
 	github.com/ProtonMail/go-crypto v1.1.6 // indirect
 	github.com/acobaugh/osrelease v0.1.0 // indirect
 	github.com/adrg/xdg v0.5.3 // indirect
@@ -212,7 +212,7 @@ require (
 	github.com/spf13/cast v1.7.1 // indirect
 	github.com/spf13/cobra v1.10.1 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
-	github.com/spf13/viper v1.20.0 // indirect
+	github.com/spf13/viper v1.20.1 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/sylabs/sif/v2 v2.21.1 // indirect
diff --git a/go.sum b/go.sum
index 7c088e7..cd893ce 100644
--- a/go.sum
+++ b/go.sum
@@ -91,8 +91,8 @@ github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA4
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/Microsoft/hcsshim v0.13.1-0.20250731174403-0842153594e0 h1:HBsAEmISuZmBrZJ0MUPKuQM06TsIrcixG8Had8haKbM=
-github.com/Microsoft/hcsshim v0.13.1-0.20250731174403-0842153594e0/go.mod h1:hTKFGbnDtQb1wHiOWv4v0eN+7boSWAHyK/tNAaYZL0c=
+github.com/Microsoft/hcsshim v0.14.0-rc.1 h1:qAPXKwGOkVn8LlqgBN8GS0bxZ83hOJpcjxzmlQKxKsQ=
+github.com/Microsoft/hcsshim v0.14.0-rc.1/go.mod h1:hTKFGbnDtQb1wHiOWv4v0eN+7boSWAHyK/tNAaYZL0c=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=
 github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
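Review bot: The added `/go.mod h1:` entry for hcsshim v0.14.0-rc.1 carries exactly the same hash (`hTKFGbnDtQb1wHiOWv4v0eN+7boSWAHyK/tNAaYZL0c=`) as the removed entry for v0.13.1-0.20250731174403-0842153594e0. If that hash is genuine, hcsshim's go.mod is byte-identical between the two versions, so the containerd/runc/opa versions it declares — which this commit's description says are what SCA scanners read — are unchanged and the bump cannot improve scanner visibility; if it is not genuine, go.sum was edited by hand and `go mod verify` or a clean `go mod download` will fail. Either way, regenerate the file with `go mod tidy`, run `go mod verify`, and confirm with `go mod download -json github.com/Microsoft/hcsshim@v0.14.0-rc.1` that the recorded `GoModSum` really matches before merging. Pulling a release candidate into a security-motivated bump also deserves a sentence of justification in the commit message, since a pre-release may still change before the final tag and the CVE fixes claimed here are tied to the pinned versions, not to hcsshim itself.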
@@ -876,8 +876,8 @@ github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.10.0/go.mod h1:SoyBPwAtKDzypXNDFKN5kzH7ppppbGZtls1UpIy5AsM=
-github.com/spf13/viper v1.20.0 h1:zrxIyR3RQIOsarIrgL8+sAvALXul9jeEPa06Y0Ph6vY=
-github.com/spf13/viper v1.20.0/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
+github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4=
+github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=