From 967fdf8904219c6783261171cc2bf48ea9478354 Mon Sep 17 00:00:00 2001
From: Xavier Coulon
Date: Wed, 10 Dec 2025 11:18:05 +0100
Subject: [PATCH 1/2] govulncheck: run from a container
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

see changes for the govulncheck-action in codeready-toolchain/toolchain-cicd#159 also, update ignored vulnerabilities (remove obsolete and unneeded 🤷‍♂️)

Signed-off-by: Xavier Coulon
---
 .github/workflows/govulncheck.yml | 5 ++---
 .govulncheck.yaml | 22 ++--------------------
 2 files changed, 4 insertions(+), 23 deletions(-)

diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index daf21ee4..b9f66984 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -16,6 +16,5 @@ jobs:
 - name: Run govulncheck
 uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
 with:
- go-version-file: go.mod
- cache: false
- config: .govulncheck.yaml
\ No newline at end of file
+ config: .govulncheck.yaml
+ debug: true # optional (default = false)
diff --git a/.govulncheck.yaml b/.govulncheck.yaml
index 190759b8..b7eb0585 100644
--- a/.govulncheck.yaml
+++ b/.govulncheck.yaml
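Review bot: `debug: true` is committed as a permanent setting on the govulncheck step even though its own inline comment says the default is `false`; if it was switched on to diagnose the container migration, drop the line or write `debug: false`, and if it is meant to stay, replace `# optional (default = false)` with a comment saying why the extra output is wanted on every run. Removing `go-version-file: go.mod` means the Go toolchain that runs govulncheck is no longer taken from the repository's go.mod; presumably the container image pins its own Go version, but the stdlib findings silenced in .govulncheck.yaml are version-specific (found in go1.23.12, fixed in go1.24.8/go1.24.9), so it is worth confirming the container's Go matches the module's before trusting the report. The step also references `govulncheck-action@master`, so each run executes whatever that branch holds at the time; pinning to a tag or full commit SHA would make the scan reproducible. The enclosing `jobs:` block starts outside the hunk.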
@@ -1,25 +1,7 @@
 ignored-vulnerabilities:
- # Parsing DER payload can cause memory exhaustion in encoding/asn1
- # Found in: encoding/asn1@go1.23.12
- # Fixed in: encoding/asn1@go1.24.8
- - id: GO-2025-4011
- info: https://pkg.go.dev/vuln/GO-2025-4011
- silence-until: 2025-12-03
-# Insufficient validation of bracketed IPv6 hostnames in net/url
+ # Insufficient validation of bracketed IPv6 hostnames in net/url
 # Found in: net/url@go1.23.12
 # Fixed in: net/url@go1.24.8
 - id: GO-2025-4010
 info: https://pkg.go.dev/vuln/GO-2025-4010
- silence-until: 2025-12-03
- # Quadratic complexity when parsing some invalid inputs in encoding/pem
- # Found in: encoding/pem@go1.23.12
- # Fixed in: encoding/pem@go1.24.8
- - id: GO-2025-4009
- info: https://pkg.go.dev/vuln/GO-2025-4009
- silence-until: 2025-12-03
- # Quadratic complexity when checking name constraints in crypto/x509
- # Found in: crypto/x509@go1.23.12
- # Fixed in: crypto/x509@go1.24.9
- - id: GO-2025-4007
- info: https://pkg.go.dev/vuln/GO-2025-4007
- silence-until: 2025-12-03
\ No newline at end of file
+ silence-until: 2026-01-03
\ No newline at end of file
From 740ea5a49d7e8dfaaef619e833f00ca32a6d5561 Mon Sep 17 00:00:00 2001
From: Xavier Coulon
Date: Thu, 11 Dec 2025 12:26:54 +0100
Subject: [PATCH 2/2] also, new vuln exclusions

Signed-off-by: Xavier Coulon
---
 .govulncheck.yaml | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/.govulncheck.yaml b/.govulncheck.yaml
index b7eb0585..f3307054 100644
--- a/.govulncheck.yaml
+++ b/.govulncheck.yaml
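Review bot: The retained GO-2025-4010 entry has its `silence-until` pushed from 2025-12-03 to 2026-01-03 with no recorded reason, while the comment directly above it already states the fix is available in net/url@go1.24.8; an exclusion that gets extended should say what blocks the toolchain bump, e.g. `# extended: waiting on the Go toolchain bump to >= 1.24.8 (TODO: link the tracking issue)`, so the next reader can tell a deliberate deferral from a forgotten one. The new side of the file still ends without a trailing newline (`\ No newline at end of file`), which yamllint reports; add the newline while touching this line. Re-indenting the `# Insufficient validation` comment to sit with its entry is a welcome fix.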
@@ -4,4 +4,23 @@ ignored-vulnerabilities:
 # Fixed in: net/url@go1.24.8
 - id: GO-2025-4010
 info: https://pkg.go.dev/vuln/GO-2025-4010
- silence-until: 2026-01-03
\ No newline at end of file
+ silence-until: 2026-01-03
+ # Quadratic complexity when checking name constraints in crypto/x509
+ # Found in: crypto/x509@go1.23.12
+ # Fixed in: crypto/x509@go1.24.9
+ - id: GO-2025-4007
+ info: https://pkg.go.dev/vuln/GO-2025-4007
+ silence-until: 2026-01-10
+ # Quadratic complexity when parsing some invalid inputs in encoding/pem
+ # Found in: encoding/pem@go1.23.12
+ # Fixed in: encoding/pem@go1.24.8
+ - id: GO-2025-4009
+ info: https://pkg.go.dev/vuln/GO-2025-4009
+ silence-until: 2026-01-10
+ # Parsing DER payload can cause memory exhaustion in encoding/asn1
+ # Found in: encoding/asn1@go1.23.12
+ # Fixed in: encoding/asn1@go1.24.8
+ - id: GO-2025-4011
+ info: https://pkg.go.dev/vuln/GO-2025-4011
+ silence-until: 2026-01-10
+ 
\ No newline at end of file
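Review bot: The final added line is whitespace-only and the file again ends without a newline (a `+` line holding only spaces, followed by `\ No newline at end of file`), which yamllint reports as trailing-spaces and new-line-at-end-of-file; end the file with `silence-until: 2026-01-10` followed by a single newline and nothing after it. These three entries (GO-2025-4007, GO-2025-4009, GO-2025-4011) are the ones the previous commit dropped as obsolete, now re-added with `silence-until: 2026-01-10` while GO-2025-4010 keeps 2026-01-03; since the comments show all four are fixed by the same Go 1.24.8/1.24.9 stdlib releases, one toolchain bump clears them together, so the dates should be aligned and the reason recorded once, e.g. `# all four silenced pending the Go toolchain bump to >= 1.24.9 (TODO: link the tracking issue)`. If they were restored because the scan inside the container now reports them against the container's Go version rather than go.mod's, that is worth stating in the commit message, because it changes which findings apply to the shipped binaries.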