Skip to content

fix(security): remediate CVE vulnerabilities#542

Merged
bobh66 merged 2 commits intocrossplane-contrib:release-0.11from
upbound-bot:fix/cve-remediation-release-0.11-20260226-225014
Feb 27, 2026
Merged

fix(security): remediate CVE vulnerabilities#542
bobh66 merged 2 commits intocrossplane-contrib:release-0.11from
upbound-bot:fix/cve-remediation-release-0.11-20260226-225014

Conversation

@upbound-bot
Copy link

@upbound-bot upbound-bot commented Feb 26, 2026
edited
Loading

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

CVE/GHSA Severity Package Fixed Version
CVE-2025-68121 Critical stdlib go1.24.13
CVE-2025-61726 High stdlib go1.24.13
CVE-2025-61731 High stdlib go1.24.13
CVE-2025-61732 High stdlib go1.24.13
CVE-2025-61728 Medium stdlib go1.24.13
CVE-2025-61730 Medium stdlib go1.24.13

Changes Made

  • Updated Go version from 1.24.11 to 1.24.13 in go.mod

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

@ulucinar
fix(security): remediate CVE vulnerabilities
96aeb53 
- Update Go version to 1.24.13 (fixes CVE-2025-68121, CVE-2025-61726,
  CVE-2025-61731, CVE-2025-61732, CVE-2025-61728, CVE-2025-61730)

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@upbound-bot
Copy link
Author

upbound-bot commented Feb 26, 2026

Build Failure Analysis

Check: build (amd64)
Status: Failed
Analyzed: 2026-02-26T20:00:00Z

Summary

The Docker build failed during go mod download because the Go version in the CI workflow (1.24.11) is older than what go.mod requires (1.24.13).

Root Cause

The go.mod file specifies go 1.24.13 as the minimum required Go version. However, the CI workflow (.github/workflows/ci.yaml) is configured with GO_VERSION: 1.24.11. When Docker runs the build with --build-arg GO_VERSION=1.24.11, the go mod download command fails because the Go toolchain version is insufficient.

The container environment has GOTOOLCHAIN=local set, which prevents automatic toolchain downloading and enforces strict version checking.

Error Details

go: go.mod requires go >= 1.24.13 (running go 1.24.11; GOTOOLCHAIN=local)
ERROR: process "/bin/sh -c go mod download" did not complete successfully: exit code: 1

Recommendation

Update the GO_VERSION environment variable in .github/workflows/ci.yaml from 1.24.11 to 1.24.13 to match the Go version requirement in go.mod. This is a CI configuration issue, not a code issue.

This analysis was generated by the build-failure-analyze skill.

@ulucinar
fix(ci): update GO_VERSION to 1.24.13
c57efc2 
The go.mod requires go >= 1.24.13 but the CI workflow was configured
with GO_VERSION 1.24.11, causing Docker builds to fail.

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@bobh66 bobh66 merged commit 7a1af48 into crossplane-contrib:release-0.11 Feb 27, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bobh66 bobh66 bobh66 approved these changes

@sergenyalcin sergenyalcin Awaiting requested review from sergenyalcin sergenyalcin is a code owner

@turkenf turkenf Awaiting requested review from turkenf turkenf is a code owner

@negz negz Awaiting requested review from negz negz is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@upbound-bot @bobh66 @ulucinar