fix: reduce CVEs in build-go-alpine and service-base-alpine #59

Merged
sam-at-luther merged 1 commit into main from fix/refresh-container-packages-v2 on Apr 20, 2026

Conversation

@sam-at-luther (Member)

Summary

Reduces CVEs in our published container images after a customer-initiated Docker Scout review flagged a large set of vulnerabilities in v0.0.96 / v0.0.97.

  • Bump Go 1.26.1 → 1.26.2 (fixes stdlib CVEs including those flagged as High).
  • Bump Alpine 3.22 → 3.23 (newer git-lfs built with Go 1.25.9 — this is what eliminates the Critical stdlib 1.24.12 CVE embedded in the older git-lfs binary).
  • Switch golangci-lint from a prebuilt release tarball to go install ...@v${GOLANGCI_LINT_VERSION} so it is rebuilt with our pinned Go toolchain (and verified via go.sum). This removes the 4 High stdlib 1.26.1 CVEs embedded in the upstream prebuilt binary.

Docker Scout results — build-go-alpine

| Image   | Critical | High | Medium | Low | Unspec | Total |
|---------|----------|------|--------|-----|--------|-------|
| v0.0.97 | 1        | 13   | 25     | 2   | 1      | 42    |
| This PR | 0        | 6    | 15     | 1   | 0      | 22    |

All 22 remaining CVEs are in Alpine 3.23 apk packages flagged not fixed upstream:

| Package              | H | M | L | Notes                                                |
|----------------------|---|---|---|------------------------------------------------------|
| binutils 2.45.1-r0   | 2 | 5 | 0 | Alpine not fixed                                     |
| curl 8.17.0-r1       | 1 | 8 | 1 | Alpine not fixed                                     |
| git-lfs 3.7.0-r8     | 1 | 0 | 0 | Alpine not fixed                                     |
| unzip 6.0-r16        | 1 | 0 | 0 | CVE-2008-0888 — wontfix upstream; transitive via zip |
| nghttp2 1.68.0-r0    | 1 | 0 | 0 | Alpine not fixed                                     |
| openssh 10.2_p1-r0   | 0 | 1 | 0 | Alpine not fixed                                     |
| busybox 1.37.0-r30   | 0 | 1 | 0 | Alpine not fixed                                     |

These are only resolvable by switching base distros (e.g. Chainguard/Wolfi) — out of scope for this PR.

service-base-alpine

Unchanged behaviorally. Still 1 Medium busybox CVE (same not fixed upstream status). No regression.

Test plan

  • CI builds both images successfully for linux/amd64 and linux/arm64.
  • Verify go version, golangci-lint version, gotestsum --version, and go-bindata -version in the published image.
  • Re-run docker scout cves on the published tag to confirm the numbers above.
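An added example for the version-check step of the test plan (not code from the PR or the repository): a POSIX shell audit that reads the toolchain version embedded in each Go binary via `go version <bin>` and flags any built with a toolchain older than a minimum you choose. A prebuilt golangci-lint or git-lfs carrying old stdlib CVEs is exactly what this surfaces. The binary paths and the sample output lines are constructed, and `audit_binaries` assumes a Go toolchain is present in the image.

```shell
#!/bin/sh
# Extract "X.Y.Z" from the first line of `go version [-m] <bin>` output,
# e.g. "/usr/local/bin/golangci-lint: go1.26.1" -> "1.26.1". Reads stdin.
go_version_of() {
  sed -n '1s/.*: go\([0-9][0-9.]*\).*/\1/p'
}

# version_lt A B: exit 0 if dotted version A is older than B.
version_lt() {
  a="$1" b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
  done
  return 1
}

# check_toolchain MIN LINE: classify one `go version` line against MIN.
# Prints OK/STALE/UNKNOWN; exit 1 on STALE, 2 if no version was found.
check_toolchain() {
  min="$1"; built_with="$(printf '%s\n' "$2" | go_version_of)"
  if [ -z "$built_with" ]; then echo "UNKNOWN"; return 2; fi
  if version_lt "$built_with" "$min"; then
    echo "STALE $built_with < $min"; return 1
  fi
  echo "OK $built_with"
}

# audit_binaries MIN BIN...: run the check over real files inside the image.
audit_binaries() {
  min="$1"; shift; rc=0
  for bin in "$@"; do
    line="$(go version "$bin" 2>/dev/null | head -n 1)"
    printf '%s: ' "$bin"
    check_toolchain "$min" "$line" || rc=1
  done
  return $rc
}

# Constructed sample lines (not real image output) for a stand-alone run.
sample_prebuilt='/usr/local/bin/golangci-lint: go1.26.1'
sample_rebuilt='/usr/local/bin/golangci-lint: go1.26.2'
check_toolchain 1.26.2 "$sample_prebuilt" || true   # STALE 1.26.1 < 1.26.2
check_toolchain 1.26.2 "$sample_rebuilt"            # OK 1.26.2
```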

Bump Go 1.26.1 -> 1.26.2 and Alpine 3.22 -> 3.23 to pick up upstream
security patches, and switch golangci-lint from a prebuilt release
binary to `go install` with a pinned version so it is rebuilt against
the pinned Go toolchain (and verified via go.sum).

Docker Scout scan results for build-go-alpine:
- before: 42 CVEs (1 Critical, 13 High, 25 Medium, 2 Low, 1 Unspecified)
- after:  22 CVEs (0 Critical, 6 High, 15 Medium, 1 Low)

The remaining 22 CVEs are all in Alpine 3.23 apk packages marked
"not fixed" upstream (binutils, curl, nghttp2, unzip, git-lfs, openssh,
busybox). service-base-alpine is unchanged behaviorally and still
contains only the single upstream-unfixed busybox CVE.
sam-at-luther merged commit 20f3761 into main on Apr 20, 2026
18 checks passed