Skip to content

fix: bump vulnerable dependencies (PLAT-686)#435

Open
moizpgedge wants to merge 4 commits into
mainfrom
Bug/PLAT-686/Security-Trivy-Triage-security-issues
Open

fix: bump vulnerable dependencies (PLAT-686)#435
moizpgedge wants to merge 4 commits into
mainfrom
Bug/PLAT-686/Security-Trivy-Triage-security-issues

Conversation

@moizpgedge

Copy link
Copy Markdown
Contributor

No description provided.

Bump pgx, otel, x/crypto, x/net, and the Go toolchain to
patched versions per Trivy scan. Risk-accept the two
docker/docker CVEs with no available fix in the v27.x line.

PLAT-686
@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 duplication

Metric Results
Duplication 0

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

Bump pgx, otel, x/crypto, x/net, go-chi/chi, and the Go
toolchain to patched versions per Trivy scan. Verified via
govulncheck and a local image rescan (0 findings). Risk-accept
the docker/docker  CVEs (no fix in the v27.x line)
and the unused x/crypto/openpgp advisory in
.trivy/pgedge-control-plane.trivyignore.yaml.

PLAT-686
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@moizpgedge, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 24 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3a0b8949-ce0e-43b3-b5b9-7b3fb7da04f3

📥 Commits

Reviewing files that changed from the base of the PR and between 9880e66 and 7e7d979.

⛔ Files ignored due to path filters (1)
  • server/internal/resource/migrations/schematool/go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • NOTICE.txt
  • server/internal/resource/migrations/schematool/go.mod
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch Bug/PLAT-686/Security-Trivy-Triage-security-issues

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
docker/control-plane-dev/Dockerfile (1)

1-1: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Pin the base image by digest.

Use golang:1.26.5@sha256:<digest> rather than relying only on the mutable version tag, so future tag changes cannot silently alter this security-sensitive build.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docker/control-plane-dev/Dockerfile` at line 1, Update the Dockerfile’s FROM
declaration to pin golang:1.26.5 to its immutable SHA256 digest, preserving the
existing version tag alongside the digest.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docker/control-plane-dev/Dockerfile`:
- Line 1: Update the Dockerfile to create a dedicated unprivileged user, ensure
required application files and directories are accessible to that user, and add
a USER directive selecting it before the entrypoint so the container does not
run as root.

In `@go.mod`:
- Line 5: Update the toolchain directive in the schematool module’s go.mod from
Go 1.25.8 to Go 1.26.5, preserving the existing module configuration and
directive format.

---

Nitpick comments:
In `@docker/control-plane-dev/Dockerfile`:
- Line 1: Update the Dockerfile’s FROM declaration to pin golang:1.26.5 to its
immutable SHA256 digest, preserving the existing version tag alongside the
digest.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e9eb91c6-f070-4dcc-ac1e-3c7276b29246

📥 Commits

Reviewing files that changed from the base of the PR and between 81492c6 and 9880e66.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (4)
  • .trivy/pgedge-control-plane.trivyignore.yaml
  • changes/unreleased/Security-20260717-040124.yaml
  • docker/control-plane-dev/Dockerfile
  • go.mod

@@ -1,4 +1,4 @@
FROM golang:1.25.8
FROM golang:1.26.5

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Run the container as a non-root user.

Trivy reports that this image runs as root. Create a dedicated unprivileged user and add a USER directive before the entrypoint; otherwise the security refresh still ships a container with unnecessary privilege.

Proposed fix
 FROM golang:1.26.5
+RUN useradd --system --uid 10001 app
+USER app
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
FROM golang:1.26.5
FROM golang:1.26.5
RUN useradd --system --uid 10001 app
USER app
🧰 Tools
🪛 Trivy (0.72.0)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

Learn more

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docker/control-plane-dev/Dockerfile` at line 1, Update the Dockerfile to
create a dedicated unprivileged user, ensure required application files and
directories are accessible to that user, and add a USER directive selecting it
before the entrypoint so the container does not run as root.

Source: Linters/SAST tools

Comment thread go.mod
`make licenses` wasn't run after bumping pgx, otel, x/crypto,
x/net, and go-chi/chi — CI's licenses-ci check caught the stale
NOTICE.txt. No license changes, only version-string updates for
the already-bumped packages.

PLAT-686
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant