fix: bump vulnerable dependencies (PLAT-686)#435
Conversation
Bump pgx, otel, x/crypto, x/net, and the Go toolchain to patched versions per Trivy scan. Risk-accept the two docker/docker CVEs with no available fix in the v27.x line. PLAT-686
Up to standards ✅🟢 Issues
|
| Metric | Results |
|---|---|
| Duplication | 0 |
NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.
Bump pgx, otel, x/crypto, x/net, go-chi/chi, and the Go toolchain to patched versions per Trivy scan. Verified via govulncheck and a local image rescan (0 findings). Risk-accept the docker/docker CVEs (no fix in the v27.x line) and the unused x/crypto/openpgp advisory in .trivy/pgedge-control-plane.trivyignore.yaml. PLAT-686
|
Warning Review limit reached
Next review available in: 24 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
docker/control-plane-dev/Dockerfile (1)
1-1: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winPin the base image by digest.
Use
golang:1.26.5@sha256:<digest>rather than relying only on the mutable version tag, so future tag changes cannot silently alter this security-sensitive build.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docker/control-plane-dev/Dockerfile` at line 1, Update the Dockerfile’s FROM declaration to pin golang:1.26.5 to its immutable SHA256 digest, preserving the existing version tag alongside the digest.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docker/control-plane-dev/Dockerfile`:
- Line 1: Update the Dockerfile to create a dedicated unprivileged user, ensure
required application files and directories are accessible to that user, and add
a USER directive selecting it before the entrypoint so the container does not
run as root.
In `@go.mod`:
- Line 5: Update the toolchain directive in the schematool module’s go.mod from
Go 1.25.8 to Go 1.26.5, preserving the existing module configuration and
directive format.
---
Nitpick comments:
In `@docker/control-plane-dev/Dockerfile`:
- Line 1: Update the Dockerfile’s FROM declaration to pin golang:1.26.5 to its
immutable SHA256 digest, preserving the existing version tag alongside the
digest.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: e9eb91c6-f070-4dcc-ac1e-3c7276b29246
⛔ Files ignored due to path filters (1)
go.sumis excluded by!**/*.sum
📒 Files selected for processing (4)
.trivy/pgedge-control-plane.trivyignore.yamlchanges/unreleased/Security-20260717-040124.yamldocker/control-plane-dev/Dockerfilego.mod
| @@ -1,4 +1,4 @@ | |||
| FROM golang:1.25.8 | |||
| FROM golang:1.26.5 | |||
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Run the container as a non-root user.
Trivy reports that this image runs as root. Create a dedicated unprivileged user and add a USER directive before the entrypoint; otherwise the security refresh still ships a container with unnecessary privilege.
Proposed fix
FROM golang:1.26.5
+RUN useradd --system --uid 10001 app
+USER app📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| FROM golang:1.26.5 | |
| FROM golang:1.26.5 | |
| RUN useradd --system --uid 10001 app | |
| USER app |
🧰 Tools
🪛 Trivy (0.72.0)
[error] 1-1: Image user should not be 'root'
Specify at least 1 USER command in Dockerfile with non-root user as argument
Rule: DS-0002
(IaC/Dockerfile)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docker/control-plane-dev/Dockerfile` at line 1, Update the Dockerfile to
create a dedicated unprivileged user, ensure required application files and
directories are accessible to that user, and add a USER directive selecting it
before the entrypoint so the container does not run as root.
Source: Linters/SAST tools
`make licenses` wasn't run after bumping pgx, otel, x/crypto, x/net, and go-chi/chi — CI's licenses-ci check caught the stale NOTICE.txt. No license changes, only version-string updates for the already-bumped packages. PLAT-686
No description provided.