From 8ebc672e0f49ed4d364655f85e01ff25f5941bdf Mon Sep 17 00:00:00 2001 From: Xavier Coulon Date: Wed, 10 Dec 2025 11:06:41 +0100 Subject: [PATCH 1/2] govulncheck: run from a container see changes for the govulncheck-action in codeready-toolchain/toolchain-cicd#159 Signed-off-by: Xavier Coulon --- .github/workflows/govulncheck.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml index daf21ee4..f640442b 100644 --- a/.github/workflows/govulncheck.yml +++ b/.github/workflows/govulncheck.yml @@ -16,6 +16,5 @@ jobs: - name: Run govulncheck uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master with: - go-version-file: go.mod - cache: false - config: .govulncheck.yaml \ No newline at end of file + config: .govulncheck.yaml + debug: true # optional (default = false) \ No newline at end of file From a4d2144eead817093676e2ac812721e478b07a85 Mon Sep 17 00:00:00 2001 From: Xavier Coulon Date: Wed, 10 Dec 2025 11:45:38 +0100 Subject: [PATCH 2/2] also, update ignored vulns (fixed in Go 1.24.11) Signed-off-by: Xavier Coulon --- .govulncheck.yaml | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/.govulncheck.yaml b/.govulncheck.yaml index bf1fb96a..693fb5df 100644 --- a/.govulncheck.yaml +++ b/.govulncheck.yaml @@ -4,46 +4,58 @@ ignored-vulnerabilities: # Fixed in: crypto/x509@go1.24.8 - id: GO-2025-4013 info: https://pkg.go.dev/vuln/GO-2025-4013 - silence-until: 2025-12-03 + silence-until: 2026-01-09 # Lack of limit when parsing cookies can cause memory exhaustion in net/http # Found in: net/http@go1.23.12 # Fixed in: net/http@go1.24.8 - id: GO-2025-4012 info: https://pkg.go.dev/vuln/GO-2025-4012 - silence-until: 2025-12-03 + silence-until: 2026-01-09 # Parsing DER payload can cause memory exhaustion in encoding/asn1 # Found in: encoding/asn1@go1.23.12 # Fixed in: encoding/asn1@go1.24.8 - id: GO-2025-4011 info: https://pkg.go.dev/vuln/GO-2025-4011 - silence-until: 2025-12-03 + silence-until: 2026-01-09 # Insufficient validation of bracketed IPv6 hostnames in net/url # Found in: net/url@go1.23.12 # Fixed in: net/url@go1.24.8 - id: GO-2025-4010 info: https://pkg.go.dev/vuln/GO-2025-4010 - silence-until: 2025-12-03 + silence-until: 2026-01-09 # Quadratic complexity when parsing some invalid inputs in encoding/pem # Found in: encoding/pem@go1.23.12 # Fixed in: encoding/pem@go1.24.8 - id: GO-2025-4009 info: https://pkg.go.dev/vuln/GO-2025-4009 - silence-until: 2025-12-03 + silence-until: 2026-01-09 # ALPN negotiation error contains attacker controlled information in crypto/tls # Found in: crypto/tls@go1.23.12 # Fixed in: crypto/tls@go1.24.8 - id: GO-2025-4008 info: https://pkg.go.dev/vuln/GO-2025-4008 - silence-until: 2025-12-03 + silence-until: 2026-01-09 # Quadratic complexity when checking name constraints in crypto/x509 # Found in: crypto/x509@go1.23.12 # Fixed in: crypto/x509@go1.24.9 - id: GO-2025-4007 info: https://pkg.go.dev/vuln/GO-2025-4007 - silence-until: 2025-12-03 + silence-until: 2026-01-09 # Excessive CPU consumption in ParseAddress in net/mail # Found in: net/mail@go1.23.12 # Fixed in: net/mail@go1.24.8 - id: GO-2025-4006 info: https://pkg.go.dev/vuln/GO-2025-4006 - silence-until: 2025-12-03 \ No newline at end of file + silence-until: 2026-01-09 + # Excessive resource consumption when printing error string for host certificate validation in crypto/x509 + # Found in: crypto/x509@go1.23.12 + # Fixed in: crypto/x509@go1.24.11 + - id: GO-2025-4155 + info: https://pkg.go.dev/vuln/GO-2025-4155 + silence-until: 2026-01-09 + # Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509 + # Found in: crypto/x509@go1.23.12 + # Fixed in: crypto/x509@go1.24.11 + - id: GO-2025-4175 + info: https://pkg.go.dev/vuln/GO-2025-4175 + silence-until: 2026-01-09 \ No newline at end of file