From c215008ea414fafe2be2956be5dd9ff54710b158 Mon Sep 17 00:00:00 2001
From: Brad Geesaman <3769609+bgeesaman@users.noreply.github.com>
Date: Thu, 23 Apr 2026 08:30:27 -0400
Subject: [PATCH] GHO-11493: bump go toolchain and bundled osv-scanner to clear CVEs

Go stdlib 1.25.6 -> 1.25.9 to patch embedded stdlib CVEs in the wraith binary.

osv-scanner v2.3.2 -> v2.3.5 picks up grpc 1.79.3, mcp-go-sdk 1.4.1, docker/cli 29.2.0, and a go 1.26.1 build, clearing the bundled binary's high/critical findings except two buildkit indirect deps that require an upstream release.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/test.go.yml | 2 +-
 .goreleaser.yaml | 2 +-
 go.mod | 2 +-
 scripts/download-osv-scanner.sh | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/test.go.yml b/.github/workflows/test.go.yml
index 2eb0530..878ea0b 100644
--- a/.github/workflows/test.go.yml
+++ b/.github/workflows/test.go.yml
@@ -5,7 +5,7 @@ on:
   pull_request:
   workflow_dispatch:
 env:
-  OSV_VERSION: 'v2.2.2'
+  OSV_VERSION: 'v2.3.5'
 jobs:
   test-x86:
     name: Go Test
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 12a6abd..8a245a7 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -3,7 +3,7 @@ version: 2
 project_name: wraith
 env:
-  - OSV_VERSION=v2.3.2
+  - OSV_VERSION=v2.3.5
 before:
   hooks:
diff --git a/go.mod b/go.mod
index a27752f..3565f54 100644
--- a/go.mod
+++ b/go.mod
@@ -1,3 +1,3 @@
 module github.com/ghostsecurity/wraith
-go 1.25.6
+go 1.25.9
diff --git a/scripts/download-osv-scanner.sh b/scripts/download-osv-scanner.sh
index 585aaf8..cae0ff5 100755
--- a/scripts/download-osv-scanner.sh
+++ b/scripts/download-osv-scanner.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 set -e
-OSV_VERSION="${OSV_VERSION:-v2.3.2}"
+OSV_VERSION="${OSV_VERSION:-v2.3.5}"
 BUILD_DIR="build/osv-scanner"
 echo "Downloading osv-scanner ${OSV_VERSION}..."