Skip to content

fix: bump vulnerable dependencies #435

Open
moizpgedge wants to merge 6 commits into
mainfrom
Bug/PLAT-686/Security-Trivy-Triage-security-issues
Open

fix: bump vulnerable dependencies #435
moizpgedge wants to merge 6 commits into
mainfrom
Bug/PLAT-686/Security-Trivy-Triage-security-issues

Conversation

@moizpgedge

@moizpgedge moizpgedge commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Summary

Triages and remediates the Trivy image scan findings for ghcr.io/pgedge/control-plane:latest (2 Critical, 28 High, 17 Medium, 1 Low) by bumping vulnerable dependencies and the Go toolchain, risk-accepting the CVEs with no available fix, and hardening the Dockerfiles.

Changes

  • Dependency bumps to patched versions per the Trivy report:
  • Risk acceptances added to .trivy/pgedge-control-plane.trivyignore.yaml for CVEs with no available fix, each with a justification:
    • github.com/docker/docker v27.x docker cp/archive-related CVEs (CVE-2026-41567, CVE-2026-42306, CVE-2026-41568, plus 3 related AuthZ/plugin CVEs) — no fix exists in the v27.x line (fix requires a breaking module-path migration to moby/moby v2), and this codebase never calls CopyToContainer/CopyFromContainer/any archive-upload API, so the vulnerable code paths are unreachable.
    • golang.org/x/crypto/openpgp unmaintained/unsafe-by-design advisory — not applicable, this codebase never imports that subpackage.
  • Dockerfile hardening (docker/control-plane/Dockerfile, docs/Dockerfile, docker/control-plane-dev/Dockerfile, docker/control-plane-ci/Dockerfile):
    • Pinned FROM base images to exact digests (gcr.io/distroless/static-debian12, squidfunk/mkdocs-material) instead of floating latest.
    • Added --no-install-recommends to the apt-get install in the CI Dockerfile.
    • Documented (via # trivy:ignore:DS-0002 alongside the existing # nosemgrep comment) the deliberate decision to run as root: the control-plane process manages ownership (chown) of bind-mounted Postgres/Patroni data, config, and cert directories on behalf of arbitrary database-owner UIDs/GIDs, which requires root, and the distroless static base has no shell/su-exec to drop privileges after setup.
  • NOTICE.txt regenerated to reflect the bumped dependencies.

Testing

  • go build ./..., go vet ./... — clean.
  • go test ./... — all packages pass except one pre-existing, unrelated failure (mqtt package's TestConnectAndDisconnect, which requires a rootless-Docker socket for a testcontainers-managed broker; not affected by any change in this PR).
  • govulncheck ./... — independently cross-verified that the docker/docker CVEs have no fix in any released version (Fixed in: N/A for all), confirming the risk-acceptance is correct rather than a missed upgrade opportunity.
  • Rebuilt the production image locally from this branch (goreleaser snapshot build + docker build) and rescanned with trivy image --ignorefile .trivy/pgedge-control-plane.trivyignore.yaml:
    • 0 vulnerabilities at every severity level (Critical → Unknown), both in the OS layer (debian 12.15) and the Go binary.
    • Confirmed via --show-suppressed that only the documented docker/docker CVEs are being ignored — nothing else is silently hidden.
  • Rescanned all 4 Dockerfiles with trivy config: only the deliberate, documented non-root-user finding (DS-0002) remains; the unpinned-tag and missing---no-install-recommends findings are resolved.
  • Ran trivy image --scanners secret and --scanners license on the built image as an additional sweep: no secrets found (distroless image has no scannable config/text files); license scan flags base-files/netbase as GPL (standard Debian base-OS packages, not code we link against — informational only, no action needed).

Checklist

  • Tests added or updated (unit and/or e2e, as needed) — N/A, dependency/config-only change; verified via existing test suite + independent rescans above
  • Documentation updated (if needed) — NOTICE.txt regenerated; risk acceptances documented inline in .trivy/pgedge-control-plane.trivyignore.yaml and Dockerfile comments
  • Issue is linked (branch name or URL in PR description) — PLAT-686
  • Changelog entry added for user-facing behavior changes — changes/unreleased/Security-20260717-040124.yaml
  • Breaking changes (if any) are clearly called out in the PR description — none

Notes for Reviewers

  • No functional/behavioral changes — this is a dependency-version and Dockerfile-hardening PR. All bumped dependencies are used in ways consistent with prior versions (verified by the full test suite passing).
  • The docker/docker and x/crypto/openpgp risk acceptances should be revisited if: (a) a v27.x backport lands for the docker CVEs, or (b) the codebase migrates to moby/moby v2 (a breaking module-path change, tracked as a separate future effort, not in scope here).
  • HEALTHCHECK (Trivy DS-0026, LOW) is intentionally not added to the distroless production image — it has no shell, curl, or wget to run a check command, and the binary has no self-check subcommand today. Flagging as a known gap rather than guessing at an instruction that would always fail; happy to follow up if there's appetite for adding a health-check subcommand to the binary itself.

Bump pgx, otel, x/crypto, x/net, and the Go toolchain to
patched versions per Trivy scan. Risk-accept the two
docker/docker CVEs with no available fix in the v27.x line.

PLAT-686
@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 duplication

Metric Results
Duplication 0

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

Bump pgx, otel, x/crypto, x/net, go-chi/chi, and the Go
toolchain to patched versions per Trivy scan. Verified via
govulncheck and a local image rescan (0 findings). Risk-accept
the docker/docker  CVEs (no fix in the v27.x line)
and the unused x/crypto/openpgp advisory in
.trivy/pgedge-control-plane.trivyignore.yaml.

PLAT-686
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@moizpgedge, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 45 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a46df996-ad5f-473c-bfdf-2107870db20b

📥 Commits

Reviewing files that changed from the base of the PR and between 22752e2 and 42cd932.

📒 Files selected for processing (6)
  • .trivyignore
  • NOTICE.txt
  • docker/control-plane-ci/Dockerfile
  • docker/control-plane-dev/Dockerfile
  • docker/control-plane/Dockerfile
  • docs/Dockerfile
📝 Walkthrough

Walkthrough

The changes update Go and dependency versions, refresh license records, pin container images, adjust CI package installation, add Dockerfile security annotations, and document vulnerability remediation and accepted non-applicable findings.

Changes

Security dependency refresh

Layer / File(s) Summary
Go and dependency version updates
go.mod, server/internal/resource/migrations/schematool/go.mod, NOTICE.txt
Go toolchains, application dependencies, migration-tool dependencies, and corresponding license records are updated.
Container image hardening
docker/control-plane*/Dockerfile, docs/Dockerfile
Container bases are upgraded or digest-pinned, CI installs curl without recommended packages, and security-scan annotations document intentional root execution.
Security records and vulnerability suppressions
changes/unreleased/*, .trivy/*
The security changelog records dependency remediation and risk acceptance, while Trivy ignores specified non-applicable findings.

Poem

A rabbit checks the versions bright,
Pins Docker moons in place just right.
Go hops ahead, dependencies grow,
Trivy finds the paths that don’t show.
“Secure and tidy!” the bunny sings,
Then nibbles changelogs with whiskered wings.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is missing all required sections and contains no summary, changes, testing, or checklist details. Add the template sections: Summary, Changes, Testing, Checklist, and Notes for Reviewers, with brief PR-specific details.
✅ Passed checks (4 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title accurately summarizes the main change: updating vulnerable dependencies and related security fixes.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch Bug/PLAT-686/Security-Trivy-Triage-security-issues

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
docker/control-plane-dev/Dockerfile (1)

1-1: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Pin the base image by digest.

Use golang:1.26.5@sha256:<digest> rather than relying only on the mutable version tag, so future tag changes cannot silently alter this security-sensitive build.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docker/control-plane-dev/Dockerfile` at line 1, Update the Dockerfile’s FROM
declaration to pin golang:1.26.5 to its immutable SHA256 digest, preserving the
existing version tag alongside the digest.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docker/control-plane-dev/Dockerfile`:
- Line 1: Update the Dockerfile to create a dedicated unprivileged user, ensure
required application files and directories are accessible to that user, and add
a USER directive selecting it before the entrypoint so the container does not
run as root.

In `@go.mod`:
- Line 5: Update the toolchain directive in the schematool module’s go.mod from
Go 1.25.8 to Go 1.26.5, preserving the existing module configuration and
directive format.

---

Nitpick comments:
In `@docker/control-plane-dev/Dockerfile`:
- Line 1: Update the Dockerfile’s FROM declaration to pin golang:1.26.5 to its
immutable SHA256 digest, preserving the existing version tag alongside the
digest.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e9eb91c6-f070-4dcc-ac1e-3c7276b29246

📥 Commits

Reviewing files that changed from the base of the PR and between 81492c6 and 9880e66.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (4)
  • .trivy/pgedge-control-plane.trivyignore.yaml
  • changes/unreleased/Security-20260717-040124.yaml
  • docker/control-plane-dev/Dockerfile
  • go.mod

@@ -1,4 +1,4 @@
FROM golang:1.25.8
FROM golang:1.26.5

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Run the container as a non-root user.

Trivy reports that this image runs as root. Create a dedicated unprivileged user and add a USER directive before the entrypoint; otherwise the security refresh still ships a container with unnecessary privilege.

Proposed fix
 FROM golang:1.26.5
+RUN useradd --system --uid 10001 app
+USER app
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
FROM golang:1.26.5
FROM golang:1.26.5
RUN useradd --system --uid 10001 app
USER app
🧰 Tools
🪛 Trivy (0.72.0)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

Learn more

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docker/control-plane-dev/Dockerfile` at line 1, Update the Dockerfile to
create a dedicated unprivileged user, ensure required application files and
directories are accessible to that user, and add a USER directive selecting it
before the entrypoint so the container does not run as root.

Source: Linters/SAST tools

Comment thread go.mod
`make licenses` wasn't run after bumping pgx, otel, x/crypto,
x/net, and go-chi/chi — CI's licenses-ci check caught the stale
NOTICE.txt. No license changes, only version-string updates for
the already-bumped packages.

PLAT-686

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docker/control-plane/Dockerfile`:
- Line 8: Remove the inline DS-0002 suppression comments from
docker/control-plane/Dockerfile:8 and docker/control-plane-ci/Dockerfile:10, and
also remove the corresponding suppression at
docker/control-plane-dev/Dockerfile:11. Add DS-0002 to the repository’s
.trivyignore or .trivyignore.yaml, scoped to these Dockerfiles if supported.

In `@docs/Dockerfile`:
- Line 1: Update the docs Dockerfile after the package installation steps to
switch execution to a non-root USER, using an existing non-root user provided by
the squidfunk/mkdocs-material base image; otherwise document an explicit runtime
user override.

In `@NOTICE.txt`:
- Around line 13736-13737: The license generator invoked by make licenses
produces incorrect OpenTelemetry URLs for the metric, sdk, and trace entries.
Update the generator to use each tag’s root LICENSE URL instead of the
nonexistent module/LICENSE path, then regenerate NOTICE.txt; apply the
correction to NOTICE.txt ranges 13736-13737, 13976-13977, 14216-14217,
14456-14457, 14696-14697, and 14936-14937.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 89a23a44-3049-4d06-8b0b-8e182ee9dc83

📥 Commits

Reviewing files that changed from the base of the PR and between 9880e66 and 22752e2.

⛔ Files ignored due to path filters (1)
  • server/internal/resource/migrations/schematool/go.sum is excluded by !**/*.sum
📒 Files selected for processing (6)
  • NOTICE.txt
  • docker/control-plane-ci/Dockerfile
  • docker/control-plane-dev/Dockerfile
  • docker/control-plane/Dockerfile
  • docs/Dockerfile
  • server/internal/resource/migrations/schematool/go.mod
🚧 Files skipped from review as they are similar to previous changes (1)
  • docker/control-plane-dev/Dockerfile

Comment thread docker/control-plane/Dockerfile Outdated
Comment thread docs/Dockerfile
@@ -1,3 +1,3 @@
FROM squidfunk/mkdocs-material
FROM squidfunk/mkdocs-material:latest@sha256:51b87149d227691486b5f08993d28c65ca7e4990010664b697265b8e6fcd5287

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== docs/Dockerfile (numbered) ==\n'
cat -n docs/Dockerfile

printf '\n== repo files mentioning mkdocs-material or docs image usage ==\n'
rg -n --hidden --glob '!**/.git/**' 'mkdocs-material|docs/Dockerfile|squidfunk/mkdocs-material|USER ' .

printf '\n== docs directory file list ==\n'
git ls-files docs

Repository: pgEdge/control-plane

Length of output: 5862


🌐 Web query:

squidfunk/mkdocs-material default user root Dockerfile USER upstream image

💡 Result:

The official squidfunk/mkdocs-material Docker image runs as the root user by default [1][2]. Because the container executes commands as root, any files created or modified within a mounted volume (e.g., when running mkdocs new or building a site) will be owned by the root user on the host system [2]. To avoid file permission issues where generated files are owned by root, you can pass the current user's UID and GID to the container using the --user flag when running the docker command [2]: docker run --rm -it -v ${PWD}:/docs --user "$(id -u):$(id -g)" squidfunk/mkdocs-material build This configuration ensures that files created within the container are owned by your host user rather than the root user [2].

Citations:


Run the docs image as non-root. docs/Dockerfile:1 still inherits the upstream image’s default root user, so the container will run as root unless you add a USER after the package install or document an explicit runtime --user override.

🧰 Tools
🪛 Trivy (0.72.0)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

Learn more

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/Dockerfile` at line 1, Update the docs Dockerfile after the package
installation steps to switch execution to a non-root USER, using an existing
non-root user provided by the squidfunk/mkdocs-material base image; otherwise
document an explicit runtime user override.

Source: Linters/SAST tools

Comment thread NOTICE.txt Outdated
@moizpgedge moizpgedge changed the title fix: bump vulnerable dependencies (PLAT-686) fix: bump vulnerable dependencies Jul 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant