fix: bump vulnerable dependencies #435
Conversation
Bump pgx, otel, x/crypto, x/net, and the Go toolchain to patched versions per Trivy scan. Risk-accept the two docker/docker CVEs with no available fix in the v27.x line. PLAT-686
Up to standards ✅🟢 Issues
|
| Metric | Results |
|---|---|
| Duplication | 0 |
NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.
Bump pgx, otel, x/crypto, x/net, go-chi/chi, and the Go toolchain to patched versions per Trivy scan. Verified via govulncheck and a local image rescan (0 findings). Risk-accept the docker/docker CVEs (no fix in the v27.x line) and the unused x/crypto/openpgp advisory in .trivy/pgedge-control-plane.trivyignore.yaml. PLAT-686
|
Warning Review limit reached
Next review available in: 45 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (6)
📝 WalkthroughWalkthroughThe changes update Go and dependency versions, refresh license records, pin container images, adjust CI package installation, add Dockerfile security annotations, and document vulnerability remediation and accepted non-applicable findings. ChangesSecurity dependency refresh
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
docker/control-plane-dev/Dockerfile (1)
1-1: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winPin the base image by digest.
Use
golang:1.26.5@sha256:<digest>rather than relying only on the mutable version tag, so future tag changes cannot silently alter this security-sensitive build.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docker/control-plane-dev/Dockerfile` at line 1, Update the Dockerfile’s FROM declaration to pin golang:1.26.5 to its immutable SHA256 digest, preserving the existing version tag alongside the digest.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docker/control-plane-dev/Dockerfile`:
- Line 1: Update the Dockerfile to create a dedicated unprivileged user, ensure
required application files and directories are accessible to that user, and add
a USER directive selecting it before the entrypoint so the container does not
run as root.
In `@go.mod`:
- Line 5: Update the toolchain directive in the schematool module’s go.mod from
Go 1.25.8 to Go 1.26.5, preserving the existing module configuration and
directive format.
---
Nitpick comments:
In `@docker/control-plane-dev/Dockerfile`:
- Line 1: Update the Dockerfile’s FROM declaration to pin golang:1.26.5 to its
immutable SHA256 digest, preserving the existing version tag alongside the
digest.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: e9eb91c6-f070-4dcc-ac1e-3c7276b29246
⛔ Files ignored due to path filters (1)
go.sumis excluded by!**/*.sum
📒 Files selected for processing (4)
.trivy/pgedge-control-plane.trivyignore.yamlchanges/unreleased/Security-20260717-040124.yamldocker/control-plane-dev/Dockerfilego.mod
| @@ -1,4 +1,4 @@ | |||
| FROM golang:1.25.8 | |||
| FROM golang:1.26.5 | |||
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Run the container as a non-root user.
Trivy reports that this image runs as root. Create a dedicated unprivileged user and add a USER directive before the entrypoint; otherwise the security refresh still ships a container with unnecessary privilege.
Proposed fix
FROM golang:1.26.5
+RUN useradd --system --uid 10001 app
+USER app📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| FROM golang:1.26.5 | |
| FROM golang:1.26.5 | |
| RUN useradd --system --uid 10001 app | |
| USER app |
🧰 Tools
🪛 Trivy (0.72.0)
[error] 1-1: Image user should not be 'root'
Specify at least 1 USER command in Dockerfile with non-root user as argument
Rule: DS-0002
(IaC/Dockerfile)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docker/control-plane-dev/Dockerfile` at line 1, Update the Dockerfile to
create a dedicated unprivileged user, ensure required application files and
directories are accessible to that user, and add a USER directive selecting it
before the entrypoint so the container does not run as root.
Source: Linters/SAST tools
`make licenses` wasn't run after bumping pgx, otel, x/crypto, x/net, and go-chi/chi — CI's licenses-ci check caught the stale NOTICE.txt. No license changes, only version-string updates for the already-bumped packages. PLAT-686
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docker/control-plane/Dockerfile`:
- Line 8: Remove the inline DS-0002 suppression comments from
docker/control-plane/Dockerfile:8 and docker/control-plane-ci/Dockerfile:10, and
also remove the corresponding suppression at
docker/control-plane-dev/Dockerfile:11. Add DS-0002 to the repository’s
.trivyignore or .trivyignore.yaml, scoped to these Dockerfiles if supported.
In `@docs/Dockerfile`:
- Line 1: Update the docs Dockerfile after the package installation steps to
switch execution to a non-root USER, using an existing non-root user provided by
the squidfunk/mkdocs-material base image; otherwise document an explicit runtime
user override.
In `@NOTICE.txt`:
- Around line 13736-13737: The license generator invoked by make licenses
produces incorrect OpenTelemetry URLs for the metric, sdk, and trace entries.
Update the generator to use each tag’s root LICENSE URL instead of the
nonexistent module/LICENSE path, then regenerate NOTICE.txt; apply the
correction to NOTICE.txt ranges 13736-13737, 13976-13977, 14216-14217,
14456-14457, 14696-14697, and 14936-14937.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 89a23a44-3049-4d06-8b0b-8e182ee9dc83
⛔ Files ignored due to path filters (1)
server/internal/resource/migrations/schematool/go.sumis excluded by!**/*.sum
📒 Files selected for processing (6)
NOTICE.txtdocker/control-plane-ci/Dockerfiledocker/control-plane-dev/Dockerfiledocker/control-plane/Dockerfiledocs/Dockerfileserver/internal/resource/migrations/schematool/go.mod
🚧 Files skipped from review as they are similar to previous changes (1)
- docker/control-plane-dev/Dockerfile
| @@ -1,3 +1,3 @@ | |||
| FROM squidfunk/mkdocs-material | |||
| FROM squidfunk/mkdocs-material:latest@sha256:51b87149d227691486b5f08993d28c65ca7e4990010664b697265b8e6fcd5287 | |||
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== docs/Dockerfile (numbered) ==\n'
cat -n docs/Dockerfile
printf '\n== repo files mentioning mkdocs-material or docs image usage ==\n'
rg -n --hidden --glob '!**/.git/**' 'mkdocs-material|docs/Dockerfile|squidfunk/mkdocs-material|USER ' .
printf '\n== docs directory file list ==\n'
git ls-files docsRepository: pgEdge/control-plane
Length of output: 5862
🌐 Web query:
squidfunk/mkdocs-material default user root Dockerfile USER upstream image
💡 Result:
The official squidfunk/mkdocs-material Docker image runs as the root user by default [1][2]. Because the container executes commands as root, any files created or modified within a mounted volume (e.g., when running mkdocs new or building a site) will be owned by the root user on the host system [2]. To avoid file permission issues where generated files are owned by root, you can pass the current user's UID and GID to the container using the --user flag when running the docker command [2]: docker run --rm -it -v
Citations:
- 1: Some clarifications when using Docker squidfunk/mkdocs-material#3208
- 2: Update "Creating your site" article to include -u option for "docker run" in Unix environment squidfunk/mkdocs-material#8099
Run the docs image as non-root. docs/Dockerfile:1 still inherits the upstream image’s default root user, so the container will run as root unless you add a USER after the package install or document an explicit runtime --user override.
🧰 Tools
🪛 Trivy (0.72.0)
[error] 1-1: Image user should not be 'root'
Specify at least 1 USER command in Dockerfile with non-root user as argument
Rule: DS-0002
(IaC/Dockerfile)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/Dockerfile` at line 1, Update the docs Dockerfile after the package
installation steps to switch execution to a non-root USER, using an existing
non-root user provided by the squidfunk/mkdocs-material base image; otherwise
document an explicit runtime user override.
Source: Linters/SAST tools
Summary
Triages and remediates the Trivy image scan findings for
ghcr.io/pgedge/control-plane:latest(2 Critical, 28 High, 17 Medium, 1 Low) by bumping vulnerable dependencies and the Go toolchain, risk-accepting the CVEs with no available fix, and hardening the Dockerfiles.Changes
github.com/jackc/pgx/v5→v5.10.0(fixes CVE-2026-33815, CVE-2026-33816 — both CRITICAL)go.opentelemetry.io/otel(+ related otel modules) →v1.44.0(fixes CVE-2026-29181, CVE-2026-39883)golang.org/x/crypto→v0.54.0(fixes 8x/crypto/ssh*CVEs)golang.org/x/net→v0.57.0(fixes CVE-2026-25681, CVE-2026-27136, CVE-2026-33814, CVE-2026-39821)github.com/go-chi/chibumped alongside the above1.26.5(fixes 11 stdlib CVEs: CVE-2026-27145, 32280, 32281, 32283, 33811, 33814, 39820, 39822, 39836, 42499, 42504).trivy/pgedge-control-plane.trivyignore.yamlfor CVEs with no available fix, each with a justification:github.com/docker/dockerv27.xdocker cp/archive-related CVEs (CVE-2026-41567, CVE-2026-42306, CVE-2026-41568, plus 3 related AuthZ/plugin CVEs) — no fix exists in the v27.x line (fix requires a breaking module-path migration to moby/moby v2), and this codebase never callsCopyToContainer/CopyFromContainer/any archive-upload API, so the vulnerable code paths are unreachable.golang.org/x/crypto/openpgpunmaintained/unsafe-by-design advisory — not applicable, this codebase never imports that subpackage.docker/control-plane/Dockerfile,docs/Dockerfile,docker/control-plane-dev/Dockerfile,docker/control-plane-ci/Dockerfile):FROMbase images to exact digests (gcr.io/distroless/static-debian12,squidfunk/mkdocs-material) instead of floatinglatest.--no-install-recommendsto theapt-get installin the CI Dockerfile.# trivy:ignore:DS-0002alongside the existing# nosemgrepcomment) the deliberate decision to run as root: the control-plane process manages ownership (chown) of bind-mounted Postgres/Patroni data, config, and cert directories on behalf of arbitrary database-owner UIDs/GIDs, which requires root, and the distroless static base has no shell/su-execto drop privileges after setup.NOTICE.txtregenerated to reflect the bumped dependencies.Testing
go build ./...,go vet ./...— clean.go test ./...— all packages pass except one pre-existing, unrelated failure (mqttpackage'sTestConnectAndDisconnect, which requires a rootless-Docker socket for a testcontainers-managed broker; not affected by any change in this PR).govulncheck ./...— independently cross-verified that thedocker/dockerCVEs have no fix in any released version (Fixed in: N/Afor all), confirming the risk-acceptance is correct rather than a missed upgrade opportunity.docker build) and rescanned withtrivy image --ignorefile .trivy/pgedge-control-plane.trivyignore.yaml:--show-suppressedthat only the documenteddocker/dockerCVEs are being ignored — nothing else is silently hidden.trivy config: only the deliberate, documented non-root-user finding (DS-0002) remains; the unpinned-tag and missing---no-install-recommendsfindings are resolved.trivy image --scanners secretand--scanners licenseon the built image as an additional sweep: no secrets found (distroless image has no scannable config/text files); license scan flagsbase-files/netbaseas GPL (standard Debian base-OS packages, not code we link against — informational only, no action needed).Checklist
NOTICE.txtregenerated; risk acceptances documented inline in.trivy/pgedge-control-plane.trivyignore.yamland Dockerfile commentschanges/unreleased/Security-20260717-040124.yamlNotes for Reviewers
docker/dockerandx/crypto/openpgprisk acceptances should be revisited if: (a) a v27.x backport lands for the docker CVEs, or (b) the codebase migrates tomoby/mobyv2 (a breaking module-path change, tracked as a separate future effort, not in scope here).HEALTHCHECK(TrivyDS-0026, LOW) is intentionally not added to the distroless production image — it has no shell,curl, orwgetto run a check command, and the binary has no self-check subcommand today. Flagging as a known gap rather than guessing at an instruction that would always fail; happy to follow up if there's appetite for adding a health-check subcommand to the binary itself.