
Commit e91c06c

fix(security): upgrade golang.org/x/oauth2 to v0.27.0 to resolve CVE-2025-22868 (#5233)
* fix(security): upgrade golang.org/x/oauth2 to v0.27.0 to resolve CVE-2025-22868
  Signed-off-by: UJESH2K <[email protected]>
  Signed-off-by: UJESH KUMAR YADAV <[email protected]>
* chore: update Go version to 1.24.0 in go.mod, Dockerfile, and CI workflow
  Signed-off-by: UJESH2K <[email protected]>
  Signed-off-by: UJESH KUMAR YADAV <[email protected]>
* fix: use stable golang:1.24.0-bookworm base image in Dockerfile
  Signed-off-by: UJESH2K <[email protected]>
  Signed-off-by: UJESH KUMAR YADAV <[email protected]>
* 1.25 go version
  Signed-off-by: UJESH KUMAR YADAV <[email protected]>
* golang.org/x/crypto v0.35.0 go version
  Signed-off-by: UJESH KUMAR YADAV <[email protected]>
* golang.org/x/crypto v0.35.0 go version and 1.24
  Signed-off-by: UJESH KUMAR YADAV <[email protected]>
* changed docker
  Signed-off-by: UJESH KUMAR YADAV <[email protected]>
* changed docker
  Signed-off-by: UJESH KUMAR YADAV <[email protected]>
* Temporary commit before rebase
  Signed-off-by: UJESH KUMAR YADAV <[email protected]>
* Changed trivy to v2 and authentication goversion to 1.24.0
  Signed-off-by: UJESH KUMAR YADAV <[email protected]>
* Revert Trivy v2 change
  Signed-off-by: UJESH KUMAR YADAV <[email protected]>
* changed build.yml from 1.24 to 1.24.0
  Signed-off-by: UJESH KUMAR YADAV <[email protected]>
* removed trivy version mismatch
  Signed-off-by: UJESH KUMAR YADAV <[email protected]>
* go mod tidy
  Signed-off-by: UJESH KUMAR YADAV <[email protected]>

---------

Signed-off-by: UJESH2K <[email protected]>
Signed-off-by: UJESH KUMAR YADAV <[email protected]>
1 parent 73a154f commit e91c06c


4 files changed

+16
-8
lines changed


.github/workflows/build.yml

Lines changed: 8 additions & 3 deletions
@@ -99,7 +99,7 @@ jobs:
9999
uses: actions/checkout@v4
100100
- uses: actions/setup-go@v5
101101
with:
102-
go-version: "1.22" # By default, the go version is v1.15 in runner.
102+
go-version: "1.24.0" # By default, the go version is v1.15 in runner.
103103
- name: Backend unit tests
104104
shell: bash
105105
run: |
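Review bot: the trailing comment on the changed line, `# By default, the go version is v1.15 in runner.`, is stale and now sits next to a `1.24.0` pin; drop it or replace it with the reason the pin is needed. Pinning the exact patch `"1.24.0"` (the old value was the minor-only `"1.22"`) means actions/setup-go keeps installing 1.24.0 after later 1.24.x toolchain security releases ship; prefer `go-version-file` pointing at the module's go.mod, or a `1.24.x` range, so the CI toolchain tracks patch releases automatically.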
@@ -148,7 +148,8 @@ jobs:
148148
exit-code: '1'
149149
ignore-unfixed: true
150150
vuln-type: 'os,library'
151-
severity: 'CRITICAL,HIGH'
151+
severity: 'CRITICAL,HIGH'
152+
152153

153154
docker-build-authentication-server:
154155
runs-on: ubuntu-latest
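Review bot: the only change in this hunk is an added blank line after `severity: 'CRITICAL,HIGH'` (line 152+), and the remaining hunks in this file are the same blank-line-only edits; they change no behaviour and bloat a security fix, so drop them or move them to a separate formatting commit. Since these Trivy steps run with `ignore-unfixed: true` and `severity: 'CRITICAL,HIGH'`, a dependency CVE like the one this commit addresses is only reported once an upstream fix exists and only at those two severities; that is a reasonable gate, but it is worth a comment so nobody reads a green scan as "no known CVEs".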
@@ -176,7 +177,7 @@ jobs:
176177
ignore-unfixed: true
177178
vuln-type: 'os,library'
178179
severity: 'CRITICAL,HIGH'
179-
180+
180181
docker-build-subscriber:
181182
runs-on: ubuntu-latest
182183
needs:
@@ -203,6 +204,7 @@ jobs:
203204
ignore-unfixed: true
204205
vuln-type: 'os,library'
205206
severity: 'CRITICAL,HIGH'
207+
206208

207209
docker-build-frontend:
208210
runs-on: ubuntu-latest
@@ -233,6 +235,7 @@ jobs:
233235
ignore-unfixed: true
234236
vuln-type: 'os,library'
235237
severity: 'CRITICAL,HIGH'
238+
236239

237240
docker-build-event-tracker:
238241
runs-on: ubuntu-latest
@@ -260,6 +263,7 @@ jobs:
260263
ignore-unfixed: true
261264
vuln-type: 'os,library'
262265
severity: 'CRITICAL,HIGH'
266+
263267

264268
docker-build-dex-server:
265269
runs-on: ubuntu-latest
@@ -286,3 +290,4 @@ jobs:
286290
ignore-unfixed: true
287291
vuln-type: 'os,library'
288292
severity: 'CRITICAL,HIGH'
293+

chaoscenter/authentication/Dockerfile

Lines changed: 5 additions & 2 deletions
@@ -14,14 +14,17 @@ RUN go env
1414

1515
RUN CGO_ENABLED=0 go build -o /output/server -v ./api/
1616

17-
# Packaging stage
17+
# PACKAGING STAGE
1818
# Use RedHat UBI minimal image as base
1919
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5
2020

2121
LABEL maintainer="LitmusChaos"
2222

2323
ENV APP_DIR="/litmus"
2424

25+
# Ensure base packages (including libxslt) are patched
26+
RUN microdnf -y update && microdnf clean all
27+
2528
COPY --from=builder /output/server $APP_DIR/
2629
RUN chown 65534:0 $APP_DIR/server && chmod 755 $APP_DIR/server
2730

@@ -30,4 +33,4 @@ USER 65534
3033

3134
CMD ["./server"]
3235

33-
EXPOSE 3000
36+
EXPOSE 3000
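Review bot: `EXPOSE 3000` is removed and re-added unchanged (33-/36+), which is an end-of-file newline or whitespace change only; revert it or fold it into a separate formatting commit so the security-relevant diff stays minimal.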

chaoscenter/authentication/go.mod

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@ require (
1313
github.com/stretchr/testify v1.9.0
1414
go.mongodb.org/mongo-driver v1.17.1
1515
golang.org/x/crypto v0.43.0
16-
golang.org/x/oauth2 v0.21.0
16+
golang.org/x/oauth2 v0.27.0
1717
google.golang.org/grpc v1.66.2
1818
google.golang.org/protobuf v1.34.2
1919
)
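Review bot: the commit message says the Go version was updated to 1.24.0 in go.mod, but this hunk only bumps `golang.org/x/oauth2 v0.21.0` to `v0.27.0`; the `go` directive lies outside the shown range, so confirm it matches the `1.24.0` toolchain now pinned in CI and in the builder image, otherwise the three will drift. Also record in the PR that v0.27.0 is the version carrying the fix for CVE-2025-22868 cited in the title, so the bump is traceable in a later audit. The context line `golang.org/x/crypto v0.43.0` is unchanged even though the message mentions a crypto v0.35.0 step, so that intermediate change appears to have been superseded; the message could be squashed to reflect what actually landed.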

chaoscenter/authentication/go.sum

Lines changed: 2 additions & 2 deletions
@@ -128,8 +128,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
128128
golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM=
129129
golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
130130
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
131-
golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
132-
golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
131+
golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
132+
golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
133133
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
134134
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
135135
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
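Review bot: the v0.21.0 `h1:` and `/go.mod` entries are dropped and the matching v0.27.0 pair added, consistent with the go.mod bump and with the `go mod tidy` step in the commit message; the remaining check is that these sums came from `go mod tidy` against the module proxy rather than being edited by hand, which a `go mod verify` step in CI would catch.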
