
Bump x/net to 0.55.0 and refresh OS packages to clear Trivy HIGH CVEs #111

Merged

akwirick merged 2 commits into main from aw/trivy-os-and-xnet-bumps on Jun 29, 2026

Conversation

@akwirick

Contributor

Why

The daily Scan for Vulnerabilities (Trivy) workflow has been failing on cortex-axon-agent with 51 fixable CRITICAL/HIGH findings. They come from three sources; this PR fixes the two that live in this repo (~49 of 51):

| Source | Findings | Fix |
| --- | --- | --- |
| golang.org/x/net v0.51.0 (indirect) | 6 | → v0.55.0 |
| OS pkgs linux-libc-dev, libssh2 (Debian 13) | ~43 | refresh apt layer |
| npm form-data, ws | 2 | separate (snyk-broker repo) |

Fix

  • agent/go.mod — go get golang.org/x/net@v0.55.0 (pulls x/sys 0.45.0, x/text 0.37.0). Clears CVE-2026-25680/25681/27136/39821/42502/42506 and CVE-2026-33814.
  • docker/Dockerfile — bump APT_CACHE_BUST 2026-06-11 → 2026-06-29. This is the mechanism documented in the Dockerfile itself: the fixed OS packages are already in Debian's archive, and bumping the bust invalidates the stale cached apt-get upgrade layer so they get re-fetched.

Not covered here

The remaining 2 findings (form-data 4.0.4→4.0.6 and ws 8.20.1→8.21.0) are pulled in by cortexapps/snyk-broker (cloned and npm installed at image-build time, pinned via SNYK_BROKER_VERSION). The fix belongs in that repo's lockfile, then a SNYK_BROKER_VERSION bump here. Tracking separately.

Session: 58ae38a7 · Worktree: scratchpad clone

🤖 Generated with Claude Code
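As an added example (not code from this PR or the project), the triage the description above did by hand, in script form: parse a Trivy `--format json` report, keep only fixable CRITICAL/HIGH findings, and group them by source so the fixes owned by this repo (Go module bump, apt layer refresh) can be separated from the ones owned by another repo. The report follows Trivy's JSON layout; the sample report and its `CVE-EXAMPLE-*` identifiers are constructed, only the x/net versions and CVE-2026-25680 come from the PR text.

```python
import json
from collections import defaultdict

# Constructed sample of a Trivy JSON report, modelled on the findings this PR
# describes. It is not the real scan output; CVE-EXAMPLE-* ids are placeholders.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "cortex-axon-agent (debian 13)", "Class": "os-pkgs", "Type": "debian",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "linux-libc-dev",
          "InstalledVersion": "6.12.1-1", "FixedVersion": "6.12.2-1", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libssh2-1",
          "InstalledVersion": "1.11.0-1", "FixedVersion": "", "Severity": "HIGH"}]},
    {"Target": "agent/go.mod", "Class": "lang-pkgs", "Type": "gomod",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2026-25680", "PkgName": "golang.org/x/net",
          "InstalledVersion": "v0.51.0", "FixedVersion": "v0.55.0", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "golang.org/x/net",
          "InstalledVersion": "v0.51.0", "FixedVersion": "v0.55.0", "Severity": "MEDIUM"}]},
    {"Target": "snyk-broker/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "form-data",
          "InstalledVersion": "4.0.4", "FixedVersion": "4.0.6", "Severity": "CRITICAL"}]},
]})


def triage(report_json, severities=("CRITICAL", "HIGH")):
    """Return {type: {package: {"count": n, "installed": v, "fixed": v}}} for
    findings at the given severities that have a fix. An empty FixedVersion
    means no fix is available, so the finding cannot be cleared by a bump."""
    out = defaultdict(dict)
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities or not vuln.get("FixedVersion"):
                continue
            pkg = out[result["Type"]].setdefault(vuln["PkgName"], {
                "count": 0, "installed": vuln["InstalledVersion"],
                "fixed": vuln["FixedVersion"]})
            pkg["count"] += 1
    return dict(out)


def fixable_total(grouped):
    """Total fixable findings across all sources, as a scan gate would count them."""
    return sum(p["count"] for pkgs in grouped.values() for p in pkgs.values())


if __name__ == "__main__":
    grouped = triage(SAMPLE_REPORT)
    for source, pkgs in sorted(grouped.items()):
        for name, info in pkgs.items():
            print(f"{source:7} {name:22} {info['count']:3} "
                  f"{info['installed']} -> {info['fixed']}")
    print("fixable CRITICAL/HIGH:", fixable_total(grouped))
```

Findings whose `FixedVersion` is empty are dropped on purpose: a version bump cannot clear them, so they belong in an ignore file with a reason rather than in a dependency PR.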

The daily Trivy CRITICAL/HIGH scan was failing on cortex-axon-agent with
fixable HIGH findings from two in-repo sources:

- golang.org/x/net v0.51.0 (indirect): 6 CVEs (CVE-2026-25680/25681/27136/
  39821/42502/42506, plus CVE-2026-33814). Bumped to v0.55.0 via go get
  (pulls x/sys 0.45.0, x/text 0.37.0).
- OS packages linux-libc-dev and libssh2 (Debian 13): fixes are already in
  the archive; bump APT_CACHE_BUST to invalidate the stale cached apt layer
  and force apt-get upgrade to re-fetch, per the documented mechanism.

The remaining 2 findings (npm form-data, ws) live in the snyk-broker repo
cloned at build time, addressed separately.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

v1.0.16-axon carries the form-data 4.0.6, ws 8.21.0, and js-yaml 4.3.0
bumps (cortexapps/snyk-broker#25), clearing the 3 remaining Trivy HIGH
findings the broker contributed to the cortex-axon-agent image.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@akwirick akwirick enabled auto-merge (squash) June 29, 2026 21:05
@akwirick akwirick merged commit 0386623 into main Jun 29, 2026
17 checks passed
@akwirick akwirick deleted the aw/trivy-os-and-xnet-bumps branch June 29, 2026 21:07