Skip to content

Security review: GO-2026-5932 (x/crypto/openpgp) open Code Scanning alert #36

Description

@christopherfickess

Finding

Code Scanning alert (Grype): GO-2026-5932 — the golang.org/x/crypto/openpgp subpackage is unmaintained/unsafe-by-design.

Status

Left open intentionally, pending security review. Do not suppress in .grype.yaml or dismiss in the UI until this review concludes.

Triage context (for the reviewer)

  • The advisory targets the x/crypto/openpgp subpackage, which is not compiled into the plugin — verified via go list -deps ./...: only scrypt, bcrypt, chacha20poly1305, pbkdf2, cryptobyte, blowfish are in the build graph. No openpgp.
  • x/crypto is pulled transitively via mattermost/server/public/model → x/crypto/scrypt and golang.org/x/net.
  • No fixed version exists — this is an unmaintained-subpackage advisory, not a patchable CVE. Upgrading x/crypto does not clear it.
  • Authoritative confirmation available via govulncheck ./... (symbol-level reachability) if desired.

Decision paths

  • Confirmed not reachable → add a documented .grype.yaml ignore for GO-2026-5932 (and consider pre-seeding it in mattermost-plugin-template, since every Go plugin pulls x/crypto transitively).
  • Action wanted → migrate any OpenPGP usage to github.com/ProtonMail/go-crypto/openpgp (none present today).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions