Skip to content

fix(deps): exclude goldmark v1.4.13 to clear CVE-2026-5160#94

Merged
fabio-gos-sonarsource merged 1 commit into
mainfrom
fix/goldmark-cve-2026-5160
Jul 8, 2026
Merged

fix(deps): exclude goldmark v1.4.13 to clear CVE-2026-5160#94
fabio-gos-sonarsource merged 1 commit into
mainfrom
fix/goldmark-cve-2026-5160

Conversation

@fabio-gos-sonarsource

Copy link
Copy Markdown
Contributor

Summary

Clears the SonarQube quality-gate failure for CVE-2026-5160 (XSS / CWE-79, CVSS 5.1) in github.com/yuin/goldmark.

The direct requirement was already upgraded to v1.8.2, and Go's minimal version selection (MVS) was already building v1.8.2 — never the vulnerable v1.4.13. But SonarQube's SCA scans the full module graph, where v1.4.13 still appeared as a transitive edge via golang.org/x/tools (a module the build doesn't actually need). That graph edge alone kept the finding open.

Fix

  • Added an exclude github.com/yuin/goldmark v1.4.13 directive (matching the project's existing replace-directive convention) and ran go mod tidy.
  • Because no package in the repo imports goldmark, go mod tidy pruned it entirely from go.mod and go.sum. The package is no longer a dependency, so the CVE can no longer be reported.

Breaking-change assessment: none

No project code imports goldmark — verified via grep and go mod why. There is no API surface to break.

Verification

  • go build ./... → OK
  • go vet ./... → clean
  • go mod verify → all modules verified
  • SonarQube Agentic Analysis (DEEP) → No issues found
  • go.sum no longer contains any goldmark entries

🤖 Generated with Claude Code

The direct requirement was already at v1.8.2, but SonarQube's SCA kept
flagging v1.4.13 because that version remained in the module graph as a
transitive edge via golang.org/x/tools (which the build does not need).
Go's MVS never selected v1.4.13 and go.sum carried only its /go.mod hash,
so it was never compiled — but the graph edge was enough to fail the
quality gate.

Add an exclude directive for the vulnerable version and run `go mod tidy`.
Since no package imports goldmark, tidy prunes it entirely from go.mod and
go.sum, so the CVE can no longer be reported. No code imports goldmark, so
there is no breaking change; go build, go vet, and go mod verify all pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@gitar-bot

gitar-bot Bot commented Jul 8, 2026

Copy link
Copy Markdown
Code Review ✅ Approved

Excludes the vulnerable goldmark v1.4.13 version via a go.mod directive, resulting in its complete removal from the dependency graph. No issues found.

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change the behavior for this request:

Auto-apply Compact
gitar auto-apply:on         
gitar display:verbose         

Was this helpful? React with 👍 / 👎 | Gitar

@sonarqubecloud

sonarqubecloud Bot commented Jul 8, 2026

Copy link
Copy Markdown

@fabio-gos-sonarsource
fabio-gos-sonarsource merged commit 2f5b4c0 into main Jul 8, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant