
Update third party libraries flagged for vulnerability scans#1124

Merged
collin-lee merged 1 commit into envoyproxy:main from bloomenergyguy:third_part_vulnerability_scans_20260429
Apr 30, 2026

Conversation

@bloomenergyguy
Contributor

Summary

Updates third-party libraries to address security vulnerabilities identified in the CDP policy engine security scan for
`sfci/3pp/3pp/docker.io/envoyproxy/ratelimit`.

Changes

Go Dependencies (go.mod)

  • Go: `1.26.1` → `1.26.2`
    • Addresses vulnerabilities in `golang:crypto/x509`, `golang:crypto/tls`, and `golang:html/template`
  • OpenTelemetry SDK: `1.40.0` → `1.43.0`
    • `go.opentelemetry.io/otel`
    • `go.opentelemetry.io/otel/sdk`
    • `go.opentelemetry.io/otel/trace`
    • `go.opentelemetry.io/otel/metric`
  • OpenTelemetry OTLP Exporters: → `1.43.0`
    • `go.opentelemetry.io/otel/exporters/otlp/otlptrace` (`1.28.0` → `1.43.0`)
    • `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc` (`1.28.0` → `1.43.0`)
    • `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` (`1.27.0` → `1.43.0`)
  • gRPC: Remains at `1.80.0` (required by OpenTelemetry 1.43.0)

Docker Images

  • Updated all Dockerfiles to use `golang:1.26.2@sha256:7095ad02810845fa35d1fb090b8e57dd20dce4ca36b29b42951802350d2ec90e`
    • `Dockerfile`
    • `Dockerfile.integration`
    • `examples/xds-sotw-config-server/Dockerfile`

CI/CD

  • Updated GitHub Actions workflows to use Go 1.26.2
    • `.github/workflows/pullrequest.yaml`
    • `.github/workflows/main.yaml`

Signed-off-by: collin-lee <collin.lee@salesforce.com>
@collin-lee collin-lee merged commit fe26676 into envoyproxy:main Apr 30, 2026
6 checks passed
harrisonharris-di pushed a commit to harrisonharris-di/ratelimit that referenced this pull request May 4, 2026
PR envoyproxy#1124 updated the golang base image from 1.26.1 to 1.26.2, but the
new digest sha256:7095ad02810845fa35d1fb090b8e57dd20dce4ca36b29b42951802350d2ec90e
is a single-arch (linux/amd64) image manifest rather than a multi-arch index.
The previous 1.26.1 digest sha256:e2ddb153f786ee6210bf8c40f7f35490b3ff7d38be70d1a0d358ba64225f6428
is an OCI image index covering linux/amd64, arm64/v8, arm/v7, 386, ppc64le,
riscv64, s390x and windows/amd64.

When buildx is asked to produce a non-amd64 variant of the published
envoyproxy/ratelimit image, the FROM line resolves to the amd64 base
on every platform, so the resulting binary is amd64 regardless of the
target. The multi-arch publish then stamps that amd64 binary into the
arm64 layer of the released index, producing an image that fails on
arm64 nodes with:

  exec /bin/ratelimit: exec format error

Swap to the corresponding multi-arch index digest
sha256:b54cbf583d390341599d7bcbc062425c081105cc5ef6d170ced98ef9d047c716, which
contains the existing 7095ad02... amd64 manifest as one of its children plus
the arm64/v8 and other platform variants. The amd64 image is unchanged; arm64
builds now produce arm64 binaries.

Signed-off-by: Harrison Harris <harrison.harris@xapien.com>
psbrar99 pushed a commit that referenced this pull request May 7, 2026
PR #1124 updated the golang base image from 1.26.1 to 1.26.2, but the
new digest sha256:7095ad02810845fa35d1fb090b8e57dd20dce4ca36b29b42951802350d2ec90e
is a single-arch (linux/amd64) image manifest rather than a multi-arch index.
The previous 1.26.1 digest sha256:e2ddb153f786ee6210bf8c40f7f35490b3ff7d38be70d1a0d358ba64225f6428
is an OCI image index covering linux/amd64, arm64/v8, arm/v7, 386, ppc64le,
riscv64, s390x and windows/amd64.

When buildx is asked to produce a non-amd64 variant of the published
envoyproxy/ratelimit image, the FROM line resolves to the amd64 base
on every platform, so the resulting binary is amd64 regardless of the
target. The multi-arch publish then stamps that amd64 binary into the
arm64 layer of the released index, producing an image that fails on
arm64 nodes with:

  exec /bin/ratelimit: exec format error

Swap to the corresponding multi-arch index digest
sha256:b54cbf583d390341599d7bcbc062425c081105cc5ef6d170ced98ef9d047c716, which
contains the existing 7095ad02... amd64 manifest as one of its children plus
the arm64/v8 and other platform variants. The amd64 image is unchanged; arm64
builds now produce arm64 binaries.

Signed-off-by: Harrison Harris <harrison.harris@xapien.com>
Co-authored-by: Harrison Harris <harrison.harris@xapien.com>
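The two commit messages above describe the same pitfall: a `FROM image@sha256:...` pin that resolves to a single-platform manifest instead of an OCI image index makes every cross-platform buildx target silently inherit the amd64 base. The following is an added example, not code from the envoyproxy/ratelimit project or from either commit author, of a pre-merge check for that condition: it parses the digest out of a Dockerfile `FROM` line, classifies a manifest document as index or single-image by its `mediaType`, and reports which required platforms the pin does not cover. The manifest JSON embedded below is constructed to mirror the shape returned by `docker buildx imagetools inspect --raw <ref>@<digest>`; its digests are placeholders, and the function names (`ParseFromPin`, `Coverage`, `Missing`) are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Media types that distinguish a multi-platform index from a single-image manifest.
const (
	ociIndex       = "application/vnd.oci.image.index.v1+json"
	dockerList     = "application/vnd.docker.distribution.manifest.list.v2+json"
	ociManifest    = "application/vnd.oci.image.manifest.v1+json"
	dockerManifest = "application/vnd.docker.distribution.manifest.v2+json"
)

// manifestDoc is the subset of an OCI index / image manifest this check needs.
type manifestDoc struct {
	MediaType string `json:"mediaType"`
	Manifests []struct {
		Digest   string `json:"digest"`
		Platform *struct {
			OS           string `json:"os"`
			Architecture string `json:"architecture"`
			Variant      string `json:"variant"`
		} `json:"platform"`
	} `json:"manifests"`
}

// Matches "FROM [--platform=...] <ref>@sha256:<64 hex> [AS name]".
var fromRe = regexp.MustCompile(`^\s*FROM\s+(?:--platform=\S+\s+)?(\S+?)@(sha256:[0-9a-f]{64})\b`)

// ParseFromPin extracts the image reference and digest from a Dockerfile FROM line.
// ok is false for lines that are not digest-pinned FROM instructions.
func ParseFromPin(line string) (ref, digest string, ok bool) {
	m := fromRe.FindStringSubmatch(line)
	if m == nil {
		return "", "", false
	}
	return m[1], m[2], true
}

// Coverage reports whether raw is a multi-platform index and which
// os/arch[/variant] strings it declares. A single-image manifest is valid but
// declares no platforms at this level (its arch lives in the config blob).
func Coverage(raw []byte) (isIndex bool, platforms []string, err error) {
	var doc manifestDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return false, nil, err
	}
	switch doc.MediaType {
	case ociIndex, dockerList:
		// multi-platform index: collect children below
	case ociManifest, dockerManifest:
		return false, nil, nil
	default:
		return false, nil, fmt.Errorf("unrecognised mediaType %q", doc.MediaType)
	}
	for _, m := range doc.Manifests {
		// buildx attestation entries carry os/arch "unknown"; skip them.
		if m.Platform == nil || m.Platform.OS == "unknown" {
			continue
		}
		p := m.Platform.OS + "/" + m.Platform.Architecture
		if m.Platform.Variant != "" {
			p += "/" + m.Platform.Variant
		}
		platforms = append(platforms, p)
	}
	return true, platforms, nil
}

// Missing returns the required platforms not covered by raw. A single-arch
// manifest misses every required platform: that is exactly the failure mode
// in the commit message, where buildx resolves FROM to the amd64 image on all targets.
func Missing(raw []byte, required []string) ([]string, error) {
	isIndex, have, err := Coverage(raw)
	if err != nil {
		return nil, err
	}
	if !isIndex {
		return append([]string(nil), required...), nil
	}
	set := map[string]bool{}
	for _, p := range have {
		set[p] = true
	}
	var missing []string
	for _, r := range required {
		if !set[r] {
			missing = append(missing, r)
		}
	}
	return missing, nil
}

// Constructed sample documents (shapes only; digests are placeholders).
const singleArch = `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json",
 "config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:PLACEHOLDER_CONFIG","size":1},
 "layers":[]}`

const multiArch = `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[
 {"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:PLACEHOLDER_AMD64","size":1,"platform":{"os":"linux","architecture":"amd64"}},
 {"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:PLACEHOLDER_ARM64","size":1,"platform":{"os":"linux","architecture":"arm64","variant":"v8"}},
 {"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:PLACEHOLDER_ATT","size":1,"platform":{"os":"unknown","architecture":"unknown"}}]}`

func main() {
	required := []string{"linux/amd64", "linux/arm64/v8"}
	for name, raw := range map[string]string{"single-arch": singleArch, "multi-arch": multiArch} {
		missing, err := Missing([]byte(raw), required)
		fmt.Printf("%s: missing=%v err=%v\n", name, missing, err)
	}
}
```

In a CI job the `raw` input would come from `docker buildx imagetools inspect --raw` on the reference parsed by `ParseFromPin`, and a non-empty `Missing` result for the platforms the release workflow builds should fail the job before the digest bump is merged. Checking the `mediaType` rather than the tag is the point: both digests on this page are labelled `golang:1.26.2`, and only the document type tells them apart.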