
Suppress CVE-2026-32282 (Go stdlib Root.Chmod) and bump shfmt/actionlint#117

Merged: lex57ukr merged 1 commit into main from 114-cve-monitor-fixable-vulnerabilities-in-ci-tools on Apr 13, 2026

Conversation

lex57ukr (Contributor) commented Apr 13, 2026

Summary

Today's scheduled ci-tools scan flagged CVE-2026-32282 (Go stdlib internal/syscall/unix: Root.Chmod symlink escape) as fixable against actionlint, shfmt, and yq. Fixed upstream in Go 1.25.9 / 1.26.2, but neither the current releases nor the very latest tags (shfmt v3.13.1, actionlint v1.7.12) have picked up a patched Go toolchain — both still build on Go 1.26.1. Suppress the CVE under the existing stdlib tracker so CI clears, and roll in the latest non-security content from the bumps at the same time.

Related Issues

Fixes #114
Refs #96

Changes

  • Bump shfmt v3.13.0 → v3.13.1 and actionlint 1.7.11 → 1.7.12 via make resolve
  • Suppress CVE-2026-32282 in images/ci-tools/.trivyignore covering actionlint, shfmt, and yq
  • Refresh the actionlint suppression header to reflect both suppressed stdlib CVEs

Further Comments

Practical risk for this CVE in our image is negligible — none of the three binaries call os.Root.Chmod on untrusted filesystem input. Removal criteria (upstream rebuilds with Go ≥ 1.25.9 / 1.26.2) are tracked alongside CVE-2026-25679 in #96, with a fold-in checklist.

Roll shfmt v3.13.0 → v3.13.1 and actionlint 1.7.11 → 1.7.12 for the
non-security content in both releases. Neither upstream build carries
a patched Go toolchain yet (both on go1.26.1), so CVE-2026-32282
(internal/syscall/unix: Root.Chmod symlink escape, fixed in Go 1.25.9
or 1.26.2) still trips the scan against all three Go binaries.

Suppress CVE-2026-32282 for actionlint, shfmt, and yq under the
existing stdlib tracker. None of the three binaries call os.Root.Chmod
on untrusted filesystem input — they operate offline on local files
under the user's own permissions — so the practical risk is negligible.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
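The removal criterion above is "upstream rebuilds with Go ≥ 1.25.9 / 1.26.2". As an added example that is not part of this pull request or of either upstream project, here is a small Go check that reads the toolchain version embedded in a binary (the same data `go version -m` shows) and reports whether it is at or past the fixed release; the 1.25.9 / 1.26.2 thresholds are taken from the PR text, and the binary paths in the usage comment are placeholders.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// First patch release of each supported Go minor that carries the fix for
// CVE-2026-32282 (Go 1.25.9 / 1.26.2, per the PR description).
var fixedPatch = map[int]int{25: 9, 26: 2}

// ToolchainPatched reports whether a toolchain version string as embedded
// by the Go linker (e.g. "go1.26.1") is at or past the fixed release.
func ToolchainPatched(goVersion string) (bool, error) {
	var minor, patch int
	// A pre-release tag ("go1.27rc1") stops the scan after the minor; one
	// matched item is enough and patch stays 0.
	if n, _ := fmt.Sscanf(goVersion, "go1.%d.%d", &minor, &patch); n < 1 {
		return false, fmt.Errorf("unrecognised Go version %q", goVersion)
	}
	if fixed, ok := fixedPatch[minor]; ok {
		return patch >= fixed, nil
	}
	// Minors below 1.25 are out of support and never receive the fix;
	// minors above 1.26 were released after it.
	return minor > 26, nil
}

// CheckBinary reads the build info embedded in a Go binary on disk and
// reports its toolchain version and whether that toolchain is patched.
func CheckBinary(path string) (goVersion string, patched bool, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	patched, err = ToolchainPatched(bi.GoVersion)
	return bi.GoVersion, patched, err
}

// Usage (placeholder paths): go run . /usr/local/bin/shfmt /usr/local/bin/actionlint
func main() {
	for _, p := range os.Args[1:] {
		v, ok, err := CheckBinary(p)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", p, err)
			continue
		}
		fmt.Printf("%s: built with %s, patched=%t\n", p, v, ok)
	}
}
```

Running it against the three binaries in the image is a quick way to confirm whether the suppression can be dropped after the next upstream bump.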
lex57ukr added the labels security (Security-related change) and dependencies (Dependency updates) on Apr 13, 2026
lex57ukr linked an issue on Apr 13, 2026 that may be closed by this pull request
lex57ukr enabled auto-merge (squash) on April 13, 2026 12:24
lex57ukr merged commit 713b3a3 into main on Apr 13, 2026
7 checks passed
lex57ukr deleted the 114-cve-monitor-fixable-vulnerabilities-in-ci-tools branch on April 13, 2026 12:24

Linked issue (may be closed by this pull request): CVE Monitor: fixable vulnerabilities in ci-tools
