diff --git a/.github/renovate.json b/.github/renovate.json index 2d0340dc9..6dd680fd7 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -477,6 +477,26 @@ "dockerfile" ] }, + { + "description": "Keep the Dockerfile's golang builder image in lockstep with go.mod/GO_VERSION bumps — prevents the Docker build failing when go.mod requires a newer Go than the pinned builder image (overrides the broader Dockerfile ARG grouping above since it matches later)", + "matchManagers": [ + "custom.regex" + ], + "matchFileNames": [ + "Dockerfile" + ], + "matchDepNames": [ + "golang" + ], + "matchUpdateTypes": [ + "minor", + "patch", + "pin", + "digest" + ], + "groupName": "go-non-major", + "groupSlug": "go-non-major" + }, { "description": "Development branch: Auto-merge non-major updates after proven stable", "matchBaseBranches": [ diff --git a/.github/skills/examples/gorm-scanner-ci-workflow.yml b/.github/skills/examples/gorm-scanner-ci-workflow.yml index 49b9f88b1..b0ae9bc90 100644 --- a/.github/skills/examples/gorm-scanner-ci-workflow.yml +++ b/.github/skills/examples/gorm-scanner-ci-workflow.yml @@ -25,7 +25,7 @@ jobs: - name: Setup Go uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6 with: - go-version: "1.26.4" + go-version: "1.26.5" - name: Run GORM Security Scanner id: gorm-scan diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index be332d981..ee265e80f 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -12,7 +12,7 @@ concurrency: cancel-in-progress: true env: - GO_VERSION: '1.26.4' + GO_VERSION: '1.26.5' GOTOOLCHAIN: local # Minimal permissions at workflow level; write permissions granted at job level for push only diff --git a/.github/workflows/codecov-upload.yml b/.github/workflows/codecov-upload.yml index 8cdf824fb..0a665c813 100644 --- a/.github/workflows/codecov-upload.yml +++ b/.github/workflows/codecov-upload.yml @@ -23,7 +23,7 @@ concurrency: cancel-in-progress: true env: - GO_VERSION: '1.26.4' + GO_VERSION: '1.26.5' NODE_VERSION: '24.18.0' GOTOOLCHAIN: local diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index da0e93d3a..2bd995590 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -15,7 +15,7 @@ concurrency: env: GOTOOLCHAIN: local - GO_VERSION: '1.26.4' + GO_VERSION: '1.26.5' permissions: contents: read diff --git a/.github/workflows/e2e-tests-split.yml b/.github/workflows/e2e-tests-split.yml index e38a3a092..0fdf7be8b 100644 --- a/.github/workflows/e2e-tests-split.yml +++ b/.github/workflows/e2e-tests-split.yml @@ -83,7 +83,7 @@ on: env: NODE_VERSION: '24.18.0' - GO_VERSION: '1.26.4' + GO_VERSION: '1.26.5' GOTOOLCHAIN: local DOCKERHUB_REGISTRY: docker.io IMAGE_NAME: ${{ github.repository_owner }}/charon diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml index 8347aa7ed..fb8d8b5dc 100644 --- a/.github/workflows/nightly-build.yml +++ b/.github/workflows/nightly-build.yml @@ -15,7 +15,7 @@ on: default: "false" env: - GO_VERSION: '1.26.4' + GO_VERSION: '1.26.5' NODE_VERSION: '24.18.0' GOTOOLCHAIN: local GHCR_REGISTRY: ghcr.io diff --git a/.github/workflows/orthrus-build.yml b/.github/workflows/orthrus-build.yml index 55b6c4581..4e45c8574 100644 --- a/.github/workflows/orthrus-build.yml +++ b/.github/workflows/orthrus-build.yml @@ -29,7 +29,7 @@ env: GHCR_REGISTRY: ghcr.io DOCKERHUB_REGISTRY: docker.io IMAGE_NAME: wikid82/orthrus - GO_VERSION: '1.26.4' + GO_VERSION: '1.26.5' permissions: contents: read diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 0a23f2da3..22e0b7e91 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -16,7 +16,7 @@ permissions: checks: write env: - GO_VERSION: '1.26.4' + GO_VERSION: '1.26.5' NODE_VERSION: '24.18.0' GOTOOLCHAIN: local diff --git a/.github/workflows/release-goreleaser.yml b/.github/workflows/release-goreleaser.yml index 516cba748..bad8ca777 100644 --- a/.github/workflows/release-goreleaser.yml +++ b/.github/workflows/release-goreleaser.yml @@ -10,7 +10,7 @@ concurrency: cancel-in-progress: false env: - GO_VERSION: '1.26.4' + GO_VERSION: '1.26.5' NODE_VERSION: '24.18.0' GOTOOLCHAIN: local diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index e514d79aa..cbf7b4c7d 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -11,7 +11,12 @@ concurrency: # Renovate authenticates via the RENOVATE_TOKEN PAT; GITHUB_TOKEN is only used by checkout. permissions: - contents: read + contents: write + pull-requests: write + issues: write + +env: + GO_VERSION: '1.26.5' jobs: renovate: diff --git a/.grype.yaml b/.grype.yaml index 64fc1fdff..376f7653b 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -840,6 +840,61 @@ ignore: # Action items: same as GO-2026-5024 entry above. + # GO-2026-5932: golang.org/x/crypto/openpgp is unmaintained, unsafe by design + # Severity: UNKNOWN in Go vulndb (Trivy substitutes another vendor's rating) — + # Package: golang.org/x/crypto v0.53.0, flagged in /app/charon, /usr/bin/caddy, + # /usr/local/bin/crowdsec, /usr/local/bin/cscli + # + # Vulnerability Details: + # - Go's advisory database flags golang.org/x/crypto/openpgp as unmaintained and unsafe by + # design (not a specific exploitable bug) and recommends migrating to a maintained fork + # such as github.com/ProtonMail/go-crypto. + # - No fixed version is recorded — this cannot be resolved by upgrading golang.org/x/crypto. + # + # Root Cause of Suppression (No Fix Path): + # - Trivy's gobinary scanner flags based on module versions embedded in the compiled binary's + # buildinfo, not on which subpackages are actually imported/linked. + # - Verified via `go list -deps ./...` in backend: the openpgp subpackage is not imported + # anywhere in Charon's own code. app/charon is a false positive. + # - caddy, crowdsec, and cscli are third-party binaries built in the Dockerfile; x/crypto is + # a transitive dependency of theirs that we don't control the internals of. + # + # Risk Assessment: ACCEPTED (no fix exists; not reachable via Charon's own code) + # - Charon's own binary does not call any x/crypto/openpgp API. + # - No upstream action can resolve this short of the vendor projects dropping the dependency. + # + # Mitigation: + # - Monitor whether caddy/crowdsec/cscli upstream drop their dependency on x/crypto/openpgp. + # - Re-run govulncheck periodically to confirm Charon's own code stays clean. + # + # Review: + # - Initial suppression 2026-07-08: no fixed version exists; false positive for app/charon. + # - Next review: 2026-08-08. + # + # Removal Criteria: + # - Go vulndb publishes a fixed version for golang.org/x/crypto, OR + # - Trivy adds subpackage-aware (symbol-level) matching instead of module-level matching + # + # References: + # - GO-2026-5932: https://pkg.go.dev/vuln/GO-2026-5932 + - vulnerability: GO-2026-5932 + package: + name: golang.org/x/crypto + version: "v0.53.0" + type: go-module + reason: | + UNKNOWN/HIGH — golang.org/x/crypto/openpgp is flagged as unmaintained and unsafe by design. + No fixed version exists; this is not a patchable bug. Verified via `go list -deps ./...` + that Charon's own code (app/charon) does not import the openpgp subpackage — false positive + from Trivy's module-level (not symbol-level) binary scanning. caddy/crowdsec/cscli are + third-party binaries with their own transitive dependency on x/crypto. + expiry: "2026-08-08" # Review: Initial suppression 2026-07-08. Next review: 2026-08-08. + + # Action items when this suppression expires: + # 1. Check if Go vulndb has published a fixed version for golang.org/x/crypto + # 2. Re-run `go list -deps ./...` in backend to confirm openpgp is still not imported + # 3. If neither changes: extend expiry by 30 days + # Match exclusions (patterns to ignore during scanning) # Use sparingly - prefer specific CVE suppressions above match: diff --git a/.trivyignore b/.trivyignore index 9109c8bed..e272e5d63 100644 --- a/.trivyignore +++ b/.trivyignore @@ -163,3 +163,18 @@ CVE-2024-21492 # See also: .grype.yaml for full justification # exp: 2026-09-23 CVE-2026-39824 + +# GO-2026-5932: golang.org/x/crypto/openpgp is unmaintained, unsafe by design +# Severity: reported UNKNOWN by Go vulndb; Trivy falls back to another vendor's severity rating +# Package: golang.org/x/crypto v0.53.0 — flagged in /app/charon, /usr/bin/caddy, +# /usr/local/bin/crowdsec, /usr/local/bin/cscli +# No fixed version exists: this advisory does not describe a patchable bug, it is Go's standing +# recommendation to stop using the openpgp subpackage entirely (superseded by +# github.com/ProtonMail/go-crypto). No golang.org/x/crypto version resolves this. +# Verified `go list -deps ./...` in backend: the openpgp subpackage is not imported anywhere in +# Charon's own code — app/charon is flagged purely because Trivy's gobinary scan checks module +# versions embedded in the binary, not which subpackages are actually linked in. +# caddy/crowdsec/cscli are third-party binaries; x/crypto is a transitive dependency we don't control. +# Review by: 2026-08-08 +# exp: 2026-08-08 +GO-2026-5932 diff --git a/.vscode/tasks.json b/.vscode/tasks.json index 9c43fbcef..43883284d 100644 --- a/.vscode/tasks.json +++ b/.vscode/tasks.json @@ -1062,7 +1062,7 @@ { "label": "Utility: Update Go Version", "type": "shell", - "command": "go env -w GOTOOLCHAIN=go$(go list -m -f '{{.Version}}' go@latest)+auto && go list -m -f '{{.Version}}' go@latest && go version", + "command": "./scripts/update-go-toolchain.sh", "group": "none", "problemMatcher": [], "presentation": { diff --git a/Dockerfile b/Dockerfile index 14b748c03..30635c44a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,7 @@ ARG BUILD_DEBUG=0 # ---- Pinned Toolchain Versions ---- # renovate: datasource=docker depName=golang versioning=docker -ARG GO_VERSION=1.26.4 +ARG GO_VERSION=1.26.5 # renovate: datasource=docker depName=alpine versioning=docker ARG ALPINE_IMAGE=alpine:3.24.1@sha256:28bd5fe8b56d1bd048e5babf5b10710ebe0bae67db86916198a6eec434943f8b diff --git a/SECURITY.md b/SECURITY.md index 9059c435c..432eccc64 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -368,6 +368,53 @@ decode path. Charon defaults to SQLite, so standard deployments do not expose th Track upstream CrowdSec dependency updates and remove suppression once pgx/v4 is no longer present in bundled components. +--- + +### [HIGH] GO-2026-5932 · golang.org/x/crypto/openpgp Unmaintained, Unsafe by Design + +| Field | Value | +|--------------|-------| +| **ID** | GO-2026-5932 | +| **Severity** | Reported Unknown by Go vulndb; Trivy substitutes another vendor's rating | +| **Status** | Awaiting Upstream (no fixed version exists) | + +**What** +`golang.org/x/crypto/openpgp` v0.53.0 is flagged by the Go vulnerability database as +unmaintained and unsafe by design — this is not a specific patchable bug, it is Go's standing +recommendation to migrate off the openpgp subpackage entirely (superseded by +`github.com/ProtonMail/go-crypto`). No fixed `golang.org/x/crypto` version resolves this. + +**Who** + +- Discovered by: Automated scan (Trivy image scan, PR #1133) +- Reported: 2026-07-08 +- Affects: `app/charon`, `usr/bin/caddy`, `usr/local/bin/crowdsec`, `usr/local/bin/cscli` + +**Where** + +- Component: `golang.org/x/crypto` v0.53.0 (declared dependency; embedded across all four binaries) +- Versions affected: all versions containing the `openpgp` subpackage — no fix exists + +**When** + +- Discovered: 2026-07-08 +- Disclosed (if public): Public +- Target fix: N/A — no fixed version will be published; suppression is permanent absent a + Trivy scanner change to symbol-level (rather than module-level) matching + +**How** +Trivy's `gobinary` scanner flags based on module versions recorded in the binary's embedded +build info, not on which subpackages are actually imported and linked. Verified via +`go list -deps ./...` in `backend`: the `openpgp` subpackage is not imported anywhere in +Charon's own code, so the `app/charon` finding is a false positive. `caddy`, `crowdsec`, and +`cscli` are third-party binaries built in the Dockerfile; `golang.org/x/crypto` is a transitive +dependency of theirs that Charon does not control. + +**Planned Remediation** +No remediation path exists upstream. Monitor whether caddy/crowdsec/cscli drop their dependency +on `x/crypto/openpgp`, and periodically re-run `govulncheck` to confirm Charon's own code stays +clean. Suppressed in `.trivyignore` and `.grype.yaml`; review 2026-08-08. + ## Patched Vulnerabilities ### ✅ [HIGH] CVE-2026-34040 · Docker AuthZ Plugin Bypass via Oversized Request Body diff --git a/agent/go.mod b/agent/go.mod index 1f0912053..3e40b329a 100644 --- a/agent/go.mod +++ b/agent/go.mod @@ -1,6 +1,6 @@ module github.com/Wikid82/charon/agent -go 1.26.4 +go 1.26.5 require ( github.com/gorilla/websocket v1.5.3 diff --git a/backend/go.mod b/backend/go.mod index 1714d39e5..0b4048731 100644 --- a/backend/go.mod +++ b/backend/go.mod @@ -1,6 +1,6 @@ module github.com/Wikid82/charon/backend -go 1.26.4 +go 1.26.5 require ( github.com/gin-contrib/gzip v1.2.6 diff --git a/go.work b/go.work index 7a85b66f5..fe3169ac3 100644 --- a/go.work +++ b/go.work @@ -1,4 +1,4 @@ -go 1.26.4 +go 1.26.5 use ( ./agent diff --git a/scripts/update-go-toolchain.sh b/scripts/update-go-toolchain.sh new file mode 100755 index 000000000..ff8f3676d --- /dev/null +++ b/scripts/update-go-toolchain.sh @@ -0,0 +1,41 @@ +#!/usr/bin/env bash +# Pin GOTOOLCHAIN to the latest Go release, prune stale cached toolchains, +# and kick gopls so it picks up the new version without a manual editor reload. +# +# gopls is a long-running process: it resolves its Go toolchain once at +# startup and never re-reads GOTOOLCHAIN afterwards. Without a restart here, +# the editor keeps reporting "go.work requires go >= X (running go Y)" even +# though `go version` in a fresh shell is already correct. + +set -euo pipefail + +LATEST_VERSION="$(go list -m -f '{{.Version}}' go@latest)" +echo "Latest Go release: go${LATEST_VERSION}" + +go env -w "GOTOOLCHAIN=go${LATEST_VERSION}+auto" +echo "GOTOOLCHAIN pinned to go${LATEST_VERSION}+auto" + +TOOLCHAIN_CACHE="$(go env GOMODCACHE)/golang.org" +if [ -d "$TOOLCHAIN_CACHE" ]; then + echo "Pruning cached toolchains older than go${LATEST_VERSION}..." + for dir in "$TOOLCHAIN_CACHE"/toolchain@v*; do + [ -e "$dir" ] || continue + case "$dir" in + *"go${LATEST_VERSION}."*) continue ;; + esac + chmod -R u+w "$dir" + rm -rf "$dir" + echo " removed $(basename "$dir")" + done +fi + +if pkill -x gopls 2>/dev/null; then + echo "Restarted gopls (killed stale process; your editor will respawn it)." +else + echo "No running gopls process found to restart." +fi + +echo "" +go version +echo "" +echo "Done. If your editor still shows a stale Go version, run 'Developer: Reload Window'."