Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions .github/renovate.json
Original file line number Diff line number Diff line change
Expand Up @@ -477,6 +477,26 @@
"dockerfile"
]
},
{
"description": "Keep the Dockerfile's golang builder image in lockstep with go.mod/GO_VERSION bumps — prevents the Docker build failing when go.mod requires a newer Go than the pinned builder image (overrides the broader Dockerfile ARG grouping above since it matches later)",
"matchManagers": [
"custom.regex"
],
"matchFileNames": [
"Dockerfile"
],
"matchDepNames": [
"golang"
],
"matchUpdateTypes": [
"minor",
"patch",
"pin",
"digest"
],
"groupName": "go-non-major",
"groupSlug": "go-non-major"
},
{
"description": "Development branch: Auto-merge non-major updates after proven stable",
"matchBaseBranches": [
Expand Down
2 changes: 1 addition & 1 deletion .github/skills/examples/gorm-scanner-ci-workflow.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ jobs:
- name: Setup Go
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6
with:
go-version: "1.26.4"
go-version: "1.26.5"

- name: Run GORM Security Scanner
id: gorm-scan
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/benchmark.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ concurrency:
cancel-in-progress: true

env:
GO_VERSION: '1.26.4'
GO_VERSION: '1.26.5'
GOTOOLCHAIN: local

# Minimal permissions at workflow level; write permissions granted at job level for push only
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/codecov-upload.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ concurrency:
cancel-in-progress: true

env:
GO_VERSION: '1.26.4'
GO_VERSION: '1.26.5'
NODE_VERSION: '24.18.0'
GOTOOLCHAIN: local

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ concurrency:

env:
GOTOOLCHAIN: local
GO_VERSION: '1.26.4'
GO_VERSION: '1.26.5'

permissions:
contents: read
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/e2e-tests-split.yml
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,7 @@ on:

env:
NODE_VERSION: '24.18.0'
GO_VERSION: '1.26.4'
GO_VERSION: '1.26.5'
GOTOOLCHAIN: local
DOCKERHUB_REGISTRY: docker.io
IMAGE_NAME: ${{ github.repository_owner }}/charon
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/nightly-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ on:
default: "false"

env:
GO_VERSION: '1.26.4'
GO_VERSION: '1.26.5'
NODE_VERSION: '24.18.0'
GOTOOLCHAIN: local
GHCR_REGISTRY: ghcr.io
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/orthrus-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ env:
GHCR_REGISTRY: ghcr.io
DOCKERHUB_REGISTRY: docker.io
IMAGE_NAME: wikid82/orthrus
GO_VERSION: '1.26.4'
GO_VERSION: '1.26.5'

permissions:
contents: read
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/quality-checks.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ permissions:
checks: write

env:
GO_VERSION: '1.26.4'
GO_VERSION: '1.26.5'
NODE_VERSION: '24.18.0'
GOTOOLCHAIN: local

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release-goreleaser.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ concurrency:
cancel-in-progress: false

env:
GO_VERSION: '1.26.4'
GO_VERSION: '1.26.5'
NODE_VERSION: '24.18.0'
GOTOOLCHAIN: local

Expand Down
7 changes: 6 additions & 1 deletion .github/workflows/renovate.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,12 @@ concurrency:

# Renovate authenticates via the RENOVATE_TOKEN PAT; GITHUB_TOKEN is only used by checkout.
permissions:
contents: read
contents: write
pull-requests: write
issues: write

env:
GO_VERSION: '1.26.5'

jobs:
renovate:
Expand Down
55 changes: 55 additions & 0 deletions .grype.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -840,6 +840,61 @@ ignore:

# Action items: same as GO-2026-5024 entry above.

# GO-2026-5932: golang.org/x/crypto/openpgp is unmaintained, unsafe by design
# Severity: UNKNOWN in Go vulndb (Trivy substitutes another vendor's rating) —
# Package: golang.org/x/crypto v0.53.0, flagged in /app/charon, /usr/bin/caddy,
# /usr/local/bin/crowdsec, /usr/local/bin/cscli
#
# Vulnerability Details:
# - Go's advisory database flags golang.org/x/crypto/openpgp as unmaintained and unsafe by
# design (not a specific exploitable bug) and recommends migrating to a maintained fork
# such as github.com/ProtonMail/go-crypto.
# - No fixed version is recorded — this cannot be resolved by upgrading golang.org/x/crypto.
#
# Root Cause of Suppression (No Fix Path):
# - Trivy's gobinary scanner flags based on module versions embedded in the compiled binary's
# buildinfo, not on which subpackages are actually imported/linked.
# - Verified via `go list -deps ./...` in backend: the openpgp subpackage is not imported
# anywhere in Charon's own code. app/charon is a false positive.
# - caddy, crowdsec, and cscli are third-party binaries built in the Dockerfile; x/crypto is
# a transitive dependency of theirs that we don't control the internals of.
#
# Risk Assessment: ACCEPTED (no fix exists; not reachable via Charon's own code)
# - Charon's own binary does not call any x/crypto/openpgp API.
# - No upstream action can resolve this short of the vendor projects dropping the dependency.
#
# Mitigation:
# - Monitor whether caddy/crowdsec/cscli upstream drop their dependency on x/crypto/openpgp.
# - Re-run govulncheck periodically to confirm Charon's own code stays clean.
#
# Review:
# - Initial suppression 2026-07-08: no fixed version exists; false positive for app/charon.
# - Next review: 2026-08-08.
#
# Removal Criteria:
# - Go vulndb publishes a fixed version for golang.org/x/crypto, OR
# - Trivy adds subpackage-aware (symbol-level) matching instead of module-level matching
#
# References:
# - GO-2026-5932: https://pkg.go.dev/vuln/GO-2026-5932
- vulnerability: GO-2026-5932
package:
name: golang.org/x/crypto
version: "v0.53.0"
type: go-module
reason: |
UNKNOWN/HIGH — golang.org/x/crypto/openpgp is flagged as unmaintained and unsafe by design.
No fixed version exists; this is not a patchable bug. Verified via `go list -deps ./...`
that Charon's own code (app/charon) does not import the openpgp subpackage — false positive
from Trivy's module-level (not symbol-level) binary scanning. caddy/crowdsec/cscli are
third-party binaries with their own transitive dependency on x/crypto.
expiry: "2026-08-08" # Review: Initial suppression 2026-07-08. Next review: 2026-08-08.

# Action items when this suppression expires:
# 1. Check if Go vulndb has published a fixed version for golang.org/x/crypto
# 2. Re-run `go list -deps ./...` in backend to confirm openpgp is still not imported
# 3. If neither changes: extend expiry by 30 days

# Match exclusions (patterns to ignore during scanning)
# Use sparingly - prefer specific CVE suppressions above
match:
Expand Down
15 changes: 15 additions & 0 deletions .trivyignore
Original file line number Diff line number Diff line change
Expand Up @@ -163,3 +163,18 @@ CVE-2024-21492
# See also: .grype.yaml for full justification
# exp: 2026-09-23
CVE-2026-39824

# GO-2026-5932: golang.org/x/crypto/openpgp is unmaintained, unsafe by design
# Severity: reported UNKNOWN by Go vulndb; Trivy falls back to another vendor's severity rating
# Package: golang.org/x/crypto v0.53.0 — flagged in /app/charon, /usr/bin/caddy,
# /usr/local/bin/crowdsec, /usr/local/bin/cscli
# No fixed version exists: this advisory does not describe a patchable bug, it is Go's standing
# recommendation to stop using the openpgp subpackage entirely (superseded by
# github.com/ProtonMail/go-crypto). No golang.org/x/crypto version resolves this.
# Verified `go list -deps ./...` in backend: the openpgp subpackage is not imported anywhere in
# Charon's own code — app/charon is flagged purely because Trivy's gobinary scan checks module
# versions embedded in the binary, not which subpackages are actually linked in.
# caddy/crowdsec/cscli are third-party binaries; x/crypto is a transitive dependency we don't control.
# Review by: 2026-08-08
# exp: 2026-08-08
GO-2026-5932
2 changes: 1 addition & 1 deletion .vscode/tasks.json
Original file line number Diff line number Diff line change
Expand Up @@ -1062,7 +1062,7 @@
{
"label": "Utility: Update Go Version",
"type": "shell",
"command": "go env -w GOTOOLCHAIN=go$(go list -m -f '{{.Version}}' go@latest)+auto && go list -m -f '{{.Version}}' go@latest && go version",
"command": "./scripts/update-go-toolchain.sh",
"group": "none",
"problemMatcher": [],
"presentation": {
Expand Down
2 changes: 1 addition & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ ARG BUILD_DEBUG=0

# ---- Pinned Toolchain Versions ----
# renovate: datasource=docker depName=golang versioning=docker
ARG GO_VERSION=1.26.4
ARG GO_VERSION=1.26.5

# renovate: datasource=docker depName=alpine versioning=docker
ARG ALPINE_IMAGE=alpine:3.24.1@sha256:28bd5fe8b56d1bd048e5babf5b10710ebe0bae67db86916198a6eec434943f8b
Expand Down
47 changes: 47 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -368,6 +368,53 @@ decode path. Charon defaults to SQLite, so standard deployments do not expose th
Track upstream CrowdSec dependency updates and remove suppression once pgx/v4 is no longer
present in bundled components.

---

### [HIGH] GO-2026-5932 · golang.org/x/crypto/openpgp Unmaintained, Unsafe by Design

| Field | Value |
|--------------|-------|
| **ID** | GO-2026-5932 |
| **Severity** | Reported Unknown by Go vulndb; Trivy substitutes another vendor's rating |
| **Status** | Awaiting Upstream (no fixed version exists) |

**What**
`golang.org/x/crypto/openpgp` v0.53.0 is flagged by the Go vulnerability database as
unmaintained and unsafe by design — this is not a specific patchable bug, it is Go's standing
recommendation to migrate off the openpgp subpackage entirely (superseded by
`github.com/ProtonMail/go-crypto`). No fixed `golang.org/x/crypto` version resolves this.

**Who**

- Discovered by: Automated scan (Trivy image scan, PR #1133)
- Reported: 2026-07-08
- Affects: `app/charon`, `usr/bin/caddy`, `usr/local/bin/crowdsec`, `usr/local/bin/cscli`

**Where**

- Component: `golang.org/x/crypto` v0.53.0 (declared dependency; embedded across all four binaries)
- Versions affected: all versions containing the `openpgp` subpackage — no fix exists

**When**

- Discovered: 2026-07-08
- Disclosed (if public): Public
- Target fix: N/A — no fixed version will be published; suppression is permanent absent a
Trivy scanner change to symbol-level (rather than module-level) matching

**How**
Trivy's `gobinary` scanner flags based on module versions recorded in the binary's embedded
build info, not on which subpackages are actually imported and linked. Verified via
`go list -deps ./...` in `backend`: the `openpgp` subpackage is not imported anywhere in
Charon's own code, so the `app/charon` finding is a false positive. `caddy`, `crowdsec`, and
`cscli` are third-party binaries built in the Dockerfile; `golang.org/x/crypto` is a transitive
dependency of theirs that Charon does not control.

**Planned Remediation**
No remediation path exists upstream. Monitor whether caddy/crowdsec/cscli drop their dependency
on `x/crypto/openpgp`, and periodically re-run `govulncheck` to confirm Charon's own code stays
clean. Suppressed in `.trivyignore` and `.grype.yaml`; review 2026-08-08.

## Patched Vulnerabilities

### ✅ [HIGH] CVE-2026-34040 · Docker AuthZ Plugin Bypass via Oversized Request Body
Expand Down
2 changes: 1 addition & 1 deletion agent/go.mod
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
module github.com/Wikid82/charon/agent

go 1.26.4
go 1.26.5

require (
github.com/gorilla/websocket v1.5.3
Expand Down
2 changes: 1 addition & 1 deletion backend/go.mod
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
module github.com/Wikid82/charon/backend

go 1.26.4
go 1.26.5

require (
github.com/gin-contrib/gzip v1.2.6
Expand Down
2 changes: 1 addition & 1 deletion go.work
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
go 1.26.4
go 1.26.5

use (
./agent
Expand Down
41 changes: 41 additions & 0 deletions scripts/update-go-toolchain.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
#!/usr/bin/env bash
# Pin GOTOOLCHAIN to the latest Go release, prune stale cached toolchains,
# and kick gopls so it picks up the new version without a manual editor reload.
#
# gopls is a long-running process: it resolves its Go toolchain once at
# startup and never re-reads GOTOOLCHAIN afterwards. Without a restart here,
# the editor keeps reporting "go.work requires go >= X (running go Y)" even
# though `go version` in a fresh shell is already correct.

set -euo pipefail

LATEST_VERSION="$(go list -m -f '{{.Version}}' go@latest)"
echo "Latest Go release: go${LATEST_VERSION}"

go env -w "GOTOOLCHAIN=go${LATEST_VERSION}+auto"
echo "GOTOOLCHAIN pinned to go${LATEST_VERSION}+auto"

TOOLCHAIN_CACHE="$(go env GOMODCACHE)/golang.org"
if [ -d "$TOOLCHAIN_CACHE" ]; then
echo "Pruning cached toolchains older than go${LATEST_VERSION}..."
for dir in "$TOOLCHAIN_CACHE"/toolchain@v*; do
[ -e "$dir" ] || continue
case "$dir" in
*"go${LATEST_VERSION}."*) continue ;;
esac
chmod -R u+w "$dir"
rm -rf "$dir"
echo " removed $(basename "$dir")"
done
fi

if pkill -x gopls 2>/dev/null; then
echo "Restarted gopls (killed stale process; your editor will respawn it)."
else
echo "No running gopls process found to restart."
fi

echo ""
go version
echo ""
echo "Done. If your editor still shows a stale Go version, run 'Developer: Reload Window'."
Loading