fix cve-2026-42499: Upgrade Go to 1.26.3

[fghanmi]

Fixes:

• https://nvd.nist.gov/vuln/detail/CVE-2026-42499
• https://nvd.nist.gov/vuln/detail/cve-2026-39820
• https://nvd.nist.gov/vuln/detail/CVE-2026-33811

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 22179ec7-7467-4732-990d-b37c19d9f8b0

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[qodo-for-conforma]

PR Summary by Qodo

Fix CVE-2026-42499 by upgrading Go toolchain to 1.26.3
🐞 Bug fix ⚙️ Configuration changes 🕐 Less than 10 minutes

Description

• Bump Go toolchain to 1.26.3 to address referenced CVEs.
• Update container build images to Go 1.26.3 equivalents.
• Align module Go version in go.mod with the new toolchain.

Diagram

graph TD
  B["Container build"] --> DF["Dockerfile"] --> GI[("golang:1.26.3")] --> OUT["conforma CLI"]
  B --> DFD["Dockerfile.dist"] --> UBI[("ubi9 go-toolset 9.8") ] --> OUT
  B --> GM["go.mod (go 1.26.3)"] --> OUT

Loading

High-Level Assessment

The following are alternative approaches to this PR:

1. Pin the upstream golang image by digest in Dockerfile

• ➕ Improves supply-chain security and build reproducibility (immutable base image).
• ➕ Reduces risk of silently picking up future tag changes.
• ➖ Requires periodic digest refreshes and potential tooling support (renovate/dependabot).
• ➖ Slightly more friction when testing quick version bumps.

2. Add an explicit `toolchain go1.26.3` directive in go.mod

• ➕ Ensures the exact toolchain is used even when developers have older Go installed.
• ➕ Makes local/CI builds more consistent across environments.
• ➖ Requires Go 1.21+ tooling behavior familiarity; may surprise contributors not expecting auto-download.
• ➖ Might be redundant if CI/build containers fully control the toolchain already.

Recommendation: The PR’s approach (bumping the build images and go directive) is the right baseline fix for the CVEs. If reproducibility/supply-chain hardening is a priority, consider also pinning docker.io/library/golang by digest (as already done for the UBI image) and optionally adding a toolchain go1.26.3 directive to enforce the exact toolchain across developer machines.

Files changed (3) +3 / -3

Other (3) +3 / -3

DockerfileUpdate build stage to golang:1.26.3 +1/-1

Update build stage to golang:1.26.3

• Bumps the upstream golang base image used for the build stage from 1.25.9 to 1.26.3 to pick up security fixes.

Dockerfile

Dockerfile.distSwitch UBI go-toolset build image to a newer 9.8 release +1/-1

Switch UBI go-toolset build image to a newer 9.8 release

• Updates the Red Hat UBI go-toolset image reference (tag and digest) used for distribution builds to the newer Go toolset level aligned with the CVE fix.

Dockerfile.dist

go.modBump module Go version to 1.26.3 +1/-1

Bump module Go version to 1.26.3

• Updates the module 'go' version directive from 1.25.9 to 1.26.3 so builds and tooling align with the upgraded toolchain.

go.mod

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 11:40 AM UTC · Completed 11:48 AM UTC
Commit: 47d3320 · View workflow run →

[qodo-for-conforma]

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📜 Skill insights (0)

Context used

✅ Compliance rules (platform): 27 rules

1. Asdf Go version mismatch 🐞 Bug ☼ Reliability

Description

The PR raises the minimum Go version to 1.26.3 in the root module, but .tool-versions still pins
golang 1.25.9. Environments that honor .tool-versions (e.g., asdf) will select Go 1.25.9 and
then fail to build/test this repo because go.mod requires Go 1.26.3.

Code

go.mod[3]

+go 1.26.3

Relevance

⭐⭐⭐ High

Past Go bumps synced .tool-versions with go.mod/Dockerfiles (PRs #3052, #3108, #2651); mismatch
likely fixed.

PR-#3052
PR-#3108
PR-#2651

ⓘ Recommendations generated based on similar findings in past PRs

Evidence

go.mod now requires Go 1.26.3, while .tool-versions still pins Go 1.25.9; this is an explicit
version conflict within the repo configuration.

.tool-versions[1-1]
go.mod[1-4]
acceptance/go.mod[1-4]
tools/go.mod[1-4]
tools/kubectl/go.mod[1-6]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Root `go.mod` now requires Go `1.26.3`, but `.tool-versions` still pins `golang 1.25.9`, which makes asdf-managed environments pick an incompatible Go toolchain.

### Issue Context
This PR is explicitly a Go toolchain upgrade for CVE remediation; leaving the repo’s version-manager pin behind both breaks workflows and can keep contributors building with the old (vulnerable) version.

### Fix Focus Areas
- .tool-versions[1-1]
- go.mod[1-4]
- acceptance/go.mod[1-4]
- tools/go.mod[1-4]
- tools/kubectl/go.mod[1-6]

### Expected change
- Update `.tool-versions` to `golang 1.26.3`.
- (Optional, but recommended for consistency) Update the `go` directive in the other modules (`acceptance/`, `tools/`, `tools/kubectl/`) to `1.26.3` as well, since CI runs `go mod download` inside those modules.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

[fullsend-ai-review]

Review

Findings

High

• [protected-path] Dockerfile, Dockerfile.dist — These files are under protected paths and require human approval. The PR has no linked issue to provide traceability for why these governance/infrastructure files are being modified. While the PR body references CVE fixes (CVE-2026-42499, CVE-2026-39820, CVE-2026-33811) as rationale, protected-path changes require a linked issue for authorization traceability.
  Remediation: Link a tracking issue that authorizes the Dockerfile changes, then request review from a maintainer with protected-path approval authority.

Previous run

Review

Findings

High

• [protected-path] Dockerfile, Dockerfile.dist — These files are under protected paths (Dockerfile) which require human approval for all changes. The PR has no linked issue to authorize modifications to governance/infrastructure files. While the PR body references CVE fixes (CVE-2026-42499, CVE-2026-39820, CVE-2026-33811) as rationale, protected-path changes require a linked issue for traceability.
  Remediation: Link a tracking issue that authorizes the Go version upgrade and the corresponding Dockerfile changes, or obtain explicit human approval for the protected-path modifications.

Low

• [missing-digest] Dockerfile:19 — The Dockerfile uses a tag-only image reference (docker.io/library/golang:1.26.3) without a digest pin, unlike Dockerfile.dist which correctly pins with @sha256:.... This is pre-existing behavior not introduced by this PR, but worth noting as a supply-chain hardening opportunity.
  Remediation: Consider adding a digest pin to the Dockerfile base image for consistency with Dockerfile.dist.

---

Labels: PR is a CVE-driven Go toolchain version bump fixing security vulnerabilities

Previous run (2)

Review

Findings

High

• [protected-path] Dockerfile:19 — This PR modifies Dockerfile, which is a protected infrastructure file requiring human approval. The PR has no linked issue to authorize the change. While the PR description references CVE-2026-42499, CVE-2026-39820, and CVE-2026-33811 as motivation, protected-path changes require a linked issue for traceability. Human approval is required regardless of context.
  Remediation: Link an issue authorizing this Dockerfile change, or obtain explicit human maintainer approval.

---

Labels: PR bumps Go toolchain version across Dockerfiles, go.mod files, and build tooling to fix CVEs

Previous run (3)

Looks good to me

Previous run (4)

Review

Findings

Medium

• [stale-reference] tools/go.mod:3 — The go directive in tools/go.mod, tools/kubectl/go.mod, and acceptance/go.mod still specifies go 1.25.8, while the root go.mod is being updated to go 1.26.3. No toolchain directive exists in any of these modules. If any sub-module is built independently or its go.mod is used as a go-version-file source, it will use the older, unpatched Go toolchain, leaving the CVE fix incomplete.
  Remediation: Update the go directive in tools/go.mod, tools/kubectl/go.mod, and acceptance/go.mod to go 1.26.3 to match the root module.

Low

• [edge-case] Dockerfile.dist:19 — The base image tag changed from a Go-version-aligned tag (go-toolset:1.25.8) to a UBI build number tag (go-toolset:9.8-1781757851). While the image is pinned by SHA256 digest (ensuring reproducibility), the tag no longer encodes the Go version, making it harder to verify at a glance that the image ships Go 1.26.3.

Info

• [missing-authorization] go.mod:4 — No linked issue. Authorization inferred from the mechanical nature of the change (Go toolchain CVE remediation). The PR title and body reference specific CVEs as justification.

Previous run (5)

Review

Findings

Medium

• [incomplete version update] tools/go.mod:3 — The Go version in tools/go.mod remains at 1.25.8 while the root go.mod is updated to 1.26.3. This creates an inconsistency across modules in the repository. While the Dockerfile (which controls the CI build image) is updated, the go directive should be kept consistent across all modules.
  Remediation: Update the go directive in tools/go.mod to 1.26.3 and run go mod tidy.

• [incomplete version update] tools/kubectl/go.mod:3 — The Go version in tools/kubectl/go.mod remains at 1.25.8 while the root go.mod is updated to 1.26.3. The actual compiler used in CI is determined by the Dockerfile build image (which is updated), but the go directive should be consistent.
  Remediation: Update the go directive in tools/kubectl/go.mod to 1.26.3 and run go mod tidy.

• [incomplete version update] .tool-versions:1 — The .tool-versions file still references golang 1.25.8. Developers using asdf/mise for local Go toolchain management will get the old version instead of 1.26.3.
  Remediation: Update .tool-versions to golang 1.26.3.

Low

• [incomplete version update] acceptance/go.mod:3 — The Go version in acceptance/go.mod remains at 1.25.8 while the root go.mod is updated to 1.26.3. This is an inconsistency in test code, not production-shipped code.
  Remediation: Update the go directive in acceptance/go.mod to 1.26.3 and run go mod tidy.

Info

• [sub-agent-failure] The intent-coherence sub-agent did not return findings: model unavailable (claude-sonnet-4-5@20250929 not available on vertex deployment).

• [sub-agent-failure] The style-conventions sub-agent did not return findings: model unavailable (claude-sonnet-4-5@20250929 not available on vertex deployment).

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 11:53 AM UTC · Completed 11:59 AM UTC
Commit: 47d3320 · View workflow run →

[simonbaird]

/ok-to-test

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 1:10 PM UTC · Completed 1:16 PM UTC
Commit: 47d3320 · View workflow run →

[simonbaird]

/ok-to-test

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
acceptance	54.86% <ø> (ø)
generative	18.14% <ø> (ø)
integration	26.99% <ø> (ø)
unit	68.66% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 10:22 PM UTC · Completed 10:28 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

🤖 Review · ❌ Terminated · Started 9:04 AM UTC · Ended 9:12 AM UTC
Commit: 47d3320 · View workflow run →

[st3penta]

/ok-to-test

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 9:04 AM UTC · Completed 9:12 AM UTC
Commit: 47d3320 · View workflow run →

[fghanmi]

@st3penta I see that ec-v08-enterprise-contract is failing but unfortunately, I don't have permissions to check the logs to debug.

[fullsend-ai-review]

🤖 Review · ❌ Terminated · Started 10:11 AM UTC · Ended 10:18 AM UTC
Commit: 47d3320 · View workflow run →

[st3penta]

/ok-to-test

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 10:11 AM UTC · Completed 10:18 AM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-retro]

🤖 Finished Retro · ✅ Success · Started 10:58 AM UTC · Completed 11:06 AM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-retro]

Retro: PR #3356 — CVE-2026-42499 Go upgrade

Timeline

1. Jun 24: fghanmi opens a small PR (+28/−13, 8 files) upgrading Go to 1.26.3 to fix three CVEs, targeting release-v0.8.
2. Jun 24 11:47: Review agent requests changes (first review).
3. Jun 24 13:16: Review agent approves after author addresses feedback.
4. Jun 24–25: Human reviewers (simonbaird) provide feedback on Dockerfile.dist tag format and digest pinning.
5. Jun 25 22:28: Review agent requests changes again — flags protected-path on Dockerfile.
6. Jun 29 09:11: Review agent requests changes again — protected-path + missing-digest.
7. Jun 29 10:18: Review agent requests changes a fourth time.
8. Jun 29 10:55: Human maintainer (st3penta) approves and merges, overriding the agent's CHANGES_REQUESTED.

Assessment

The review agent ran 4+ times on this small CVE fix, consuming ~6 minutes of Opus compute per run (~24+ minutes total). After approving on the second run, it reverted to CHANGES_REQUESTED on every subsequent push due to two findings:

• protected-path (high): Flagged Dockerfile changes as needing human approval — but a human was already actively reviewing. This finding was re-raised on every review run even though it cannot be resolved by the author or the fix agent.
• missing-digest (low): Flagged golang:1.26.3 in Dockerfile lacking a digest pin. Reasonable finding, but contributed to a CHANGES_REQUESTED verdict on an urgent security fix.

The human maintainer ultimately overrode the agent and merged. The core friction patterns here — repeated governance-only findings, CHANGES_REQUESTED for non-actionable issues, and re-reviews that re-raise the same findings — are all extensively tracked in fullsend-ai/fullsend with 30+ open issues across these themes:

• Repeated findings: #1013, #1285, #1500, #1583
• Protected-path noise on human PRs: #1551, #1392, #2253
• CHANGES_REQUESTED for governance-only findings: #1068, #2115, #2029
• Dependency/version update review tuning: #2588, #336

No new proposals are warranted — the improvement space is well-covered by existing issues. Implementing #1068 (don't CHANGES_REQUESTED for governance-only findings) and #1500 (don't re-request changes for unchanged findings) would have prevented most of the friction observed here.