From 2c2f2534c33dfad36880ee0bcc28293d0197fa38 Mon Sep 17 00:00:00 2001 From: Olivier Valentin Date: Thu, 25 Jun 2026 15:17:16 +0200 Subject: [PATCH 1/4] Update go to 1.25.9 This should address CVE-2026-32281 --- go.mod | 4 ++-- image/scanner/rhel/konflux.Dockerfile | 2 +- tools/linters/go.mod | 2 +- tools/test/go.mod | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index 3de9ec114..539b4ba82 100644 --- a/go.mod +++ b/go.mod @@ -1,8 +1,8 @@ module github.com/stackrox/scanner -go 1.24.0 +go 1.25.0 -toolchain go1.24.4 +toolchain go1.25.9 require ( cloud.google.com/go/storage v1.56.1 diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile index 4af62bc73..9ead8e228 100644 --- a/image/scanner/rhel/konflux.Dockerfile +++ b/image/scanner/rhel/konflux.Dockerfile @@ -1,5 +1,5 @@ # Compiling scanner binaries and staging repo2cpe and genesis manifests -FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.24@sha256:89a421ef4cecc6eb5c2fc347ab49aa094ebbeff6df8ba05ab19ccb28efa63f79 AS builder +FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.25@sha256:e3d5ba0efb0d3cbb5b8964f49ca199ed851ccf4a7f129a34e61cf91166b4e267 ARG SCANNER_TAG RUN if [[ "$SCANNER_TAG" == "" ]]; then >&2 echo "error: required SCANNER_TAG arg is unset"; exit 6; fi diff --git a/tools/linters/go.mod b/tools/linters/go.mod index e29fbd691..f19c510b6 100644 --- a/tools/linters/go.mod +++ b/tools/linters/go.mod @@ -1,6 +1,6 @@ module github.com/stackrox/scanner/tools/linters -go 1.24 +go 1.25 require ( github.com/golangci/golangci-lint v1.64.8 diff --git a/tools/test/go.mod b/tools/test/go.mod index 8c8e753fe..b0559c873 100644 --- a/tools/test/go.mod +++ b/tools/test/go.mod @@ -1,5 +1,5 @@ module github.com/stackrox/scanner/tools/test -go 1.24 +go 1.25 require github.com/jstemmer/go-junit-report/v2 v2.1.0 From 442cf1f1402cdd29b34a95bfc1d52516979fc047 Mon Sep 17 00:00:00 2001 From: ovalenti Date: Thu, 25 Jun 2026 16:16:24 +0200 Subject: [PATCH 2/4] Restore image stage name that I inadvertently clobbered Co-authored-by: Tom Martensen --- image/scanner/rhel/konflux.Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile index 9ead8e228..c4deab094 100644 --- a/image/scanner/rhel/konflux.Dockerfile +++ b/image/scanner/rhel/konflux.Dockerfile @@ -1,5 +1,5 @@ # Compiling scanner binaries and staging repo2cpe and genesis manifests -FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.25@sha256:e3d5ba0efb0d3cbb5b8964f49ca199ed851ccf4a7f129a34e61cf91166b4e267 +FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.25@sha256:e3d5ba0efb0d3cbb5b8964f49ca199ed851ccf4a7f129a34e61cf91166b4e267 AS builder ARG SCANNER_TAG RUN if [[ "$SCANNER_TAG" == "" ]]; then >&2 echo "error: required SCANNER_TAG arg is unset"; exit 6; fi From 36d7e11529cd9a99101be23c273ffff465f4a25d Mon Sep 17 00:00:00 2001 From: Olivier Valentin Date: Thu, 25 Jun 2026 19:27:29 +0200 Subject: [PATCH 3/4] Up to 1.26.3 --- .golangci.yml | 2 +- go.mod | 4 ++-- image/scanner/rhel/konflux.Dockerfile | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index 5fa70d0fa..886f2a4ee 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -3,7 +3,7 @@ run: timeout: 16m modules-download-mode: readonly - go: "1.23" + go: "1.26" output: formats: diff --git a/go.mod b/go.mod index 539b4ba82..6759b0675 100644 --- a/go.mod +++ b/go.mod @@ -1,8 +1,8 @@ module github.com/stackrox/scanner -go 1.25.0 +go 1.26.0 -toolchain go1.25.9 +toolchain go1.26.3 require ( cloud.google.com/go/storage v1.56.1 diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile index c4deab094..b450696fa 100644 --- a/image/scanner/rhel/konflux.Dockerfile +++ b/image/scanner/rhel/konflux.Dockerfile @@ -1,5 +1,5 @@ # Compiling scanner binaries and staging repo2cpe and genesis manifests -FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.25@sha256:e3d5ba0efb0d3cbb5b8964f49ca199ed851ccf4a7f129a34e61cf91166b4e267 AS builder +FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.26@sha256:aa2429f5dcf086b4edb2251f0cea19d54c60638aaedc03a1384d26ec3754cebc AS builder ARG SCANNER_TAG RUN if [[ "$SCANNER_TAG" == "" ]]; then >&2 echo "error: required SCANNER_TAG arg is unset"; exit 6; fi From 159736d89a2320f318c8310fff6bb079906410a1 Mon Sep 17 00:00:00 2001 From: Olivier Valentin Date: Thu, 25 Jun 2026 19:32:35 +0200 Subject: [PATCH 4/4] Also bump the linter and the tests --- tools/linters/go.mod | 2 +- tools/test/go.mod | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/linters/go.mod b/tools/linters/go.mod index f19c510b6..aac866d97 100644 --- a/tools/linters/go.mod +++ b/tools/linters/go.mod @@ -1,6 +1,6 @@ module github.com/stackrox/scanner/tools/linters -go 1.25 +go 1.26 require ( github.com/golangci/golangci-lint v1.64.8 diff --git a/tools/test/go.mod b/tools/test/go.mod index b0559c873..2407ec665 100644 --- a/tools/test/go.mod +++ b/tools/test/go.mod @@ -1,5 +1,5 @@ module github.com/stackrox/scanner/tools/test -go 1.25 +go 1.26 require github.com/jstemmer/go-junit-report/v2 v2.1.0