fix: bump extras/dagger grpc-go to v1.79.3#3274
fix: bump extras/dagger grpc-go to v1.79.3#3274chainloop-development[bot] wants to merge 1 commit into
Conversation
Kusari Analysis Results:Caution Flagged Issues Detected The code analysis returned zero findings across all scanned files, which is positive. However, the dependency analysis identifies multiple unresolved, high-severity vulnerabilities introduced in the newly updated dependency versions, which we strongly recommend addressing before merging. While the PR successfully remediates the gRPC authorization bypass (CVE-2026-33186, CVSS High C:H/I:H), the updated dependencies carry significant residual risk: (1) golang.org/x/net v0.48.0 carries 7 active vulnerabilities including XSS, remote DoS via HTTP/2, and a privilege escalation via Punycode bypass (CVE-2026-39821, CVSS High C:H/I:H) — fix by upgrading to v0.56.0; (2) go.opentelemetry.io/otel/sdk v1.39.0 contains two PATH hijacking vulnerabilities enabling arbitrary code execution on FreeBSD/Solaris and Darwin platforms (full C:H/I:H/A:H impact) — fix by upgrading to v1.44.0; (3) go.opentelemetry.io/otel v1.39.0 has a remote DoS amplification vulnerability via baggage header parsing (~77x CPU/memory amplification, CVSS AV:N/AC:L/PR:N/UI:N/A:H) — fix by upgrading to v1.44.0; (4) golang.org/x/sys v0.39.0 contains an integer overflow in Windows string handling — fix by upgrading to v0.46.0. The net security posture does not improve sufficiently when trading one resolved critical issue for four dependency groups with unpatched high-severity vulnerabilities. All four have known fixed versions readily available, making remediation straightforward before merge. Note View full detailed analysis result for more information on the output and the checks that were run. Required Dependency Mitigations
Found this helpful? Give it a 👍 or 👎 reaction! |
Summary
Bumped the nested
extras/daggerGo module off the vulnerable indirectgoogle.golang.org/grpc v1.76.0tov1.79.3, the first patched release identified by the assessment. The change is limited to that module's dependency manifests and the transitive versions Go resolved alongside the grpc-go upgrade.Vulnerability Fixed
GHSA-p77j-4mvh-x3m3, severity CRITICAL: gRPC-Go has an authorization bypass via missing leading slash in
:path.Changes Made
extras/dagger/go.modto requiregoogle.golang.org/grpc v1.79.3instead of the vulnerablev1.76.0.extras/dagger/go.sumand the transitive dependency versions that Go module resolution advanced with the grpc-go bump.google.golang.org/grpc v1.81.1; the remediation is scoped to the affected nested module only.Verification
Ran
syft dir:. -o cyclonedx-json > /tmp/extras-dagger-sbom.json && grype sbom:/tmp/extras-dagger-sbom.json --only-fixed -o jsonfromrepo/extras/daggerand checked the results forGHSA-p77j-4mvh-x3m3. Outcome:resolved— the advisory is absent from the post-change grype results for the scanned module.Risk Assessment
View the risk assessment in Chainloop