ROB-266 Fix Vanta CVEs: Go 1.26.4 + slack-go v0.23.1 #113

Merged: moshemorad merged 2 commits into master from fix/vanta-cve-go-slack on Jun 7, 2026

Conversation

@moshemorad (Contributor) commented Jun 7, 2026

Summary

Remediates all open vulnerabilities Vanta flagged against the kubewatch container image. Two changes clear the entire list:

  1. Pin the build to Go 1.26.4 — the Dockerfile builder is pinned to golang:1.26.4 and go.mod toolchain is set to go1.26.4 (the previous toolchain go1.24.3 line would have forced the old, vulnerable compiler even on a newer base image). Recompiling with the patched stdlib fixes 14 Go stdlib CVEs.
  2. Upgrade github.com/slack-go/slack from v0.6.5 to v0.23.1 — fixes GHSA-gxhx-2686-5h9g. The APIs in use (slack.New, PostMessage, MsgOption helpers, WebhookMessage, PostWebhook) are unchanged, so this is drop-in.

This branch was merged with master, which separately bumped the builder to golang:1.26.2 (PR 111). The merge keeps Go 1.26.4 since it supersedes 1.26.2 and is the floor required by the HIGH CVEs above, and preserves master's glibc and stdlib CVE comments.

Tests performed

  • go build ./... and go vet ./... pass after the dependency and toolchain bump.
  • Unit tests in pkg/handlers/slack pass with slack-go v0.23.1. Note: TestWebhookInit in pkg/handlers/slackwebhook fails identically on master (a pre-existing validation/test mismatch), so it is unrelated to this change.
  • Built a multi-arch image (linux/amd64 and linux/arm64) and deployed it to a live AKS cluster as the robusta-forwarder (kubewatch) pod.
  • Verified the deployed binary build info reports go1.26.4 and slack-go v0.23.1.
  • Verified the pod is Running with 0 restarts and actively forwards events (log line: Message successfully sent to the robusta-runner handle endpoint).

Generated with Claude Code.
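The two pins above (builder image plus go.mod toolchain) and the "verified the deployed binary build info reports go1.26.4 and slack-go v0.23.1" step can be turned into a repeatable check rather than a one-off inspection. The program below is an added example and is not code from this PR or from the kubewatch project. It reads the build info Go embeds in every binary (the same data `go version -m <binary>` prints, via the standard library's debug/buildinfo package), compares the toolchain version and the slack-go module version against the floors this PR establishes, and separately checks that a go.mod's effective minimum toolchain (the toolchain line, or the go line when there is none) is at or above the floor. The MinGo/Floors values are my assumptions taken from the versions the PR names, the checkbuild program name is hypothetical, and NewSample builds constructed data rather than reading a real kubewatch image.

```go
package main
import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Assumed floors, taken from the versions the PR names.
const MinGo = "go1.26.4"
var Floors = map[string]string{"github.com/slack-go/slack": "v0.23.1"}

// versionParts turns "go1.26.4", "v0.23.1" or "1.24" into major.minor.patch.
func versionParts(v string) []int {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexFunc(v, func(r rune) bool { return r != '.' && (r < '0' || r > '9') }); i >= 0 {
		v = v[:i] // "1.27rc1" -> "1.27"; pseudo-version "0.0.0-2026..." -> "0.0.0"
	}
	var parts []int
	for _, f := range strings.Split(v, ".") {
		n, _ := strconv.Atoi(f)
		parts = append(parts, n)
	}
	for len(parts) < 3 {
		parts = append(parts, 0) // "go1.26" compares as 1.26.0, i.e. below go1.26.4
	}
	return parts
}

// AtLeast reports whether v is at or above floor (same numbering scheme).
func AtLeast(v, floor string) bool {
	a, b := versionParts(v), versionParts(floor)
	for i := 0; i < len(a) && i < len(b); i++ {
		if a[i] != b[i] {
			return a[i] > b[i]
		}
	}
	return true
}

// CheckBuildInfo compares the toolchain and module versions embedded in a binary
// with the floors: one finding per violation, none means built as the PR intends.
func CheckBuildInfo(bi *debug.BuildInfo, minGo string, floors map[string]string) []string {
	var findings []string
	if !AtLeast(bi.GoVersion, minGo) {
		findings = append(findings, fmt.Sprintf("toolchain %s is below floor %s", bi.GoVersion, minGo))
	}
	for _, d := range bi.Deps {
		v := d.Version
		if d.Replace != nil { // a replace directive decides what was actually compiled in
			v = d.Replace.Version
		}
		if floor, ok := floors[d.Path]; ok && !AtLeast(v, floor) {
			findings = append(findings, fmt.Sprintf("%s %s is below floor %s", d.Path, v, floor))
		}
	}
	return findings
}

// CheckGoMod flags a go.mod whose effective minimum (the "toolchain" line if present,
// else the "go" line) is below the floor. Under the default GOTOOLCHAIN=auto the go
// command runs the newer of the builder's own Go and this minimum, so pin both.
func CheckGoMod(gomod, minGo string) []string {
	name, eff := "", ""
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) == 2 && (f[0] == "toolchain" || (f[0] == "go" && name != "toolchain")) {
			name, eff = f[0], f[1]
		}
	}
	if eff == "" || AtLeast(eff, minGo) {
		return nil
	}
	return []string{fmt.Sprintf("%s directive %s is below floor %s", name, eff, minGo)}
}

// NewSample is a constructed build info for demonstration, not read from a real image.
func NewSample(goVersion, slackVersion string) *debug.BuildInfo {
	return &debug.BuildInfo{GoVersion: goVersion, Deps: []*debug.Module{{Path: "github.com/slack-go/slack", Version: slackVersion}}}
}

func main() {
	if len(os.Args) < 2 {
		fmt.Println("usage: checkbuild <binary>; pre-PR sample:", CheckBuildInfo(NewSample("go1.24.3", "v0.6.5"), MinGo, Floors))
		return
	}
	bi, err := buildinfo.ReadFile(os.Args[1]) // the same data `go version -m` prints
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	findings := CheckBuildInfo(bi, MinGo, Floors)
	fmt.Println(os.Args[1], bi.GoVersion, findings) // an empty list means OK
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run it against the binary extracted from the image (or inside the pod via kubectl cp) and a non-zero exit turns the manual "verified build info" step into a CI gate; the replace handling matters because a `replace` directive, not the `require` line, decides which slack-go source was actually linked in.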

moshemorad and others added 2 commits June 7, 2026 12:03
Remediates the open vulnerabilities Vanta flagged against the kubewatch
image:

- Pin the build image to golang:1.26.4 and set the go.mod toolchain to
  go1.26.4 so the binary is compiled with a patched standard library.
  Fixes 14 Go stdlib CVEs (CVE-2026-33811/33814/39817/39819/39820/
  39823/39825/39826/39836/42499/42501/42504/42507, CVE-2026-27145).
- Upgrade github.com/slack-go/slack v0.6.5 -> v0.23.1.
  Fixes GHSA-gxhx-2686-5h9g. The APIs in use (slack.New, PostMessage,
  MsgOption*, WebhookMessage, PostWebhook) are unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@moshemorad moshemorad changed the title Fix Vanta CVEs: Go 1.26.4 + slack-go v0.23.1 ROB-266 Fix Vanta CVEs: Go 1.26.4 + slack-go v0.23.1 Jun 7, 2026
@moshemorad moshemorad merged commit f73aa0b into master Jun 7, 2026
1 of 3 checks passed