diff --git a/.github/instructions/ARCHITECTURE.instructions.md b/.github/instructions/ARCHITECTURE.instructions.md index ac79c6ab..ed82909a 100644 --- a/.github/instructions/ARCHITECTURE.instructions.md +++ b/.github/instructions/ARCHITECTURE.instructions.md @@ -122,7 +122,7 @@ graph TB | Component | Technology | Version | Purpose | |-----------|-----------|---------|---------| -| **Language** | Go | 1.25.7 | Primary backend language | +| **Language** | Go | 1.26.0 | Primary backend language | | **HTTP Framework** | Gin | Latest | Routing, middleware, HTTP handling | | **Database** | SQLite | 3.x | Embedded database | | **ORM** | GORM | Latest | Database abstraction layer | @@ -751,7 +751,7 @@ COPY frontend/ ./ RUN npm run build # Stage 2: Build backend -FROM golang:1.25-bookworm AS backend-builder +FROM golang:1.26-bookworm AS backend-builder WORKDIR /app/backend COPY backend/go.* ./ RUN go mod download @@ -858,7 +858,7 @@ services: 1. **Prerequisites:** ```bash - - Go 1.25+ (backend development) + - Go 1.26+ (backend development) - Node.js 23+ and npm (frontend development) - Docker 24+ (E2E testing) - SQLite 3.x (database) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 891ed904..60cacf95 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -11,7 +11,7 @@ concurrency: cancel-in-progress: true env: - GO_VERSION: '1.25.7' + GO_VERSION: '1.26.0' GOTOOLCHAIN: auto # Minimal permissions at workflow level; write permissions granted at job level for push only diff --git a/.github/workflows/codecov-upload.yml b/.github/workflows/codecov-upload.yml index 9193c3dc..01364054 100644 --- a/.github/workflows/codecov-upload.yml +++ b/.github/workflows/codecov-upload.yml @@ -23,7 +23,7 @@ concurrency: cancel-in-progress: true env: - GO_VERSION: '1.25.7' + GO_VERSION: '1.26.0' NODE_VERSION: '24.12.0' GOTOOLCHAIN: auto 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 7384f365..88c06bdf 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -10,7 +10,7 @@ concurrency: cancel-in-progress: true env: - GO_VERSION: '1.25.7' + GO_VERSION: '1.26.0' GOTOOLCHAIN: auto permissions: diff --git a/.github/workflows/e2e-tests-split.yml b/.github/workflows/e2e-tests-split.yml index 64fcc121..acafcce9 100644 --- a/.github/workflows/e2e-tests-split.yml +++ b/.github/workflows/e2e-tests-split.yml @@ -86,7 +86,7 @@ on: env: NODE_VERSION: '20' - GO_VERSION: '1.25.7' + GO_VERSION: '1.26.0' GOTOOLCHAIN: auto DOCKERHUB_REGISTRY: docker.io IMAGE_NAME: ${{ github.repository_owner }}/charon diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml index f5c09a77..073e11da 100644 --- a/.github/workflows/nightly-build.yml +++ b/.github/workflows/nightly-build.yml @@ -15,7 +15,7 @@ on: default: "false" env: - GO_VERSION: '1.25.7' + GO_VERSION: '1.26.0' NODE_VERSION: '24.12.0' GOTOOLCHAIN: auto GHCR_REGISTRY: ghcr.io diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index c8148c47..4a0b7c6f 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -13,7 +13,7 @@ permissions: checks: write env: - GO_VERSION: '1.25.7' + GO_VERSION: '1.26.0' NODE_VERSION: '24.12.0' GOTOOLCHAIN: auto diff --git a/.github/workflows/release-goreleaser.yml b/.github/workflows/release-goreleaser.yml index 2aa4ad3d..84c014d6 100644 --- a/.github/workflows/release-goreleaser.yml +++ b/.github/workflows/release-goreleaser.yml @@ -10,7 +10,7 @@ concurrency: cancel-in-progress: false env: - GO_VERSION: '1.25.7' + GO_VERSION: '1.26.0' NODE_VERSION: '24.12.0' GOTOOLCHAIN: auto diff --git a/.gitignore b/.gitignore index e967ec4f..23be289f 100644 --- a/.gitignore +++ b/.gitignore 
@@ -306,3 +306,4 @@ docs/plans/design.md docs/plans/tasks.md frontend/coverage_output.txt frontend/temp** +playwright-output/** diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md index fa4f0592..c26737b7 100644 --- a/ARCHITECTURE.md +++ b/ARCHITECTURE.md @@ -122,7 +122,7 @@ graph TB | Component | Technology | Version | Purpose | |-----------|-----------|---------|---------| -| **Language** | Go | 1.25.7 | Primary backend language | +| **Language** | Go | 1.26.0 | Primary backend language | | **HTTP Framework** | Gin | Latest | Routing, middleware, HTTP handling | | **Database** | SQLite | 3.x | Embedded database | | **ORM** | GORM | Latest | Database abstraction layer | @@ -816,7 +816,7 @@ COPY frontend/ ./ RUN npm run build # Stage 2: Build backend -FROM golang:1.25-bookworm AS backend-builder +FROM golang:1.26-bookworm AS backend-builder WORKDIR /app/backend COPY backend/go.* ./ RUN go mod download @@ -923,7 +923,7 @@ services: 1. **Prerequisites:** ```bash - - Go 1.25+ (backend development) + - Go 1.26+ (backend development) - Node.js 23+ and npm (frontend development) - Docker 24+ (E2E testing) - SQLite 3.x (database) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index ba2113ea..3ee46510 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -26,7 +26,7 @@ This project follows a Code of Conduct that all contributors are expected to adh -### Prerequisites -- **go 1.25.7+** for backend development +- **go 1.26.0+** for backend development - **Node.js 20+** and npm for frontend development - Git for version control - A GitHub account 
@@ -63,9 +63,9 @@ golangci-lint --version ### CI/CD Go Version Management -GitHub Actions workflows automatically use go 1.25.7 via `GOTOOLCHAIN: auto`, which allows the `setup-go` action to download and use the correct Go version even if the CI environment has an older version installed. This ensures consistent builds across all workflows. +GitHub Actions workflows automatically use go 1.26.0 via `GOTOOLCHAIN: auto`, which allows the `setup-go` action to download and use the correct Go version even if the CI environment has an older version installed. This ensures consistent builds across all workflows. -For local development, install go 1.25.7+ from [go.dev/dl](https://go.dev/dl/). +For local development, install go 1.26.0+ from [go.dev/dl](https://go.dev/dl/). ### Fork and Clone diff --git a/Dockerfile b/Dockerfile index bfb3d641..dd601c94 100644 --- a/Dockerfile +++ b/Dockerfile @@ -34,7 +34,7 @@ FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.9.0@sha256:c64defb9ed5a91eacb37f9 # CVEs fixed: CVE-2023-24531, CVE-2023-24540, CVE-2023-29402, CVE-2023-29404, # CVE-2023-29405, CVE-2024-24790, CVE-2025-22871, and 15 more # renovate: datasource=docker depName=golang -FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS gosu-builder +FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS gosu-builder COPY --from=xx / / WORKDIR /tmp/gosu @@ -89,7 +89,7 @@ RUN --mount=type=cache,target=/app/frontend/node_modules/.cache \ # ---- Backend Builder ---- # renovate: datasource=docker depName=golang -FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS backend-builder +FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS backend-builder # Copy xx helpers for cross-compilation COPY --from=xx / / 
@@ -155,7 +155,7 @@ ARG BUILD_DEBUG=0 # Build the Go binary with version information injected via ldflags # xx-go handles CGO and cross-compilation flags automatically -# Note: Go 1.25 defaults to gold linker for ARM64, but clang doesn't support -fuse-ld=gold +# Note: Go 1.26 defaults to gold linker for ARM64, but clang doesn't support -fuse-ld=gold # Use lld for ARM64 cross-linking; keep bfd for amd64 to preserve prior behavior # PIE is required for arm64 cross-linking with lld to avoid relocation conflicts under # QEMU emulation and improves security posture. @@ -192,7 +192,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ # Build Caddy from source to ensure we use the latest Go version and dependencies # This fixes vulnerabilities found in the pre-built Caddy images (e.g. CVE-2025-59530, stdlib issues) # renovate: datasource=docker depName=golang -FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS caddy-builder +FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS caddy-builder ARG TARGETOS ARG TARGETARCH ARG CADDY_VERSION @@ -254,10 +254,10 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ rm -rf /tmp/buildenv_* /tmp/caddy-initial' # ---- CrowdSec Builder ---- -# Build CrowdSec from source to ensure we use Go 1.25.5+ and avoid stdlib vulnerabilities +# Build CrowdSec from source to ensure we use Go 1.26.0+ and avoid stdlib vulnerabilities # (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729) # renovate: datasource=docker depName=golang versioning=docker -FROM --platform=$BUILDPLATFORM golang:1.25.7-alpine AS crowdsec-builder +FROM --platform=$BUILDPLATFORM golang:1.26.0-alpine AS crowdsec-builder COPY --from=xx / / WORKDIR /tmp/crowdsec 
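Review bot: The linker note in the first hunk on this line now asserts that Go 1.26 defaults to the gold linker on ARM64, but the only thing the commit changed in that comment is the version number, so the statement about toolchain behaviour was carried forward rather than re-checked against the new release. Unless the 1.26 ARM64 external-link behaviour was actually confirmed, the safer wording is version-independent, e.g. `# Note: Go's external linking on ARM64 has selected the gold linker (observed with 1.25), but clang doesn't support -fuse-ld=gold`, so future bumps cannot silently turn the comment into a false claim. The lld/bfd selection the comment justifies lies outside the hunk, so this is a documentation point only.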
@@ -368,7 +368,7 @@ RUN apk add --no-cache \ bash ca-certificates sqlite-libs sqlite tzdata curl gettext libcap libcap-utils \ c-ares binutils libc-utils busybox-extras -# Copy gosu binary from gosu-builder (built with Go 1.25+ to avoid stdlib CVEs) +# Copy gosu binary from gosu-builder (built with Go 1.26+ to avoid stdlib CVEs) COPY --from=gosu-builder /gosu-out/gosu /usr/sbin/gosu RUN chmod +x /usr/sbin/gosu @@ -416,7 +416,7 @@ COPY --from=caddy-builder /usr/bin/caddy /usr/bin/caddy # Allow non-root to bind privileged ports (80/443) securely RUN setcap 'cap_net_bind_service=+ep' /usr/bin/caddy -# Copy CrowdSec binaries from the crowdsec-builder stage (built with Go 1.25.5+) +# Copy CrowdSec binaries from the crowdsec-builder stage (built with Go 1.26.0+) # This ensures we don't have stdlib vulnerabilities from older Go versions COPY --from=crowdsec-builder /crowdsec-out/crowdsec /usr/local/bin/crowdsec COPY --from=crowdsec-builder /crowdsec-out/cscli /usr/local/bin/cscli @@ -434,7 +434,7 @@ RUN if [ ! -f /etc/crowdsec.dist/config.yaml ]; then \ # Verify CrowdSec binaries and configuration RUN chmod +x /usr/local/bin/crowdsec /usr/local/bin/cscli 2>/dev/null || true; \ if [ -x /usr/local/bin/cscli ]; then \ - echo "CrowdSec installed (built from source with Go 1.25):"; \ + echo "CrowdSec installed (built from source with Go 1.26):"; \ cscli version || echo "CrowdSec version check failed"; \ echo ""; \ echo "Configuration source: /etc/crowdsec.dist"; \ diff --git a/Makefile b/Makefile index ec79c8b2..cb8277ec 100644 --- a/Makefile +++ b/Makefile 
@@ -37,10 +37,10 @@ install-tools: go install gotest.tools/gotestsum@latest @echo "Tools installed successfully" -# Install go 1.25.7 system-wide and setup GOPATH/bin +# Install go 1.26.0 system-wide and setup GOPATH/bin install-go: - @echo "Installing go 1.25.7 and gopls (requires sudo)" - sudo ./scripts/install-go-1.25.6.sh + @echo "Installing go 1.26.0 and gopls (requires sudo)" + sudo ./scripts/install-go-1.26.0.sh # Clear Go and gopls caches clear-go-cache: diff --git a/README.md b/README.md index 57ecdd79..5b175030 100644 --- a/README.md +++ b/README.md @@ -282,7 +282,7 @@ docker run -d \ **Requirements:** -- **go 1.25.7+** — Download from [go.dev/dl](https://go.dev/dl/) +- **go 1.26.0+** — Download from [go.dev/dl](https://go.dev/dl/) - **Node.js 20+** and npm - Docker 20.10+ @@ -302,7 +302,7 @@ See [GORM Security Scanner Documentation](docs/implementation/gorm_security_scan See [CONTRIBUTING.md](CONTRIBUTING.md) for complete development environment setup. -**Note:** GitHub Actions CI uses `GOTOOLCHAIN: auto` to automatically download and use go 1.25.7, even if your system has an older version installed. For local development, ensure you have go 1.25.7+ installed. +**Note:** GitHub Actions CI uses `GOTOOLCHAIN: auto` to automatically download and use go 1.26.0, even if your system has an older version installed. For local development, ensure you have go 1.26.0+ installed. ### Environment Configuration diff --git a/SECURITY.md b/SECURITY.md index 654783ef..4e8cd0f2 100644 --- a/SECURITY.md +++ b/SECURITY.md 
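Review bot: The `install-go` recipe hard-codes the Go version in the comment, the echo text and the script file name, and the removed `sudo ./scripts/install-go-1.25.6.sh` line shows the cost: it pointed at a 1.25.6 script while the script tracked elsewhere in this commit was `scripts/install-go-1.25.7.sh`, so the target was already broken before this bump. Driving all three from one variable keeps them in step, e.g. `GO_VERSION ?= 1.26.0` at the top of the Makefile and `sudo ./scripts/install-go-$(GO_VERSION).sh` in the recipe, with the comment and echo referring to `$(GO_VERSION)` as well. Whether the surrounding Makefile already defines such a variable is not visible in this hunk.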
@@ -490,7 +490,7 @@ Charon maintains transparency about security issues and their resolution. Below ### Third-Party Dependencies -**CrowdSec Binaries**: As of December 2025, CrowdSec binaries shipped with Charon contain 4 HIGH-severity CVEs in Go stdlib (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729). These are upstream issues in Go 1.25.1 and will be resolved when CrowdSec releases binaries built with go 1.25.7+. +**CrowdSec Binaries**: As of December 2025, CrowdSec binaries shipped with Charon contain 4 HIGH-severity CVEs in Go stdlib (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729). These are upstream issues in Go 1.25.1 and will be resolved when CrowdSec releases binaries built with go 1.26.0+. **Impact**: Low. These vulnerabilities are in CrowdSec's third-party binaries, not in Charon's application code. They affect HTTP/2, TLS certificate handling, and archive parsing—areas not directly exposed to attackers through Charon's interface. diff --git a/docs/github-setup.md b/docs/github-setup.md index 0b0fe4b7..9f211530 100644 --- a/docs/github-setup.md +++ b/docs/github-setup.md @@ -173,7 +173,7 @@ If the secret is missing or invalid, the workflow will fail with a clear error m **Prerequisites:** -- go 1.25.7+ (automatically managed via `GOTOOLCHAIN: auto` in CI) +- go 1.26.0+ (automatically managed via `GOTOOLCHAIN: auto` in CI) - Node.js 20+ for frontend builds **Triggers when:** diff --git a/docs/implementation/SUPPLY_CHAIN_REMEDIATION_PLAN.md b/docs/implementation/SUPPLY_CHAIN_REMEDIATION_PLAN.md index 1a546910..c9c6a817 100644 --- a/docs/implementation/SUPPLY_CHAIN_REMEDIATION_PLAN.md +++ b/docs/implementation/SUPPLY_CHAIN_REMEDIATION_PLAN.md 
@@ -28,7 +28,7 @@ CI supply chain scans detected 4 HIGH-severity vulnerabilities in CrowdSec binar **Root Cause**: CrowdSec v1.6.5 compiled with Go 1.25.1 (vulnerable) -**Resolution**: Upgrade to CrowdSec v1.6.6+ (compiled with Go 1.25.2+) +**Resolution**: Upgrade to CrowdSec v1.6.6+ (compiled with Go 1.26.0+) ## Action Items @@ -56,7 +56,7 @@ docker run --rm charon:local /usr/local/bin/crowdsec version docker run --rm charon:local /usr/local/bin/cscli version ``` -**Expected Output**: Should show Go 1.25.2 or later +**Expected Output**: Should show Go 1.26.0 or later **Assignee**: @qa-team **Effort**: 10 minutes diff --git a/docs/implementation/WORKSTREAM_C_CROWDSEC_GO_VERSION_FIX.md b/docs/implementation/WORKSTREAM_C_CROWDSEC_GO_VERSION_FIX.md index 241f3082..2baad3fa 100644 --- a/docs/implementation/WORKSTREAM_C_CROWDSEC_GO_VERSION_FIX.md +++ b/docs/implementation/WORKSTREAM_C_CROWDSEC_GO_VERSION_FIX.md @@ -2,7 +2,7 @@ **Date:** 2026-01-10 **Issue:** CrowdSec binaries built with Go 1.25.1 containing 4 HIGH CVEs -**Solution:** Pin CrowdSec builder to Go 1.25.5+ +**Solution**: Pin CrowdSec builder to Go 1.26.0+ ## Problem @@ -17,7 +17,7 @@ The CrowdSec builder stage in the Dockerfile was using `golang:1.25-alpine`, whi ## Solution -Updated the `CrowdSec Builder` stage in the Dockerfile to explicitly pin to Go 1.25.5: +Updated the `CrowdSec Builder` stage in the Dockerfile to explicitly pin to Go 1.26.0: ```dockerfile # Before: @@ -63,7 +63,7 @@ After this change, the following validations should be performed: 3. **Expected outcome:** - Trivy image scan should report **0 HIGH/CRITICAL** vulnerabilities - - CrowdSec binaries should be built with Go 1.25.5+ + - CrowdSec binaries should be built with Go 1.26.0+ - All CrowdSec functionality should remain operational ## Related diff --git a/go.work b/go.work index 9d280119..ca05e7d8 100644 --- a/go.work +++ b/go.work @@ -1,3 +1,3 @@ -go 1.25.7 +go 1.26.0 use ./backend 
diff --git a/scripts/install-go-1.25.7.sh b/scripts/install-go-1.25.7.sh
old mode 100755
new mode 100644
index e4ecb48b..5b0039fc
--- a/scripts/install-go-1.25.7.sh
+++ b/scripts/install-go-1.25.7.sh
@@ -1,10 +1,10 @@
 #!/usr/bin/env bash
 set -euo pipefail
-# Script to install go 1.25.7 to /usr/local/go
-# Usage: sudo ./scripts/install-go-1.25.7.sh
+# Script to install go 1.26.0 to /usr/local/go
+# Usage: sudo ./scripts/install-go-1.26.0.sh
-GO_VERSION="1.25.7"
+GO_VERSION="1.26.0"
 ARCH="linux-amd64"
 TARFILE="go${GO_VERSION}.${ARCH}.tar.gz"
 TMPFILE="/tmp/${TARFILE}"
diff --git a/scripts/install-go-1.26.0.sh b/scripts/install-go-1.26.0.sh
new file mode 100755
index 00000000..5b0039fc
--- /dev/null
+++ b/scripts/install-go-1.26.0.sh
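Review bot: `scripts/install-go-1.25.7.sh` is kept but rewritten to install 1.26.0 and switched to mode 100644, and its new blob id (5b0039fc) is the same as the freshly added `scripts/install-go-1.26.0.sh`, so the repository now carries two byte-identical installers, one under a name that contradicts what it does and that is no longer executable. Deleting the old file in this commit (git records it as a rename) avoids a misnamed duplicate that renovate or a contributor may later update independently of the real one. If the old name must survive for callers, reduce it to a one-line forwarder, `exec "$(dirname "$0")/install-go-1.26.0.sh" "$@"`, rather than a second copy of the logic.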
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Script to install go 1.26.0 to /usr/local/go
+# Usage: sudo ./scripts/install-go-1.26.0.sh
+
+GO_VERSION="1.26.0"
+ARCH="linux-amd64"
+TARFILE="go${GO_VERSION}.${ARCH}.tar.gz"
+TMPFILE="/tmp/${TARFILE}"
+# Ensure GOPATH is set
+: ${GOPATH:=$HOME/go}
+: ${GOBIN:=${GOPATH}/bin}
+
+# Download
+if [ ! -f "$TMPFILE" ]; then
+ echo "Downloading go${GO_VERSION}..."
+ curl -sSfL -o "$TMPFILE" "https://go.dev/dl/${TARFILE}"
+fi
+
+# Remove existing installation
+if [ -d "/usr/local/go" ]; then
+ echo "Removing existing /usr/local/go..."
+ sudo rm -rf /usr/local/go
+fi
+
+# Extract
+echo "Extracting to /usr/local..."
+sudo tar -C /usr/local -xzf "$TMPFILE"
+
+# Setup system PATH via /etc/profile.d
+echo "Creating /etc/profile.d/go.sh to export /usr/local/go/bin and GOPATH/bin"
+sudo tee /etc/profile.d/go.sh > /dev/null <<'EOF'
+export PATH=/usr/local/go/bin:$GOPATH/bin:$PATH
+EOF
+sudo chmod +x /etc/profile.d/go.sh
+
+# Update current session PATH
+export PATH=/usr/local/go/bin:$GOPATH/bin:$PATH
+
+# Verify
+echo "Installed go: $(go version)"
+
+# Optionally install gopls
+echo "Installing gopls..."
+# renovate: datasource=go depName=golang.org/x/tools
+go install golang.org/x/tools/gopls@v0.41.0
+
+GOPLS_PATH="$GOPATH/bin/gopls"
+if [ -f "$GOPLS_PATH" ]; then
+ echo "gopls installed at $GOPLS_PATH"
+ $GOPLS_PATH version || true
+else
+ echo "gopls not installed in GOPATH/bin"
+fi
+
+cat <<'EOF'
+Done. Please restart your shell or run:
+ source /etc/profile.d/go.sh
+and restart your editor's Go language server (Go: Restart Language Server in VS Code)
+EOF
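Review bot: The download block (`if [ ! -f "$TMPFILE" ]` through `sudo tar -C /usr/local -xzf "$TMPFILE"`) extracts whatever sits at the predictable path `/tmp/go1.26.0.linux-amd64.tar.gz` into `/usr/local` as root without checking its contents, so a truncated download from an earlier run, or a file another local user placed under that name, becomes the system toolchain that every later build and `go install` trusts. go.dev/dl publishes a SHA-256 for each archive; pin it next to `GO_VERSION`, verify before extracting, and download into a private `mktemp -d` directory rather than reusing a shared `/tmp` name. Separately, the `/etc/profile.d/go.sh` heredoc is single-quoted, so `$GOPATH` is expanded at login time where it is normally unset, putting `/bin` on PATH instead of `$HOME/go/bin`; that file needs its own `GOPATH` default (e.g. `export GOPATH="${GOPATH:-$HOME/go}"` before the PATH line). The fence below covers only the download and verification part; the extraction, profile.d and gopls sections are unchanged apart from that default.
```shell
GO_VERSION="1.26.0"
ARCH="linux-amd64"
TARFILE="go${GO_VERSION}.${ARCH}.tar.gz"
# SHA-256 of this exact archive from https://go.dev/dl/ — update together with GO_VERSION
GO_SHA256="<sha256-of-go1.26.0.linux-amd64.tar.gz>"
# Private, unpredictable download location instead of a fixed name in shared /tmp
DL_DIR="$(mktemp -d)"
trap 'rm -rf "$DL_DIR"' EXIT
TMPFILE="${DL_DIR}/${TARFILE}"
# … unchanged: GOPATH/GOBIN defaults …

# Download and verify before anything touches /usr/local
echo "Downloading go${GO_VERSION}..."
curl -sSfL -o "$TMPFILE" "https://go.dev/dl/${TARFILE}"
echo "${GO_SHA256}  ${TMPFILE}" | sha256sum -c - >/dev/null || {
  echo "Checksum mismatch for ${TARFILE}; refusing to install" >&2
  exit 1
}
# … unchanged: remove existing /usr/local/go, extract, profile.d setup, gopls install …
```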