akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity

chore: clean .gitignore cache

Browse Source
This commit is contained in:
GitHub Actions
2026-01-26 19:22:05 +00:00
parent e5f0fec5db
commit f64e3feef8
1448 changed files with 468101 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
docs/implementation/WORKSTREAM_C_CROWDSEC_GO_VERSION_FIX.md Normal file
View File

@@ -0,0 +1,80 @@
# Workstream C: CrowdSec Go Version Fix
**Date:** 2026-01-10
**Issue:** CrowdSec binaries built with Go 1.25.1 containing 4 HIGH CVEs
**Solution:** Pin CrowdSec builder to Go 1.25.5+
## Problem
Trivy scan identified that the CrowdSec binaries (`crowdsec` and `cscli`) embedded in the container image were built with Go 1.25.1, which has 4 HIGH severity CVEs:
- CVE-2025-58183
- CVE-2025-58186
- CVE-2025-58187
- CVE-2025-61729
The CrowdSec builder stage in the Dockerfile was using `golang:1.25-alpine`, which resolved to the vulnerable Go 1.25.1 version.
## Solution
Updated the `CrowdSec Builder` stage in the Dockerfile to explicitly pin to Go 1.25.5:
```dockerfile
# Before:
FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS crowdsec-builder
# After:
# renovate: datasource=docker depName=golang versioning=docker
FROM --platform=$BUILDPLATFORM golang:1.25.5-alpine AS crowdsec-builder
```
## Changes Made
### File: `Dockerfile`
**Line ~275-279:** Updated the CrowdSec builder stage base image
- Changed from: `golang:1.25-alpine` (resolves to 1.25.1)
- Changed to: `golang:1.25.5-alpine` (fixed version)
- Added Renovate annotation to track future Go version updates
## Impact
- **Security:** Eliminates 4 HIGH CVEs in the CrowdSec binaries
- **Build Process:** No changes to build logic, only base image version
- **CrowdSec Version:** Remains at v1.7.4 (no version change needed)
- **Compatibility:** No breaking changes; CrowdSec functionality unchanged
## Verification
After this change, the following validations should be performed:
1. **Rebuild the image** (no-cache recommended):
```bash
# Use task: Build & Run: Local Docker Image No-Cache
```
2. **Run Trivy scan** on the rebuilt image:
```bash
# Use task: Security: Trivy Scan
```
3. **Expected outcome:**
- Trivy image scan should report **0 HIGH/CRITICAL** vulnerabilities
- CrowdSec binaries should be built with Go 1.25.5+
- All CrowdSec functionality should remain operational
## Related
- **Plan:** [docs/plans/current_spec.md](../plans/current_spec.md) - Workstream C
- **CVE List:** Go 1.25.1 stdlib vulnerabilities (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729)
- **Dependencies:** CrowdSec v1.7.4 (no change)
- **Next Step:** QA validation after image rebuild
## Notes
- The Backend Builder stage already uses `golang:1.25-alpine` but may resolve to a patched minor version. If needed, it can be pinned similarly.
- Renovate will track the pinned `golang:1.25.5-alpine` image and suggest updates when newer patch versions are available.
- The explicit version pin ensures reproducible builds and prevents accidental rollback to vulnerable versions.