Skip to content

ROB-547 Pin azure-cli-mcp Go builder to 1.26.4 (fix CVE-2026-42504/-27145/-42507)#33

Open
Avi-Robusta wants to merge 2 commits into
masterfrom
avi/rob-547-azure-cli-mcp-go-1264
Open

ROB-547 Pin azure-cli-mcp Go builder to 1.26.4 (fix CVE-2026-42504/-27145/-42507)#33
Avi-Robusta wants to merge 2 commits into
masterfrom
avi/rob-547-azure-cli-mcp-go-1264

Conversation

@Avi-Robusta

Copy link
Copy Markdown
Contributor

What

Pin servers/azure/Dockerfile builder golang:1.26-alpinegolang:1.26.4-alpine, bump image version 1.0.5 → 1.0.6.

Why

The latest mcp/azure-cli-mcp image (built 2026-05-07) ships Go stdlib 1.26.2 — the floating 1.26-alpine tag resolved to 1.26.2 at build time and was baked into the azure-api-mcp binary. docker scout flags CVE-2026-42504 (HIGH), CVE-2026-27145, CVE-2026-42507 (+ <1.26.3 stdlib CVEs). Go 1.26.4 clears them.

Note: the 2026-07-02 Vanta report wrongly listed this as "Fixed in Latest Image" — a scanner false-negative (single docker scout call missed the CVE). Tracked in ROB-547.

Verification

Rebuilt locally and re-scanned — stdlib CVEs gone (see PR comment / checks).

Follow-up

Rebuild + push mcp/azure-cli-mcp:1.0.6 via servers/azure/build-push.sh, then re-point/re-scan in Vanta. Also harden the scanner verification (ROB-547).

Linear: ROB-547

🤖 Generated with Claude Code

Avi-Robusta and others added 2 commits July 2, 2026 13:07
…7145/-42507)

The azure-api-mcp binary was built with the floating golang:1.26-alpine tag,
which baked Go stdlib 1.26.2 into the shipped image (built 2026-05-07). Pin
golang:1.26.4-alpine so the stdlib CVEs (CVE-2026-42504 HIGH, CVE-2026-27145,
CVE-2026-42507, and the <1.26.3 stdlib CVEs) are cleared, and bump the image
version to 1.0.6 so build-push.sh publishes a fresh tag for Vanta to re-scan.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant