Skip to content

Commit 94d8900

Browse files
committed
fix(security): use Go 1.24.9 for building container binary
Fix CVE-2025-58187 by explicitly using go_1_24 for building the gitlab-runner-kubevirt binary instead of the default pkgs.go. Root cause analysis: - devShell correctly used go_1_24 (version 1.24.9) for development - However, buildGoModule used default pkgs.go (version 1.25.2 - VULNERABLE) - The container included the binary built with Go 1.25.2 - Trivy scanned the embedded Go stdlib in the binary and reported CVE Fix: - Override buildGoModule to explicitly use pkgs.go_1_24 - Binary now embeds Go 1.24.9 stdlib (verified with go version -m) - Container scan will now detect patched version Verification: $ go version -m ./result/bin/gitlab-runner-kubevirt ./result/bin/gitlab-runner-kubevirt: go1.24.9 CVE Details: - Package: stdlib - Severity: HIGH - Fixed Versions: 1.24.9, 1.25.3 - Link: CVE-2025-58187
1 parent 744693b commit 94d8900

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

flake.nix

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -78,7 +78,7 @@
7878
packages = {
7979
default = self.packages.${system}.gitlab-runner-kubevirt;
8080

81-
gitlab-runner-kubevirt = pkgs.buildGoModule {
81+
gitlab-runner-kubevirt = pkgs.buildGoModule.override { go = pkgs.go_1_24; } {
8282
pname = "gitlab-runner-kubevirt";
8383
inherit version;
8484

0 commit comments

Comments
 (0)