Commit 94d8900
committed
fix(security): use Go 1.24.9 for building container binary
Fix CVE-2025-58187 by explicitly using go_1_24 for building the
gitlab-runner-kubevirt binary instead of the default pkgs.go.
Root cause analysis:
- devShell correctly used go_1_24 (version 1.24.9) for development
- However, buildGoModule used default pkgs.go (version 1.25.2 - VULNERABLE)
- The container included the binary built with Go 1.25.2
- Trivy scanned the embedded Go stdlib in the binary and reported CVE
Fix:
- Override buildGoModule to explicitly use pkgs.go_1_24
- Binary now embeds Go 1.24.9 stdlib (verified with go version -m)
- Container scan will now detect patched version
Verification:
$ go version -m ./result/bin/gitlab-runner-kubevirt
./result/bin/gitlab-runner-kubevirt: go1.24.9
CVE Details:
- Package: stdlib
- Severity: HIGH
- Fixed Versions: 1.24.9, 1.25.3
- Link: CVE-2025-581871 parent 744693b commit 94d8900
1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
78 | 78 | | |
79 | 79 | | |
80 | 80 | | |
81 | | - | |
| 81 | + | |
82 | 82 | | |
83 | 83 | | |
84 | 84 | | |
| |||
0 commit comments