
PatchPilot: remediate CVEs#8

Closed
moolen wants to merge 1 commit into main from patchpilot/remediate-cves

Conversation


@moolen moolen commented Mar 29, 2026

Owner

CVE audit - ghcr.io/moolen/skouter:1

Image build evidence

  • Build definition: Root Dockerfile is what CI uses (.github/workflows/ci.yml -> docker/build-push-action with context: ., push to ghcr.io/moolen/skouter).
  • Current pins: BASEIMAGE=golang:1.19 (build), RUNIMAGE=alpine:3.14 (runtime), apk add curl on runtime.
  • go.mod: go 1.19; direct golang.org/x/net v0.5.0; indirect golang.org/x/oauth2, google.golang.org/protobuf per module graph.

Recommended remediation (safest path - not applied here)

  • Builder: Bump BASEIMAGE to a registry-listed current golang tag (keep official Debian-based golang family). Target Go >= 1.26.1 or >= 1.25.8 to satisfy the newest stdlib advisories in the scan (e.g. CVE-2026-25679 / CVE-2026-27139); list tags from the registry and pick a patch, do not guess tag names.
  • Runtime: Replace EOL Alpine 3.14 with a listed supported alpine tag (same family). Refresh packages so curl/libcurl and OpenSSL are not the vulnerable versions pinned in the scan (Alpine 3.14 uses OpenSSL 1.1 - migrate to newer Alpine with OpenSSL 3). Pin apk versions after verifying package indexes.
  • Modules: Raise golang.org/x/net to >= v0.38.0 (max GHSA requirement in the set), golang.org/x/oauth2 to >= v0.27.0, google.golang.org/protobuf to >= v1.33.0; align go directive and Kubernetes/client-go stack as needed for compatibility; go mod tidy / vendor refresh.
  • CI: Update .github/workflows/release.yml goversion tarball for kubectl-blame to match the chosen Go toolchain.
  • Post-change: go build ./..., go test ./..., govulncheck ./..., rebuild image, rescan.

Fixed findings

  • None - audit-only rollout; only .patchpilot/output.json may be modified.

Actions taken (this run)

  • Read .patchpilot/input/cve-remediation.json, Dockerfile, go.mod, .github/workflows/ci.yml, .github/workflows/release.yml.
  • Mapped each finding to the owning file (Dockerfile build vs runtime vs go.mod).

Outcome

  • No further fixes possible in this rollout - policy forbids modifying repository source; operators must apply Dockerfile / go.mod / CI updates in a follow-up change.

Validation steps performed

  • Static review of repo layout and workflows; did not run go build, go test, govulncheck, or Docker build (Go/Docker CLIs not available in this environment).

Notes

  • What worked well: Structured input in .patchpilot/input/cve-remediation.json matched the scan report; repository has a single root Dockerfile clearly tied to CI image publish.
  • What was difficult: No go/jq/python in PATH here - used awk/sed to assemble the full findings table; cannot verify builds or list registry tags locally.
  • Missing for future runs: Working Go toolchain and Docker or crane for go build, govulncheck, and tag listing; optional automated dedupe of redundant stdlib CVE rows in operator-facing output.

Unresolved findings (99) - full table

| CVE ID | Package | File location | Status | Reason |
|---|---|---|---|---|
| CVE-2023-44487 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| GHSA-qppj-fm5r-hxr3 | golang.org/x/net | go.mod / go.sum | Open | Audit-only; no repo changes applied |
| CVE-2023-45288 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| GHSA-4v7x-pqxf-cx7m | golang.org/x/net | go.mod / go.sum | Open | Audit-only; no repo changes applied |
| CVE-2024-24787 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2024-24784 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2024-24791 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2024-24785 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-0464 | libcrypto1.1 | Dockerfile (runtime: alpine:3.14 base image) | Open | Audit-only; no repo changes applied |
| CVE-2023-0464 | libssl1.1 | Dockerfile (runtime: alpine:3.14 base image) | Open | Audit-only; no repo changes applied |
| CVE-2023-24538 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-24531 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2024-24783 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-29405 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-45289 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-45290 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-0465 | libcrypto1.1 | Dockerfile (runtime: alpine:3.14 base image) | Open | Audit-only; no repo changes applied |
| CVE-2023-0465 | libssl1.1 | Dockerfile (runtime: alpine:3.14 base image) | Open | Audit-only; no repo changes applied |
| CVE-2023-24540 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2024-34156 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| GHSA-vvpx-j8f3-3w6h | golang.org/x/net | go.mod / go.sum | Open | Audit-only; no repo changes applied |
| CVE-2022-41723 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-29406 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| GHSA-8r3f-844c-mc37 | google.golang.org/protobuf | go.mod / go.sum | Open | Audit-only; no repo changes applied |
| CVE-2024-24790 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2025-22871 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-27533 | curl | Dockerfile (runtime: RUNIMAGE=alpine:3.14; apk add curl) | Open | Audit-only; no repo changes applied |
| CVE-2023-27533 | libcurl | Dockerfile (runtime: RUNIMAGE=alpine:3.14; apk add curl) | Open | Audit-only; no repo changes applied |
| CVE-2023-45287 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2024-34158 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-29402 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-23914 | curl | Dockerfile (runtime: RUNIMAGE=alpine:3.14; apk add curl) | Open | Audit-only; no repo changes applied |
| CVE-2023-23914 | libcurl | Dockerfile (runtime: RUNIMAGE=alpine:3.14; apk add curl) | Open | Audit-only; no repo changes applied |
| GHSA-4374-p667-p6c8 | golang.org/x/net | go.mod / go.sum | Open | Audit-only; no repo changes applied |
| CVE-2023-24534 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| GHSA-6v2p-p543-phr9 | golang.org/x/oauth2 | go.mod / go.sum | Open | Audit-only; no repo changes applied |
| CVE-2024-45336 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-29404 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2024-45341 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-39326 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| GHSA-vvgc-356p-c3xw | golang.org/x/net | go.mod / go.sum | Open | Audit-only; no repo changes applied |
| CVE-2023-29409 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| GHSA-2wrh-6pvc-2jm9 | golang.org/x/net | go.mod / go.sum | Open | Audit-only; no repo changes applied |
| CVE-2023-23916 | curl | Dockerfile (runtime: RUNIMAGE=alpine:3.14; apk add curl) | Open | Audit-only; no repo changes applied |
| CVE-2023-23916 | libcurl | Dockerfile (runtime: RUNIMAGE=alpine:3.14; apk add curl) | Open | Audit-only; no repo changes applied |
| CVE-2023-39318 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-39319 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-24536 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-27534 | curl | Dockerfile (runtime: RUNIMAGE=alpine:3.14; apk add curl) | Open | Audit-only; no repo changes applied |
| CVE-2023-27534 | libcurl | Dockerfile (runtime: RUNIMAGE=alpine:3.14; apk add curl) | Open | Audit-only; no repo changes applied |
| CVE-2023-24539 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2022-41725 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-39323 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-45285 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2024-34155 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-29400 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2023-27535 | curl | Dockerfile (runtime: RUNIMAGE=alpine:3.14; apk add curl) | Open | Audit-only; no repo changes applied |
| CVE-2023-27535 | libcurl | Dockerfile (runtime: RUNIMAGE=alpine:3.14; apk add curl) | Open | Audit-only; no repo changes applied |
| CVE-2023-23915 | curl | Dockerfile (runtime: RUNIMAGE=alpine:3.14; apk add curl) | Open | Audit-only; no repo changes applied |
| CVE-2023-23915 | libcurl | Dockerfile (runtime: RUNIMAGE=alpine:3.14; apk add curl) | Open | Audit-only; no repo changes applied |
| CVE-2023-27537 | curl | Dockerfile (runtime: RUNIMAGE=alpine:3.14; apk add curl) | Open | Audit-only; no repo changes applied |
| CVE-2023-27537 | libcurl | Dockerfile (runtime: RUNIMAGE=alpine:3.14; apk add curl) | Open | Audit-only; no repo changes applied |
| CVE-2025-61726 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2026-25679 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2025-61725 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2025-61723 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2025-61729 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2025-47906 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2025-68121 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2022-41724 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only; no repo changes applied |
| CVE-2025-58186 | stdlib | Dockerfile (build stage: BASEIMAGE=golang:1.19) | Open | Audit-only |

... agent summary truncated for GitHub output ...

Human intervention requested by agent: true

Network Audit

  • traffic mode: proxy
  • network mode: audit
  • domains observed: 3
  • api2.cursor.sh attempts=13 result=allowed port=443 seen=connect
  • localhost attempts=5 result=upstream_error port=80 seen=http error="dial tcp [::1]:80: connect: connection refused"
  • repo42.cursor.sh attempts=14 result=allowed port=443 seen=connect

Agent Logs

cve-remediation stdout
Audit-only run is done: only `.patchpilot/output.json` was added/updated (no `Dockerfile`, `go.mod`, or CI edits).

**Findings from inspection**
- **Published image** `ghcr.io/moolen/skouter` is built from the repo root **`Dockerfile`** via `.github/workflows/ci.yml` (`docker/build-push-action`, `context: .`).
- **`Dockerfile`**: `BASEIMAGE=golang:1.19` (scanner’s `go1.19.5` stdlib), `RUNIMAGE=alpine:3.14` plus `apk add curl` (matches `curl`/`libcurl` and OpenSSL 1.1 issues).
- **`go.mod`**: `go 1.19`, `golang.org/x/net v0.5.0`, plus indirect `oauth2` / `protobuf` as in the scan.

**Output**
- **`pr_summary`** includes: image evidence, a concise **safest remediation plan** (bump builder/runtime from listed registry tags, module floors, CI `goversion` alignment, post-change validation), **Fixed findings: none**, **actions taken**, **outcome**, **validation**, the required **Notes** block (`<!-- patchpilot agent notes -->` … `<!-- patchpilot agent notes end -->`), and a **full 99-row unresolved table** (CVE ID, Package, File location, Status, Reason).
- **`human_intervention_needed`**: `true` (audit policy blocks source changes; operators must apply the plan in a later PR).

File: `.patchpilot/output.json`.
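The module floors in the remediation plan above (golang.org/x/net >= v0.38.0, golang.org/x/oauth2 >= v0.27.0, google.golang.org/protobuf >= v1.33.0) are the kind of check an operator wants to run against go.mod before and after the follow-up change. The program below is an added example, not code from the PR or the skouter project: it parses a go.mod with the standard library only, reads both single-line and block `require` entries, and reports every requirement that sits below its floor. The embedded go.mod is constructed: the `go 1.19` directive and `golang.org/x/net v0.5.0` match what the PR states, while the `oauth2`, `protobuf` and `client-go` versions are placeholders that the PR does not give.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Floors holds the minimum acceptable version per module, taken from
// the remediation plan in the PR description.
var Floors = map[string]string{
	"golang.org/x/net":           "v0.38.0",
	"golang.org/x/oauth2":        "v0.27.0",
	"google.golang.org/protobuf": "v1.33.0",
}

// SampleGoMod is a constructed go.mod. Only the go directive and the
// x/net version come from the PR; the other versions are placeholders.
const SampleGoMod = `module github.com/moolen/skouter

go 1.19

require (
	golang.org/x/net v0.5.0
	k8s.io/client-go v0.26.0 // placeholder version
)

require (
	golang.org/x/oauth2 v0.4.0 // indirect, placeholder version
	google.golang.org/protobuf v1.28.1 // indirect, placeholder version
)
`

// ParseRequires returns module path -> version for every require entry,
// in both "require x v1" and "require ( ... )" form. Comments are dropped,
// so "// indirect" markers do not disturb the field split.
func ParseRequires(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				out[f[1]] = f[2]
			}
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				out[f[0]] = f[1]
			}
		}
	}
	return out
}

// CompareSemver compares two "vMAJOR.MINOR.PATCH" strings numerically and
// returns -1, 0 or 1. Pre-release and pseudo-version suffixes (after "-" or
// "+") are ignored, which is adequate for release-tag floors like these.
func CompareSemver(a, b string) int {
	core := func(v string) []string {
		v = strings.TrimPrefix(v, "v")
		v = strings.SplitN(v, "-", 2)[0]
		v = strings.SplitN(v, "+", 2)[0]
		return strings.Split(v, ".")
	}
	pa, pb := core(a), core(b)
	for i := 0; i < 3; i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// BelowFloor returns module -> current version for every floored module
// whose required version is older than its floor.
func BelowFloor(reqs, floors map[string]string) map[string]string {
	bad := map[string]string{}
	for mod, floor := range floors {
		if have, ok := reqs[mod]; ok && CompareSemver(have, floor) < 0 {
			bad[mod] = have
		}
	}
	return bad
}

func main() {
	for mod, have := range BelowFloor(ParseRequires(SampleGoMod), Floors) {
		fmt.Printf("%s %s is below floor %s\n", mod, have, Floors[mod])
	}
}
```

This only compares declared versions against the floors the plan names; it does not replace `govulncheck ./...`, which reports vulnerable symbols actually reachable from the code and so remains the authoritative post-change gate the plan lists. Point `ParseRequires` at the real go.mod contents and run it once before and once after `go mod tidy` to confirm the floors are met.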


moolen commented Mar 29, 2026

Owner Author

Agent Log Assets

Network Audit

  • traffic mode: proxy
  • network mode: audit
  • domains observed: 3
  • api2.cursor.sh attempts=13 result=allowed port=443 seen=connect
  • localhost attempts=5 result=upstream_error port=80 seen=http error="dial tcp [::1]:80: connect: connection refused"
  • repo42.cursor.sh attempts=14 result=allowed port=443 seen=connect

@moolen moolen closed this Mar 29, 2026
@moolen moolen deleted the patchpilot/remediate-cves branch March 29, 2026 19:01