
fix: remediate gobinary vulnerabilities in scanner-trivy#46

Merged
yuzichen12123 merged 3 commits into
alauda-v0.34.2from
fix/trivy-vuln-remediation-go1.26.2
Apr 21, 2026

Conversation

@yuzichen12123

Collaborator

Summary

  • upgrade vulnerable dependencies in Go modules
  • remove legacy go-containerregistry replace and move to upstream v0.21.4
  • adjust SBOM artifact type detection for new go-containerregistry API
  • refresh module metadata in go.sum

Verification

  • go test ./...
  • go test -tags=component ./test/component/... -run TestDoesNotExist
  • trivy rootfs --scanners vuln --skip-db-update --skip-java-db-update

Result

  • scanner-trivy gobinary scan result: 0 vulnerabilities

Commits

  • bump Go directive to 1.26.2
  • upgrade vulnerable modules (docker/cli, docker, go-redis, x/net, containerregistry)
  • remove legacy go-containerregistry replace
  • adapt SBOM artifact detection to new go-containerregistry API
  • update related unit test for manifest artifact type handling
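The API change the description refers to (reading Manifest.ArtifactType directly versus calling partial.ArtifactType() in go-containerregistry v0.21.4), as an added example that is not code from this PR or from harbor-scanner-trivy. The Descriptor, Manifest and WithManifest types below are stdlib-only stand-ins for the go-containerregistry fields the resolution depends on, and fakeImage, IsHarborSBOM and the sample cases are assumed for illustration; the resolution order (artifactType first, Config.MediaType as the fallback) is the one partial.ArtifactType documents.

```go
package main

import (
	"errors"
	"fmt"
)

// Descriptor and Manifest are stand-ins for the go-containerregistry
// v1.Descriptor / v1.Manifest fields this check depends on (assumption: only
// ArtifactType and Config.MediaType matter for artifact-type detection).
type Descriptor struct {
	MediaType string
}

type Manifest struct {
	ArtifactType string
	Config       Descriptor
}

// WithManifest mirrors partial.WithManifest: anything that can return its
// parsed manifest. A real v1.Image satisfies the upstream version of this.
type WithManifest interface {
	Manifest() (*Manifest, error)
}

// fakeImage is a constructed test double, playing the role of the
// fake.FakeImage used in the PR's wrapper_test.go.
type fakeImage struct {
	m   *Manifest
	err error
}

func (f *fakeImage) Manifest() (*Manifest, error) { return f.m, f.err }

// ArtifactType reproduces the resolution order of partial.ArtifactType:
// the manifest's artifactType field wins; when it is empty, the config
// descriptor's mediaType is used, which is how OCI 1.0-era artifacts
// (and older Harbor SBOM accessories) encode their type.
func ArtifactType(w WithManifest) (string, error) {
	m, err := w.Manifest()
	if err != nil {
		return "", err
	}
	if m == nil {
		return "", errors.New("nil manifest")
	}
	if m.ArtifactType != "" {
		return m.ArtifactType, nil
	}
	return m.Config.MediaType, nil
}

// HarborSBOMArtifactType is the media type the PR's test fixture uses.
const HarborSBOMArtifactType = "application/vnd.goharbor.harbor.sbom.v1"

// IsHarborSBOM is the kind of check the scanner needs after the migration.
// Reading m.ArtifactType directly would miss an artifact that carries the
// SBOM type only in Config.MediaType; going through ArtifactType catches both.
func IsHarborSBOM(w WithManifest) (bool, error) {
	at, err := ArtifactType(w)
	if err != nil {
		return false, err
	}
	return at == HarborSBOMArtifactType, nil
}

func main() {
	// Constructed sample manifests covering both branches plus a fetch failure.
	cases := []struct {
		name string
		img  WithManifest
	}{
		{"artifactType set", &fakeImage{m: &Manifest{
			ArtifactType: HarborSBOMArtifactType,
			Config:       Descriptor{MediaType: "application/vnd.oci.image.config.v1+json"},
		}}},
		{"config mediaType only", &fakeImage{m: &Manifest{
			Config: Descriptor{MediaType: HarborSBOMArtifactType},
		}}},
		{"ordinary image", &fakeImage{m: &Manifest{
			Config: Descriptor{MediaType: "application/vnd.docker.container.image.v1+json"},
		}}},
		{"manifest fetch failure", &fakeImage{err: errors.New("manifest unavailable")}},
	}
	for _, c := range cases {
		ok, err := IsHarborSBOM(c.img)
		fmt.Printf("%-22s sbom=%v err=%v\n", c.name, ok, err)
	}
}
```

The second case is the one the old direct read of m.ArtifactType would have classified as a plain image; a unit test for the migrated code should include it alongside the fixture that sets ArtifactType explicitly.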
@alaudabot

alaudabot commented Apr 21, 2026


🤖 AI Code Review

Property Value
Model opencode/minimax-m2.5-free
Style strict
Issues Found 0
Config Source centralized
Profile ❌ Not Found
Personalized Prompt ❌ No
Prompt Path .github/review/profiles/alaudadevops/harbor-scanner-trivy/pr-review.md
Alauda Skills ✅ base-authoring, base-m365, base-skill-setup, builders-component-knowledge, builders-confluence, builders-jira, builders-publish-errata, builders-story-split, devops-autodns, devops-bulk-string-replace, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-write-user-docs, devops-docker-keyword-analysis, devops-gen-advanced-form-descriptors, devops-go-vuln-fix, devops-knowledge-adoption, devops-refresh-alauda-tags, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-task-generator, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-update-containerfile-digests, devops-upgrade-go
Reviewed at 2026-04-21 08:43:31 UTC

Summary

This PR upgrades vulnerable Go dependencies and removes the custom go-containerregistry fork in favor of upstream v0.21.4. Key changes include Go 1.24.0→1.26.2, Trivy v0.48.3→v0.70.0, and API adjustments for the new go-containerregistry that moves from Manifest.ArtifactType to partial.ArtifactType(). The changes appear necessary and correct for the dependency upgrades.

Review Statistics

Category Count
Critical Issues 0
Warnings 2
Suggestions 1
Files Reviewed 6

Warnings

  • [go.mod:2] Go version upgrade from 1.24.0 to 1.26.2 is a significant jump. Ensure comprehensive testing passes with the new Go version.
  • [Makefile:32] Trivy version upgrade from v0.48.3 to v0.70.0 is a major version jump (22 minor versions). Please verify no breaking changes in the release notes.

Suggestions

  • [pkg/trivy/wrapper_test.go:194] Consider adding a test case that sets Manifest.ArtifactType directly (if supported by the new API) to ensure full coverage of the partial.ArtifactType() code path.

Positive Feedback

  • Good job removing the custom go-containerregistry fork replace and moving to upstream v0.21.4.
  • The API migration from m.ArtifactType to partial.ArtifactType() is correctly implemented.
  • Test updates properly handle the new API and added compatibility fixes for layer metadata differences.

ℹ️ About this review

This review was automatically generated using the run-actions workflow.

  • Shared prompt: .github/prompts/code-review.md
  • Config source: centralized
  • Profile path: Not Found
  • Profile ref: 32955711ef1af066b0af463dc0cecc5ccc39be41
  • No repository-specific prompt configured

Comment thread go.mod
@@ -1,23 +1,23 @@
module github.com/aquasecurity/harbor-scanner-trivy
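Review bot: the go.mod hunk is cut off after the `module` line, so neither the `go 1.26.2` directive nor the removed go-containerregistry `replace` that the description mentions is visible in this thread; when reviewing the full file, confirm the replace removal was followed by a go.sum refresh so no hashes for the old fork remain, and that the toolchain used by the Makefile and CI matches the new directive.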


Warning (bug/compatibility): Go version upgrade from 1.24.0 to 1.26.2 is a significant jump. Ensure comprehensive testing passes with the new Go version.

Comment thread Makefile
setup:
curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s v1.21.0
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.3
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.70.0
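Review bot: the last line pins the Trivy binary to v0.70.0 but both installers still pipe `curl -sfL ... | sh` from an unpinned branch (`master` for golangci-lint, `main` for Trivy), so the script that performs the download is not pinned even though the version it fetches is; pin the install script to a commit, or download the release archive and verify its checksum before installing. The golangci-lint line is also left at v1.21.0 while the module now targets Go 1.26.2; check that this lint version still runs against that toolchain.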


Warning (bug/compatibility): Trivy version upgrade from v0.48.3 to v0.70.0 is a major version jump (22 minor versions). Please verify no breaking changes in the scanner functionality.

Comment thread pkg/trivy/wrapper_test.go
fakeImage := &fake.FakeImage{}
fakeImage.ManifestReturns(&v1.Manifest{
ArtifactType: "application/vnd.goharbor.harbor.sbom.v1",
Config: v1.Descriptor{
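Review bot: the fixture shown here already sets `ArtifactType: "application/vnd.goharbor.harbor.sbom.v1"` on the fake manifest, which is the case the suggestion below asks for, so if this is the post-change test the uncovered branch is the other one: a manifest with an empty ArtifactType whose SBOM type is carried only in `Config.MediaType`. Add a second fake image for that fallback so both paths of partial.ArtifactType() are exercised.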


Suggestion (test/coverage): Consider adding a test case that sets Manifest.ArtifactType directly to ensure full coverage of the partial.ArtifactType function behavior, not just the Config.MediaType fallback path.

  • replace removed mutate.ArtifactType with mutate.ConfigMediaType
  • normalize layer metadata in SBOM vulnerability assertion to avoid version-specific DiffID drift
@yuzichen12123 yuzichen12123 merged commit be923e4 into alauda-v0.34.2 Apr 21, 2026
2 checks passed
@yuzichen12123 yuzichen12123 deleted the fix/trivy-vuln-remediation-go1.26.2 branch April 21, 2026 08:51

2 participants