From 9345865e01f5a43b0a22263c533e4671bba6618e Mon Sep 17 00:00:00 2001 From: Timur Olzhabayev Date: Fri, 22 May 2026 12:10:43 +0200 Subject: [PATCH 1/3] chore(deps): bump osv-scanner to v2.3.3 and golangci-lint to v2.12.2 Stay on osv-scanner v2.3.3 (last release still compatible with Go 1.25) to avoid the v2.3.4+ jump to Go 1.26, which golangci-lint cannot lint against until a Go-1.26-built release ships. Bump golangci-lint to the current latest (v2.12.2) at the same time. --- Dockerfile | 2 +- go.mod | 31 ++++++++++++------------ go.sum | 70 ++++++++++++++++++++++++++++-------------------------- 3 files changed, 53 insertions(+), 50 deletions(-) diff --git a/Dockerfile b/Dockerfile index 89e918e6..f923ef50 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -ARG GOLANGCI_LINT_VERSION=v2.5.0 +ARG GOLANGCI_LINT_VERSION=v2.12.2 ARG GOSEC_VERSION=v2.22.8 ARG SEMGREP_VERSION=1.84.1 diff --git a/go.mod b/go.mod index d61ebbbd..b301948c 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/grafana/plugin-validator -go 1.25.5 +go 1.25.7 require ( github.com/Masterminds/semver/v3 v3.4.0 @@ -9,14 +9,14 @@ require ( github.com/danwakefield/fnmatch v0.0.0-20160403171240-cbb64ac3d964 github.com/fatih/color v1.18.0 github.com/go-enry/go-license-detector/v4 v4.3.1 - github.com/google/osv-scanner/v2 v2.3.1 + github.com/google/osv-scanner/v2 v2.3.3 github.com/hashicorp/go-version v1.8.0 github.com/jarcoal/httpmock v1.4.1 github.com/magefile/mage v1.15.0 github.com/mattn/go-shellwords v1.0.12 github.com/modelcontextprotocol/go-sdk v1.4.1 github.com/openai/openai-go v1.12.0 - github.com/ossf/osv-schema/bindings/go v0.0.0-20251230224438-88c48750ddae + github.com/ossf/osv-schema/bindings/go v0.0.0-20260114034825-230b4a2f4d73 github.com/r3labs/diff/v3 v3.0.2 github.com/smartystreets/goconvey v1.8.1 github.com/sourcegraph/go-diff-patch v0.0.0-20240223163233-798fd1e94a8e 
@@ -32,13 +32,13 @@ require ( require ( dario.cat/mergo v1.0.2 // indirect - github.com/BurntSushi/toml v1.5.0 // indirect + github.com/BurntSushi/toml v1.6.0 // indirect github.com/CycloneDX/cyclonedx-go v0.9.3 // indirect github.com/anchore/go-struct-converter v0.0.0-20250211213226-cce56d595160 // indirect github.com/cyphar/filepath-securejoin v0.6.1 // indirect github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect github.com/ianlancetaylor/demangle v0.0.0-20251118225945-96ee0021ea0f // indirect - github.com/jedib0t/go-pretty/v6 v6.7.5 // indirect + github.com/jedib0t/go-pretty/v6 v6.7.8 // indirect github.com/mattn/go-runewidth v0.0.16 // indirect github.com/package-url/packageurl-go v0.1.3 // indirect github.com/rivo/uniseg v0.4.7 // indirect @@ -56,12 +56,12 @@ require ( cloud.google.com/go/auth v0.16.2 // indirect cloud.google.com/go/compute/metadata v0.9.0 // indirect cyphar.com/go-pathrs v0.2.1 // indirect - deps.dev/api/v3 v3.0.0-20251127011616-f763ce91ff53 // indirect - deps.dev/api/v3alpha v0.0.0-20251127011616-f763ce91ff53 // indirect - deps.dev/util/maven v0.0.0-20251127011616-f763ce91ff53 // indirect + deps.dev/api/v3 v3.0.0-20260112033243-1270359b191b // indirect + deps.dev/api/v3alpha v0.0.0-20260112033243-1270359b191b // indirect + deps.dev/util/maven v0.0.0-20260112033243-1270359b191b // indirect deps.dev/util/pypi v0.0.0-20250903005441-604c45d5b44b // indirect - deps.dev/util/resolve v0.0.0-20251127011616-f763ce91ff53 // indirect - deps.dev/util/semver v0.0.0-20251127011616-f763ce91ff53 // indirect + deps.dev/util/resolve v0.0.0-20260112033243-1270359b191b // indirect + deps.dev/util/semver v0.0.0-20260112033243-1270359b191b // indirect github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20250520111509-a70c2aa677fa // indirect github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 // indirect 
@@ -121,7 +121,7 @@ require ( github.com/google/go-cmp v0.7.0 // indirect github.com/google/go-containerregistry v0.20.6 // indirect github.com/google/jsonschema-go v0.4.2 // indirect - github.com/google/osv-scalibr v0.4.1-0.20251202121049-5e7e15f4a036 // indirect + github.com/google/osv-scalibr v0.4.3-0.20260204140443-347932c398c6 // indirect github.com/google/s2a-go v0.1.9 // indirect github.com/google/uuid v1.6.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect @@ -129,6 +129,7 @@ require ( github.com/gopherjs/gopherjs v1.17.2 // indirect github.com/gorilla/websocket v1.5.3 // indirect github.com/hhatto/gorst v0.0.0-20181029133204-ca9f730cac5b // indirect + github.com/icholy/digest v1.1.0 // indirect github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect github.com/jdkato/prose v1.2.1 // indirect github.com/jtolds/gls v4.20.0+incompatible // indirect 
@@ -218,17 +219,17 @@ require ( golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect gonum.org/v1/gonum v0.16.0 // indirect google.golang.org/genproto v0.0.0-20250707201910-8d1bb00bc6a7 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20260112192933-99fd39fd28a9 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b // indirect google.golang.org/grpc v1.79.3 // indirect - gopkg.in/ini.v1 v1.67.0 // indirect + gopkg.in/ini.v1 v1.67.1 // indirect gopkg.in/neurosnap/sentences.v1 v1.0.7 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect modernc.org/libc v1.66.3 // indirect modernc.org/mathutil v1.7.1 // indirect modernc.org/memory v1.11.0 // indirect modernc.org/sqlite v1.38.0 // indirect - osv.dev/bindings/go v0.0.0-20251208025524-721e0912c3f8 // indirect + osv.dev/bindings/go v0.0.0-20260119002423-9eebd248ed28 // indirect sigs.k8s.io/yaml v1.6.0 // indirect www.velocidex.com/golang/go-ntfs v0.2.0 // indirect www.velocidex.com/golang/regparser v0.0.0-20250203141505-31e704a67ef7 // indirect diff --git a/go.sum b/go.sum index 4a356863..4424b3a4 100644 --- a/go.sum +++ b/go.sum 
@@ -11,18 +11,18 @@ cyphar.com/go-pathrs v0.2.1 h1:9nx1vOgwVvX1mNBWDu93+vaceedpbsDqo+XuBGL40b8= cyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc= dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8= dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA= -deps.dev/api/v3 v3.0.0-20251127011616-f763ce91ff53 h1:l84kdMBUvxFDhMFluQiCR7VS8BHIba9MuGaQJ/abRLs= -deps.dev/api/v3 v3.0.0-20251127011616-f763ce91ff53/go.mod h1:MntdDuD/RI8T19XT1AG/4ymbtIbjWJDQdqc+oT0Wmp4= -deps.dev/api/v3alpha v0.0.0-20251127011616-f763ce91ff53 h1:XZbybcbgofrqMwkp6yHwv6r29Gbzo/qRuKFDqrK2Tqo= -deps.dev/api/v3alpha v0.0.0-20251127011616-f763ce91ff53/go.mod h1:0yskUBLVTOXiUGJeGMm/fu91hEIwlPjtkGmT/aGpvUA= -deps.dev/util/maven v0.0.0-20251127011616-f763ce91ff53 h1:cfORtGtLQX0tKq0CO/S6Ez9ENs9pKCcB8xno3ek0ZmM= -deps.dev/util/maven v0.0.0-20251127011616-f763ce91ff53/go.mod h1:eGrXziwI7scSGrwIj+5EBHtTeSxAZD/yi8Hb3nFXesA= +deps.dev/api/v3 v3.0.0-20260112033243-1270359b191b h1:NkVNC+Ut/+D9qQgeDnQqz+14vPRqA93+qCZRjLOab/0= +deps.dev/api/v3 v3.0.0-20260112033243-1270359b191b/go.mod h1:6VsNv87KDxqV8qxAlLtSdsjy7kOUvpxJdwaKwXW1VyQ= +deps.dev/api/v3alpha v0.0.0-20260112033243-1270359b191b h1:DB4ivwN8dXDMnvsa1CWmHEmKlsefoHFkPi+FSV1B8wI= +deps.dev/api/v3alpha v0.0.0-20260112033243-1270359b191b/go.mod h1:zl7tW8SaLfMWvGWU3YDc4t6S8kW/MpZvfPp3PJkRoug= +deps.dev/util/maven v0.0.0-20260112033243-1270359b191b h1:AaII17gX8rkxZZdz4/0D4mrm2PGkQkK3NCpcdTtCpJA= +deps.dev/util/maven v0.0.0-20260112033243-1270359b191b/go.mod h1:eGrXziwI7scSGrwIj+5EBHtTeSxAZD/yi8Hb3nFXesA= deps.dev/util/pypi v0.0.0-20250903005441-604c45d5b44b h1:67FfxwUt82PEMle2FKlW4DZvzcfSODDoTnSGOT1bYtY= deps.dev/util/pypi v0.0.0-20250903005441-604c45d5b44b/go.mod h1:qmA0z/Lsfa1FMtuLd9JmVZLMHR3GBX/EmbM6z1X3EDU= -deps.dev/util/resolve v0.0.0-20251127011616-f763ce91ff53 h1:Wma6mvXem6ksOFt4xhKcPpNEfXKhADA8rqB5vI8lAeg= -deps.dev/util/resolve v0.0.0-20251127011616-f763ce91ff53/go.mod 
h1:KTvVyZikz2Vcjl5qOblwBvuAXCkeQKjpO7y754qeyNc= -deps.dev/util/semver v0.0.0-20251127011616-f763ce91ff53 h1:U9z9Wd2vt57vrBG6WvP0OCM5ESeDht0eZsPj1vYrH+M= -deps.dev/util/semver v0.0.0-20251127011616-f763ce91ff53/go.mod h1:jjJweVqtuMQ7Q4zlTQ/kCHpboojkRvpMYlhy/c93DVU= +deps.dev/util/resolve v0.0.0-20260112033243-1270359b191b h1:xkPjtB7KoTjpBhjyZwgFN7TFKHwsl2jcNzN1OQXlfN0= +deps.dev/util/resolve v0.0.0-20260112033243-1270359b191b/go.mod h1:u6Udh2TQmZyBeNRCEjPDEwgWQZqjM4Z2ibtfxOmjO9o= +deps.dev/util/semver v0.0.0-20260112033243-1270359b191b h1:W6kx/8UDb0ztJpcL5vLKe+0y8fterK7B/WNGbklZk48= +deps.dev/util/semver v0.0.0-20260112033243-1270359b191b/go.mod h1:jjJweVqtuMQ7Q4zlTQ/kCHpboojkRvpMYlhy/c93DVU= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20250520111509-a70c2aa677fa h1:x6kFzdPgBoLbyoNkA/jny0ENpoEz4wqY8lPTQL2DPkg= 
@@ -30,8 +30,8 @@ github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20250520111509-a70c2aa677fa/go.mod github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg= github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg= -github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= +github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk= +github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/CycloneDX/cyclonedx-go v0.9.3 h1:Pyk/lwavPz7AaZNvugKFkdWOm93MzaIyWmBwmBo3aUI= github.com/CycloneDX/cyclonedx-go v0.9.3/go.mod h1:vcK6pKgO1WanCdd61qx4bFnSsDJQ6SbM2ZuMIgq86Jg= github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 h1:IEjq88XO4PuBDcvmjQJcQGg+w+UaafSy8G5Kcb5tBhI= 
@@ -174,8 +174,8 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs= github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo= -github.com/gkampitakis/go-snaps v0.5.18 h1:oZaQoonWI4KX3c9LNSWsxby8SM6EL+mex4KgLjzfIWg= -github.com/gkampitakis/go-snaps v0.5.18/go.mod h1:gC3YqxQTPyIXvQrw/Vpt3a8VqR1MO8sVpZFWN4DGwNs= +github.com/gkampitakis/go-snaps v0.5.19 h1:hUJlCQOpTt1M+kSisMwioDWZDWpDtdAvUhvWCx1YGW0= +github.com/gkampitakis/go-snaps v0.5.19/go.mod h1:gC3YqxQTPyIXvQrw/Vpt3a8VqR1MO8sVpZFWN4DGwNs= github.com/glebarez/go-sqlite v1.20.3 h1:89BkqGOXR9oRmG58ZrzgoY/Fhy5x0M+/WV48U5zVrZ4= github.com/glebarez/go-sqlite v1.20.3/go.mod h1:u3N6D/wftiAzIOJtZl6BmedqxmmkDfH3q+ihjqxC9u0= github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c= @@ -210,8 +210,8 @@ github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9L github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= -github.com/goccy/go-yaml v1.19.0 h1:EmkZ9RIsX+Uq4DYFowegAuJo8+xdX3T/2dwNPXbxEYE= -github.com/goccy/go-yaml v1.19.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= +github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM= +github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/gohugoio/hashstructure v0.5.0 h1:G2fjSBU36RdwEJBWJ+919ERvOVqAg9tfcYp47K9swqg= 
@@ -250,10 +250,10 @@ github.com/google/go-cpy v0.0.0-20211218193943-a9c933c06932 h1:5/4TSDzpDnHQ8rKEE github.com/google/go-cpy v0.0.0-20211218193943-a9c933c06932/go.mod h1:cC6EdPbj/17GFCPDK39NRarlMI+kt+O60S12cNB5J9Y= github.com/google/jsonschema-go v0.4.2 h1:tmrUohrwoLZZS/P3x7ex0WAVknEkBZM46iALbcqoRA8= github.com/google/jsonschema-go v0.4.2/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE= -github.com/google/osv-scalibr v0.4.1-0.20251202121049-5e7e15f4a036 h1:a+w+8ZQYYybXPWI1yJD+mXri5fMLcThlP41rIB7XNns= -github.com/google/osv-scalibr v0.4.1-0.20251202121049-5e7e15f4a036/go.mod h1:9Ze2W6nQmu1WX2s95ezOAVZhPDbcA6ZGuEHgFT/sQEU= -github.com/google/osv-scanner/v2 v2.3.1 h1:97NVCr8QNdS9deD8zxB0cIPI7vmcqAm8YJhclnXETu8= -github.com/google/osv-scanner/v2 v2.3.1/go.mod h1:quqGNQmjxXajI5boUGbnbjrh06/s2a7vXpQ5aQQ/obg= +github.com/google/osv-scalibr v0.4.3-0.20260204140443-347932c398c6 h1:NvsjChpuS0lgaS0iA8vtylMK93VrIIk4BQY7iTCwfV4= +github.com/google/osv-scalibr v0.4.3-0.20260204140443-347932c398c6/go.mod h1:+4bTgeaPiKtZrJqYEnVB//YJw95dUXMjeqW+HKEWEkM= +github.com/google/osv-scanner/v2 v2.3.3 h1:Ix65CEncchDlgzEbG4jx2QkWv0jwYYrLKKWo0hczY5k= +github.com/google/osv-scanner/v2 v2.3.3/go.mod h1:ydWzvWYWR5RULK3HRsINRHUXjcoQA9S4DrFjtKVHz8M= github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8= github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA= github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0= 
@@ -277,14 +277,16 @@ github.com/hhatto/gorst v0.0.0-20181029133204-ca9f730cac5b h1:Jdu2tbAxkRouSILp2E github.com/hhatto/gorst v0.0.0-20181029133204-ca9f730cac5b/go.mod h1:HmaZGXHdSwQh1jnUlBGN2BeEYOHACLVGzYOXCbsLvxY= github.com/ianlancetaylor/demangle v0.0.0-20251118225945-96ee0021ea0f h1:Fnl4pzx8SR7k7JuzyW8lEtSFH6EQ8xgcypgIn8pcGIE= github.com/ianlancetaylor/demangle v0.0.0-20251118225945-96ee0021ea0f/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw= +github.com/icholy/digest v1.1.0 h1:HfGg9Irj7i+IX1o1QAmPfIBNu/Q5A5Tu3n/MED9k9H4= +github.com/icholy/digest v1.1.0/go.mod h1:QNrsSGQ5v7v9cReDI0+eyjsXGUoRSUZQHeQ5C4XLa0Y= github.com/jarcoal/httpmock v1.4.1 h1:0Ju+VCFuARfFlhVXFc2HxlcQkfB+Xq12/EotHko+x2A= github.com/jarcoal/httpmock v1.4.1/go.mod h1:ftW1xULwo+j0R0JJkJIIi7UKigZUXCLLanykgjwBXL0= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jdkato/prose v1.2.1 h1:Fp3UnJmLVISmlc57BgKUzdjr0lOtjqTZicL3PaYy6cU= github.com/jdkato/prose v1.2.1/go.mod h1:AiRHgVagnEx2JbQRQowVBKjG0bcs/vtkGCH1dYAL1rA= -github.com/jedib0t/go-pretty/v6 v6.7.5 h1:9dJSWTJnsXJVVAbvxIFxeHf/JxoJd7GUl5o3UzhtuiM= -github.com/jedib0t/go-pretty/v6 v6.7.5/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU= +github.com/jedib0t/go-pretty/v6 v6.7.8 h1:BVYrDy5DPBA3Qn9ICT+PokP9cvCv1KaHv2i+Hc8sr5o= +github.com/jedib0t/go-pretty/v6 v6.7.8/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= 
@@ -370,8 +372,8 @@ github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.13.0 h1:Zza88GWezyT7RLql12URvoxsbLfjFx988+LGaWfbL84= github.com/opencontainers/selinux v1.13.0/go.mod h1:XxWTed+A/s5NNq4GmYScVy+9jzXhGBVEOAyucdRUY8s= -github.com/ossf/osv-schema/bindings/go v0.0.0-20251230224438-88c48750ddae h1:nvfTerE/hSYc/TQ3JUZYeL7DuVhjPkBeOGxicPzoJmc= -github.com/ossf/osv-schema/bindings/go v0.0.0-20251230224438-88c48750ddae/go.mod h1:Eo7R19vlnflsCRdHW1ynyNUyoRwxdaTmTWD9MtKnJTc= +github.com/ossf/osv-schema/bindings/go v0.0.0-20260114034825-230b4a2f4d73 h1:4MhPgj2Ro1qUDoUXFC1gH1DJkLWmKpA7Vpe5pFAGM10= +github.com/ossf/osv-schema/bindings/go v0.0.0-20260114034825-230b4a2f4d73/go.mod h1:Eo7R19vlnflsCRdHW1ynyNUyoRwxdaTmTWD9MtKnJTc= github.com/owenrumney/go-sarif/v3 v3.3.0 h1:p5oSxEV0uPWBRpAspTmwWr4t1YZyKUpdoFzSB7WE90A= github.com/owenrumney/go-sarif/v3 v3.3.0/go.mod h1:72MaugkExDexbSauRuPq6BvUAAqAX0TwoNYMIQyZCMw= github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs= 
@@ -660,10 +662,10 @@ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20250707201910-8d1bb00bc6a7 h1:FGOcxvKlJgRBVbXeugjljCfCgfKWhC42FBoYmTCWVBs= google.golang.org/genproto v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:249YoW4b1INqFTEop2T4aJgiO7UBYJrpejsaLvjWfI8= -google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls= -google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto= -google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2 h1:2I6GHUeJ/4shcDpoUlLs/2WPnhg7yJwvXtqcMJt9liA= -google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk= +google.golang.org/genproto/googleapis/api v0.0.0-20260112192933-99fd39fd28a9 h1:4DKBrmaqeptdEzp21EfrOEh8LE7PJ5ywH6wydSbOfGY= +google.golang.org/genproto/googleapis/api v0.0.0-20260112192933-99fd39fd28a9/go.mod h1:dd646eSK+Dk9kxVBl1nChEOhJPtMXriCcVb4x3o6J+E= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b h1:Mv8VFug0MP9e5vUxfBcE3vUkV6CImK3cMNMIDFjmzxU= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= 
@@ -686,8 +688,8 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= -gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/ini.v1 v1.67.1 h1:tVBILHy0R6e4wkYOn3XmiITt/hEVH4TFMYvAX2Ytz6k= +gopkg.in/ini.v1 v1.67.1/go.mod h1:x/cyOwCgZqOkJoDIJ3c1KNHMo10+nLGAhh+kn3Zizss= gopkg.in/neurosnap/sentences.v1 v1.0.6/go.mod h1:YlK+SN+fLQZj+kY3r8DkGDhDr91+S3JmTb5LSxFRQo0= gopkg.in/neurosnap/sentences.v1 v1.0.7 h1:gpTUYnqthem4+o8kyTLiYIB05W+IvdQFYR29erfe8uU= gopkg.in/neurosnap/sentences.v1 v1.0.7/go.mod h1:YlK+SN+fLQZj+kY3r8DkGDhDr91+S3JmTb5LSxFRQo0= @@ -699,8 +701,8 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o= -gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g= +gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= +gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= modernc.org/cc/v4 v4.26.2 h1:991HMkLjJzYBIfha6ECZdjrIYz2/1ayr+FL8GN+CNzM= 
@@ -729,8 +731,8 @@ modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0= modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A= modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y= modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM= -osv.dev/bindings/go v0.0.0-20251208025524-721e0912c3f8 h1:XEG7YZ+GPiq9V7S4Sl9RnO0T4IWWcpnyVRuc4SnGgLc= -osv.dev/bindings/go v0.0.0-20251208025524-721e0912c3f8/go.mod h1:PBb6Z8M4PWwLJZ0P1wIFPHexCr/v5IcOxeMrPVbT4Fo= +osv.dev/bindings/go v0.0.0-20260119002423-9eebd248ed28 h1:+DliG2/XFCfGsiw1Uw4hQeSQGz66Q9igzudGNlCfpSo= +osv.dev/bindings/go v0.0.0-20260119002423-9eebd248ed28/go.mod h1:KMQkRiH+XQsxMvsRJfn/JdGDWi+sk0Z4/f4RbB51KTs= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= From 16cb369ef22f3325e8876ec984c695f87d55c6c0 Mon Sep 17 00:00:00 2001 From: Timur Olzhabayev Date: Fri, 22 May 2026 12:14:08 +0200 Subject: [PATCH 2/3] fix(docker): pin golangci-lint install.sh to release tag The install.sh on master hard-codes a checksum for the latest release, so passing an older version arg causes a sha256 mismatch. Pin the script to the same tag as the requested version. --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index f923ef50..3d4cece2 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -18,7 +18,7 @@ RUN freshclam RUN git clone https://github.com/magefile/mage --depth 1 && \ cd mage && \ go run bootstrap.go && \ - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION} && \ + curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/${GOLANGCI_LINT_VERSION}/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION} && \ curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b /usr/local/bin ${GOSEC_VERSION} && \ python3 -m pip install semgrep==${SEMGREP_VERSION} --ignore-installed --break-system-packages From f30eb8bb2eab4400d6d994fed04d3f46067b57a8 Mon Sep 17 00:00:00 2001 From: Timur Olzhabayev Date: Fri, 22 May 2026 12:20:31 +0200 Subject: [PATCH 3/3] chore(docker): bump golang base image to provide go 1.25.7+ osv-scanner v2.3.3 requires go >= 1.25.7, but the previous pinned digest of golang:1.25-alpine3.22 shipped go 1.25.6. Refresh the digest to the current floating tag (go 1.25.10). --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 3d4cece2..60426c7f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ ARG GOLANGCI_LINT_VERSION=v2.12.2 ARG GOSEC_VERSION=v2.22.8 ARG SEMGREP_VERSION=1.84.1 -FROM golang:1.25-alpine3.22@sha256:fa3380ab0d73b706e6b07d2a306a4dc68f20bfc1437a6a6c47c8f88fe4af6f75 AS builder +FROM golang:1.25-alpine3.22@sha256:26b4d7113039cd51356bd7930ecafd1031d2975dc3b6940ec8ed09457e17cf95 AS builder ARG GOLANGCI_LINT_VERSION ARG GOSEC_VERSION
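Review bot: The gosec installer on the context line right after the changed one is still fetched from `master` and piped to `sh`, so the mutable-ref problem this hunk removes for golangci-lint remains for gosec: the script executed at build time can change without any change to this Dockerfile. Assuming `install.sh` is present at the gosec release tag, the same pin applies there: `curl -sSfL https://raw.githubusercontent.com/securego/gosec/${GOSEC_VERSION}/install.sh | sh -s -- -b /usr/local/bin ${GOSEC_VERSION} && \`. A tag can still be re-pointed, so a commit SHA in the URL, or a checksum check of the downloaded script before it runs, is the stronger pin for both installers. The `git clone https://github.com/magefile/mage --depth 1` at the top of the same RUN likewise builds whatever the default branch holds, while go.mod in this series pins mage v1.15.0; adding `--branch v1.15.0` would keep the two in step.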