Skip to content

fix(security): remediate CVE vulnerabilities#311

Open
ulucinar wants to merge 2 commits intorelease-0.10from
fix/cve-remediation-release-0.10-20260507-095733
Open

fix(security): remediate CVE vulnerabilities#311
ulucinar wants to merge 2 commits intorelease-0.10from
fix/cve-remediation-release-0.10-20260507-095733

Conversation

@ulucinar
Copy link
Copy Markdown
Collaborator

@ulucinar ulucinar commented May 7, 2026

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

CVE/GHSA Severity Package Fixed Version
GHSA-mh2q-q3fh-2475 High go.opentelemetry.io/otel v1.41.0

Changes Made

  • Updated go.opentelemetry.io/otel from v1.39.0 to v1.41.0 in go.mod
  • Updated go.opentelemetry.io/otel/trace from v1.39.0 to v1.41.0 in go.mod
  • Ran go mod tidy to update dependencies

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

@ulucinar
fix(security): remediate CVE vulnerabilities
303dd92 
- Update go.opentelemetry.io/otel to v1.41.0 (fixes GHSA-mh2q-q3fh-2475)

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@ulucinar
Copy link
Copy Markdown
Collaborator Author

ulucinar commented May 7, 2026

Build Failure Analysis

Check: build (arm64)
Status: Failed
Analyzed: 2026-05-07T10:30:00Z

Summary

The build (arm64) check failed because the Crossplane CLI installation script could not download the requested version.

Root Cause

The workflow is configured to download Crossplane CLI with:

  • XP_CHANNEL: master
  • XP_VERSION: current

However, the "current" version identifier is not available on the "master" channel. The install script failed with: "Failed to download Crossplane CLI. Please make sure version current exists on channel master."

Error Details

Failed to download Crossplane CLI. Please make sure version current exists on channel master.
##[error]Process completed with exit code 1.

Recommendation

Fix required: Update .github/workflows/ci.yml to use XP_CHANNEL: stable instead of master. The stable channel supports the current version identifier. See the remediation plan for detailed steps.

This analysis was generated by the build-failure-analyze skill.

@ulucinar
fix(ci): use stable Crossplane CLI channel
d0470d5 
The master channel does not support the 'current' version identifier.
Switch to the stable channel which does support it.

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@phisco phisco phisco approved these changes

@sergenyalcin sergenyalcin Awaiting requested review from sergenyalcin sergenyalcin is a code owner

@turkenf turkenf Awaiting requested review from turkenf turkenf is a code owner

@negz negz Awaiting requested review from negz negz is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ulucinar @phisco