Skip to content

fix: mitigate CVEs based on report 2026-06-29#136

Merged
diafour merged 7 commits into
v1.6.2-virtualizationfrom
dvp/cve-migitation-2026-06-29
Jul 6, 2026
Merged

fix: mitigate CVEs based on report 2026-06-29#136
diafour merged 7 commits into
v1.6.2-virtualizationfrom
dvp/cve-migitation-2026-06-29

Conversation

@diafour

@diafour diafour commented Jun 29, 2026

Copy link
Copy Markdown
Member

What this PR does

Mitigate Trivy-reported High/Critical vulnerabilities in KubeVirt fork dependencies.

Updated CVE-related replacements

  • golang.org/x/crypto -> v0.52.0
  • golang.org/x/net -> v0.55.0
  • golang.org/x/oauth2 -> v0.34.0

References

See deckhouse/virtualization#2557

Why we need it and why it was done in this way

The following tradeoffs were made:

The following alternatives were considered:

Links to places where the discussion took place:

Special notes for your reviewer

Huge removes

Large line deletions in this PR are mostly caused by dependency and generated code refresh, not by removing product functionality.

The majority of removed lines come from:

  • vendored Go/Kubernetes dependencies (golang.org/x, k8s.io/api, k8s.io/client-go)
  • regenerated protobuf/OpenAPI/client files
  • cleanup of obsolete API testdata snapshots in staging/src/.../apitesting/testdata
  • Most changed files:
    • vendor/golang.org/x/tools/internal/stdlib/manifest.go — 17092 removed - regeneration for the new Go version
    • Remove obsolete Unicode/IDNA tables:
      • x/text/unicode/norm/tables9.0.0.go — 7637
      • tables10.0.0.go — 7657
      • tables11.0.0.go — 7693
      • tables12.0.0.go — 7710
      • x/text/unicode/bidi/tables9/10/11/12/13...
      • x/net/idna/tables9/10/11/12/13...

This is consistent with the changes already present in the upstream main, where KubeVirt was updated to a newer Go version and the same dependency set was bumped. As part of that update, older
generated tables, deprecated API variants, and outdated vendored artifacts were removed or replaced with newer generated versions.

Checklist

This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.

Release note


Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
diafour added 5 commits June 29, 2026 20:02
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
@LopatinDmitr LopatinDmitr self-requested a review July 3, 2026 12:19
@diafour diafour merged commit 241de8c into v1.6.2-virtualization Jul 6, 2026
2 checks passed
@diafour diafour deleted the dvp/cve-migitation-2026-06-29 branch July 6, 2026 10:42
diafour added a commit that referenced this pull request Jul 6, 2026
Backport for release 1.9.

* fix: mitigate CVEs based on report 2026-06-29

Updated CVE-related replacements
- golang.org/x/crypto -> v0.52.0
- golang.org/x/net -> v0.55.0
- golang.org/x/oauth2 -> v0.34.0
- Go 1.24 -> Go 1.25

See deckhouse/virtualization#2557

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
diafour added a commit that referenced this pull request Jul 9, 2026
Backport for release 1.9.

* fix: mitigate CVEs based on report 2026-06-29

Updated CVE-related replacements
- golang.org/x/crypto -> v0.52.0
- golang.org/x/net -> v0.55.0
- golang.org/x/oauth2 -> v0.34.0
- Go 1.24 -> Go 1.25

See deckhouse/virtualization#2557

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
diafour added a commit that referenced this pull request Jul 9, 2026
Backport for release 1.9.

* fix: mitigate CVEs based on report 2026-06-29

Updated CVE-related replacements
- golang.org/x/crypto -> v0.52.0
- golang.org/x/net -> v0.55.0
- golang.org/x/oauth2 -> v0.34.0
- Go 1.24 -> Go 1.25

See deckhouse/virtualization#2557

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants