stacklok / toolhive / 26881398633

03 Jun 2026 11:20AM UTC coverage: 65.86% (+0.005%) from 65.855%

push

github

web-flow
Ignore go1.26.4 stdlib vulns in govulncheck until toolchain bump (#5425)

The daily Security Scan and every open PR started failing on 2026-06-03
after three Go standard-library advisories were published on 2026-06-02:

  GO-2026-5037 (CVE-2026-27145, crypto/x509 VerifyHostname)
  GO-2026-5038 (CVE-2026-42504, mime WordDecoder.DecodeHeader)
  GO-2026-5039 (CVE-2026-42507, net/textproto error messages)

All three are stdlib DoS / log-injection issues (no RCE) fixed in
go1.26.4 / go1.25.11. CI builds with `setup-go: stable`, which still
resolves to go1.26.3 because the actions/go-versions manifest lags the
release, so govulncheck flags them on code we do not control.

Add the three OSV IDs to the documented IGNORED_VULNS exclusion list to
unblock CI. This is temporary and should be removed once CI builds on
go1.26.4 or later.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

66405 of 100827 relevant lines covered (65.86%)

63.94 hits per line

Source File

78.17
/pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available
