• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

opendefensecloud / solution-arsenal / 28590323071
76%

Build:
DEFAULT BRANCH: main
Ran 02 Jul 2026 12:49PM UTC
Jobs 1
Files 65
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

02 Jul 2026 12:33PM UTC coverage: 75.987% (+0.2%) from 75.763%
28590323071

push

github

web-flow
fix(deps): resolve new CVEs flagged by osv-scanner (#675)

## What
Fix the failing osv-scanner scan by bumping the two fixable sigstore
dependencies and ignoring the one unfixable vulnerability with a
documented justification.

## Why
The scheduled osv-scan started failing after three new CVEs were
published: [GHSA-f5mr-q85p-6hh6](https://osv.dev/GHSA-f5mr-q85p-6hh6)
(fulcio, High),
[GHSA-9c54-x2g4-v92j](https://osv.dev/GHSA-9c54-x2g4-v92j)
(timestamp-authority, Medium), and
[GHSA-fxhp-mv3v-67qp](https://osv.dev/GHSA-fxhp-mv3v-67qp) (oras-go/v2,
High). The first two are fixed by bumping to `fulcio v1.8.6` and
`timestamp-authority/v2 v2.1.0`. The oras-go vulnerability has no fixed
release yet (v2.6.1 is both the latest and the last affected version),
so it is added to `IgnoredVulns` in `.osv-scanner.toml`.

Ignoring GHSA-fxhp-mv3v-67qp is safe: the vulnerability is a hardlink
path escape in the tar-extraction code of
`oras.land/oras-go/v2/content/file`, and that package is not part of
solar's build graph at all (verified via `go list -deps ./...`) — we
only link `registry/remote` and `content/memory`. The ignore entry
carries a comment saying to remove it once a fixed oras-go release
ships.

## Testing
- `make scan` passes locally (previously failed with the three CVEs)
- `go build ./...` succeeds after the dependency bumps

## Checklist
- [x] ~~Tests added/updated~~ n/a
- [x] No breaking changes (or upgrade path documented above)
- [x] Readable commit history (squashed and cleaned up as desired)
- [x] AI code review considered and comments resolved


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
  * Updated several project dependencies to newer versions.
* Added a security exception for a vulnerability that does not affect
shipped binaries.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

4060 of 5343 relevant lines covered (75.99%)

51.14 hits per line

Jobs
ID Job ID Ran Files Coverage
1 28590323071.1 02 Jul 2026 12:49PM UTC 65
75.99
GitHub Action Run
Source Files on build 28590323071
  • Tree
  • List 65
  • Changed 3
  • Source Changed 0
  • Coverage Changed 3
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Repo
  • Github Actions Build #28590323071
  • c7334a51 on github
  • Prev Build on main (#28571001187)
  • Next Build on main (#28812142978)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc