Bump Go version to 1.25.8 for govulncheck to avoid false alarms


    • Type: Build Failure
    • Resolution: Fixed
    • Priority: Unknown
    • 2.6.0
    • Affects Version/s: None
    • Component/s: None
    • Go Drivers
    • Not Needed

      Name of Failure:

      govulncheck

      Link to task:

      https://spruce.corp.mongodb.com/task/mongo_go_driver_static_analysis_govulncheck_patch_f33dca86c386c7f57dc2183ce96096c7d6f698f2_69b039c42a768c0007efa859_26_03_10_15_33_25/logs?execution=0

      Context of when and why the failure occurred:

      The GO_VERSION pinned in etc/govulncheck.sh needs to be bumped to 1.25.8: govulncheck resolves standard-library findings against the toolchain it is run with, so a stale pin keeps reporting vulnerabilities that are already fixed in a newer patch release.
      Consider using a GitHub bot to keep the pin current.

      Stack trace:

      === Symbol Results ===
      [2026/03/10 15:37:11.831] Vulnerability #1: GO-2026-4602
      [2026/03/10 15:37:11.831] FileInfo can escape from a Root in os
      [2026/03/10 15:37:11.831] More info: https://pkg.go.dev/vuln/GO-2026-4602
      [2026/03/10 15:37:11.831] Standard library
      [2026/03/10 15:37:11.831] Found in: os@go1.25.7
      [2026/03/10 15:37:11.831] Fixed in: os@go1.25.8
      [2026/03/10 15:37:11.831] Example traces found:
      [2026/03/10 15:37:11.831] #1: internal/cmd/build-oss-fuzz-corpus/main.go:38:32: build.findJSONFilesInDir calls ioutil.ReadDir, which calls os.File.Readdir
      [2026/03/10 15:37:11.831] #2: internal/spectest/spectest.go:25:28: spectest.FindJSONFilesInDir calls os.ReadDir
      [2026/03/10 15:37:11.831] Vulnerability #2: GO-2026-4601
      [2026/03/10 15:37:11.831] Incorrect parsing of IPv6 host literals in net/url
      [2026/03/10 15:37:11.832] More info: https://pkg.go.dev/vuln/GO-2026-4601
      [2026/03/10 15:37:11.832] Standard library
      [2026/03/10 15:37:11.832] Found in: net/url@go1.25.7
      [2026/03/10 15:37:11.832] Fixed in: net/url@go1.25.8
      [2026/03/10 15:37:11.832] Example traces found:
      [2026/03/10 15:37:11.832] #1: internal/credproviders/assume_role_provider.go:94:29: credproviders.AssumeRoleProvider.RetrieveWithContext calls http.NewRequest, which eventually calls url.Parse
      [2026/03/10 15:37:11.832] #2: internal/credproviders/assume_role_provider.go:102:30: credproviders.AssumeRoleProvider.RetrieveWithContext calls http.Client.Do, which eventually calls url.URL.Parse
      [2026/03/10 15:37:11.832] === Package Results ===
      [2026/03/10 15:37:11.832] No other vulnerabilities found.
      [2026/03/10 15:37:11.832] === Module Results ===
      [2026/03/10 15:37:11.832] Vulnerability #1: GO-2026-4603
      [2026/03/10 15:37:11.832] URLs in meta content attribute actions are not escaped in html/template
      [2026/03/10 15:37:11.832] More info: https://pkg.go.dev/vuln/GO-2026-4603
      [2026/03/10 15:37:11.832] Standard library
      [2026/03/10 15:37:11.832] Found in: stdlib@go1.25.7
      [2026/03/10 15:37:11.832] Fixed in: stdlib@go1.25.8

      Acceptance criteria (AC):

      • Update the GO_VERSION in etc/govulncheck.sh to resolve the persistent failure
      • File a follow-up spike ticket to investigate using dependabot (or another automated method) to keep this dependency up to date
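A small guard, added here as an example and not part of the driver's etc/govulncheck.sh, that reads the "Fixed in:" lines of a govulncheck report, derives the lowest toolchain that clears all standard-library findings, and checks it against the pinned GO_VERSION. The sample report is constructed from the log lines quoted above (timestamps stripped); the 1.25.7 pin is assumed from the "Found in:" lines.

```shell
#!/usr/bin/env bash
# Constructed sample of the govulncheck output quoted in this ticket.
SAMPLE_REPORT='Vulnerability #1: GO-2026-4602
Found in: os@go1.25.7
Fixed in: os@go1.25.8
Vulnerability #2: GO-2026-4601
Found in: net/url@go1.25.7
Fixed in: net/url@go1.25.8
Vulnerability #1: GO-2026-4603
Found in: stdlib@go1.25.7
Fixed in: stdlib@go1.25.8'

# Assumed value of the pin in etc/govulncheck.sh before this ticket's fix.
PINNED_GO_VERSION=1.25.7

# Read a govulncheck report on stdin and print the highest "Fixed in: <pkg>@goX.Y.Z"
# version. Prints nothing when the report has no "Fixed in:" lines.
required_go_version() {
  sed -n 's/.*Fixed in: [^@]*@go\([0-9][0-9.]*\).*/\1/p' \
    | sort -t. -k1,1n -k2,2n -k3,3n \
    | tail -n 1
}

# pin_is_current PINNED REQUIRED: succeed (0) when PINNED is at least REQUIRED,
# fail (1) when the pin is older and must be bumped. An empty REQUIRED means
# the report had no stdlib findings, so the pin is considered current.
pin_is_current() {
  pinned="$1"
  required="$2"
  if [ -z "$required" ]; then
    return 0
  fi
  # Numeric sort on each dotted component; the pin is current unless it sorts
  # strictly before the required version.
  lowest="$(printf '%s\n%s\n' "$pinned" "$required" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)"
  [ "$lowest" = "$required" ]
}

# Stand-alone demo: evaluate the assumed pin against the constructed report.
required="$(printf '%s\n' "$SAMPLE_REPORT" | required_go_version)"
if pin_is_current "$PINNED_GO_VERSION" "$required"; then
  printf 'GO_VERSION=%s is current\n' "$PINNED_GO_VERSION"
else
  printf 'GO_VERSION=%s is stale; bump to %s\n' "$PINNED_GO_VERSION" "$required"
fi
```

Running it against the real report in CI (e.g. `govulncheck ./... | required_go_version`) turns a noisy false alarm into a single actionable line naming the version to pin.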

            Assignee:
            Qingyang Hu
            Reporter:
            Qingyang Hu
