From 77ea812fbe096848dc5c2d2b37007cc5d4fee116 Mon Sep 17 00:00:00 2001
From: cx-adar-zandberg
Date: Wed, 28 Jan 2026 09:04:10 +0200
Subject: [PATCH 1/4] Fix CVE-2026-24137 by upgrading sigstore to v1.10.4
Mitigate CVE-2026-24137 affecting github.com/sigstore/sigstore through transitive dependency chain: github.com/sylabs/sif/v2@v2.21.1 -> github.com/sigstore/sigstore@v1.8.15 The vulnerability is fixed in sigstore v1.10.4. Using a replace directive to force the patched version without requiring Go 1.25 upgrade.
---
go.mod | 1 +
1 file changed, 1 insertion(+)
diff --git a/go.mod b/go.mod
index 78d86aa..558b905 100644
--- a/go.mod
+++ b/go.mod
@@ -289,5 +289,6 @@ require (
replace (
github.com/containerd/containerd/v2 => github.com/containerd/containerd/v2 v2.1.4
github.com/opencontainers/runc => github.com/opencontainers/runc v1.3.3
+ github.com/sigstore/sigstore => github.com/sigstore/sigstore v1.10.4
google.golang.org/protobuf => google.golang.org/protobuf v1.33.0
)
From 450cd5692ae6bc94b8d4e41a16d839aaab151877 Mon Sep 17 00:00:00 2001
From: cx-adar-zandberg
Date: Wed, 28 Jan 2026 11:59:17 +0200
Subject: [PATCH 2/4] Empty commit
From df85e8de0a913ab6971e4e182861caef0a3faabe Mon Sep 17 00:00:00 2001
From: Adar Zandberg
Date: Thu, 29 Jan 2026 11:04:12 +0200
Subject: [PATCH 3/4] Update README.md
---
README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index ab2a608..9d17c70 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,4 @@
+ # containers-resolver This Go module simplifies the process of analyzing images by providing tools to extract images from various file formats and resolve the software packages within them. It enables users to gain insights into the contents of Docker images, facilitating tasks such as vulnerability assessments and software inventory management. With support for debugging and flexible extraction methods, it's a valuable resource for developers, DevOps engineers, and security professionals working with containerized environments.
From cb133916e6df95e9d490e1d50373908e4662ff2e Mon Sep 17 00:00:00 2001
From: cx-adar-zandberg
Date: Thu, 29 Jan 2026 11:56:43 +0200
Subject: [PATCH 4/4] fix: update dependencies to address SCA vulnerabilities
Fixed CVEs:
- CVE-2026-24137: sigstore updated to v1.10.4
- CVE-2025-64329, CVE-2024-25621: containerd/v2 updated to v2.1.5
- CVE-2025-31133, CVE-2025-52881, CVE-2025-52565: runc updated to v1.3.3
- CVE-2025-46569: OPA updated to v1.4.0
- CVE-2025-22868: lestrrat-go/jwx updated to v1.2.31
Not a vulnerability:
- CVE-2019-25210: Helm project officially rejected this CVE
Known unfixable (require major version upgrades):
- CVE-2025-11579: rardecode v1 has no fix, requires v2
- CVE-2025-27144: go-jose.v2 has no fix, requires v4
---
go.mod | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index 558b905..dbf9ea1 100644
--- a/go.mod
+++ b/go.mod
@@ -287,8 +287,15 @@ require (
)
replace (
- github.com/containerd/containerd/v2 => github.com/containerd/containerd/v2 v2.1.4
+ // CVE-2025-64329, CVE-2024-25621 - fixed in v2.1.5
+ github.com/containerd/containerd/v2 => github.com/containerd/containerd/v2 v2.1.5
+ // CVE-2025-22868 - fixed in v1.2.31
+ github.com/lestrrat-go/jwx => github.com/lestrrat-go/jwx v1.2.31
+ // CVE-2025-46569 - fixed in v1.4.0
+ github.com/open-policy-agent/opa => github.com/open-policy-agent/opa v1.4.0
+ // CVE-2025-31133, CVE-2025-52881, CVE-2025-52565 - fixed in v1.3.3
github.com/opencontainers/runc => github.com/opencontainers/runc v1.3.3
+ // CVE-2026-24137 - fixed in v1.10.4
github.com/sigstore/sigstore => github.com/sigstore/sigstore v1.10.4
google.golang.org/protobuf => google.golang.org/protobuf v1.33.0
)
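Review bot: The new `replace` lines (e.g. `github.com/open-policy-agent/opa => github.com/open-policy-agent/opa v1.4.0`) only take effect when this module is the main module of a build; Go ignores `replace` directives found in a dependency's go.mod, so consumers that import this library (the README describes it as a module for callers) keep resolving the vulnerable versions and the CVEs listed in the message remain open for them. To make the fix propagate, raise the versions in the `require` block instead (`go get github.com/sigstore/sigstore@v1.10.4` and likewise for the others), keeping `replace` only where a require bump is impossible, or document that consumers must add the same replaces. The diffstat shows only go.mod changed, but a new module version normally needs go.sum entries too; run `go mod tidy` and commit go.sum, otherwise `-mod=readonly` builds fail with missing checksum entries. The attribution of CVE-2025-22868 to lestrrat-go/jwx is worth double-checking — as far as I recall that ID is filed against golang.org/x/oauth2's jws package, in which case the jwx pin does not address it and x/oauth2 should be bumped instead. Patch 1's message says the sigstore pin was chosen to avoid a Go 1.25 upgrade; confirm that sigstore v1.10.4 and opa v1.4.0 actually build under the module's current `go` directive, which is outside this hunk.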