fix: bump go to 1.22.12 to fix vulns CF-2302 #196
Codacy's Analysis Summary: 0 new issues (≤ 1 medium issue) ✅; +0.00% coverage variation (-0.50%).
Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch.
Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified.
Pull request overview
This PR updates the module’s declared Go version in go.mod as part of addressing reported vulnerabilities (CF-2302).
Changes:
- Bump the `go` directive in `go.mod` from `1.22.4` to `1.24.13`.
Pull request overview
Updates the module’s declared Go version to a patched 1.22.x release to address reported vulnerabilities (CF-2302).
Changes:
- Bump the `go` directive in `go.mod` from `1.22.4` to `1.22.12`.
Pull request overview
Updates the repository’s Go toolchain version (per PR title: vulnerability remediation) and adjusts integration-test fixtures for generated Codacy configuration outputs.
Changes:
- Bumps the Go version in `go.mod` to `1.22.12`.
- Updates integration-test expected `codacy.yaml` tool entries/versions (notably opengrep/semgrep and trivy).
- Adds `.codacy/codacy.yaml` files inside integration-test directories.
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| integration-tests/init-without-token/expected/codacy.yaml | Updates expected tool list/versions for local init output. |
| integration-tests/init-without-token/.codacy/codacy.yaml | Adds a repo-tracked .codacy config inside the test directory. |
| integration-tests/init-with-token/expected/codacy.yaml | Updates expected opengrep version for token-based init output. |
| integration-tests/init-with-token/.codacy/codacy.yaml | Adds a repo-tracked .codacy config inside the test directory. |
| integration-tests/config-discover/expected/codacy.yaml | Updates expected opengrep version for local config discover output. |
| go.mod | Bumps Go version to 1.22.12. |
| @@ -12,4 +12,4 @@ tools: | |||
| - pmd@7.11.0 | |||
| - pylint@3.3.6 | |||
| - revive@1.7.0 | |||
| - trivy@0.69.3 | |||
| - trivy@0.69.3 No newline at end of file | |||
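Review bot: the only change in this `@@ -12,4 +12,4 @@` hunk is that `- trivy@0.69.3` loses its trailing newline ("No newline at end of file"). If this expected fixture is compared byte-for-byte against the `codacy.yaml` the CLI generates, it now asserts that the generator emits no final newline; if the file was edited by hand, restore the newline so fixture and generated output stay identical and the diff carries no change at all.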
| - eslint@8.57.0 | ||
| - lizard@1.17.31 | ||
| - opengrep@1.16.2 | ||
| - opengrep@1.16.4 |
| runtimes: | ||
| - dart@3.7.2 | ||
| - go@1.22.3 | ||
| - java@17.0.10 | ||
| - node@22.2.0 | ||
| - python@3.11.11 | ||
| tools: | ||
| - dartanalyzer@3.7.2 | ||
| - eslint@8.57.0 | ||
| - lizard@1.17.31 | ||
| - pmd@7.11.0 | ||
| - pylint@3.3.6 | ||
| - revive@1.7.0 | ||
| - semgrep@1.78.0 | ||
| - trivy@0.66.0 |
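Review bot: the expected output keeps `- go@1.22.3` under `runtimes:` while `go.mod` moves to 1.22.12 in this PR, and the removed block drops `semgrep@1.78.0`, `dartanalyzer@3.7.2` and `trivy@0.66.0` in favour of `opengrep@1.16.4`. Since the stated purpose is vulnerability remediation, confirm whether the Go runtime the CLI installs for tools is meant to stay on 1.22.3, and say in the PR description that semgrep and dartanalyzer are intentionally removed from the default tool list rather than a side effect of regenerating the fixture.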
| @@ -0,0 +1,15 @@ | |||
| runtimes: | |||
| - dart@3.7.2 | |||
| - go@1.22.3 | |||
| runtimes: | ||
| - java@17.0.10 | ||
| - node@22.2.0 | ||
| - python@3.11.11 | ||
| tools: | ||
| - eslint@8.57.0 | ||
| - lizard@1.17.31 | ||
| - opengrep@1.16.4 | ||
| - pmd@6.55.0 | ||
| - pylint@3.3.9 | ||
| - trivy@0.69.3 |
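Review bot: a tracked `.codacy/codacy.yaml` inside an integration-test directory may be picked up by the CLI's config discovery when the test runs, so it needs a comment or README line saying whether it is an input fixture or a generated artifact that should be gitignored. The versions pinned here (`pmd@6.55.0`, `pylint@3.3.9`) also differ from the `pmd@7.11.0` / `pylint@3.3.6` entries in the expected `codacy.yaml` hunk above, which is fine for an input fixture but worth documenting so the next person regenerating fixtures does not "fix" the mismatch.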
Pull request overview
Updates runtime/tool versions and refreshes test fixtures used by the CLI’s tool/integration test suites.
Changes:
- Bump Go version in `go.mod` (1.22.4 → 1.22.12).
- Bump Opengrep default/test version (1.16.2 → 1.16.4) and update related expected outputs/config snapshots.
- Refresh expected SARIF outputs for Trivy/Revive and update integration-test language/tool snapshots.
Reviewed changes
Copilot reviewed 13 out of 14 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| go.mod | Bumps the Go version used by the module. |
| .codacy/codacy.yaml | Updates repo-level Codacy tool list (adds opengrep 1.16.4) and removes flutter/dartanalyzer entries. |
| plugins/tools/opengrep/plugin.yaml | Updates Opengrep default version to 1.16.4. |
| plugins/tools/opengrep/test/src/.codacy/codacy.yaml | Updates Opengrep version used in the Opengrep plugin test fixture. |
| plugins/tools/opengrep/test/expected.sarif | Updates the expected SARIF for Opengrep tool tests. |
| plugins/tools/trivy/test/src/.codacy/codacy.yaml | Adjusts the Trivy plugin test Codacy config. |
| plugins/tools/trivy/test/expected.sarif | Refreshes Trivy expected SARIF output. |
| plugins/tools/revive/test/expected.sarif | Refreshes Revive expected SARIF output ordering/content. |
| integration-tests/init-without-token/expected/tools-configs/languages-config.yaml | Updates expected tool language/extension mappings (ordering/entries). |
| integration-tests/init-with-token/expected/tools-configs/languages-config.yaml | Updates expected tool language/extension mappings (adds TS to some tools, moves opengrep). |
| integration-tests/init-with-token/expected/codacy.yaml | Bumps Opengrep version in the expected init output. |
| integration-tests/config-discover/expected/tools-configs/languages-config.yaml | Updates expected tool language/extension mappings for config-discover integration test. |
| "tool": { | ||
| "driver": { | ||
| "name": "Opengrep OSS", | ||
| "rules": null, | ||
| "semanticVersion": "1.16.4" |
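Review bot: `"rules": null` in the `tool.driver` object of the expected Opengrep SARIF will fail strict validation by downstream consumers, because the SARIF 2.1.0 schema types `rules` as an array. If the fixture was regenerated from Opengrep 1.16.4 output, this is what the tool now emits and the PR should say so; if it was hand-edited, use `[]` or omit the property.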
| name: opengrep | ||
| description: Opengrep is an open-source static analysis tool and community fork of Semgrep for finding bugs and enforcing code standards. | ||
| default_version: 1.16.2 | ||
| default_version: 1.16.4 |
| "message": { | ||
| "text": "Package: ajv\nInstalled Version: 6.12.6\nVulnerability CVE-2025-69873\nSeverity: MEDIUM\nFixed Version: 8.18.0, 6.14.0\nLink: [CVE-2025-69873](https://avd.aquasec.com/nvd/cve-2025-69873)" | ||
| "text": "Package: django\nInstalled Version: 1.11.29\nVulnerability CVE-2021-33203\nSeverity: MEDIUM\nFixed Version: 2.2.24, 3.1.12, 3.2.4\nLink: [CVE-2021-33203](https://avd.aquasec.com/nvd/cve-2021-33203)" | ||
| }, | ||
| "ruleId": "CVE-2025-69873", | ||
| "ruleIndex": 0 | ||
| "ruleId": "CVE-2021-33203", | ||
| "ruleIndex": 12 |
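Review bot: the expected Trivy result changes from `ajv` / `CVE-2025-69873` (`ruleIndex` 0) to `django` / `CVE-2021-33203` (`ruleIndex` 12), so this fixture is being regenerated against whatever Trivy's vulnerability database returned on the day rather than against a stable input. Pin the database the test runs with (Trivy's `--skip-db-update` against a cached DB is one option) or assert on stable structure, such as the presence of a result for a known-vulnerable pinned dependency, so the expected SARIF does not need rewriting every time the database moves; otherwise record in the PR why the first-ranked finding changed.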
| - java@17.0.10 | ||
| - node@22.2.0 | ||
| - python@3.11.11 | ||
| - flutter@3.7.2 | ||
| tools: | ||
| - eslint@9.38.0 | ||
| - lizard@1.17.31 | ||
| - opengrep@1.16.4 | ||
| - pmd@6.55.0 | ||
| - pylint@3.3.9 | ||
| - revive@1.12.0 | ||
| - opengrep@1.16.2 | ||
| - trivy@0.69.3 |
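Review bot: removing `- flutter@3.7.2` from `runtimes:` (and, per the file summary, the dartanalyzer tool entry) goes beyond the Go bump described in the PR title; the description should state whether Dart/Flutter analysis is intentionally dropped from this repository's Codacy config, since the diff otherwise reads as a vulnerability-remediation change. The opengrep entry also moves from after `revive` to after `lizard` while bumping to 1.16.4, which suggests the file was regenerated rather than edited; if so, name the CLI command that produced it so the next update is reproducible.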
| runtimes: null | ||
| tools: | ||
| - trivy@0.69.3 | ||
| - trivy@0.69.3 No newline at end of file |
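Review bot: `runtimes: null` leaves the key present with a YAML null, whereas the other `codacy.yaml` files in this PR give `runtimes:` a list; if the CLI treats a missing key and a null the same way, omit the key for consistency, otherwise use an empty list. The `- trivy@0.69.3` line again changes only by losing its trailing newline, as in the first expected fixture, which points to the generator (or an editor) dropping the final newline and is worth fixing at the source rather than in each fixture.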
Might need to bump to a higher version, e.g. `1.24.13`.