Skip to content

Fix critical CVEs: build go-replace from source with Go 1.22+ instead of pre-built Go 1.19.1 binary#568

Draft
Kanti with Copilot wants to merge 3 commits into
masterfrom
copilot/fix-critical-cves-webdevops-php-nginx
Draft

Fix critical CVEs: build go-replace from source with Go 1.22+ instead of pre-built Go 1.19.1 binary#568
Kanti with Copilot wants to merge 3 commits into
masterfrom
copilot/fix-critical-cves-webdevops-php-nginx

Conversation

Copilot AI commented Jul 7, 2026

Copy link
Copy Markdown

The bundled go-replace binary (v22.10.0) was compiled with Go 1.19.1, exposing all images that include it to three critical CVEs in html/template and net/netip (CVE-2023-24538, CVE-2023-24540, CVE-2024-24790). No newer pre-built release exists, so the fix is to compile from source with the current Go toolchain.

Changes

  • template/Dockerfile/tools.jinja2 — Rewrites the goreplace macro to build from source using Alpine's go package (1.22+ on alpine:latest) with a virtual build dep that is removed post-install, rather than downloading a pre-built binary:
{% macro goreplace(path="/usr/local/bin", version="22.10.0") -%}
    ## Install go-replace (build from source to ensure up-to-date Go stdlib, fixing CVEs in pre-built binaries)
    && apk add --no-cache --virtual .build-deps-go go \
    && GOPATH=/tmp/go-build GOCACHE=/tmp/go-cache GOARCH=$TARGETARCH GOOS=linux CGO_ENABLED=0 go install "github.com/webdevops/go-replace@{{ version }}" \
    && (mv "/tmp/go-build/bin/linux_${TARGETARCH}/go-replace" "{{ path }}/go-replace" 2>/dev/null || mv /tmp/go-build/bin/go-replace "{{ path }}/go-replace") \
    && apk del .build-deps-go \
    && rm -rf /tmp/go-build /tmp/go-cache \
    && chmod +x "{{ path }}/go-replace" \
    && "{{ path }}/go-replace" --version
{%- endmacro %}

The binary path fallback (linux_${TARGETARCH} → generic) handles both cross-compilation and native builds correctly.

  • docker/toolbox/latest/Dockerfile — Regenerated to reflect the updated macro output.

Copilot AI added 2 commits July 7, 2026 08:22
…d of pre-built binary

The pre-built go-replace binary v22.10.0 was compiled with Go v1.19.1 which contains
critical CVEs: CVE-2023-24538, CVE-2023-24540, CVE-2024-24790.

Update the goreplace macro in tools.jinja2 and the generated toolbox Dockerfile to build
go-replace from source using Alpine's Go package (1.22+ on alpine:latest), which fixes
the vulnerable stdlib by compiling with an up-to-date Go toolchain.

Closes #567
Use explicit mv with fallback for architecture-specific vs generic bin paths:
- Cross-compile (e.g., amd64 host building arm64): binary at /tmp/go-build/bin/linux_${TARGETARCH}/go-replace
- Native compile: binary at /tmp/go-build/bin/go-replace

The or-pattern (try arch-specific first, fall back to generic) handles both cases
explicitly rather than relying on find's silent failure behavior.
Copilot AI changed the title [WIP] Fix critical CVEs in webdevops/php-nginx:8.4-alpine Fix critical CVEs: build go-replace from source with Go 1.22+ instead of pre-built Go 1.19.1 binary Jul 7, 2026
Copilot finished work on behalf of Kanti July 7, 2026 08:24
Copilot AI requested a review from Kanti July 7, 2026 08:24
@sonarqubecloud

sonarqubecloud Bot commented Jul 7, 2026

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security] Critical CVEs in webdevops/php-nginx:8.4-alpine - golang stdlib v1.19.1 in go-replace binary

2 participants