From e627168123d9781fa64191169071a8d2897ef375 Mon Sep 17 00:00:00 2001 From: Benjamin Borbe Date: Thu, 9 Jul 2026 16:48:56 +0200 Subject: [PATCH 1/2] exclude no-fix advisory GO-2026-5932 in checker templates --- CHANGELOG.md | 4 ++++ templates/Makefile.library | 16 ++++++++++++++-- templates/Makefile.service | 16 ++++++++++++++-- 3 files changed, 32 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2c8576b..37eb9fc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,10 @@ Please choose versions by [Semantic Versioning](http://semver.org/). * MINOR version when you add functionality in a backwards-compatible manner, and * PATCH version when you make backwards-compatible bug fixes. +## Unreleased + +- fix: checker templates exclude no-fix advisory GO-2026-5932 (`golang.org/x/crypto/openpgp`, unmaintained) — add it to `VULNCHECK_IGNORE` in `Makefile.library`/`Makefile.service`, and introduce a shared `TRIVY_IGNORE` baseline merged with any repo-local `.trivyignore` via a temp ignorefile (upgrades `Makefile.service`'s bare `trivy` target to honor an ignorefile). Propagates the exclusion to all consuming repos across both scanners. + ## v0.30.0 - feat: rewrite `/coding:self-improve` Step 5 routing to artifact-first, CLAUDE.md-last — routing table now leads with existing artifacts (command/agent/skill repair, runbooks, guides) and demotes memory files to last resort with a mandatory "which artifacts were checked" justification; adds a −1 scoring signal for proposals that route to a `CLAUDE.md` an existing artifact could own. Counters the observed bias of every session proposing new memory rules. diff --git a/templates/Makefile.library b/templates/Makefile.library index 3aa02f0..9f9923b 100644 --- a/templates/Makefile.library +++ b/templates/Makefile.library @@ -54,8 +54,14 @@ errcheck: # GO-2026-5037/5038/5039 are Go 1.26.3 stdlib vulns (crypto/x509, mime, net/textproto), # fixed in 1.26.4 — remove from this list once all CI runners and base images are on 1.26.4+. +# GO-2026-5932: golang.org/x/crypto/openpgp is unmaintained (no fix will ship) — the advisory +# deprecates the package, it is not an exploitable call path. Revisit if the dependency is dropped. VULNCHECK_IGNORE ?= GO-2026-4923 GO-2026-4514 GO-2022-0470 GO-2026-4772 GO-2026-4771 \ - GO-2026-5037 GO-2026-5038 GO-2026-5039 + GO-2026-5037 GO-2026-5038 GO-2026-5039 GO-2026-5932 + +# Shared trivy ignore baseline, merged with any repo-local .trivyignore in the trivy target. +# GO-2026-5932: see VULNCHECK_IGNORE note above (no-fix unmaintained x/crypto/openpgp). +TRIVY_IGNORE ?= GO-2026-5932 # Known-benign govulncheck failure modes we swallow. golang.org/x/tools v0.46.0 # panics on packages containing generic *types.TypeParam during SSA analysis @@ -104,11 +110,17 @@ osv-scanner: gosec: go run github.com/securego/gosec/v2/cmd/gosec@$(GOSEC_VERSION) -exclude=G104 ./... +# Build an ignorefile = shared TRIVY_IGNORE baseline + any repo-local .trivyignore +# (repo dir, then $(ROOTDIR)), so the shared no-fix exclusions always apply on top of repo-local ones. .PHONY: trivy trivy: + @IGN=$$(mktemp); \ + trap 'rm -f "$$IGN"' EXIT INT TERM; \ + printf '%s\n' $(TRIVY_IGNORE) > "$$IGN"; \ + for f in .trivyignore $(ROOTDIR)/.trivyignore; do [ -f "$$f" ] && cat "$$f" >> "$$IGN"; done; \ trivy fs \ --db-repository ghcr.io/aquasecurity/trivy-db \ - $(if $(wildcard .trivyignore),--ignorefile .trivyignore,$(if $(wildcard $(ROOTDIR)/.trivyignore),--ignorefile $(ROOTDIR)/.trivyignore,)) \ + --ignorefile "$$IGN" \ $(if $(wildcard .trivy-secret.yaml),--secret-config .trivy-secret.yaml,$(if $(wildcard $(ROOTDIR)/.trivy-secret.yaml),--secret-config $(ROOTDIR)/.trivy-secret.yaml,)) \ --scanners vuln,secret \ --skip-dirs vendor \ diff --git a/templates/Makefile.service b/templates/Makefile.service index 39d8615..9631dd2 100644 --- a/templates/Makefile.service +++ b/templates/Makefile.service @@ -61,8 +61,14 @@ errcheck: # GO-2026-5037/5038/5039 are Go 1.26.3 stdlib vulns (crypto/x509, mime, net/textproto), # fixed in 1.26.4 — remove from this list once all CI runners and base images are on 1.26.4+. +# GO-2026-5932: golang.org/x/crypto/openpgp is unmaintained (no fix will ship) — the advisory +# deprecates the package, it is not an exploitable call path. Revisit if the dependency is dropped. VULNCHECK_IGNORE ?= GO-2026-4923 GO-2026-4514 GO-2022-0470 GO-2026-4772 GO-2026-4771 \ - GO-2026-5037 GO-2026-5038 GO-2026-5039 + GO-2026-5037 GO-2026-5038 GO-2026-5039 GO-2026-5932 + +# Shared trivy ignore baseline, merged with any repo-local .trivyignore in the trivy target. +# GO-2026-5932: see VULNCHECK_IGNORE note above (no-fix unmaintained x/crypto/openpgp). +TRIVY_IGNORE ?= GO-2026-5932 # Known-benign govulncheck failure modes we swallow. golang.org/x/tools v0.46.0 # panics on packages containing generic *types.TypeParam during SSA analysis @@ -111,9 +117,15 @@ osv-scanner: gosec: go run github.com/securego/gosec/v2/cmd/gosec@$(GOSEC_VERSION) -exclude=G104 ./... +# Build an ignorefile = shared TRIVY_IGNORE baseline + any repo-local .trivyignore +# (repo dir, then $(ROOTDIR)), so the shared no-fix exclusions always apply on top of repo-local ones. .PHONY: trivy trivy: - trivy fs --scanners vuln,secret --quiet --no-progress --disable-telemetry --exit-code 1 . + @IGN=$$(mktemp); \ + trap 'rm -f "$$IGN"' EXIT INT TERM; \ + printf '%s\n' $(TRIVY_IGNORE) > "$$IGN"; \ + for f in .trivyignore $(ROOTDIR)/.trivyignore; do [ -f "$$f" ] && cat "$$f" >> "$$IGN"; done; \ + trivy fs --ignorefile "$$IGN" --scanners vuln,secret --quiet --no-progress --disable-telemetry --exit-code 1 . .PHONY: addlicense addlicense: From 0586e847a39eeba32d9901455479d2ad064b9f77 Mon Sep 17 00:00:00 2001 From: Benjamin Borbe Date: Thu, 9 Jul 2026 16:55:22 +0200 Subject: [PATCH 2/2] align Makefile.service trivy flags with Makefile.library --- CHANGELOG.md | 2 +- templates/Makefile.service | 11 ++++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 37eb9fc..5a53b59 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,7 +10,7 @@ Please choose versions by [Semantic Versioning](http://semver.org/). ## Unreleased -- fix: checker templates exclude no-fix advisory GO-2026-5932 (`golang.org/x/crypto/openpgp`, unmaintained) — add it to `VULNCHECK_IGNORE` in `Makefile.library`/`Makefile.service`, and introduce a shared `TRIVY_IGNORE` baseline merged with any repo-local `.trivyignore` via a temp ignorefile (upgrades `Makefile.service`'s bare `trivy` target to honor an ignorefile). Propagates the exclusion to all consuming repos across both scanners. +- fix: checker templates exclude no-fix advisory GO-2026-5932 (`golang.org/x/crypto/openpgp`, unmaintained) — add it to `VULNCHECK_IGNORE` in `Makefile.library`/`Makefile.service`, and introduce a shared `TRIVY_IGNORE` baseline merged with any repo-local `.trivyignore` via a temp ignorefile, and align `Makefile.service`'s `trivy` target with `Makefile.library`'s full flag set (`--db-repository`, `--ignorefile`, `--secret-config`, `--skip-dirs vendor`). Propagates the exclusion to all consuming repos across both scanners. ## v0.30.0 diff --git a/templates/Makefile.service b/templates/Makefile.service index 9631dd2..50db4d3 100644 --- a/templates/Makefile.service +++ b/templates/Makefile.service @@ -125,7 +125,16 @@ trivy: trap 'rm -f "$$IGN"' EXIT INT TERM; \ printf '%s\n' $(TRIVY_IGNORE) > "$$IGN"; \ for f in .trivyignore $(ROOTDIR)/.trivyignore; do [ -f "$$f" ] && cat "$$f" >> "$$IGN"; done; \ - trivy fs --ignorefile "$$IGN" --scanners vuln,secret --quiet --no-progress --disable-telemetry --exit-code 1 . + trivy fs \ + --db-repository ghcr.io/aquasecurity/trivy-db \ + --ignorefile "$$IGN" \ + $(if $(wildcard .trivy-secret.yaml),--secret-config .trivy-secret.yaml,$(if $(wildcard $(ROOTDIR)/.trivy-secret.yaml),--secret-config $(ROOTDIR)/.trivy-secret.yaml,)) \ + --scanners vuln,secret \ + --skip-dirs vendor \ + --quiet \ + --no-progress \ + --disable-telemetry \ + --exit-code 1 . .PHONY: addlicense addlicense: