CVEs: Release-1.8 and Release-1.9 have CVEs that can only be resolved by upgrading to Go 1.23

[cprivitere]

The weekly security scan task has found two modules that have CVEs in our codebase.

• golang.org/x/crypto
• golang.org/x/net

To bump these to the fixed version (0.35 for crypto and 0.38 for net), we would need to bump the project to use 1.23. We don't generally do this as it'd force anyone consuming the module downstream to upgrade their go as well and that might not work for their projects or timelines.

This issue is to decide and document whether we should bump 1.8 and 1.9 to Go 1.23 or leave it as is.

[cprivitere]

I ran govulncheck with verbose output against the release-1.8 branch and got the following:

=== Symbol Results ===

No vulnerabilities found.

=== Package Results ===

Vulnerability #1: GO-2025-3595
    Incorrect Neutralization of Input During Web Page Generation in x/net in
    golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2025-3595
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.33.0
    Fixed in: golang.org/x/net@v0.38.0

Vulnerability #2: GO-2025-3503
    HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2025-3503
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.33.0
    Fixed in: golang.org/x/net@v0.36.0

=== Module Results ===

Vulnerability #1: GO-2025-3488
    Unexpected memory consumption during token parsing in golang.org/x/oauth2
  More info: https://pkg.go.dev/vuln/GO-2025-3488
  Module: golang.org/x/oauth2
    Found in: golang.org/x/oauth2@v0.21.0
    Fixed in: golang.org/x/oauth2@v0.27.0

Vulnerability #2: GO-2025-3487
    Potential denial of service in golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2025-3487
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.31.0
    Fixed in: golang.org/x/crypto@v0.35.0

Your code is affected by 0 vulnerabilities.
This scan also found 2 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.

Meanwhile the trivy scan found these vulnerabilities, but does not tell you if they're called or not:

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2025-22869 │ HIGH     │ fixed  │ v0.31.0           │ 0.35.0        │ golang.org/x/crypto/ssh: Denial of Service in the Key    │
│                     │                │          │        │                   │               │ Exchange of golang.org/x/crypto/ssh                      │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-22869               │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ golang.org/x/net    │ CVE-2025-22872 │ MEDIUM   │        │ v0.33.0           │ 0.38.0        │ golang.org/x/net/html: Incorrect Neutralization of Input │
│                     │                │          │        │                   │               │ During Web Page Generation in x/net in...                │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-22872               │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

CVE-2025-22869 is the same as GO-2025-3487.
CVE-2025-22872 is the same as GO-2025-3595.

So I believe the question is now this:

Since govulncheck has identified the same issues as trivy along with two others (GO-2025-3503 and GO-2025-3488), and says all of them are not in code that's called by this project, do we trust govulncheck and ignore these CVEs?

[sbueringer]

do we trust govulncheck and ignore these CVEs?

I would say yes.

@chrischdi @fabriziopandini?

I think if govulncheck determines we don't use the affected code we can't justify the breaking change of a go minor version bump in go.mod on release branches

[chrischdi]

Yes we trust govulncheck. Otherwise we should never have added it.

[sbueringer]

@chrischdi Do you remember if we ever excluded CVE's in trivy and how to do it? (so we can get the action back to green)

[chrischdi]

Yes, for trivy we can add a file like this:

https://github.com/k8s-infra-cherrypick-robot/cluster-api-provider-vsphere/blob/3da90355cb46cbe2a7f3365f2542150c9d152d22/.trivyignore

[sbueringer]

Great! @cprivitere I think we can go ahead and add a .trivyignore file on the branches where it's needed

[cprivitere]

/triage accepted