Skip to content

bug: Vuln Scan Fixes #3829

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 28 commits into from
Oct 9, 2025
Merged

bug: Vuln Scan Fixes #3829

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
6d408e3
quic-go library v0.39.4 -> v0.42.0 Fixes 2 Medium issues w/Exploit
jose-blockchain Aug 12, 2025
0650184
reverting the quic-go version from v0.42.0 back to v0.39.4; keep gola…
jose-blockchain Aug 12, 2025
945aa3f
qtls-go1-20: v0.3.4 → v0.4.1; not called libcrypto in this context
jose-blockchain Aug 12, 2025
a4fbcbc
golang.org/x/net: v0.18.0 → v0.23.0 and others
jose-blockchain Aug 12, 2025
1637afc
Upgrade Alpine Linux from 3.19 to 3.20 (newer version with security p…
jose-blockchain Aug 12, 2025
fd648ed
go-ethereum: v1.13.11 → v1.13.15 (High-severity vulnerability fixed)
jose-blockchain Aug 12, 2025
ea2cbe4
google.golang.org/protobuf: v1.31.0 → v1.33.0
jose-blockchain Aug 12, 2025
d99805b
Alpine Linux: 3.20 → 3.21 for busybox libs 1.36.1-r15 to 1.36.1-r19
jose-blockchain Aug 12, 2025
d4a532e
quic-go: v0.39.4 → v0.40.1 (2 medium-severity vulnerabilities fixed)
jose-blockchain Aug 12, 2025
53f9622
btcd: v0.23.1 → v0.23.2 1 critical/high + 2 medium vulns addressed
jose-blockchain Aug 12, 2025
7b12dc7
sync dockerfile and CI action client.yml
jose-blockchain Aug 14, 2025
ae81607
add ethereum deps before protobuf
jose-blockchain Aug 14, 2025
c2e3580
upgrade to fix client-lint error
jose-blockchain Aug 14, 2025
53f0f89
ci: exclude G115 integer overflow warnings from gosec scan
jose-blockchain Aug 14, 2025
59b012e
explicit go version on staticcheck for client-lint
jose-blockchain Aug 14, 2025
d43d456
ci: exclude SA1019 deprecation warnings from staticcheck
jose-blockchain Aug 14, 2025
4918528
ci: exclude SA1019 deprecation warnings from staticcheck with -checks=
jose-blockchain Aug 14, 2025
b71642b
extend test module timeout to 15m
jose-blockchain Aug 14, 2025
c2f03c1
chore(ci): use consistent go version on ci
piotr-roslaniec Oct 8, 2025
9a800a8
chore: bump go version to 1.24
piotr-roslaniec Oct 8, 2025
ba7a578
fix: add -checklinkname=0 flag to resolve Go 1.24 build failures
piotr-roslaniec Oct 8, 2025
b9cbd02
fix: add code generation to vet and lint CI jobs
piotr-roslaniec Oct 8, 2025
a9c6435
fix: revert CI to use existing generated files instead of regenerating
piotr-roslaniec Oct 8, 2025
1fb8eb1
fix: restore missing _address/TokenStaking placeholder file
piotr-roslaniec Oct 8, 2025
73488a4
docs: add comments explaining _address placeholder files
piotr-roslaniec Oct 8, 2025
289f797
fix: restore accidentally deleted generated TokenStaking files
piotr-roslaniec Oct 8, 2025
6ab2585
fix: eliminate Docker dependency anti-pattern and implement proper Go…
piotr-roslaniec Oct 8, 2025
807d467
ci: trigger run on squashed commit
piotr-roslaniec Oct 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 26 additions & 24 deletions .github/workflows/client.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ jobs:
outputs:
path-filter: ${{ steps.filter.outputs.path-filter }}
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
if: github.event_name == 'pull_request'

- uses: dorny/paths-filter@v2
Expand All @@ -52,7 +52,7 @@ jobs:
outputs:
path-filter: ${{ steps.filter.outputs.path-filter }}
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
if: github.event_name == 'pull_request'

- uses: dorny/paths-filter@v2
Expand All @@ -71,7 +71,7 @@ jobs:
|| needs.client-detect-changes.outputs.path-filter == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
# Fetch the whole history for the `git describe` command to work.
fetch-depth: 0
Expand All @@ -88,18 +88,18 @@ jobs:
environment: ${{ github.event.inputs.environment }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@v3

- name: Cache Docker layers
uses: actions/cache@v3
uses: actions/cache@v4
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-

- name: Build Docker Build Image
uses: docker/build-push-action@v3
uses: docker/build-push-action@v5
with:
target: build-docker
tags: go-build-env
Expand All @@ -123,7 +123,7 @@ jobs:
docker save --output /tmp/go-build-env-image.tar go-build-env

- name: Upload Docker Build Image
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: go-build-env-image
path: /tmp/go-build-env-image.tar
Expand All @@ -133,11 +133,11 @@ jobs:
docker run \
--workdir /go/src/github.com/keep-network/keep-core \
go-build-env \
gotestsum
gotestsum -- -timeout 15m

- name: Build Docker Runtime Image
if: github.event_name != 'workflow_dispatch'
uses: docker/build-push-action@v3
uses: docker/build-push-action@v5
with:
target: runtime-docker
labels: |
Expand All @@ -148,15 +148,15 @@ jobs:

- name: Login to Google Container Registry
if: github.event_name == 'workflow_dispatch'
uses: docker/login-action@v2
uses: docker/login-action@v3
with:
registry: ${{ env.GCR_REGISTRY_URL }}
username: _json_key
password: ${{ secrets.KEEP_TEST_GCR_JSON_KEY }}

- name: Build and publish Docker Runtime Image
if: github.event_name == 'workflow_dispatch'
uses: docker/build-push-action@v3
uses: docker/build-push-action@v5
env:
IMAGE_NAME: "keep-client"
with:
Expand All @@ -177,7 +177,7 @@ jobs:
context: .

- name: Build Client Binaries
uses: docker/build-push-action@v3
uses: docker/build-push-action@v5
with:
target: output-bins
outputs: type=local,dest=./out/bin/
Expand All @@ -189,7 +189,7 @@ jobs:
context: .

- name: Archive Client Binaries
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: binaries
path: |
Expand Down Expand Up @@ -240,10 +240,11 @@ jobs:
env:
GO111MODULE: on
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: securego/gosec@master
with:
args: |
-exclude=G115
-exclude-dir=pkg/chain/ethereum/beacon/gen
-exclude-dir=pkg/chain/ethereum/ecdsa/gen
-exclude-dir=pkg/chain/ethereum/threshold/gen
Expand All @@ -257,8 +258,8 @@ jobs:
|| needs.client-detect-changes.outputs.path-filter == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: "go.mod"
- name: gofmt
Expand All @@ -275,8 +276,8 @@ jobs:
|| needs.client-detect-changes.outputs.path-filter == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: "go.mod"
- run: go vet
Expand All @@ -288,15 +289,16 @@ jobs:
|| needs.client-detect-changes.outputs.path-filter == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: "go.mod"
- name: Staticcheck
uses: dominikh/staticcheck-action@v1.3.0
uses: dominikh/staticcheck-action@v1.4.0
with:
version: "2023.1.6"
version: "2025.1.1"
install-go: false
checks: "-SA1019"

client-integration-test:
needs: [electrum-integration-detect-changes, client-build-test-publish]
Expand All @@ -306,10 +308,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@v3

- name: Download Docker Build Image
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: go-build-env-image
path: /tmp
Expand Down
2 changes: 2 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,8 @@ yarn-error.log
/solidity*/**/export.json

# Go bindings generator
# Note: Some specific _address files are committed as empty placeholders
# to satisfy //go:embed directives during CI builds that don't run go generate
/pkg/chain/**/gen/_address/
/pkg/chain/**/gen/_contracts/
/pkg/chain/**/gen/abi/*.abi
Expand Down
23 changes: 15 additions & 8 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM golang:1.20.13-alpine3.19 AS build-sources
FROM golang:1.24-alpine3.21 AS build-sources

ENV GOPATH=/go \
GOBIN=/go/bin \
Expand All @@ -10,7 +10,7 @@ ENV GOPATH=/go \

# TODO: Remove perl once go-ethereum is upgraded to 1.11.
# See pkg/chain/ethereum/tbtc/gen/Makefile and after_abi_hook for details.
RUN apk add --update --no-cache \
RUN apk update && apk upgrade && apk add --update --no-cache \
g++ \
linux-headers \
protobuf-dev \
Expand All @@ -26,7 +26,7 @@ RUN apk add --update --no-cache \
rm -rf /var/cache/apk/ && mkdir /var/cache/apk/ && \
rm -rf /usr/share/man

RUN go install gotest.tools/gotestsum@latest
RUN go install gotest.tools/gotestsum@v1.10.1

RUN mkdir -p $APP_DIR $TEST_RESULTS_DIR

Expand All @@ -36,9 +36,6 @@ WORKDIR $APP_DIR
COPY go.mod go.sum $APP_DIR/
RUN go mod download

# Install code generators.
RUN go install google.golang.org/protobuf/cmd/[email protected]

# Copy source code for generation.
COPY ./pkg/beacon/dkg/result/gen $APP_DIR/pkg/beacon/dkg/result/gen
COPY ./pkg/beacon/entry/gen $APP_DIR/pkg/beacon/entry/gen
Expand All @@ -57,6 +54,10 @@ COPY ./pkg/tecdsa/gen $APP_DIR/pkg/tecdsa/gen
COPY ./pkg/protocol/announcer/gen $APP_DIR/pkg/protocol/announcer/gen
COPY ./pkg/protocol/inactivity/gen $APP_DIR/pkg/protocol/inactivity/gen


# Install code generators.
RUN go install google.golang.org/protobuf/cmd/[email protected]

# Environment is to download published and tagged NPM packages versions.
ARG ENVIRONMENT

Expand All @@ -69,6 +70,9 @@ RUN make generate environment=$ENVIRONMENT

COPY ./ $APP_DIR/

# Update go.sum with any missing dependencies
RUN go mod tidy && go mod download

#
# Build Docker Image
#
Expand All @@ -84,12 +88,15 @@ RUN GOOS=linux make build \
version=$VERSION \
revision=$REVISION

FROM alpine:3.19 as runtime-docker
FROM alpine:3.21 as runtime-docker

ENV APP_NAME=keep-client \
APP_DIR=/go/src/github.com/keep-network/keep-core \
BIN_PATH=/usr/local/bin

# Update Alpine packages to get latest security patches
RUN apk update && apk upgrade && rm -rf /var/cache/apk/*

COPY --from=build-docker $APP_DIR/$APP_NAME $BIN_PATH

# ENTRYPOINT cant handle ENV variables.
Expand All @@ -101,7 +108,7 @@ CMD []
#
# Build Binaries
#
FROM golang:1.20.13-bullseye AS build-bins
FROM golang:1.24-bullseye AS build-bins

ENV APP_DIR=/go/src/github.com/keep-network/keep-core

Expand Down
2 changes: 1 addition & 1 deletion Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,7 +107,7 @@ define go_build_cmd
$(eval arch := $(4))

GOOS=$(os) GOARCH=$(arch) go build \
-ldflags "-X github.com/keep-network/keep-core/build.Version=$(version) -X github.com/keep-network/keep-core/build.Revision=$(revision)" \
-ldflags "-X github.com/keep-network/keep-core/build.Version=$(version) -X github.com/keep-network/keep-core/build.Revision=$(revision) -checklinkname=0" \
-o $(out_dir)/$(file_name) \
-a \
.
Expand Down
Loading