[TT-16142] fix CVEs for v5.10.1 #7543
🎯 Recommended Merge Targets
Based on JIRA ticket TT-16142: High CVE's on 5.10.1 release. Fix Version: Tyk 5.10.1. Required:
🚨 Jira Linter Failed
The Jira linter failed to validate your PR. Please check the error details below:
This comment will be automatically deleted once the linter passes.
API Changes: no API changes detected
🔍 Code Analysis Results

PR Overview
This PR addresses security vulnerabilities (CVEs) by updating several Go dependencies.

Files Changed Analysis

Architecture & Impact Assessment
What this PR accomplishes:
Key technical changes introduced:
Affected system components:

```mermaid
graph TD
    subgraph Test Environment
        Dockertest --> Runc[runc v1.3.3]
    end
    subgraph Application
        Coprocess[Coprocess gRPC] --> Protobuf[protobuf v1.36.5]
        Auth[Auth Layer] --> JWT_Lib[Some JWT Lib] --> Jose2Go[jose2go v1.8.0]
    end
    TykGateway[Tyk Gateway] --> Coprocess
    TykGateway --> Auth
```

Scope Discovery & Context Expansion
The scope of this change is limited to dependency updates and does not alter application logic directly. The primary impact is on the security and stability of components that rely on these libraries:
Metadata: Powered by Visor from Probelabs. Last updated: 2025-11-18T09:22:14.433Z | Triggered by: opened | Commit: 0ae7d42
🔍 Code Analysis Results
✅ Security Check Passed: No security issues found – changes LGTM.
✅ Architecture Check Passed: No architecture issues found – changes LGTM.
✅ Performance Check Passed: No performance issues found – changes LGTM.
Quality Issues (1)
✅ Dependency Check Passed: No dependency issues found – changes LGTM.
✅ Connectivity Check Passed: No connectivity issues found – changes LGTM.
Last updated: 2025-11-18T09:22:15.867Z | Triggered by: opened | Commit: 0ae7d42
/release to release-5.10.1
## Description

## Related Issue

## Motivation and Context

## How This Has Been Tested

## Screenshots (if appropriate)

## Types of changes

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] Refactoring or add test (improvements in base code or adds test coverage to functionality)

## Checklist

- [ ] I ensured that the documentation is up to date
- [ ] I explained why this PR updates go.mod in detail with reasoning why it's required
- [ ] I would like a code coverage CI quality gate exception and have explained why

### Ticket Details

[TT-16142](https://tyktech.atlassian.net/browse/TT-16142)

| | |
|---------|----|
| Status | Open |
| Summary | High CVE's on 5.10.1 release |

Generated at: 2025-11-18 09:19:48

(cherry picked from commit b1e1142)
✅ Cherry-pick successful. A PR was created: #7545
/release to release-5.10
/release to release-5.8

✅ Cherry-pick successful. A PR was created: #7547
### **User description**
[TT-16142] fix CVEs for v5.10.1 (#7543)

## Description

## Related Issue

## Motivation and Context

## How This Has Been Tested

## Screenshots (if appropriate)

## Types of changes

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] Refactoring or add test (improvements in base code or adds test coverage to functionality)

## Checklist

- [ ] I ensured that the documentation is up to date
- [ ] I explained why this PR updates go.mod in detail with reasoning why it's required
- [ ] I would like a code coverage CI quality gate exception and have explained why

### Ticket Details

[TT-16142](https://tyktech.atlassian.net/browse/TT-16142)

| | |
|---------|----|
| Status | Open |
| Summary | High CVE's on 5.10.1 release |

Generated at: 2025-11-18 09:19:48

[TT-16142]: https://tyktech.atlassian.net/browse/TT-16142?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

___

### **PR Type**
Enhancement, Bug fix

___

### **Description**
- Bump `runc` to v1.3.3 to address CVEs
- Upgrade `jose2go` to v1.8.0 security release
- Update `protobuf` to v1.36.5 patch
- Refresh go.sum to match new versions

___

### Diagram Walkthrough

```mermaid
flowchart LR
    deps["Dependency versions"]
    runc["opencontainers/runc v1.1.14 -> v1.3.3"]
    jose["dvsekhvalnov/jose2go v1.6.0 -> v1.8.0"]
    proto["google.golang.org/protobuf v1.36.4 -> v1.36.5"]
    sum["go.sum updated"]
    deps -- "upgrade" --> runc
    deps -- "upgrade" --> jose
    deps -- "upgrade" --> proto
    runc -- "reflect in" --> sum
    jose -- "reflect in" --> sum
    proto -- "reflect in" --> sum
```

### File Walkthrough

| | Relevant files | | |
|---|---|---|---|
| **Dependencies** | go.mod | Bump security-sensitive dependencies in go.mod: upgrade `google.golang.org/protobuf` to v1.36.5; bump `github.com/dvsekhvalnov/jose2go` to v1.8.0 (indirect); bump `github.com/opencontainers/runc` to v1.3.3 (indirect). | [+3/-3](https://github.com/TykTechnologies/tyk/pull/7547/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6) |
| | go.sum | Refresh go.sum for upgraded dependencies: update checksums for `jose2go` v1.8.0, `runc` v1.3.3 and `protobuf` v1.36.5. | [+6/-6](https://github.com/TykTechnologies/tyk/pull/7547/files#diff-3295df7234525439d778f1b282d146a4f1ff6b415248aaac074e8042d9f42d63) |

Co-authored-by: andrei-tyk <97896463+andrei-tyk@users.noreply.github.com>
…7545)

### **User description**
[TT-16142] fix CVEs for v5.10.1 (#7543)

## Description

## Related Issue

## Motivation and Context

## How This Has Been Tested

## Screenshots (if appropriate)

## Types of changes

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] Refactoring or add test (improvements in base code or adds test coverage to functionality)

## Checklist

- [ ] I ensured that the documentation is up to date
- [ ] I explained why this PR updates go.mod in detail with reasoning why it's required
- [ ] I would like a code coverage CI quality gate exception and have explained why

### Ticket Details

[TT-16142](https://tyktech.atlassian.net/browse/TT-16142)

| | |
|---------|----|
| Status | Open |
| Summary | High CVE's on 5.10.1 release |

Generated at: 2025-11-18 09:19:48

[TT-16142]: https://tyktech.atlassian.net/browse/TT-16142?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

___

### **PR Type**
Enhancement, Bug fix

___

### **Description**
- Bump `runc` to v1.3.3 for CVEs
- Upgrade `jose2go` to v1.8.0
- Update `protobuf` to v1.36.5
- Refresh go.sum for new versions

___

### Diagram Walkthrough

```mermaid
flowchart LR
    deps["Dependencies (go.mod)"]
    runc["opencontainers/runc v1.3.3"]
    jose["dvsekhvalnov/jose2go v1.8.0"]
    proto["google.golang.org/protobuf v1.36.5"]
    gosum["go.sum updates"]
    deps -- "bump" --> runc
    deps -- "bump" --> jose
    deps -- "bump" --> proto
    runc -- "reflect in" --> gosum
    jose -- "reflect in" --> gosum
    proto -- "reflect in" --> gosum
```

### File Walkthrough

| | Relevant files | | |
|---|---|---|---|
| **Dependencies** | go.mod | Dependency bumps addressing security CVEs: update `google.golang.org/protobuf` to v1.36.5; upgrade `github.com/dvsekhvalnov/jose2go` to v1.8.0 (indirect); bump `github.com/opencontainers/runc` to v1.3.3 (indirect). | [+3/-3](https://github.com/TykTechnologies/tyk/pull/7545/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6) |
| | go.sum | Checksum updates for bumped dependencies: sync checksums for `jose2go` v1.8.0, `runc` v1.3.3 and `protobuf` v1.36.5. | [+6/-6](https://github.com/TykTechnologies/tyk/pull/7545/files#diff-3295df7234525439d778f1b282d146a4f1ff6b415248aaac074e8042d9f42d63) |

Co-authored-by: andrei-tyk <97896463+andrei-tyk@users.noreply.github.com>
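The merged descriptions above reduce the PR to three version floors (runc v1.3.3, jose2go v1.8.0, protobuf v1.36.5) plus the matching go.sum refresh (+6/-6). The program below is an added example, not code from the Tyk repository or from this PR: it audits a go.mod/go.sum pair against exactly those floors. The go.mod and go.sum inputs are constructed for the demo with placeholder h1 hashes (the module paths and floor versions are the ones the PR lists), and the "stale go.sum" scenario it can flag, a bumped go.mod whose go.sum lines were not regenerated, is an assumed failure mode, not something that happened in this PR. Version ordering handles the cases a floor check usually gets wrong: pre-release tags such as v1.8.0-rc1 rank below v1.8.0, `+incompatible` suffixes are ignored, and malformed versions never satisfy a floor.

```go
package main
// Added example, not Tyk's code: audit a go.mod/go.sum pair against the fixed versions this PR
// names. The go.mod and go.sum below are constructed for the demo; the h1 hashes are placeholders.
import (
	"fmt"
	"strings"
)

// Minimum fixed version per module, taken from the PR description (a slice keeps report order stable).
var fixedFloors = []struct{ mod, floor string }{
	{"github.com/dvsekhvalnov/jose2go", "v1.8.0"},
	{"github.com/opencontainers/runc", "v1.3.3"},
	{"google.golang.org/protobuf", "v1.36.5"},
}

// Constructed go.mod in the PR's "before" state, and the same file with the PR's three bumps applied.
const goModBefore = `module github.com/TykTechnologies/tyk
require (
	github.com/dvsekhvalnov/jose2go v1.6.0 // indirect
	github.com/opencontainers/runc v1.1.14 // indirect
	google.golang.org/protobuf v1.36.4
)`
var goModAfter = strings.NewReplacer("v1.6.0", "v1.8.0", "v1.1.14", "v1.3.3", "v1.36.4", "v1.36.5").Replace(goModBefore)

// Constructed go.sum for the "after" state: two h1 lines per version, one for the zip and one for its go.mod.
const goSumAfter = `github.com/dvsekhvalnov/jose2go v1.8.0 h1:fake1=
github.com/dvsekhvalnov/jose2go v1.8.0/go.mod h1:fake2=
github.com/opencontainers/runc v1.3.3 h1:fake3=
github.com/opencontainers/runc v1.3.3/go.mod h1:fake4=
google.golang.org/protobuf v1.36.5 h1:fake5=
google.golang.org/protobuf v1.36.5/go.mod h1:fake6=`

// versionKey maps "v1.2.3-rc1+incompatible" to a string that sorts like semver: a zero-padded numeric
// core, then "~" for a release so that it ranks above any "-pre" tag with the same core.
func versionKey(v string) (string, bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // "+incompatible" never affects precedence
	num, pre, hasPre := strings.Cut(v, "-")
	tag := "~"
	if hasPre {
		tag = "-" + pre // pre-release tags compare as plain strings, enough for a floor check
	}
	var c [3]int
	_, err := fmt.Sscanf(num, "%d.%d.%d", &c[0], &c[1], &c[2])
	// Round-tripping rejects trailing junk, leading zeros and short forms such as "1.2".
	ok := err == nil && fmt.Sprintf("%d.%d.%d", c[0], c[1], c[2]) == num
	return fmt.Sprintf("%08d.%08d.%08d%s", c[0], c[1], c[2], tag), ok
}

// atLeast reports whether have is a well-formed version at or above floor.
func atLeast(have, floor string) bool {
	kh, ok := versionKey(have)
	kf, _ := versionKey(floor)
	return ok && kh >= kf
}

// parseRequires collects module -> version from a go.mod's block-form require directive.
func parseRequires(goMod string) map[string]string {
	reqs, inBlock := map[string]string{}, false
	for _, line := range strings.Split(goMod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			reqs[f[0]] = f[1]
		}
	}
	return reqs
}

// audit returns one finding per floored module that is absent from go.mod, below its fixed
// version, or lacking the h1 lines in go.sum for the version go.mod requires.
func audit(goMod, goSum string) []string {
	reqs, sum := parseRequires(goMod), "\n"+goSum // leading newline: whole-line prefix matches also hit line 1
	var findings []string
	for _, d := range fixedFloors {
		have, ok := reqs[d.mod]
		zipLine, modLine := "\n"+d.mod+" "+have+" h1:", "\n"+d.mod+" "+have+"/go.mod h1:"
		switch {
		case !ok:
			findings = append(findings, d.mod+": not required in go.mod")
		case !atLeast(have, d.floor):
			findings = append(findings, d.mod+": "+have+" does not satisfy fixed version "+d.floor)
		case !strings.Contains(sum, zipLine) || !strings.Contains(sum, modLine):
			findings = append(findings, d.mod+": go.sum lacks the h1 lines for "+have)
		}
	}
	return findings
}

func main() {
	fmt.Println("before:", audit(goModBefore, goSumAfter)) // three modules below their floors
	fmt.Println("after: ", audit(goModAfter, goSumAfter))  // no findings
}
```

Against the real checkout the same two questions are answered by the toolchain: `go list -m all` prints the resolved version of every module (so an indirect dependency such as runc can be compared with its floor), and `go mod verify` confirms that the module cache still matches go.sum. `govulncheck ./...` goes one step further and reports whether vulnerable functions are actually reachable from the gateway binary, which is the question a reviewer would want answered for runc here, since the Visor diagram above places it only behind the Dockertest test dependency rather than in the application path.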



## Description

## Related Issue

## Motivation and Context

## How This Has Been Tested

## Screenshots (if appropriate)

## Types of changes

## Checklist

### Ticket Details

TT-16142

Generated at: 2025-11-18 09:19:48