
fix cve-2026-42499: Upgrade Go to 1.26.3 #3356

Open

fghanmi wants to merge 3 commits into conforma:release-v0.8 from fghanmi:CVE-2026-42499

Conversation

@fghanmi fghanmi commented Jun 24, 2026

coderabbitai Bot commented Jun 24, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 1228d122-7a26-440a-8cea-b9d9a0e14843

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@qodo-for-conforma

PR Summary by Qodo

Fix CVE-2026-42499 by upgrading Go toolchain to 1.26.3
🐞 Bug fix ⚙️ Configuration changes 🕐 Less than 10 minutes


Description

• Bump Go toolchain to 1.26.3 to address referenced CVEs.
• Update container build images to Go 1.26.3 equivalents.
• Align module Go version in go.mod with the new toolchain.
Diagram

graph TD
  B["Container build"] --> DF["Dockerfile"] --> GI[("golang:1.26.3")] --> OUT["conforma CLI"]
  B --> DFD["Dockerfile.dist"] --> UBI[("ubi9 go-toolset 9.8")] --> OUT
  B --> GM["go.mod (go 1.26.3)"] --> OUT
High-Level Assessment

The following are alternative approaches to this PR:

1. Pin the upstream golang image by digest in Dockerfile
  • ➕ Improves supply-chain security and build reproducibility (immutable base image).
  • ➕ Reduces risk of silently picking up future tag changes.
  • ➖ Requires periodic digest refreshes and potential tooling support (renovate/dependabot).
  • ➖ Slightly more friction when testing quick version bumps.
2. Add an explicit `toolchain go1.26.3` directive in go.mod
  • ➕ Ensures the exact toolchain is used even when developers have older Go installed.
  • ➕ Makes local/CI builds more consistent across environments.
  • ➖ Requires Go 1.21+ tooling behavior familiarity; may surprise contributors not expecting auto-download.
  • ➖ Might be redundant if CI/build containers fully control the toolchain already.

Recommendation: The PR’s approach (bumping the build images and go directive) is the right baseline fix for the CVEs. If reproducibility/supply-chain hardening is a priority, consider also pinning docker.io/library/golang by digest (as already done for the UBI image) and optionally adding a toolchain go1.26.3 directive to enforce the exact toolchain across developer machines.

Files changed (3) +3 / -3

Other (3) +3 / -3

Dockerfile (+1/-1): Update build stage to golang:1.26.3
• Bumps the upstream golang base image used for the build stage from 1.25.9 to 1.26.3 to pick up security fixes.

Dockerfile.dist (+1/-1): Switch UBI go-toolset build image to a newer 9.8 release
• Updates the Red Hat UBI go-toolset image reference (tag and digest) used for distribution builds to the newer Go toolset level aligned with the CVE fix.

go.mod (+1/-1): Bump module Go version to 1.26.3
• Updates the module 'go' version directive from 1.25.9 to 1.26.3 so builds and tooling align with the upgraded toolchain.

fullsend-ai-review Bot commented Jun 24, 2026

🤖 Finished Review · ✅ Success · Started 11:40 AM UTC · Completed 11:48 AM UTC
Commit: 47d3320 · View workflow run →

@qodo-for-conforma

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📜 Skill insights (0)

Context used
✅ Compliance rules (platform): 27 rules

Action required

1. Asdf Go version mismatch 🐞 Bug ☼ Reliability
Description
The PR raises the minimum Go version to 1.26.3 in the root module, but .tool-versions still pins
golang 1.25.9. Environments that honor .tool-versions (e.g., asdf) will select Go 1.25.9 and
then fail to build/test this repo because go.mod requires Go 1.26.3.
Code

go.mod[3]

+go 1.26.3
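Review bot: `go 1.26.3` on its own does not pin the toolchain a build actually uses; with `.tool-versions` still at `golang 1.25.9`, this hunk and the version-manager pin now disagree. Update `.tool-versions` to `golang 1.26.3` in the same change, or add a `toolchain go1.26.3` directive beside this line as the summary's second alternative suggests, so that every environment resolves to the patched release.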
Relevance

⭐⭐⭐ High

Past Go bumps synced .tool-versions with go.mod/Dockerfiles (PRs #3052, #3108, #2651); mismatch
likely fixed.

PR-#3052
PR-#3108
PR-#2651

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
go.mod now requires Go 1.26.3, while .tool-versions still pins Go 1.25.9; this is an explicit
version conflict within the repo configuration.

.tool-versions[1-1]
go.mod[1-4]
acceptance/go.mod[1-4]
tools/go.mod[1-4]
tools/kubectl/go.mod[1-6]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Root `go.mod` now requires Go `1.26.3`, but `.tool-versions` still pins `golang 1.25.9`, which makes asdf-managed environments pick an incompatible Go toolchain.

### Issue Context
This PR is explicitly a Go toolchain upgrade for CVE remediation; leaving the repo’s version-manager pin behind both breaks workflows and can keep contributors building with the old (vulnerable) version.

### Fix Focus Areas
- .tool-versions[1-1]
- go.mod[1-4]
- acceptance/go.mod[1-4]
- tools/go.mod[1-4]
- tools/kubectl/go.mod[1-6]

### Expected change
- Update `.tool-versions` to `golang 1.26.3`.
- (Optional, but recommended for consistency) Update the `go` directive in the other modules (`acceptance/`, `tools/`, `tools/kubectl/`) to `1.26.3` as well, since CI runs `go mod download` inside those modules.


Comment thread go.mod

fullsend-ai-review Bot commented Jun 24, 2026

Review

Findings

High

  • [protected-path] Dockerfile:19 — This PR modifies Dockerfile, which is a protected infrastructure file requiring human approval. The PR has no linked issue to authorize the change. While the PR description references CVE-2026-42499, CVE-2026-39820, and CVE-2026-33811 as motivation, protected-path changes require a linked issue for traceability. Human approval is required regardless of context.
    Remediation: Link an issue authorizing this Dockerfile change, or obtain explicit human maintainer approval.

Labels: PR bumps Go toolchain version across Dockerfiles, go.mod files, and build tooling to fix CVEs

Previous run

Looks good to me

Previous run (2)

Review

Findings

Medium

  • [stale-reference] tools/go.mod:3 — The go directive in tools/go.mod, tools/kubectl/go.mod, and acceptance/go.mod still specifies go 1.25.8, while the root go.mod is being updated to go 1.26.3. No toolchain directive exists in any of these modules. If any sub-module is built independently or its go.mod is used as a go-version-file source, it will use the older, unpatched Go toolchain, leaving the CVE fix incomplete.
    Remediation: Update the go directive in tools/go.mod, tools/kubectl/go.mod, and acceptance/go.mod to go 1.26.3 to match the root module.

Low

  • [edge-case] Dockerfile.dist:19 — The base image tag changed from a Go-version-aligned tag (go-toolset:1.25.8) to a UBI build number tag (go-toolset:9.8-1781757851). While the image is pinned by SHA256 digest (ensuring reproducibility), the tag no longer encodes the Go version, making it harder to verify at a glance that the image ships Go 1.26.3.

Info

  • [missing-authorization] go.mod:4 — No linked issue. Authorization inferred from the mechanical nature of the change (Go toolchain CVE remediation). The PR title and body reference specific CVEs as justification.
Previous run (3)

Review

Findings

Medium

  • [incomplete version update] tools/go.mod:3 — The Go version in tools/go.mod remains at 1.25.8 while the root go.mod is updated to 1.26.3. This creates an inconsistency across modules in the repository. While the Dockerfile (which controls the CI build image) is updated, the go directive should be kept consistent across all modules.
    Remediation: Update the go directive in tools/go.mod to 1.26.3 and run go mod tidy.

  • [incomplete version update] tools/kubectl/go.mod:3 — The Go version in tools/kubectl/go.mod remains at 1.25.8 while the root go.mod is updated to 1.26.3. The actual compiler used in CI is determined by the Dockerfile build image (which is updated), but the go directive should be consistent.
    Remediation: Update the go directive in tools/kubectl/go.mod to 1.26.3 and run go mod tidy.

  • [incomplete version update] .tool-versions:1 — The .tool-versions file still references golang 1.25.8. Developers using asdf/mise for local Go toolchain management will get the old version instead of 1.26.3.
    Remediation: Update .tool-versions to golang 1.26.3.

Low

  • [incomplete version update] acceptance/go.mod:3 — The Go version in acceptance/go.mod remains at 1.25.8 while the root go.mod is updated to 1.26.3. This is an inconsistency in test code, not production-shipped code.
    Remediation: Update the go directive in acceptance/go.mod to 1.26.3 and run go mod tidy.

Info

  • [sub-agent-failure] The intent-coherence sub-agent did not return findings: model unavailable (claude-sonnet-4-5@20250929 not available on vertex deployment).

  • [sub-agent-failure] The style-conventions sub-agent did not return findings: model unavailable (claude-sonnet-4-5@20250929 not available on vertex deployment).
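A pre-merge consistency check for the pins the Qodo and fullsend findings compare (the `go` directive in each go.mod, the golang line in `.tool-versions`, and the base-image tag in each Dockerfile), plus the tag-only `FROM` case, as an added example that is not conforma project code. The file names are the ones named in the thread; the file contents and the digest are constructed samples, and the check generalizes to any number of sub-module go.mod files.

```shell
# Added example, not conforma project code: a pre-merge consistency check
# for the Go toolchain pins the reviews above compare. File names are the
# ones named in the thread; contents and the digest are constructed samples.

# Print the Go version a file pins: the `go` directive in go.mod, the golang
# line in .tool-versions, or the tag on a golang / go-toolset FROM line. A
# build-number tag such as go-toolset:9.8-... yields "9.8" (the reviewed case).
go_version_in() {  # $1 = file path
  case "$1" in
    *go.mod)         sed -n 's/^go \([0-9][0-9.]*\).*/\1/p' "$1" ;;
    *.tool-versions) sed -n 's/^golang \([0-9][0-9.]*\).*/\1/p' "$1" ;;
    *Dockerfile*)    sed -nE 's/^FROM .*(golang|go-toolset):([0-9][0-9.]*).*/\2/p' "$1" ;;
  esac
}

# Compare every pin with the expected version and flag Dockerfile FROM lines
# that carry no @sha256 digest. Returns 1 if anything is wrong.
check_toolchain_pins() {  # $1 = expected version, $2.. = files to check
  expected="$1"; shift
  status=0
  for f in "$@"; do
    for v in $(go_version_in "$f"); do
      [ "$v" = "$expected" ] || { echo "MISMATCH $f pins go $v, expected $expected"; status=1; }
    done
    case "$f" in *Dockerfile*)
      if grep '^FROM ' "$f" | grep -qv '@sha256:'; then
        echo "UNPINNED $f: FROM line has no digest"; status=1
      fi ;;
    esac
  done
  return $status
}

# Constructed sample tree reproducing the state the findings describe: root
# go.mod bumped, tools/go.mod and .tool-versions left behind, Dockerfile
# tag-only, Dockerfile.dist on the build-number tag (placeholder digest).
demo_tree() {
  d=$(mktemp -d); mkdir -p "$d/tools"
  printf 'module example\n\ngo 1.26.3\n' > "$d/go.mod"
  printf 'module example/tools\n\ngo 1.25.8\n' > "$d/tools/go.mod"
  printf 'golang 1.25.9\n' > "$d/.tool-versions"
  printf 'FROM docker.io/library/golang:1.26.3 AS build\n' > "$d/Dockerfile"
  printf 'FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1781757851@sha256:%s AS build\n' \
    'PLACEHOLDER_DIGEST_NOT_A_REAL_VALUE' > "$d/Dockerfile.dist"
  echo "$d"
}

d=$(demo_tree)
check_toolchain_pins 1.26.3 "$d/go.mod" "$d/tools/go.mod" "$d/.tool-versions" \
  "$d/Dockerfile" "$d/Dockerfile.dist" || echo "toolchain pins disagree; fix before merging"
```

Run it from the repository root against the real files in CI; it exits non-zero on the exact mismatches the reviews list and passes once every pin reads 1.26.3 and both FROM lines carry a digest.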

fullsend-ai-review Bot left a comment

See the review comment for full details.

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
fullsend-ai-review Bot commented Jun 24, 2026

🤖 Finished Review · ✅ Success · Started 11:53 AM UTC · Completed 11:59 AM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added the requires-manual-review Review requires human judgment label Jun 24, 2026
Comment thread Dockerfile.dist Outdated
## Build

FROM registry.access.redhat.com/ubi9/go-toolset:1.25.9@sha256:90a36bc2013b3fcb28e2a4b082c9b895d7c2c679e58b95aed9721970f3339d0e AS build
FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1781757851@sha256:1503a8227c00a1934e3c1a4a88e0be785786a2d9e2f62a9334e75ff2fadca2fe AS build
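Review bot: the new tag `9.8-1781757851` is a UBI build-number tag, so the Go version this hunk moves to is no longer visible on the line and the digest is the only thing tying it to a patched toolchain. Keep the digest but use a Go-version tag, i.e. `FROM registry.access.redhat.com/ubi9/go-toolset:1.26.3@sha256:<digest> AS build`, and record the image's `go version` output (`go1.26.3 (Red Hat 1.26.3-1.el9_8)`) in the PR so the digest can be checked against it.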

Member

This version change seems unusual. Is it really going from 1.15.9 to 9.8?

Author

Seems the naming convention was somehow changed, maybe?
I took the image from https://catalog.redhat.com/en/software/containers/ubi9/go-toolset/61e5c00b4ec9945c18787690#overview

go version go1.26.3 (Red Hat 1.26.3-1.el9_8) linux/amd64

Author

I will update with the correct tag:
registry.access.redhat.com/ubi9/go-toolset:1.26.3-1781757851@sha256:1503a8227c00a1934e3c1a4a88e0be785786a2d9e2f62a9334e75ff2fadca2fe

Member

I think Renovate works better with the short tag, i.e.:

Suggested change
FROM registry.access.redhat.com/ubi9/go-toolset:9.8-1781757851@sha256:1503a8227c00a1934e3c1a4a88e0be785786a2d9e2f62a9334e75ff2fadca2fe AS build
FROM registry.access.redhat.com/ubi9/go-toolset:1.26.3@sha256:1503a8227c00a1934e3c1a4a88e0be785786a2d9e2f62a9334e75ff2fadca2fe AS build

In theory, renovate could generate a PR to update the digest if a newer 1.26.3 appears.

Member

Is there a particular reason to not use the latest 1.26.3? I'd probably use this digest:

$ skopeo inspect --raw docker://registry.access.redhat.com/ubi9/go-toolset:1.26.3 | sha256sum
17c888d75753f128f6cbdc5587932c3abd2632ca8e0931aa27b9a60c7a75ac62  -

Author

You're right! Done. Thank you!
One more thing: I am not sure I can debug the EC build issue; I don't have permissions to have a look.

@simonbaird

Member

/ok-to-test

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
fullsend-ai-review Bot commented Jun 24, 2026

🤖 Finished Review · ✅ Success · Started 1:10 PM UTC · Completed 1:16 PM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed requires-manual-review Review requires human judgment labels Jun 24, 2026
@simonbaird

Member

/ok-to-test

codecov Bot commented Jun 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag         Coverage   Δ
acceptance   54.86%     <ø> (-0.01%) ⬇️
generative   18.14%     <ø> (ø)
integration  26.99%     <ø> (ø)
unit         68.66%     <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.


Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
fullsend-ai-review Bot commented Jun 25, 2026

🤖 Finished Review · ✅ Success · Started 10:22 PM UTC · Completed 10:28 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review Bot left a comment

See the review comment for full details.

Comment thread Dockerfile
## Build

FROM docker.io/library/golang:1.25.9 AS build
FROM docker.io/library/golang:1.26.3 AS build
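Review bot: unlike the Dockerfile.dist change, this `FROM` line is pinned by tag only, so `golang:1.26.3` can resolve to a different image over time and the build is not reproducible. Pin by digest as well, `FROM docker.io/library/golang:1.26.3@sha256:<digest> AS build`, as the summary already recommends for this file.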


[high] protected-path

This PR modifies Dockerfile, which is a protected infrastructure file requiring human approval. The PR has no linked issue to authorize the change. While the PR description references CVE-2026-42499, CVE-2026-39820, and CVE-2026-33811 as motivation, protected-path changes require a linked issue for traceability.

Suggested fix: Link an issue authorizing this Dockerfile change, or obtain explicit human maintainer approval.

@fullsend-ai-review fullsend-ai-review Bot added go Pull requests that update Go code docker Pull requests that update Docker code dependencies Pull requests that update a dependency file and removed ready-for-merge All reviewers approved — ready to merge labels Jun 25, 2026