Skip to content

(fix) grpc and go versions have been updated to 1.79.3 and to 1.24 #489

Merged
ChanukaUOJ merged 1 commit into
LDFLK:mainfrom
ChanukaUOJ:fix/CVE-2026-33186
Jul 1, 2026
Merged

(fix) grpc and go versions have been updated to 1.79.3 and to 1.24 #489
ChanukaUOJ merged 1 commit into
LDFLK:mainfrom
ChanukaUOJ:fix/CVE-2026-33186

Conversation

@ChanukaUOJ

@ChanukaUOJ ChanukaUOJ commented Jul 1, 2026

Copy link
Copy Markdown
Member

Problem

There is a vulnerability(CVE-2026-33186) issue in core layer with grpc version 1.72.1. This is caught by choreo Container (Trivy) Vulnerability Scan and the container log is reported below. As the solution the grpc and go version need to updated to versions 1.79.3 and 1.24 respectively.


app/opengin/core-api/core-service (gobinary)
============================================
Total: 1 (CRITICAL: 1)

┌────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│        Library         │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc │ CVE-2026-33186 │ CRITICAL │ fixed  │ v1.72.1           │ 1.79.3        │ google.golang.org/grpc/grpc-go:                             │
│                        │                │          │        │                   │               │ google.golang.org/grpc/authz: gRPC-Go: Authorization bypass │
│                        │                │          │        │                   │               │ due to improper HTTP/2 path validation                      │
│                        │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-33186                  │
└────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

usr/local/bin/core-service (gobinary)
=====================================
Total: 1 (CRITICAL: 1)

┌────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│        Library         │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc │ CVE-2026-33186 │ CRITICAL │ fixed  │ v1.72.1           │ 1.79.3        │ google.golang.org/grpc/grpc-go:                             │
│                        │                │          │        │                   │               │ google.golang.org/grpc/authz: gRPC-Go: Authorization bypass │
│                        │                │          │        │                   │               │ due to improper HTTP/2 path validation                      │
│                        │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-33186                  │
└────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘```

### Solution
- `grpc` version has been updated to `1.79.3`
- `go` version has been updated in the core layer to `1.24` (the compatible version)

### Testing
- All the `e2e` tests are parsing

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the Go runtime environment and various dependencies for the core-api service. Specifically, it upgrades the Go version from 1.23 to 1.24 in both the Dockerfiles and the go.mod file, updates the Go toolchain to 1.24.3, and bumps several key dependencies including gRPC, Protobuf, and various golang.org/x packages to their latest versions. There are no review comments, and I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@ChanukaUOJ ChanukaUOJ changed the title [FIX] grpc version has been updated to 1.79.3 and the go version to 1.24 [FIX] grpc and go versions have been updated to 1.79.3 and to 1.24 Jul 1, 2026
@ChanukaUOJ ChanukaUOJ requested a review from zaeema-n July 1, 2026 10:39
@ChanukaUOJ ChanukaUOJ changed the title [FIX] grpc and go versions have been updated to 1.79.3 and to 1.24 (fix) grpc and go versions have been updated to 1.79.3 and to 1.24 Jul 1, 2026

@zaeema-n zaeema-n left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@ChanukaUOJ ChanukaUOJ merged commit b85611f into LDFLK:main Jul 1, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants