fix: upgrade vulnerable dependencies (AST-108828,AST-116271,AST-120967,AST-123298,AST-123300,AST-123302,AST-123980,AST-123981,AST-132239,AST-134898) by cx-adar-zandberg · Pull Request #40 · Checkmarx/containers-resolver

cx-adar-zandberg · 2026-03-04T18:38:43Z

Fixed Vulnerabilities

Ticket	CVE	Severity	Component
AST-108828	CVE-2025-46569	HIGH	github.com/open-policy-agent/opa
AST-116271	CVE-2025-27144	-	gopkg.in/go-jose/go-jose.v2
AST-120967	CVE-2024-25621	-	github.com/containerd/containerd/v2
AST-123298	CVE-2025-52881	HIGH	github.com/opencontainers/runc
AST-123300	CVE-2025-52565	HIGH	github.com/opencontainers/runc
AST-123302	CVE-2025-31133	HIGH	github.com/opencontainers/runc
AST-123980	CVE-2025-64329	-	github.com/containerd/containerd/v2
AST-123981	CVE-2019-25210	-	helm.sh/helm/v3
AST-132239	CVE-2026-24137	-	github.com/sigstore/sigstore
AST-134898	CVE-2026-25934	-	github.com/go-git/go-git/v5

Changes Made

OPA: v0.70.0 → v1.14.0 (fixes CVE-2025-46569 Rego injection/DoS)
containerd/v2: v2.1.4 → v2.2.1 (fixes CVE-2024-25621, CVE-2025-64329)
runc: v1.3.3 → v1.4.0 (fixes CVE-2025-52881, CVE-2025-52565, CVE-2025-31133)
helm: v3.19.2 → v3.20.0 (fixes CVE-2019-25210)
sigstore: v1.8.15 → v1.10.4 (fixes CVE-2026-24137)
go-git: v5.14.0 → v5.17.0 (fixes CVE-2026-25934)
go-jose: v3/v4 already at fixed versions; gopkg.in/go-jose.v2 remains transitive from k8s

Compatibility pins: tablewriter v0.0.5 (syft), runtime-spec v1.2.1 (containerd compatibility).

Made with Cursor

…967, AST-123298, AST-123300, AST-123302, AST-123980, AST-123981, AST-132239, AST-134898) Made-with: Cursor

cx-shaked-karta · 2026-03-04T18:41:06Z

Checkmarx One – Scan Summary & Details – 92a8abdd-951c-417e-9007-b5a4fb1e7770

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	~~CVE-2026-25934~~	Go-github.com/go-git/go-git/v5-v5.14.0

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

Downgrade helm.sh/helm/v3 from v3.20.0 back to v3.19.2. CVE-2019-25210 only affects helm's --dry-run flag which this codebase never uses, so upgrading solely to address it provides no security benefit. Go directive kept at 1.24.13; go.sum updated accordingly. Made-with: Cursor

fix: upgrade vulnerable dependencies (AST-108828, AST-116271, AST-120…

88cb402

…967, AST-123298, AST-123300, AST-123302, AST-123980, AST-123981, AST-132239, AST-134898) Made-with: Cursor

cx-adar-zandberg changed the title ~~fix: upgrade vulnerable dependencies~~ fix: upgrade vulnerable dependencies (AST-108828,AST-116271,AST-120967,AST-123298,AST-123300,AST-123302,AST-123980,AST-123981,AST-132239,AST-134898) Mar 4, 2026

cx-adar-zandberg added 3 commits March 7, 2026 14:13

revert go to 1.24

f0e48af

remove vuls fix file

4946ddb

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: upgrade vulnerable dependencies (AST-108828,AST-116271,AST-120967,AST-123298,AST-123300,AST-123302,AST-123980,AST-123981,AST-132239,AST-134898)#40

fix: upgrade vulnerable dependencies (AST-108828,AST-116271,AST-120967,AST-123298,AST-123300,AST-123302,AST-123980,AST-123981,AST-132239,AST-134898)#40
cx-adar-zandberg wants to merge 4 commits intomainfrom
fix/security-vulnerabilities-AST-108828-AST-123298-and-more

cx-adar-zandberg commented Mar 4, 2026

Uh oh!

cx-shaked-karta commented Mar 4, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

cx-adar-zandberg commented Mar 4, 2026

Fixed Vulnerabilities

Changes Made

Uh oh!

cx-shaked-karta commented Mar 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

cx-shaked-karta commented Mar 4, 2026 •

edited

Loading