Skip to content

fix(cve): CVE-2026-48702 - sigstore/rekor v1.5.0 → v1.5.2#1777

Closed
jkhelil wants to merge 1 commit into
mainfrom
fix/SRVKP-12759-CVE-2026-48702-sigstore-rekor-main-attempt-1
Closed

fix(cve): CVE-2026-48702 - sigstore/rekor v1.5.0 → v1.5.2#1777
jkhelil wants to merge 1 commit into
mainfrom
fix/SRVKP-12759-CVE-2026-48702-sigstore-rekor-main-attempt-1

Conversation

@jkhelil

@jkhelil jkhelil commented Jul 9, 2026

Copy link
Copy Markdown
Member

Changes

Update github.com/sigstore/rekor from v1.5.0 to v1.5.2 to address CVE-2026-48702 (GHSA-47q9-m4ww-924m).

CVE Details

Field Value
CVE ID CVE-2026-48702
GHSA GHSA-47q9-m4ww-924m
Severity IMPORTANT (CVSS 7.5)
Component github.com/sigstore/rekor
Affected version v1.5.0
Fixed version v1.5.2

Fix Summary

  • Updated github.com/sigstore/rekor from v1.5.0 → v1.5.2
  • Updated gocloud.dev from v0.43.0 → v0.45.0 (required by rekor v1.5.2)
  • Updated transitive indirect deps: IBM/sarama, google/wire, xdg-go/scram, gopkg.in/ini.v1
  • Vendored updated source for all affected modules
  • Fixed vendor/modules.txt explicit markers for pre-existing consistency drift

Test Results

Tests PASSED (go test -mod=vendor ./... — all packages pass)

Lint: Could not run (environment issue — CI will verify).

Breaking Changes

No breaking changes. The rekor client API is unchanged between v1.5.0 and v1.5.2.

Jira References

Jira: SRVKP-12759

Risk Assessment

Low — Patch-level dependency update. Rekor client API unchanged. All unit tests pass.

Submitter Checklist

  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards
Update sigstore/rekor to v1.5.2 to address CVE-2026-48702 (GHSA-47q9-m4ww-924m).

- Update github.com/sigstore/rekor from v1.5.0 to v1.5.2
- Update gocloud.dev from v0.43.0 to v0.45.0 (required by rekor v1.5.2)
- Update gocloud.dev/docstore/mongodocstore and pubsub/kafkapubsub to v0.45.0
- Update transitive indirect deps: IBM/sarama, google/wire, xdg-go/scram, gopkg.in/ini.v1
- Vendor updated source for all affected modules
- Fix vendor/modules.txt explicit markers for pre-existing consistency drift

Resolves: SRVKP-12759

Signed-off-by: CVE Fixer Bot <noreply@anthropic.com>
Co-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@linux-foundation-easycla

Copy link
Copy Markdown

CLA Not Signed

@tekton-robot

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from jkhelil after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jul 9, 2026
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Merging this branch will increase overall coverage

Impacted Packages Coverage Δ 🤖
github.com/tektoncd/chains/pkg/chains/storage/docdb 70.66% (+0.60%) 👍

Coverage by file

Changed files (no unit tests)

Changed File Coverage Δ Total Covered Missed 🤖
github.com/tektoncd/chains/pkg/chains/storage/docdb/docdb.go 70.66% (+0.60%) 167 118 (+1) 49 (-1) 👍

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

@jkhelil jkhelil closed this Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants