
Fixing CVE-2026-25679 #433

Open
npecka wants to merge 2 commits into openshift:master from npecka:cve-2026-25679

Conversation

@npecka
Contributor

@npecka npecka commented May 20, 2026

Updating golang to 1.25.8 to fix CVE-2026-25679

Summary by CodeRabbit

  • Chores
    • Updated base container images used in build and test infrastructure to newer versions for improved security and stability.

@coderabbitai
Contributor

coderabbitai Bot commented May 20, 2026

Walkthrough

Base image tags are incremented across the project: CI configuration builds use image-v8.3.6, the main build Dockerfile uses updated boilerplate and UBI minimal runtime images, the OLM registry uses the newer UBI minimal tag, and the E2E test builder uses RHEL 9 version 1.25.8.

Changes

Image Dependencies

Layer: Base image version bumps
File(s): .ci-operator.yaml, build/Dockerfile, build/Dockerfile.olm-registry, test/e2e/Dockerfile
Summary: CI build root image bumped from image-v8.3.4 to image-v8.3.6; build Dockerfile's boilerplate and UBI minimal runtime images updated to newer tags; OLM registry base image updated from 9.7-1778562320 to 9.8-1777460003; E2E test builder image bumped from rhel_9_1.25 to rhel_9_1.25.8.

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

Suggested labels

area/dependency, ok-to-test, lgtm


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name / Status / Explanation / Resolution

Ote Binary Stdout Contract ❌ Error
  Explanation: fips.go init() function contains fmt.Println() writing to stdout, violating the OTE Binary Stdout Contract that requires JSON-only stdout for openshift-tests communication.
  Resolution: Remove fmt.Println() from fips.go init() or route it to stderr via klog/controller-runtime logger, as process-level stdout must be JSON-only.

Ipv6 And Disconnected Network Test Compatibility ⚠️ Warning
  Explanation: New e2e test file added with external registry reference (quay.io) at line 413. Test "validates comprehensive index configuration" will fail in disconnected IPv6-only CI jobs.
  Resolution: Replace hardcoded quay.io image reference with cluster-internal registry or image stream. Add [Skipped:Disconnected] tag if external connectivity is unavoidable.
✅ Passed checks (10 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title 'Fixing CVE-2026-25679' directly matches the PR description, which states 'Updating golang to 1.25.8 to fix CVE-2026-25679.' The changes (Dockerfile base image updates from Go 1.25 to 1.25.8, and UBI minimal image updates) are consistent with addressing this specific CVE.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed All 11 Ginkgo test cases in test/e2e/splunk_forwarder_operator_tests.go use stable, hardcoded test names. No dynamic values, UUIDs, timestamps, pods, or runtime content found in test titles.
Test Structure And Quality ✅ Passed PR contains no test code modifications; only Dockerfile/configuration updates for CVE fix. Custom check for test quality is not applicable to this PR scope.
Microshift Test Compatibility ✅ Passed New e2e tests only use MicroShift-compatible APIs: standard Kubernetes, SecurityContextConstraints, and custom CRD. No unsupported OpenShift APIs or features referenced.
Single Node Openshift (Sno) Test Compatibility ✅ Passed The 11 new Ginkgo e2e tests use DaemonSets but contain no multi-node assumptions, node affinity rules, or topology constraints. DaemonSets work correctly on SNO by scheduling one pod per node.
Topology-Aware Scheduling Compatibility ✅ Passed PR contains only build-time Dockerfile and CI/CD config updates (base image versions) with no changes to deployment manifests, operator code, or controllers. No scheduling constraints are introduced.

@openshift-ci openshift-ci Bot requested review from nephomaniac and ritmun May 20, 2026 21:08
@openshift-ci
Contributor

openshift-ci Bot commented May 20, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: npecka

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 20, 2026
@codecov-commenter

codecov-commenter commented May 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.44%. Comparing base (5726253) to head (2e299d4).

Additional details and impacted files


@@           Coverage Diff           @@
##           master     #433   +/-   ##
=======================================
  Coverage   72.44%   72.44%           
=======================================
  Files          11       11           
  Lines         704      704           
=======================================
  Hits          510      510           
  Misses        173      173           
  Partials       21       21           

@openshift-ci openshift-ci Bot added the do-not-merge/invalid-owners-file Indicates that a PR should not merge because it has an invalid OWNERS file in it. label May 20, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 20, 2026

The content of OWNERS_ALIASES is invalid.

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.pre-commit-config.yaml:
- Around line 123-133: The header comment above the pre-commit hook is
misleading: the text says "warn-only" but the hook with id "rbac-wildcard-check"
runs "entry: bash -c 'make rbac-wildcard-check'" and will block on non‑zero
exit; update the comment to reflect that this hook is blocking (or,
alternatively, change the hook to a non‑blocking configuration if intended).
Specifically, edit the comment block that references "RBAC WILDCARD CHECK" so it
no longer claims "warn-only" and instead documents that "rbac-wildcard-check"
will fail the commit on non‑zero exit, ensuring the description aligns with the
hook id and entry command.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 82f66471-c72b-4eaf-aca7-5f5e940690a6

📥 Commits

Reviewing files that changed from the base of the PR and between 6258e4d and 806c4d7.

⛔ Files ignored due to path filters (8)
  • boilerplate/_data/backing-image-tag is excluded by !boilerplate/**
  • boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/.codecov.yml is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/golangci.yml is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/standard.mk is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/update is excluded by !boilerplate/**
📒 Files selected for processing (6)
  • .ci-operator.yaml
  • .codecov.yml
  • .pre-commit-config.yaml
  • OWNERS_ALIASES
  • build/Dockerfile
  • build/Dockerfile.olm-registry
✅ Files skipped from review due to trivial changes (2)
  • .ci-operator.yaml
  • build/Dockerfile.olm-registry

Updates boilerplate version from image-v8.3.4 to image-v8.3.6
which includes golang 1.25.8 builder image for CVE-2026-25679 fix.

Changes:
- Updated boilerplate metadata to v8.3.6
- Updated operator build Dockerfile to use boilerplate:image-v8.3.6
- Updated UBI minimal base images to 9.8

The e2e test Dockerfile already contains golang 1.25.8 from
the initial commit on this branch.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@openshift-ci openshift-ci Bot removed the do-not-merge/invalid-owners-file Indicates that a PR should not merge because it has an invalid OWNERS file in it. label May 20, 2026
Contributor

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
build/Dockerfile (1)

6-11: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Run the runtime image as non-root.

The final stage has no USER directive, so it runs as root by default. That weakens container hardening.

🔧 Suggested hardening patch
 FROM registry.access.redhat.com/ubi9/ubi-minimal:9.8-1777460003
 ENV OPERATOR_PATH=/go/src/github.com/openshift/splunk-forwarder-operator \
     OPERATOR_BIN=splunk-forwarder-operator

-WORKDIR /root/
+WORKDIR /tmp
 COPY --from=builder /go/src/github.com/openshift/splunk-forwarder-operator/build/_output/bin/${OPERATOR_BIN} /usr/local/bin/${OPERATOR_BIN}
+USER 1001
 LABEL io.openshift.managed.name="splunk-forwarder-operator" \
       io.openshift.managed.description="This operator will be responsible for deploying the splunk forwarder."
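Review bot: the added `USER 1001` fixes the missing directive, but `WORKDIR /tmp` moves the process's working directory into a world-writable location shared with anything else in the container; a dedicated directory created and chowned to the new UID (or simply `WORKDIR /`) is a cleaner choice. The numeric form of `USER 1001` is the right one, since Kubernetes' runAsNonRoot check can only verify numeric UIDs, and placing it after the COPY leaves the binary root-owned in /usr/local/bin, which is fine for a read-only executable.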
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile` around lines 6 - 11, The final Docker stage runs as root;
add a non-root user and switch to it to harden the container: create a
user/group (e.g., appuser), chown the copied binary referenced by OPERATOR_BIN
and any needed WORKDIR contents, set HOME/WORKDIR to a non-root path rather than
/root if appropriate, and add a USER appuser directive before the image is
finalized so the splunk-forwarder-operator binary runs unprivileged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 17bf7078-efa8-45d5-89b2-887e1004e939

📥 Commits

Reviewing files that changed from the base of the PR and between 806c4d7 and 2e299d4.

⛔ Files ignored due to path filters (2)
  • boilerplate/_data/backing-image-tag is excluded by !boilerplate/**
  • boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
📒 Files selected for processing (3)
  • .ci-operator.yaml
  • build/Dockerfile
  • build/Dockerfile.olm-registry
✅ Files skipped from review due to trivial changes (1)
  • .ci-operator.yaml
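A check a reviewer could run to confirm the non-root point raised above, as an added example that is not part of the PR or the operator's own code: a small shell lint that reports which user a Dockerfile's final stage runs as. The sample Dockerfiles and image names below are constructed placeholders shaped like build/Dockerfile before and after the suggested patch.

```shell
#!/bin/sh
# Added example, not code from the PR or the splunk-forwarder-operator repo.
# Each FROM starts a new stage whose user is root until a USER directive
# appears, so only directives after the last FROM matter: a USER in the
# builder stage (as in the sample below) does not protect the runtime image.

# Print the user in effect at the end of the last build stage.
final_stage_user() {
  awk '
    toupper($1) == "FROM" { user = "root" }   # new stage: defaults back to root
    toupper($1) == "USER" { user = $2 }       # latest USER wins
    END { print user }
  ' "$1"
}

# Exit 0 when the final stage declares a non-root user. Accepts "uid", "name"
# or "uid:gid"; root, 0 and a missing directive all count as root.
runs_as_nonroot() {
  u=$(final_stage_user "$1")
  case "${u%%:*}" in
    root|0|"") return 1 ;;
    *)         return 0 ;;
  esac
}

# Constructed samples (placeholder image names): the "before" file has a USER
# only in the builder stage; the "after" file applies the suggested patch.
TMP=$(mktemp -d)
BEFORE="$TMP/Dockerfile.before"
AFTER="$TMP/Dockerfile.after"
cat > "$BEFORE" <<'EOF'
FROM registry.example.invalid/boilerplate:image-v8.3.6 AS builder
USER 1001
RUN make build
FROM registry.example.invalid/ubi-minimal:9.8
WORKDIR /root/
COPY --from=builder /go/src/app/bin/operator /usr/local/bin/operator
EOF
sed 's#^WORKDIR /root/#WORKDIR /tmp#' "$BEFORE" > "$AFTER"
printf 'USER 1001\n' >> "$AFTER"

for f in "$BEFORE" "$AFTER"; do
  if runs_as_nonroot "$f"; then
    echo "$f: final stage runs as $(final_stage_user "$f")"
  else
    echo "$f: final stage has no non-root USER (runs as root)"
  fi
done
```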

@openshift-ci
Contributor

openshift-ci Bot commented May 20, 2026

@npecka: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/validate 2e299d4 link true /test validate

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files.
