ROX-33925: bump github.com/russellhaering/goxmldsig from 1.5.0 to 1.6.0 by vladbologa · Pull Request #19689 · stackrox/stackrox

vladbologa · 2026-03-30T16:29:07Z

Description

Bump github.com/russellhaering/goxmldsig to 1.6.0 to fix CVE-2026-33487

Note that Stackrox is not affected by CVE-2026-33487 because it uses go > 1.22, but patching this will nevertheless help to not get flagged incorrectly by scanners.

Related to ROX-33870 ROX-33871 ROX-33872 ROX-33873

User-facing documentation

CHANGELOG.md is updated OR update is not needed
documentation PR is created and is linked above OR is not needed

Testing and quality

the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
CI results are inspected

Automated testing

How I validated my change

CI is sufficient.

rhacs-bot · 2026-03-30T17:03:04Z

Images are ready for the commit at 150266b.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.9.5-rc.2-1-g150266bdd3.

codecov · 2026-03-30T17:08:10Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 48.87%. Comparing base (48fb384) to head (150266b).

Additional details and impacted files

@@               Coverage Diff               @@
##           release-4.9   #19689      +/-   ##
===============================================
- Coverage        48.87%   48.87%   -0.01%     
===============================================
  Files             2719     2719              
  Lines           202912   202912              
===============================================
- Hits             99182    99175       -7     
- Misses           95961    95968       +7     
  Partials          7769     7769

Flag	Coverage Δ
go-unit-tests	`48.87% <ø> (-0.01%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

github-actions · 2026-03-30T17:50:52Z

/konflux-retest main-on-push

github-actions · 2026-03-30T17:51:48Z

/konflux-retest operator-bundle-on-push

github-actions · 2026-03-30T17:58:43Z

/konflux-retest operator-bundle-on-push

github-actions · 2026-03-30T18:05:59Z

/konflux-retest operator-bundle-on-push

openshift-ci · 2026-03-31T00:36:58Z

@vladbologa: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/gke-qa-e2e-tests	`150266b`	link	false	`/test gke-qa-e2e-tests`
ci/prow/ocp-4-21-nongroovy-e2e-tests	`150266b`	link	false	`/test ocp-4-21-nongroovy-e2e-tests`
ci/prow/ocp-next-candidate-nongroovy-e2e-tests	`150266b`	link	false	`/test ocp-next-candidate-nongroovy-e2e-tests`
ci/prow/gke-nongroovy-compatibility-tests	`150266b`	link	false	`/test gke-nongroovy-compatibility-tests`
ci/prow/ocp-dev-preview-nongroovy-e2e-tests	`150266b`	link	false	`/test ocp-dev-preview-nongroovy-e2e-tests`
ci/prow/ocp-4-12-nongroovy-e2e-tests	`150266b`	link	false	`/test ocp-4-12-nongroovy-e2e-tests`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

ROX-33871: bump github.com/russellhaering/goxmldsig from 1.5.0 to 1.6.0

150266b

vladbologa requested a review from a team as a code owner March 30, 2026 16:29

github-actions bot added the backport PR to backport changes from master to release branch label Mar 30, 2026

vladbologa changed the title ~~ROX-33871: bump github.com/russellhaering/goxmldsig from 1.5.0 to 1.6.0~~ chore(deps): bump github.com/russellhaering/goxmldsig from 1.5.0 to 1.6.0 Mar 30, 2026

vladbologa changed the title ~~chore(deps): bump github.com/russellhaering/goxmldsig from 1.5.0 to 1.6.0~~ ROX-33925: bump github.com/russellhaering/goxmldsig from 1.5.0 to 1.6.0 Mar 31, 2026

janisz approved these changes Apr 1, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ROX-33925: bump github.com/russellhaering/goxmldsig from 1.5.0 to 1.6.0#19689

ROX-33925: bump github.com/russellhaering/goxmldsig from 1.5.0 to 1.6.0#19689
vladbologa wants to merge 1 commit intorelease-4.9from
vb/bump-goxmldsig

vladbologa commented Mar 30, 2026 •

edited

Loading

Uh oh!

rhacs-bot commented Mar 30, 2026

Uh oh!

codecov bot commented Mar 30, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Mar 30, 2026

Uh oh!

github-actions bot commented Mar 30, 2026

Uh oh!

github-actions bot commented Mar 30, 2026

Uh oh!

github-actions bot commented Mar 30, 2026

Uh oh!

openshift-ci bot commented Mar 31, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

vladbologa commented Mar 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

User-facing documentation

Testing and quality

Automated testing

How I validated my change

Uh oh!

rhacs-bot commented Mar 30, 2026

Uh oh!

codecov bot commented Mar 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

github-actions bot commented Mar 30, 2026

Uh oh!

github-actions bot commented Mar 30, 2026

Uh oh!

github-actions bot commented Mar 30, 2026

Uh oh!

github-actions bot commented Mar 30, 2026

Uh oh!

openshift-ci bot commented Mar 31, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

vladbologa commented Mar 30, 2026 •

edited

Loading

codecov bot commented Mar 30, 2026 •

edited

Loading