SREP-1985 : Fix Go vulnerabilities CVES updating to UBI9 Go toolset 1.24.6 (#433)

MitaliBhalla · web-flow · commit 9e7ae18dffe4 · 2025-11-03T05:12:36.000Z
* Fix Go vulnerabilities CVE-2025-47907/47906 by updating to UBI9 Go toolset 1.24.6 * Fix e2e Dockerfile permissions for UBI9 Go toolset non-root user * Use specific version tag (1.24) instead of latest for UBI9 Go toolset
diff --git a/boilerplate/openshift/golang-osd-e2e/update b/boilerplate/openshift/golang-osd-e2e/update
@@ -21,7 +21,7 @@ OPERATOR_NAME_CAMEL_CASE=${OPERATOR_PROPER_NAME// /}
 
 mkdir -p "${E2E_SUITE_DIRECTORY}"
 
-E2E_SUITE_BUILDER_IMAGE=registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.24-openshift-4.21
+E2E_SUITE_BUILDER_IMAGE=registry.access.redhat.com/ubi9/go-toolset:1.24
 if [[ -n ${KONFLUX_BUILDS} ]]; then
 	E2E_SUITE_BUILDER_IMAGE="brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.24"
 fi
@@ -30,12 +30,12 @@ echo "syncing ${E2E_SUITE_DIRECTORY}/Dockerfile"
 tee "${E2E_SUITE_DIRECTORY}/Dockerfile" <<EOF
 # THIS FILE IS GENERATED BY BOILERPLATE. DO NOT EDIT.
 FROM ${E2E_SUITE_BUILDER_IMAGE} as builder
-WORKDIR /go/src/github.com/openshift/$OPERATOR_NAME/
+WORKDIR /opt/app-root/src
 COPY . .
-RUN  CGO_ENABLED=0 GOFLAGS="-mod=mod" go test ./test/e2e -v -c --tags=osde2e -o /e2e.test
+RUN  CGO_ENABLED=0 GOFLAGS="-mod=mod" go test ./test/e2e -v -c --tags=osde2e -o e2e.test
 
 FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
-COPY --from=builder ./e2e.test e2e.test
+COPY --from=builder /opt/app-root/src/e2e.test e2e.test
 ENTRYPOINT [ "/e2e.test" ]
 EOF
 
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -1,20 +1,21 @@
-ARG BASE_IMAGE=registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.24-openshift-4.21
+ARG BASE_IMAGE=registry.access.redhat.com/ubi9/go-toolset:1.24
 FROM ${BASE_IMAGE} AS builder
 
-RUN mkdir -p /workdir
-WORKDIR /workdir
+WORKDIR /opt/app-root/src
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
-RUN make build
+RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=1 GOEXPERIMENT=boringcrypto GOFLAGS=-mod=mod \
+    go build -buildvcs=false -gcflags="all=-trimpath=/opt/app-root/src" -asmflags="all=-trimpath=/opt/app-root/src" -tags="fips_enabled" \
+    -o webhooks ./cmd
 
 ####
 FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 
 ENV USER_UID=1001 \
     USER_NAME=webhooks
 
-COPY --from=builder /workdir/build/_output/webhooks /usr/local/bin/
+COPY --from=builder /opt/app-root/src/webhooks /usr/local/bin/
 
 COPY build/bin /usr/local/bin
 RUN  /usr/local/bin/user_setup
diff --git a/test/e2e/Dockerfile b/test/e2e/Dockerfile
@@ -1,9 +1,9 @@
 # THIS FILE IS GENERATED BY BOILERPLATE. DO NOT EDIT.
-FROM registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.24-openshift-4.21 as builder
-WORKDIR /go/src/github.com/openshift/validation-webhook/
+FROM registry.access.redhat.com/ubi9/go-toolset:1.24 as builder
+WORKDIR /opt/app-root/src
 COPY . .
-RUN  CGO_ENABLED=0 GOFLAGS="-mod=mod" go test ./test/e2e -v -c --tags=osde2e -o /e2e.test
+RUN  CGO_ENABLED=0 GOFLAGS="-mod=mod" go test ./test/e2e -v -c --tags=osde2e -o e2e.test
 
 FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
-COPY --from=builder ./e2e.test e2e.test
+COPY --from=builder /opt/app-root/src/e2e.test e2e.test
 ENTRYPOINT [ "/e2e.test" ]
