From 19c4fb8652a029510d040979a9774decaad486db Mon Sep 17 00:00:00 2001
From: Fede Barcelona
Date: Mon, 9 Mar 2026 11:49:39 +0100
Subject: [PATCH 1/2] build: update dependencies and base images to fix CVEs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Addresses 70 vulnerabilities (65 base image + 5 Go binary) found by Trivy in ghcr.io/sysdiglabs/sysdig-mcp-server:latest. Base image (RHEL 9.7) CVEs addressed by nixpkgs bump: - curl-minimal: CVE-2025-14017, CVE-2024-11053, CVE-2024-7264, CVE-2024-9681 - glib2: CVE-2025-14087, CVE-2025-14512, CVE-2026-1484, CVE-2026-1489, CVE-2023-32636, CVE-2025-3360, CVE-2025-7039, CVE-2026-0988, CVE-2026-1485 - glibc: CVE-2026-0915, CVE-2025-15281, CVE-2026-0861 - gnupg2: CVE-2025-68972, CVE-2022-3219, CVE-2025-30258, CVE-2026-24883 - coreutils-single: CVE-2025-5278 Go binary CVEs addressed by dependency updates: - mcp-go v0.44.1 → v0.45.0 - golang.org/x/sync v0.19.0 → v0.20.0 - golang.org/x/sys v0.41.0 → v0.42.0
---
flake.lock | 6 +++--- go.mod | 8 ++++---- go.sum | 12 ++++++------ package.nix | 4 ++-- 4 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/flake.lock b/flake.lock
index e9abe24..861b7f0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1772479524, - "narHash": "sha256-u7nCaNiMjqvKpE+uZz9hE7pgXXTmm5yvdtFaqzSzUQI=", + "lastModified": 1772927210, + "narHash": "sha256-FdRDRoV0jRTiPK5ID22BaUX5P0wdsclpxtIOjaEy9Lo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4215e62dc2cd3bc705b0a423b9719ff6be378a43", + "rev": "0e6cdd5be64608ef630c2e41f8d51d484468492f", "type": "github" }, "original": {
diff --git a/go.mod b/go.mod
index a1787a4..b03187e 100644
--- a/go.mod
+++ b/go.mod
@@ -1,9 +1,9 @@
 module github.com/sysdiglabs/sysdig-mcp-server
-go 1.26.0
+go 1.26
 require (
- github.com/mark3labs/mcp-go v0.44.1
+ github.com/mark3labs/mcp-go v0.45.0
 github.com/oapi-codegen/runtime v1.2.0
 github.com/onsi/ginkgo/v2 v2.28.1
 github.com/onsi/gomega v1.39.1
@@ -33,8 +33,8 @@ require (
 go.yaml.in/yaml/v3 v3.0.4 // indirect
 golang.org/x/mod v0.33.0 // indirect
 golang.org/x/net v0.51.0 // indirect
- golang.org/x/sync v0.19.0 // indirect
- golang.org/x/sys v0.41.0 // indirect
+ golang.org/x/sync v0.20.0 // indirect
+ golang.org/x/sys v0.42.0 // indirect
 golang.org/x/text v0.34.0 // indirect
 golang.org/x/tools v0.42.0 // indirect
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
diff --git a/go.sum b/go.sum
index 6036209..6833588 100644
--- a/go.sum
+++ b/go.sum
@@ -45,8 +45,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/mailru/easyjson v0.9.1 h1:LbtsOm5WAswyWbvTEOqhypdPeZzHavpZx96/n553mR8= github.com/mailru/easyjson v0.9.1/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= -github.com/mark3labs/mcp-go v0.44.1 h1:2PKppYlT9X2fXnE8SNYQLAX4hNjfPB0oNLqQVcN6mE8= -github.com/mark3labs/mcp-go v0.44.1/go.mod h1:YnJfOL382MIWDx1kMY+2zsRHU/q78dBg9aFb8W6Thdw= +github.com/mark3labs/mcp-go v0.45.0 h1:s0S8qR/9fWaQ3pHxz7pm1uQ0DrswoSnRIxKIjbiQtkc= +github.com/mark3labs/mcp-go v0.45.0/go.mod h1:YnJfOL382MIWDx1kMY+2zsRHU/q78dBg9aFb8W6Thdw= github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo= github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg= github.com/mfridman/tparse v0.18.0 h1:wh6dzOKaIwkUGyKgOntDW4liXSo37qg5AXbIhkMV3vE=
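Review bot: The `go` directive in go.mod is loosened from `go 1.26.0` to `go 1.26` in the first go.mod hunk, and the commit message, which lists only the nixpkgs and module bumps, does not mention or justify it. Since Go 1.21 that line is an enforced minimum toolchain version, and the bare language version `1.26` orders below `1.26.0`, so pre-release 1.26 toolchains now satisfy it. The Nix build presumably still takes its compiler from `buildGo126Module` in the bumped nixpkgs, but anyone building with plain `go build` gets the weaker floor, and if any of the five Go-binary findings are in the standard library the fix comes from the toolchain release rather than from these `require` lines. I would keep `go 1.26.0`, or raise it to the patch release that clears the scan, and say so in the commit message.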
@@ -94,10 +94,10 @@ golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8= golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w= golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo= golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y= -golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4= -golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= -golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k= -golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4= +golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0= +golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= +golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk= golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA= golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
diff --git a/package.nix b/package.nix
index 7597ee7..45ec294 100644
--- a/package.nix
+++ b/package.nix
@@ -1,10 +1,10 @@
 { buildGo126Module, versionCheckHook }:
 buildGo126Module (finalAttrs: {
 pname = "sysdig-mcp-server";
- version = "1.0.3";
+ version = "1.0.4";
 src = ./.;
 # This hash is automatically re-calculated with `just rehash-package-nix`. This is automatically called as well by `just update`.
- vendorHash = "sha256-IjVs+Mm9kV9pXoEOE3En2u+/jd/ITXZi0kp2+L92Mso=";
+ vendorHash = "sha256-Snb0kLN7ItduIXG1XVc2XOlXUaAqQILR4c2jvVXAVHk=";
 subPackages = [
 "cmd/server"
From 344367cd94baec178d397943a4ca48655a074c85 Mon Sep 17 00:00:00 2001
From: Fede Barcelona
Date: Mon, 9 Mar 2026 14:28:14 +0100
Subject: [PATCH 2/2] build: release v1.0.5
---
package.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.nix b/package.nix
index 45ec294..9faca9d 100644
--- a/package.nix
+++ b/package.nix
@@ -1,7 +1,7 @@
 { buildGo126Module, versionCheckHook }:
 buildGo126Module (finalAttrs: {
 pname = "sysdig-mcp-server";
- version = "1.0.4";
+ version = "1.0.5";
 src = ./.;
 # This hash is automatically re-calculated with `just rehash-package-nix`. This is automatically called as well by `just update`.
 vendorHash = "sha256-Snb0kLN7ItduIXG1XVc2XOlXUaAqQILR4c2jvVXAVHk=";