[https://nvbugs/6467684][fix] Bump the golang image tag to 1.23 and the license_checker pin to v0.3.1…#16531
[https://nvbugs/6467684][fix] Bump the golang image tag to 1.23 and the license_checker pin to v0.3.1…#16531trtllm-agent wants to merge 1 commit into
1.23 and the license_checker pin to v0.3.1…#16531Conversation
… >= 0.55.0 The Jenkins release-check pod pinned golang:1.22 (Go 1.22 bundles the vulnerable golang.org/x/net@v0.51.0, CVE-2026-39821) and installed license_checker@v0.3.0 built against that toolchain. Bump both pins: - golang image tag 1.22 -> 1.23 (Go 1.23 ships x/net >= 0.55.0) - license_checker@v0.3.0 -> v0.3.1 (rebuilt against the newer toolchain so the transitive x/net pin lands >= 0.55.0) Signed-off-by: trtllm-agent <296075020+trtllm-agent@users.noreply.github.com>
📝 WalkthroughWalkthroughRelease-Check now installs ChangesRelease-Check
Estimated code review effort: 1 (Trivial) | ~2 minutes Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@jenkins/L0_MergeRequest.groovy`:
- Line 525: Update the image assignment in the release-check pod configuration
to use a supported Go image instead of the pinned golang:1.23 private image; if
retaining that image, document its security backports and license_checker
compatibility.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 2e6d56f5-638c-4594-9456-3eadf5009554
📒 Files selected for processing (1)
jenkins/L0_MergeRequest.groovy
| } | ||
|
|
||
| def image = "urm.nvidia.com/docker/golang:1.22" | ||
| def image = "urm.nvidia.com/docker/golang:1.23" |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Locate the referenced line and nearby context.
sed -n '480,560p' jenkins/L0_MergeRequest.groovy
# Find other Go image pins and any license_checker compatibility references.
rg -n "golang:1\.23|license_checker|Go 1\.23|golang:" -S jenkins . || trueRepository: NVIDIA/TensorRT-LLM
Length of output: 4625
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n### jenkins/L0_MergeRequest.groovy (around line 525)\n'
sed -n '500,545p' jenkins/L0_MergeRequest.groovy
printf '\n### repository matches\n'
rg -n "urm\.nvidia\.com/docker/golang:1\.23|license_checker|golang:" -S jenkins . || trueRepository: NVIDIA/TensorRT-LLM
Length of output: 3070
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Repo-wide Go version references and toolchain declarations.
rg -n --hidden --glob '!**/.git/**' '\bgo1?\.23\b|\bgolang:1\.23\b|\bGo 1\.23\b|\bGOVERSION\b|\btoolchain\b|\bgo\s+[0-9]+\.[0-9]+' -S .
printf '\n### Relevant version files\n'
git ls-files | rg '(^|/)(go\.mod|go\.work|Makefile|README|Dockerfile|.*\.md|.*\.yml|.*\.yaml|.*\.groovy)$' || trueRepository: NVIDIA/TensorRT-LLM
Length of output: 50375
🌐 Web query:
Go release policy two latest versions supported July 2026 Go 1.26 1.25 official
💡 Result:
As of July 17, 2026, the official Go release policy dictates that each major Go release is supported until there are two newer major releases [1][2]. Under this policy, the two latest major versions of Go currently supported are Go 1.26 and Go 1.25 [3]. Go 1.26 is the most recent major release (initially released February 10, 2026), and Go 1.25 (released August 12, 2025) remains under support [1][2][3]. Previous versions, such as Go 1.24, have reached their end-of-life and are no longer receiving security updates or patches [3]. Active support for these versions includes the issuance of minor revisions to address critical stability or security issues [1][4].
Citations:
- 1: https://go.dev/doc/devel/release
- 2: https://tip.golang.org/doc/devel/release
- 3: https://eosl.date/eol/product/go/
- 4: https://go.dev/wiki/Go-Release-Cycle
Bump the release-check pod to a supported Go image. If the private image stays pinned, document the security backports and license_checker compatibility.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@jenkins/L0_MergeRequest.groovy` at line 525, Update the image assignment in
the release-check pod configuration to use a supported Go image instead of the
pinned golang:1.23 private image; if retaining that image, document its security
backports and license_checker compatibility.
Summary
docker/golang:1.22andlicense_checker@v0.3.0, both of which transitively bundle the vulnerablegolang.org/x/net@v0.51.0(CVE-2026-39821).1.23and thelicense_checkerpin tov0.3.1so both artifacts pull x/net >= 0.55.0.Test plan
Links
Summary by CodeRabbit