From d6098255e915fb13fb31e03268cd08023dbcb6d3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Dec 2025 10:19:50 +0000 Subject: [PATCH 1/4] chore(deps): bump github.com/jackc/pgx/v5 from 5.7.5 to 5.8.0 Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.7.5 to 5.8.0. - [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md) - [Commits](https://github.com/jackc/pgx/compare/v5.7.5...v5.8.0) --- updated-dependencies: - dependency-name: github.com/jackc/pgx/v5 dependency-version: 5.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 10 +++++----- go.sum | 16 ++++++++-------- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/go.mod b/go.mod index f7574dc..ebebaac 100644 --- a/go.mod +++ b/go.mod @@ -1,12 +1,12 @@ module github.com/spandigital/cel2sql/v3 -go 1.24 +go 1.24.0 require ( github.com/google/cel-go v0.26.0 - github.com/jackc/pgx/v5 v5.7.5 + github.com/jackc/pgx/v5 v5.8.0 github.com/lib/pq v1.10.9 - github.com/stretchr/testify v1.10.0 + github.com/stretchr/testify v1.11.1 github.com/testcontainers/testcontainers-go v0.38.0 github.com/testcontainers/testcontainers-go/modules/postgres v0.38.0 google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 @@ -70,9 +70,9 @@ require ( go.opentelemetry.io/otel/trace v1.35.0 // indirect golang.org/x/crypto v0.37.0 // indirect golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect - golang.org/x/sync v0.15.0 // indirect + golang.org/x/sync v0.17.0 // indirect golang.org/x/sys v0.32.0 // indirect - golang.org/x/text v0.26.0 // indirect + golang.org/x/text v0.29.0 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect google.golang.org/grpc v1.73.0 // indirect google.golang.org/protobuf v1.36.6 // indirect diff --git a/go.sum b/go.sum index c19e1d5..006050a 100644 
--- a/go.sum +++ b/go.sum @@ -61,8 +61,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg= github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo= github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= -github.com/jackc/pgx/v5 v5.7.5 h1:JHGfMnQY+IEtGM63d+NGMjoRpysB2JBwDr5fsngwmJs= -github.com/jackc/pgx/v5 v5.7.5/go.mod h1:aruU7o91Tc2q2cFp5h4uP3f6ztExVpyVv88Xl/8Vl8M= +github.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo= +github.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw= github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo= github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= 
@@ -123,8 +123,8 @@ github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= -github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= +github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= github.com/testcontainers/testcontainers-go v0.38.0 h1:d7uEapLcv2P8AvH8ahLqDMMxda2W9gQN1nRbHS28HBw= github.com/testcontainers/testcontainers-go v0.38.0/go.mod h1:C52c9MoHpWO+C4aqmgSU+hxlR5jlEayWtgYrb8Pzz1w= github.com/testcontainers/testcontainers-go/modules/postgres v0.38.0 h1:KFdx9A0yF94K70T6ibSuvgkQQeX1xKlZVF3hEagXEtY= 
@@ -173,8 +173,8 @@ golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8= -golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug= +golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -190,8 +190,8 @@ golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o= golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M= -golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA= +golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk= +golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4= golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44= golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= From 456233bc97694099b0f984f8f6b78a33a4397083 Mon Sep 17 00:00:00 2001 From: Richard Wooding Date: Thu, 8 Jan 2026 11:25:04 +0200 Subject: [PATCH 2/4] fix: correct OSV Scanner command syntax MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The --lockfile parameter doesn't exist in OSV Scanner's API. Changed to use the correct 'scan source -r' subcommand which will properly scan the directory for go.mod and other package files. This fixes the security scan failures in CI/CD that have been masked by continue-on-error: true since July 2025. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 --- .github/workflows/security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index aa85911..acbaaf4 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
@@ -52,7 +52,7 @@ jobs: run: go install github.com/google/osv-scanner/cmd/osv-scanner@latest - name: Run OSV Scanner - run: osv-scanner --lockfile=go.mod . + run: osv-scanner scan source -r . gosec: name: Go Security Analysis From 4828e1a1b7158890e55843c3cabd683184706d86 Mon Sep 17 00:00:00 2001 From: Richard Wooding Date: Thu, 8 Jan 2026 11:35:09 +0200 Subject: [PATCH 3/4] fix: use full path for all security scanning tools MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The security scanning tools (govulncheck, osv-scanner, gosec) were failing with exit code 127 (command not found) because binaries installed via 'go install' are placed in $(go env GOPATH)/bin, which is not automatically added to PATH in GitHub Actions. Changes: - govulncheck: Added full path $(go env GOPATH)/bin/govulncheck - osv-scanner: Added full path $(go env GOPATH)/bin/osv-scanner - gosec: Added full path $(go env GOPATH)/bin/gosec This fixes the security scan failures that have been occurring since July 2025 when these tools were added to the workflow. References: - https://github.com/google/osv-scanner/issues/620 - Exit code 127 indicates "command not found" in Unix/Linux 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 --- .github/workflows/security.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index acbaaf4..51d126d 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -31,7 +31,7 @@ jobs: run: go install golang.org/x/vuln/cmd/govulncheck@latest - name: Run govulncheck - run: govulncheck ./... + run: $(go env GOPATH)/bin/govulncheck ./... osv-scanner: name: OSV Security Scan 
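Review bot: The `Run OSV Scanner` step gets a new command here, but the commit message says its failures were hidden by `continue-on-error: true` since July 2025, and nothing in this hunk changes that setting. The setting sits outside the visible lines, so this is inferred from the description; if it stays in place, the next change in the scanner's CLI will again give a green run with no scan behind it. Once the command is confirmed working, remove `continue-on-error: true` from this step or job, or add a comment such as `# scan must fail the job; do not add continue-on-error` next to the `run:` line.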
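Review bot: In `run: $(go env GOPATH)/bin/govulncheck ./...` the command substitution is unquoted, and the same path expression is repeated in the `Run OSV Scanner` and `Run gosec Security Scanner` hunks of this commit. `go install` writes to `GOBIN` when that is set, and `GOPATH` may list more than one directory, so the hard-coded `GOPATH/bin` prefix can point at the wrong place on a runner configured differently. Registering the directory once after the install step, `run: echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"`, lets all three `run:` lines keep the bare tool names; at minimum quote the expansion, `run: "$(go env GOPATH)/bin/govulncheck" ./...`. The job definition continues outside this hunk.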
@@ -52,7 +52,7 @@ jobs: run: go install github.com/google/osv-scanner/cmd/osv-scanner@latest - name: Run OSV Scanner - run: osv-scanner scan source -r . + run: $(go env GOPATH)/bin/osv-scanner scan source -r . gosec: name: Go Security Analysis @@ -73,7 +73,7 @@ jobs: run: go install github.com/securego/gosec/v2/cmd/gosec@latest - name: Run gosec Security Scanner - run: gosec -fmt sarif -out results.sarif ./... + run: $(go env GOPATH)/bin/gosec -fmt sarif -out results.sarif ./... - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v3 From eb9ae048dad31e50ff80f9caff761321bf112467 Mon Sep 17 00:00:00 2001 From: Richard Wooding Date: Thu, 8 Jan 2026 11:42:17 +0200 Subject: [PATCH 4/4] fix: remove incorrect 'source' argument from osv-scanner command MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The osv-scanner was failing with "lstat source: no such file or directory" because it was interpreting "source" as a directory name to scan. The correct syntax is: osv-scanner scan -r . NOT: osv-scanner scan source -r . The word "source" is not part of the osv-scanner CLI syntax for direct invocation. It only appears in pre-commit hook configurations with the --recursive flag. This fix completes the resolution of the security scanning issues: - govulncheck: ✅ Working (PATH fix) - gosec: ✅ Working (PATH fix) - osv-scanner: ✅ Should now work (PATH + syntax fix) References: - https://google.github.io/osv-scanner/usage/ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 --- .github/workflows/security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 51d126d..5b411b4 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
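Review bot: In the gosec hunk, `run: $(go env GOPATH)/bin/gosec -fmt sarif -out results.sarif ./...` exits non-zero when gosec reports findings, and the `Upload SARIF file` step that follows is then skipped unless it carries `if: always()`, which is not visible in this hunk. If that condition is absent, results reach code scanning only on runs that have nothing to report. Either add `-no-fail` to the gosec command and let the uploaded SARIF drive the alerts, or put `if: always()` on the upload step; the step's remaining keys lie outside the hunk.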
@@ -52,7 +52,7 @@ jobs: run: go install github.com/google/osv-scanner/cmd/osv-scanner@latest - name: Run OSV Scanner - run: $(go env GOPATH)/bin/osv-scanner scan source -r . + run: $(go env GOPATH)/bin/osv-scanner scan -r . gosec: name: Go Security Analysis
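Review bot: The context line `run: go install github.com/google/osv-scanner/cmd/osv-scanner@latest` leaves the scanner unpinned, so the command on the changed line can go stale again; two commits in this series already chase CLI syntax for a tool whose version is never stated. Because the module path has no major-version suffix, Go resolves `@latest` to the newest v1.x release, while the usage page cited in the description may document a later major version; that mismatch would explain `source` being read as a directory. Pin the install to an explicit release, `run: go install github.com/google/osv-scanner/cmd/osv-scanner@<PINNED_VERSION>`, and keep the `scan -r .` syntax matched to it; the `govulncheck@latest` and `gosec@latest` installs in the earlier hunks have the same exposure. Pinning also means a CI run executes a reviewed scanner build rather than whatever was published most recently.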