
[9.4](backport #4380) chore: upgrade trivy to v0.69.3 with GOEXPERIMENT=jsonv2#5907

Merged
olegsu merged 3 commits into
9.4from
mergify/bp/9.4/pr-4380
May 5, 2026

Conversation

@mergify mergify Bot commented May 5, 2026

This is an automatic backport of pull request #4380 done by Mergify.

## Summary

- Upgrades `github.com/aquasecurity/trivy` from `v0.66.0` to `v0.69.3`
- Adds `GOEXPERIMENT=jsonv2` to all build paths — required because trivy
v0.67+ imports Go's experimental `encoding/json/v2` packages which are
only available at compile time when this flag is set
- Removes transitive dependency on deprecated AWS SDK v1
(`github.com/aws/aws-sdk-go v1.55.8`) which was previously pulled in by
trivy v0.66.0
- Co-upgrades 22 transitive dependencies (trivy-checks, trivy-db, opa
v1.8→v1.11, helm v3.18→v3.19, k8s.io v0.33→v0.34, kustomize v0.19→v0.20,
and others)

## Why GOEXPERIMENT=jsonv2 is needed

Starting with trivy v0.67.0, trivy uses `encoding/json/v2` (Go's
experimental next-gen JSON library) via
`github.com/aquasecurity/trivy/pkg/x/json`. Without
`GOEXPERIMENT=jsonv2` set at **compile time**, any `go build` that
imports trivy fails with:
```
build constraints exclude all Go files in .../encoding/json/jsontext
```

Go 1.26.1 (already in use) satisfies the Go ≥ 1.25 requirement, but the
flag is still required as `encoding/json/v2` remains experimental.

## Files changed

| File | Change |
|------|--------|
| `go.mod` / `go.sum` | Bumped trivy + transitive deps |
| `magefile.go` | `args.Env["GOEXPERIMENT"] = "jsonv2"` in `Build()` and `GolangCrossBuild()` |
| `.buildkite/scripts/package.sh` | `export GOEXPERIMENT=jsonv2` after hermit activation |
| `.github/workflows/packaging.yml` | Added to top-level `env:` |
| `.github/workflows/ci-pull_request.yml` | New top-level `env:` block |
| `.github/workflows/binary-size-monitor.yml` | Added to `env:` |
| `.github/workflows/eks-ci.yml` | Added to `env:` |
| `.github/actions/docker-images/action.yml` | Added to `Build cloudbeat binary` step `env:` |
| `justfile` | Inline `GOEXPERIMENT=jsonv2` on `go build` in `build-binary` and `build-cloudbeat-debug` |

## Test plan

- [x] `GOEXPERIMENT=jsonv2 go build ./...` — clean
- [x] `GOEXPERIMENT=jsonv2 go vet ./...` — clean
- [x] `go mod verify` — all modules verified
- [x] `TestVulnerabilityWorker_Run` — PASS
- [x] Full `go test ./...` (will run in CI)
- [ ] Packaging CI (`packaging.yml`) validates cross-build path
- [ ] Watch first Buildkite DRA pipeline on merge to confirm
golang-crossbuild containers work

See `trivy-upgrade-report.md` for the full analysis including DRA
process breakdown.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
(cherry picked from commit cfd61d8)

# Conflicts:
#	go.mod
#	go.sum
@mergify mergify Bot requested a review from a team as a code owner May 5, 2026 20:45
@mergify mergify Bot assigned olegsu May 5, 2026
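The gating that the backport description explains, as an added example that is not part of the PR and not cloudbeat or trivy code: `GOEXPERIMENT=jsonv2` makes the go command set the build tag `goexperiment.jsonv2`, and Go's `encoding/json/v2` sources carry that constraint, so without the flag every file in the package is excluded and the build fails with the error quoted in the description. The program below reproduces that selection with `go/build`, the same constraint evaluator the go command uses, on two constructed files (one tagged `goexperiment.jsonv2`, one fallback) and shows the all-files-excluded failure mode when only the tagged file exists. The package name `jsonshim`, the file names and the function `Impl` are assumptions for the demonstration; the sorted output and temp-dir handling are mine.

```go
package main

import (
	"errors"
	"fmt"
	"go/build"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Constructed sources for the demonstration (not from cloudbeat or trivy).
// Go's encoding/json/v2 files carry a goexperiment.jsonv2 build constraint,
// which the toolchain only satisfies when GOEXPERIMENT=jsonv2 is set while
// compiling. These two files apply the same gating, with a fallback.
const srcJSONv2 = `//go:build goexperiment.jsonv2

package jsonshim

// A real shim would import "encoding/json/v2" here.
func Impl() string { return "encoding/json/v2" }
`

const srcJSONv1 = `//go:build !goexperiment.jsonv2

package jsonshim

func Impl() string { return "encoding/json" }
`

// Selection is the result of evaluating one directory's build constraints.
type Selection struct {
	Kept    []string // files the compiler would build
	Ignored []string // files excluded by their //go:build line
	// AllExcluded is set when no file survived; cmd/go reports that as
	// "build constraints exclude all Go files in <dir>".
	AllExcluded bool
}

func writeFiles(dir string, files map[string]string) error {
	for name, src := range files {
		if err := os.WriteFile(filepath.Join(dir, name), []byte(src), 0o644); err != nil {
			return err
		}
	}
	return nil
}

// WriteShim writes a package that builds with or without the experiment.
func WriteShim(dir string) error {
	return writeFiles(dir, map[string]string{"json_v2.go": srcJSONv2, "json_v1.go": srcJSONv1})
}

// WriteV2Only writes a package whose only file needs the experiment, which is
// the trivy >= v0.67 situation the PR describes.
func WriteV2Only(dir string) error {
	return writeFiles(dir, map[string]string{"json_v2.go": srcJSONv2})
}

// Select evaluates dir against toolTags, the tag set GOEXPERIMENT expands to
// (GOEXPERIMENT=jsonv2 becomes the tag goexperiment.jsonv2). It reproduces what
// "go build" would pick without running the compiler.
func Select(dir string, toolTags ...string) (Selection, error) {
	ctx := build.Default
	ctx.ToolTags = toolTags // replace the running toolchain's experiment tags
	pkg, err := ctx.ImportDir(dir, 0)
	var sel Selection
	if err != nil {
		var noGo *build.NoGoError
		if !errors.As(err, &noGo) {
			return sel, err
		}
		sel.AllExcluded = true // pkg is still returned with IgnoredGoFiles filled in
	}
	sel.Kept = append([]string(nil), pkg.GoFiles...)
	sel.Ignored = append([]string(nil), pkg.IgnoredGoFiles...)
	sort.Strings(sel.Kept)
	sort.Strings(sel.Ignored)
	return sel, nil
}

// ActiveExperiments lists the experiments enabled for this process: GOEXPERIMENT
// from the environment on top of the release defaults. "jsonv2" has to be in this
// list for an import of encoding/json/v2 to compile.
func ActiveExperiments() []string {
	var names []string
	for _, tag := range build.Default.ToolTags {
		if strings.HasPrefix(tag, "goexperiment.") {
			names = append(names, strings.TrimPrefix(tag, "goexperiment."))
		}
	}
	sort.Strings(names)
	return names
}

func main() {
	dir, err := os.MkdirTemp("", "jsonv2gate")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)
	if err := WriteV2Only(dir); err != nil {
		fmt.Println(err)
		return
	}
	for _, tags := range [][]string{nil, {"goexperiment.jsonv2"}} {
		sel, err := Select(dir, tags...)
		fmt.Printf("tags=%v kept=%v ignored=%v allExcluded=%v err=%v\n",
			tags, sel.Kept, sel.Ignored, sel.AllExcluded, err)
	}
	fmt.Println("experiments active in this process:", ActiveExperiments())
}
```

A library can ship the file pair above and compile either way; a binary that links trivy v0.67 or later has no fallback and must set the flag on every build path, which is why the PR touches each workflow, the magefile, the Buildkite script and the justfile rather than one place. When checking a CI job, `go env GOEXPERIMENT` prints what the go command will honour for that invocation.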
mergify Bot commented May 5, 2026

Cherry-pick of cfd61d8 has failed:

On branch mergify/bp/9.4/pr-4380
Your branch is up to date with 'origin/9.4'.

You are currently cherry-picking commit cfd61d8f.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   .buildkite/scripts/package.sh
	modified:   .github/actions/docker-images/action.yml
	modified:   .github/workflows/binary-size-monitor.yml
	modified:   .github/workflows/ci-pull_request.yml
	modified:   .github/workflows/eks-ci.yml
	modified:   .github/workflows/packaging.yml
	modified:   justfile
	modified:   magefile.go

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   go.mod
	both modified:   go.sum

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

Cherry-pick of #4380 onto 9.4 left unresolved conflict markers in
go.mod and go.sum. Resolution strategy:
- trivy v0.69.3, trivy-db, trivy-checks: cherry-pick side (upgrade goal)
- aws-sdk-go-v2 and AWS service modules: HEAD side (9.4 Renovate bumps)
- toqueteos/webbrowser, transparency-dev/formats: cherry-pick (new trivy deps)
- golang.org/x/exp: HEAD (newer timestamp from 9.4 Renovate)
- go.sum: union of both sides

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Union merge of go.sum conflict blocks left 10 stale entries that
mage check detects via make update. go mod tidy removes them.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
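The go.sum part of the resolution described in the conflict note, keeping the union of both sides, as an added example that is not the PR's own tooling: go.sum is a set of hashes, so taking every line from both sides of a conflict is always safe (an extra entry is harmless until `go mod tidy` drops it, a missing one breaks `go build` with a missing-entry error), whereas go.mod cannot be unioned because two `require` lines for the same module must be reduced to one, which is the per-module choice the note makes. The go.sum fragment below is constructed: only the module paths follow the note, the versions and `h1:` hashes are made up, and the function names are mine.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed go.sum fragment with one unresolved cherry-pick conflict. Only the
// module paths follow the conflict note; versions and h1: hashes are made up.
const conflictedGoSum = `github.com/aquasecurity/trivy v0.66.0 h1:oldtrivy00000000000000000000000000000000000=
github.com/aquasecurity/trivy v0.66.0/go.mod h1:oldtrivymod0000000000000000000000000000000=
<<<<<<< HEAD
github.com/aws/aws-sdk-go-v2 v1.2.0 h1:headaws000000000000000000000000000000000000=
github.com/aws/aws-sdk-go-v2 v1.2.0/go.mod h1:headawsmod0000000000000000000000000000000=
=======
github.com/aquasecurity/trivy v0.69.3 h1:newtrivy00000000000000000000000000000000000=
github.com/aquasecurity/trivy v0.69.3/go.mod h1:newtrivymod0000000000000000000000000000000=
github.com/aws/aws-sdk-go-v2 v1.1.0 h1:cpaws0000000000000000000000000000000000000=
github.com/aws/aws-sdk-go-v2 v1.1.0/go.mod h1:cpawsmod00000000000000000000000000000000000=
>>>>>>> cfd61d8 (chore: upgrade trivy to v0.69.3 with GOEXPERIMENT=jsonv2)
golang.org/x/exp v0.0.0-20250101000000-000000000000 h1:xexp00000000000000000000000000000000000000=
`

// UnionGoSum resolves every conflict block in go.sum content by keeping the
// lines of both sides. Lines outside conflicts are kept as they are, duplicates
// are dropped and the result is sorted. Malformed or unterminated markers are
// reported rather than silently passed through into the file.
func UnionGoSum(content string) ([]string, error) {
	const (
		outside = iota
		ours    // between "<<<<<<<" and "======="
		theirs  // between "=======" and ">>>>>>>"
	)
	seen := map[string]bool{}
	var out []string
	state := outside
	for n, line := range strings.Split(content, "\n") {
		switch {
		case strings.HasPrefix(line, "<<<<<<< "):
			if state != outside {
				return nil, fmt.Errorf("line %d: nested conflict start", n+1)
			}
			state = ours
		case line == "=======":
			if state != ours {
				return nil, fmt.Errorf("line %d: unexpected conflict separator", n+1)
			}
			state = theirs
		case strings.HasPrefix(line, ">>>>>>> "):
			if state != theirs {
				return nil, fmt.Errorf("line %d: unexpected conflict end", n+1)
			}
			state = outside
		default:
			// Union: a content line survives whichever side it came from.
			if line != "" && !seen[line] {
				seen[line] = true
				out = append(out, line)
			}
		}
	}
	if state != outside {
		return nil, fmt.Errorf("unterminated conflict block")
	}
	sort.Strings(out)
	return out, nil
}

// VersionsOf lists the distinct versions recorded for one module path. After a
// union merge the superseded version is still present; those are the stale
// entries the commit message mentions and what go mod tidy removes.
func VersionsOf(lines []string, modulePath string) []string {
	seen := map[string]bool{}
	var versions []string
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) != 3 || f[0] != modulePath {
			continue
		}
		v := strings.TrimSuffix(f[1], "/go.mod")
		if !seen[v] {
			seen[v] = true
			versions = append(versions, v)
		}
	}
	sort.Strings(versions)
	return versions
}

func main() {
	lines, err := UnionGoSum(conflictedGoSum)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(strings.Join(lines, "\n"))
	fmt.Println("trivy versions retained:", VersionsOf(lines, "github.com/aquasecurity/trivy"))
}
```

After writing the union back, `go mod tidy` prunes the entries the build list no longer needs and `go mod verify` (in the PR's test plan) confirms that every module in the cache still matches the retained hashes; the union step alone never changes which code is built, since go.mod decides that.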
@olegsu olegsu added this pull request to the merge queue May 5, 2026
Merged via the queue into 9.4 with commit 2130e8d May 5, 2026
11 checks passed
@olegsu olegsu deleted the mergify/bp/9.4/pr-4380 branch May 5, 2026 22:36