fix(deps): bump toolchain to go1.24.9 for CVEs found by govulncheck

[jakedoublev]

DSPX-1861

go env
Run go install golang.org/x/vuln/cmd/govulncheck@latest
Run govulncheck -C lib/ocrypto -format text ./...
=== Symbol Results ===

Vulnerability #1: GO-2025-4011
    Parsing DER payload can cause memory exhaustion in encoding/asn1
  More info: https://pkg.go.dev/vuln/GO-2025-4011
  Standard library
    Found in: encoding/[email protected]
    Fixed in: encoding/[email protected]
    Example traces found:
Error:       #1: ec_key_pair.go:471:37: ocrypto.GetECKeySize calls x509.ParsePKIXPublicKey, which calls asn1.Unmarshal

Vulnerability #2: GO-2025-4010
    Insufficient validation of bracketed IPv6 hostnames in net/url
  More info: https://pkg.go.dev/vuln/GO-2025-4010
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Example traces found:
Error:       #1: ec_key_pair.go:318:37: ocrypto.ECPubKeyFromPem calls x509.ParseCertificate, which eventually calls url.Parse

Vulnerability #3: GO-2025-4009
    Quadratic complexity when parsing some invalid inputs in encoding/pem
  More info: https://pkg.go.dev/vuln/GO-2025-4009
  Standard library
    Found in: encoding/[email protected]
    Fixed in: encoding/[email protected]
    Example traces found:
Error:       #1: ec_key_pair.go:466:24: ocrypto.GetECKeySize calls pem.Decode

Vulnerability #4: GO-2025-4007
    Quadratic complexity when checking name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4007
  Standard library
    Found in: crypto/[email protected]
    Fixed in: crypto/[email protected]
    Example traces found:
Error:       #1: ec_key_pair.go:433:53: ocrypto.ECPrivateKeyInPemFormat calls x509.MarshalPKCS8PrivateKey
Error:       #2: ec_key_pair.go:449:39: ocrypto.ECPublicKeyInPemFormat calls x509.MarshalPKIXPublicKey
Error:       #3: ec_key_pair.go:318:37: ocrypto.ECPubKeyFromPem calls x509.ParseCertificate
Error:       #4: asym_decryption.go:57:37: ocrypto.FromPrivatePEMWithSalt calls x509.ParseECPrivateKey
Error:       #5: asym_decryption.go:52:40: ocrypto.FromPrivatePEMWithSalt calls x509.ParsePKCS1PrivateKey
Error:       #6: ec_key_pair.go:352:40: ocrypto.ECPrivateKeyFromPem calls x509.ParsePKCS8PrivateKey
Error:       #7: ec_key_pair.go:471:37: ocrypto.GetECKeySize calls x509.ParsePKIXPublicKey

Your code is affected by 4 vulnerabilities from the Go standard library.
This scan also found 1 vulnerability in packages you import and 5
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

[gemini-code-assist]

Summary of Changes

Hello @jakedoublev, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on a critical maintenance update by upgrading the Go toolchain version to go1.24.9 across various modules within the repository. This change is essential for mitigating known security vulnerabilities detected by govulncheck, ensuring the project remains secure and up-to-date with the latest Go security patches.

Highlights

• Toolchain Update: The Go toolchain has been bumped from version go1.24.6 to go1.24.9 across all relevant modules.
• Security Fixes: This update specifically addresses Common Vulnerabilities and Exposures (CVEs) that were identified by the govulncheck tool, enhancing the project's security.

Ignored Files

• Ignored by pattern: protocol/**/* (1)
  • protocol/go/go.mod

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

---

Go version bumps high, CVEs now fade away, Code is safe and sound.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the Go toolchain to go1.24.9 to address security vulnerabilities. The change is applied consistently across the go.work file and all modified go.mod files. This is a necessary and correct update to ensure the project's security. The changes look good.

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	180.634373ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	92.240285ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	365.938428ms
Throughput	273.27 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	39.050312771s
Average Latency	388.985204ms
Throughput	128.04 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	27.213467377s
Average Latency	270.991047ms
Throughput	183.73 requests/second

[github-actions]

X-Test Results

opentdfplatform00GEDW.dockerbuild
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
cukes-report
bats-test-results
test-cases-mapping-report
✅ js-pull-2849
✅ java-pull-2849
✅ go-pull-2849

[jp-ayyappan]

Approving because @strantalis approves.

[opentdf-automation]

Successfully created backport PR for release/service/v0.11:

• fix(deps): bump toolchain to go1.24.9 for CVEs found by govulncheck [backport to release/service/v0.11] #2850

[c-r33d]

/backport

[opentdf-automation]

Backport failed for release/service/v0.11, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release/service/v0.11
git worktree add -d .worktree/backport-2849-to-release/service/v0.11 origin/release/service/v0.11
cd .worktree/backport-2849-to-release/service/v0.11
git switch --create backport-2849-to-release/service/v0.11
git cherry-pick -x 23f76c034cfb4c325d868eb96c95ba616e362db4

[opentdf-automation]

Successfully created backport PR for release/lib/ocrypto/v0.7:

• fix(deps): bump toolchain to go1.24.9 for CVEs found by govulncheck [backport to release/lib/ocrypto/v0.7] #2871

[opentdf-automation]

Successfully created backport PR for release/sdk/v0.10:

• fix(deps): bump toolchain to go1.24.9 for CVEs found by govulncheck [backport to release/sdk/v0.10] #2872