stackrox · davdhacs · Mar 25, 2026 · Mar 24, 2026 · Mar 26, 2026 · Mar 24, 2026
diff --git a/Makefile b/Makefile
@@ -342,9 +342,15 @@ config-controller-gen:
 .PHONY: generated-srcs
 generated-srcs: go-generated-srcs config-controller-gen
 
+ifdef SKIP_DEPS
+deps:
+	@echo "+ $@ (skipped via SKIP_DEPS)"
+	$(SILENT)touch deps
+else
 deps: $(shell find $(BASE_DIR) -name "go.sum")
 	@echo "+ $@"
 	$(SILENT)touch deps
+endif
 
 %/go.sum: %/go.mod
 	$(SILENT)cd $*
@@ -554,11 +560,17 @@ sensor-pipeline-benchmark: build-prep test-prep
 	LOGLEVEL="panic" go test -bench=. -run=^# -benchtime=30s -count=5 ./sensor/tests/pipeline | tee $(CURDIR)/test-output/pipeline.results.txt
 
 .PHONY: go-postgres-unit-tests
-go-postgres-unit-tests: build-prep test-prep
+go-postgres-unit-tests: go-postgres-unit-tests-main go-postgres-unit-tests-migrator
+
+.PHONY: go-postgres-unit-tests-main
+go-postgres-unit-tests-main: build-prep test-prep
 	set -o pipefail ; \
 	CGO_ENABLED=1 GOEXPERIMENT=cgocheck2 MUTEX_WATCHDOG_TIMEOUT_SECS=30 GOTAGS=$(GOTAGS),test,sql_integration scripts/go-test.sh -timeout 15m  -race -cover -coverprofile test-output/coverage.out -v \
 		$(shell git grep -rl "//go:build sql_integration" central pkg tools | sed -e 's@^@./@g' | xargs -n 1 dirname | sort | uniq | xargs go list -tags sql_integration | grep -v '^github.com/stackrox/rox/tests$$' | grep -Ev $(UNIT_TEST_IGNORE)) \
 		| tee $(GO_TEST_OUTPUT_PATH)
+
+.PHONY: go-postgres-unit-tests-migrator
+go-postgres-unit-tests-migrator: build-prep test-prep
 	@# The -p 1 passed to go test is required to ensure that tests of different packages are not run in parallel, so as to avoid conflicts when interacting with the DB.
 	set -o pipefail ; \
 	CGO_ENABLED=1 GOEXPERIMENT=cgocheck2 MUTEX_WATCHDOG_TIMEOUT_SECS=30 GOTAGS=$(GOTAGS),test,sql_integration scripts/go-test.sh -p 1 -race -cover -coverprofile test-output/migrator-coverage.out -v \
@@ -602,7 +614,7 @@ test: go-unit-tests ui-test shell-unit-tests
 .PHONY: integration-unit-tests
 integration-unit-tests: build-prep test-prep
 	set -o pipefail ; \
-	GOTAGS=$(GOTAGS),test,integration scripts/go-test.sh -count=1 -v \
+	GOTAGS=$(GOTAGS),test,integration scripts/go-test.sh -v \
 		$(shell go list ./... | grep  "registries\|scanners\|notifiers") \
 		| tee $(GO_TEST_OUTPUT_PATH)
 

diff --git a/pkg/containers/detection_test.go b/pkg/containers/detection_test.go
diff --git a/pkg/logging/rate_limited_logger.go b/pkg/logging/rate_limited_logger.go
@@ -163,10 +163,11 @@ const (
 	localFilePathPrefix = "github.com/stackrox/stackrox/"
 	filePathPrefix      = "github.com/stackrox/rox/"
 	githubPathPrefix    = "/__w/stackrox/stackrox/"
+	githubHostPrefix    = "/home/runner/work/stackrox/stackrox/"
 )
 
 func getTrimmedFilePath(path string) string {
-	prefixes := []string{filePathPrefix, localFilePathPrefix, githubPathPrefix}
+	prefixes := []string{filePathPrefix, localFilePathPrefix, githubPathPrefix, githubHostPrefix}
 	for _, prefix := range prefixes {
 		prefixToCut := strings.Index(path, prefix)
 		if prefixToCut >= 0 {

@@ -3,6 +3,7 @@ package zipdownload
 import (
 	"archive/zip"
 	"bytes"
+	"errors"
 	"io/fs"
 	"os"
 	"path/filepath"
@@ -208,7 +209,9 @@ func TestExtractZipToFolder_PreventPathTraversal(t *testing.T) {
 
 	for _, path := range checkPaths {
 		_, err := os.Stat(path)
-		// Expect "no such file or directory" - meaning the file wasn't created
-		assert.ErrorIs(t, err, fs.ErrNotExist, "Malicious file should not exist at %s", path)
+		// File must not exist. On non-root runners, paths under /root/ return
+		// ErrPermission instead of ErrNotExist — both confirm the file wasn't written.
+		assert.True(t, errors.Is(err, fs.ErrNotExist) || errors.Is(err, fs.ErrPermission),
+			"Malicious file should not exist at %s, got: %v", path, err)
 	}
 }
diff --git a/scripts/ci/lib.sh b/scripts/ci/lib.sh
@@ -2322,12 +2322,16 @@ _EO_SUITE_HEADER_
         local result="${lines[1]}"
         local details="${lines[2]}"
 
-        # XML escape description
-        description="${description//&/&amp;}"
-        description="${description//\"/&quot;}"
-        description="${description//\'/&#39;}"
-        description="${description//</&lt;}"
-        description="${description//>/&gt;}"
+        # XML escape description.
+        # \& is required: bash 5.2+ treats & in ${var//pat/repl} as the
+        # matched text (like sed), so without \& the & is replaced by the
+        # match itself. \& works on all bash versions (4.4–5.3 verified).
+        # CI container had bash 5.1 (UBI9); ubuntu-latest has bash 5.2+.
+        description="${description//&/\&amp;}"
+        description="${description//\"/\&quot;}"
+        description="${description//\'/\&#39;}"
+        description="${description//</\&lt;}"
+        description="${description//>/\&gt;}"
 
         cat << _EO_CASE_HEADER_ >> "${junit_file}"
         <testcase name="${description}" classname="${class}">

diff --git a/scripts/go-tool.sh b/scripts/go-tool.sh
@@ -12,43 +12,56 @@ die() {
 }
 
 RACE="${RACE:-false}"
-
-x_defs=()
-x_def_errors=()
-
-while read -r line || [[ -n "$line" ]]; do
-	if [[ "$line" =~ ^[[:space:]]*$ ]]; then
-		continue
-	elif [[ "$line" =~ ^([^[:space:]]+)[[:space:]]+(.*)[[:space:]]*$ ]]; then
-		var="${BASH_REMATCH[1]}"
-		def="${BASH_REMATCH[2]}"
-		eval "status_${var}=$(printf '%q' "$def")"
-	else
-		die "Malformed status.sh output line ${line}"
-	fi
-done < <(cd "${SCRIPT_DIR}/.."; ./status.sh)
-
-while read -r line || [[ -n "$line" ]]; do
-	if [[ "$line" =~ ^[[:space:]]*$ ]]; then
-		continue
-	elif [[ "$line" =~ ^([^:]+):([[:digit:]]+):[[:space:]]*(var[[:space:]]+)?([^[:space:]]+)[[:space:]].*//XDef:([^[:space:]]+)[[:space:]]*$ ]]; then
-		go_file="${BASH_REMATCH[1]}"
-		go_line="${BASH_REMATCH[2]}"
-		go_var="${BASH_REMATCH[4]}"
-		status_var="${BASH_REMATCH[5]}"
-
-		varname="status_${status_var}"
-		[[ -n "${!varname}" ]] || x_def_errors+=(
-			"Variable ${go_var} defined in ${go_file}:${go_line} references status var ${status_var} that is not part of the status.sh output"
-		)
-		go_package="$(cd "${SCRIPT_DIR}/.."; go list -e "./$(dirname "$go_file")")"
-
-		x_defs+=(-X "\"${go_package}.${go_var}=${!varname}\"")
+REPO_ROOT="${SCRIPT_DIR}/.."
+
+if [[ "$TOOL" == "test" ]]; then
+	# Use fixed version strings for tests. Stable ldflags = stable link ActionIDs
+	# = Go test cache hits across commits. Tests don't need real version info.
+	VERSION_PKG="github.com/stackrox/rox/pkg/version/internal"
+	x_defs=(
+		-X "\"${VERSION_PKG}.MainVersion=0.0.0-test\""
+		-X "\"${VERSION_PKG}.CollectorVersion=0.0.0\""
+		-X "\"${VERSION_PKG}.ScannerVersion=0.0.0\""
+		-X "\"${VERSION_PKG}.FactVersion=0.0.0\""
+	)
+else
+	x_defs=()
+	x_def_errors=()
+
+	while read -r line || [[ -n "$line" ]]; do
+		if [[ "$line" =~ ^[[:space:]]*$ ]]; then
+			continue
+		elif [[ "$line" =~ ^([^[:space:]]+)[[:space:]]+(.*)[[:space:]]*$ ]]; then
+			var="${BASH_REMATCH[1]}"
+			def="${BASH_REMATCH[2]}"
+			eval "status_${var}=$(printf '%q' "$def")"
+		else
+			die "Malformed status.sh output line ${line}"
+		fi
+	done < <(cd "${REPO_ROOT}"; ./status.sh)
+
+	while read -r line || [[ -n "$line" ]]; do
+		if [[ "$line" =~ ^[[:space:]]*$ ]]; then
+			continue
+		elif [[ "$line" =~ ^([^:]+):([[:digit:]]+):[[:space:]]*(var[[:space:]]+)?([^[:space:]]+)[[:space:]].*//XDef:([^[:space:]]+)[[:space:]]*$ ]]; then
+			go_file="${BASH_REMATCH[1]}"
+			go_line="${BASH_REMATCH[2]}"
+			go_var="${BASH_REMATCH[4]}"
+			status_var="${BASH_REMATCH[5]}"
+
+			varname="status_${status_var}"
+			[[ -n "${!varname}" ]] || x_def_errors+=(
+				"Variable ${go_var} defined in ${go_file}:${go_line} references status var ${status_var} that is not part of the status.sh output"
+			)
+			go_package="$(cd "${REPO_ROOT}"; go list -e "./$(dirname "$go_file")")"
+
+			x_defs+=(-X "\"${go_package}.${go_var}=${!varname}\"")
+		fi
+	done < <(git -C "${REPO_ROOT}" grep -n '//XDef:' -- '*.go')
+	if [[ "${#x_def_errors[@]}" -gt 0 ]]; then
+		printf >&2 "%s\n" "${x_def_errors[@]}"
+		exit 1
 	fi
-done < <(git -C "${SCRIPT_DIR}/.." grep -n '//XDef:' -- '*.go')
-if [[ "${#x_def_errors[@]}" -gt 0 ]]; then
-	printf >&2 "%s\n" "${x_def_errors[@]}"
-	exit 1
 fi
 
 ldflags=("${x_defs[@]}")

@@ -9,6 +9,14 @@ fi
 load "${bats_helpers_root}/bats-support/load.bash"
 load "${bats_helpers_root}/bats-assert/load.bash"
 
+# yq_multidoc runs yq and strips --- document separators from output.
+# yq 4.x adds separators between multi-doc results which shift assert_line indices.
+yq_multidoc() {
+  local output
+  output=$(yq "$@") || return $?
+  sed '/^---$/d' <<< "$output"
+}
+
 # luname outputs uname in lowercase
 luname() {
   uname | tr '[:upper:]' '[:lower:]'

@@ -60,7 +60,7 @@ teardown() {
     assert_line '2'
 
     # Ensure that all yaml docs are of kind 'NetworkPolicy'
-    run yq e '.kind | ({"match": ., "doc": di})' "${ofile}"
+    run yq_multidoc e '.kind | ({"match": ., "doc": di})' "${ofile}"
     assert_line --index 0 'match: NetworkPolicy'
     assert_line --index 1 'doc: 0'
     assert_line --index 2 'match: NetworkPolicy'
@@ -69,7 +69,7 @@ teardown() {
     assert_line --index 5 'doc: 2'
 
     # Ensure that all NetworkPolicies have the generated-by-stackrox label
-    run yq e '.metadata.labels | ({"match": ."network-policy-buildtime-generator.stackrox.io/generated", "doc": di})' "${ofile}"
+    run yq_multidoc e '.metadata.labels | ({"match": ."network-policy-buildtime-generator.stackrox.io/generated", "doc": di})' "${ofile}"
     assert_line --index 0 'match: "true"'
     assert_line --index 1 'doc: 0'
     assert_line --index 2 'match: "true"'
@@ -99,7 +99,7 @@ teardown() {
     assert_line '2'
 
     # Ensure that all yaml docs are of kind 'NetworkPolicy'
-    run yq e '.kind | ({"match": ., "doc": di})' "${ofile}"
+    run yq_multidoc e '.kind | ({"match": ., "doc": di})' "${ofile}"
     assert_line --index 0 'match: NetworkPolicy'
     assert_line --index 1 'doc: 0'
     assert_line --index 2 'match: NetworkPolicy'
@@ -108,7 +108,7 @@ teardown() {
     assert_line --index 5 'doc: 2'
 
     # Ensure that dns ports are properly set
-    run yq e '.spec.egress[1].ports[0].port | ({"match": ., "doc": di})' "${ofile}"
+    run yq_multidoc e '.spec.egress[1].ports[0].port | ({"match": ., "doc": di})' "${ofile}"
     assert_line --index 0 'match: null'
     assert_line --index 1 'doc: 0'
     assert_line --index 2 'match: '${dns_port}
@@ -131,7 +131,7 @@ teardown() {
     yaml_valid "$ofile"
 
     # Ensure that dns ports are properly set
-    run yq e '.spec.egress[1].ports[0].port | ({"match": ., "doc": di})' "${ofile}"
+    run yq_multidoc e '.spec.egress[1].ports[0].port | ({"match": ., "doc": di})' "${ofile}"
     assert_line --index 0 'match: null'
     assert_line --index 1 'doc: 0'
     assert_line --index 2 'match: '${dns_port}

@@ -61,43 +61,22 @@ teardown() {
     assert_line '2'
 
     # Ensure that all yaml docs are of kind 'NetworkPolicy'
-    run yq e '.kind | ({"match": ., "doc": di})' "${ofile}"
-    # Github actions run yq v3
+    run yq_multidoc e '.kind | ({"match": ., "doc": di})' "${ofile}"
     assert_line --index 0 'match: NetworkPolicy'
     assert_line --index 1 'doc: 0'
     assert_line --index 2 'match: NetworkPolicy'
     assert_line --index 3 'doc: 1'
     assert_line --index 4 'match: NetworkPolicy'
     assert_line --index 5 'doc: 2'
 
-    # yq v4 assertions
-    #    assert_line --index 0 'match: NetworkPolicy'
-    #    assert_line --index 1 'doc: 0'
-    #    assert_line --index 2 '---'
-    #    assert_line --index 3 'match: NetworkPolicy'
-    #    assert_line --index 4 'doc: 1'
-    #    assert_line --index 5 '---'
-    #    assert_line --index 6 'match: NetworkPolicy'
-    #    assert_line --index 7 'doc: 2'
-
     # Ensure that all NetworkPolicies have the generated-by-stackrox label
-    run yq e '.metadata.labels | ({"match": ."network-policy-buildtime-generator.stackrox.io/generated", "doc": di})' "${ofile}"
+    run yq_multidoc e '.metadata.labels | ({"match": ."network-policy-buildtime-generator.stackrox.io/generated", "doc": di})' "${ofile}"
     assert_line --index 0 'match: "true"'
     assert_line --index 1 'doc: 0'
     assert_line --index 2 'match: "true"'
     assert_line --index 3 'doc: 1'
     assert_line --index 4 'match: "true"'
     assert_line --index 5 'doc: 2'
-
-    # yq v4 assertions
-    #    assert_line --index 0 'match: "true"'
-    #    assert_line --index 1 'doc: 0'
-    #    assert_line --index 2 '---'
-    #    assert_line --index 3 'match: "true"'
-    #    assert_line --index 4 'doc: 1'
-    #    assert_line --index 5 '---'
-    #    assert_line --index 6 'match: "true"'
-    #    assert_line --index 7 'doc: 2'
 }
 
 @test "roxctl-release netpol generate generates network policies with custom dns port" {
@@ -121,7 +100,7 @@ teardown() {
     assert_line '2'
 
     # Ensure that all yaml docs are of kind 'NetworkPolicy'
-    run yq e '.kind | ({"match": ., "doc": di})' "${ofile}"
+    run yq_multidoc e '.kind | ({"match": ., "doc": di})' "${ofile}"
     assert_line --index 0 'match: NetworkPolicy'
     assert_line --index 1 'doc: 0'
     assert_line --index 2 'match: NetworkPolicy'
@@ -130,7 +109,7 @@ teardown() {
     assert_line --index 5 'doc: 2'
 
     # Ensure that dns ports are properly set
-    run yq e '.spec.egress[1].ports[0].port | ({"match": ., "doc": di})' "${ofile}"
+    run yq_multidoc e '.spec.egress[1].ports[0].port | ({"match": ., "doc": di})' "${ofile}"
     assert_line --index 0 'match: null'
     assert_line --index 1 'doc: 0'
     assert_line --index 2 'match: '${dns_port}
@@ -153,7 +132,7 @@ teardown() {
     yaml_valid "$ofile"
 
     # Ensure that dns ports are properly set
-    run yq e '.spec.egress[1].ports[0].port | ({"match": ., "doc": di})' "${ofile}"
+    run yq_multidoc e '.spec.egress[1].ports[0].port | ({"match": ., "doc": di})' "${ofile}"
     assert_line --index 0 'match: null'
     assert_line --index 1 'doc: 0'
     assert_line --index 2 'match: '${dns_port}