Resolve Snyk Vulnerabilities

[AlexBMes]

Changes:

• Update vulnerable go net package in wal-g to resolve CVE-2026-39821
• Update libcrypto versions to resolve CVE-2026-31789
• Image updates to allow install of later net package version
  • Update base builder image to golang:1.26-alpine
  • Add cmake wrapper to inject the backward-compatibility flag required to compile WAL-G's legacy brotli submodule

[gbmeuk]

What's this all about and why is it written in this weird way?

[AlexBMes]

In order to resolve the a critical vulnerability present in the Wal-G package, there needed to be an update to one of the packages that is installed (i.e. go get golang.org/x/net@v0.54.0 here).
However, this version of the package required go requires Go >= 1.25, so the base Go builder image was update to v1.26. This lead to a new issue in the build of the image, which Gemini summarized as:

WAL-G relies on a C library called Brotli for data compression. WAL-G v1.1 is old enough that it bundles a severely outdated version of Brotli as a Git submodule. The modern Alpine builder image ships with the newest version of cmake (the C build tool), which explicitly refuses to parse Brotli's ancient CMakeLists.txt file because it is too old.
The relevant error was:

CMake Error: Compatibility with CMake < 3.5 has been removed... Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway

So the suggestion was to replace the cmake command with a script that injects the relevant backwards compatibility flag. This flag is injected only when running a build command and not when calling itself with specific environment variables.
This solution was as an alternative to patching source code, or upgrading to an untested version of wal-g