chore: update Go to 1.25 and golangci-lint to v2 #6512

Open
thomasschafer wants to merge 1 commit into main from chore/bump-go-version-cli-extension-sbom

thomasschafer (Contributor) commented Feb 6, 2026

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High) - n/a
  • Highlights breaking API changes (if applicable) - n/a
  • Links to automated tests covering new functionality - n/a
  • Includes manual testing instructions (if necessary) - n/a
  • Updates relevant GitBook documentation (PR link: ___) - n/a
  • Includes product update to be announced in the next stable release notes - n/a

What does this PR do?

In snyk/cli-extension-sbom#167 we bumped the version of Go, so before merging that PR we need to bump the Go version in the CLI. This PR bumps Go and golangci-lint versions in here, fixing the linting errors that arise.

I also ran into a couple of FIPS issues. Initially, acceptance tests were previously failing on non-FIPS builds with

Expected: ""
Received: "panic: opensslcrypto: FIPS mode requested (environment variable GODEBUG=fips140=on) but not available: OpenSSL 3.0.8 7 Feb 2023·
goroutine 1 [running]:
crypto/internal/backend.init.0()
    /home/circleci/project/go/src/crypto/internal/backend/openssl_linux.go:39 +0x129

which appears to be because of the change here to the Microsoft Go build:

Prior to Go 1.25, developers can opt into using system-provided cryptography by setting the GOEXPERIMENT environment variable to systemcrypto before building their program.
Starting with Go 1.25, the Microsoft toolchain enables systemcrypto by default. Developers can opt out by setting the GOEXPERIMENT environment variable to nosystemcrypto.

which is used here, meaning that the non-FIPS builds now have FIPS enabled and so are panicking because OPENSSL is not available. To work around this I have split out FIPS and non-FIPS builds, given that previously they were both built using Microsoft Go.

After that, acceptance tests were failing with

Failed to clone test repository: Command failed: git clone https://github.com/leaktk/fake-leaks /tmp/snyk-secrets-test && cd /tmp/snyk-secrets-test && git checkout 366ae0080cc67973619584080fc85734ba2658b2
Cloning into '/tmp/snyk-secrets-test'...
ssh_dispatch_run_fatal: Connection to 140.82.112.3 port 22: invalid argument
fatal: Could not read from remote repository.

This was happening because OPENSSL_CONF was being set for not just the CLI but also for other commands such as git clone. To resolve this I updated the env handling to only pass a value for OPENSSL_CONF to the CLI commands.

What's the product update that needs to be communicated to CLI users?

None
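
The OPENSSL_CONF scoping described in the PR description above, shown as an added example that is not part of the PR or the Snyk CLI code base. The helper names, the constructed paths and the use of `sh` as a stand-in for both the CLI and `git` are assumptions made so that it runs offline.

```javascript
// Added example, not Snyk's test code; all names here are hypothetical.
const { spawnSync } = require('node:child_process');

// Variables that may reach only the binary under test (assumption: just this one).
const CLI_ONLY = ['OPENSSL_CONF'];

// Build a child environment. The ambient value is always dropped, so helpers such
// as `git clone` (which can start ssh) never inherit it; the value is re-added
// only when the child is the CLI itself.
function childEnv(baseEnv, cliOverrides, isCli) {
  const env = { ...baseEnv };
  for (const name of CLI_ONLY) {
    delete env[name];
    if (isCli && cliOverrides[name] !== undefined) env[name] = cliOverrides[name];
  }
  return env;
}

// Run a child with exactly the given environment and return its trimmed stdout.
function run(cmd, args, env) {
  const res = spawnSync(cmd, args, { env, encoding: 'utf8' });
  if (res.error) throw res.error;
  if (res.status !== 0) throw new Error(`exit ${res.status}: ${res.stderr}`);
  return res.stdout.trim();
}

// `sh` stands in for both the CLI and the helper so the example runs offline.
const PRINT = ['-c', 'printf %s "${OPENSSL_CONF:-<unset>}"'];

// Constructed sample: a CI job that exported OPENSSL_CONF for every step.
const ambient = { ...process.env, OPENSSL_CONF: '/constructed/ambient-openssl.cnf' };
const overrides = { OPENSSL_CONF: '/constructed/fips-openssl.cnf' };

function seenByCli() {
  return run('sh', PRINT, childEnv(ambient, overrides, true));
}

function seenByHelper() {
  return run('sh', PRINT, childEnv(ambient, overrides, false));
}

console.log('CLI sees   :', seenByCli());
console.log('helper sees:', seenByHelper());
```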

thomasschafer changed the title from "Chore/bump go version cli extension SBOM" to "chore: update Go to 1.25 and golangci-lint to v2" on Feb 6, 2026
thomasschafer force-pushed the chore/bump-go-version-cli-extension-sbom branch from ba9a2b1 to 26f58d2 on February 6, 2026 16:05
thomasschafer marked this pull request as ready for review on February 6, 2026 16:07
thomasschafer requested review from a team as code owners on February 6, 2026 16:07
thomasschafer force-pushed the chore/bump-go-version-cli-extension-sbom branch 2 times, most recently from 6aba91f to 8849c0f on February 6, 2026 16:55
brew42 force-pushed the chore/bump-go-version-cli-extension-sbom branch from 68297a5 to 8849c0f on February 6, 2026 17:06
thomasschafer force-pushed the chore/bump-go-version-cli-extension-sbom branch 2 times, most recently from e7df0a0 to 59bce10 on February 6, 2026 22:11
hoerup commented Feb 9, 2026

Maybe even update to go 1.25.7 to avoid the recent CVE-2025-68121

thomasschafer force-pushed the chore/bump-go-version-cli-extension-sbom branch from 59bce10 to 863fc37 on February 9, 2026 11:04
thomasschafer force-pushed the chore/bump-go-version-cli-extension-sbom branch from 863fc37 to 381de30 on February 9, 2026 13:09
if [[ "$1" == "x86_64" ]]; then
FILE=swift-5.8.1-RELEASE-ubuntu20.04
curl --compressed --output swift.tar.gz https://download.swift.org/swift-5.8.1-release/ubuntu2004/swift-5.8.1-RELEASE/$FILE.tar.gz
FILE=swift-5.10.1-RELEASE-debian12
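
Review bot: the curl line shown in this hunk hardcodes swift-5.8.1-release/ubuntu2004/swift-5.8.1-RELEASE in the URL path and takes only the file name from $FILE, so with FILE=swift-5.10.1-RELEASE-debian12 the path segments have to change in step; building the whole URL from one version variable and one platform variable would keep them from drifting apart. The download is also written straight to swift.tar.gz with no --fail and no checksum or signature check visible here, so consider adding --fail and verifying the archive against a pinned digest before it is used.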
Contributor Author

Updated from Ubuntu to Debian as the Dockerfile uses Debian

thomasschafer force-pushed the chore/bump-go-version-cli-extension-sbom branch 3 times, most recently from a3b9740 to 3e0ecfd on February 10, 2026 10:50
thomasschafer marked this pull request as draft on February 10, 2026 11:33
thomasschafer force-pushed the chore/bump-go-version-cli-extension-sbom branch 5 times, most recently from aed946a to a9d537a on February 11, 2026 09:05
thomasschafer force-pushed the chore/bump-go-version-cli-extension-sbom branch 4 times, most recently from 3e8970f to 550568c on February 11, 2026 14:56
thomasschafer force-pushed the chore/bump-go-version-cli-extension-sbom branch 9 times, most recently from 41272d2 to be2447c on February 12, 2026 16:53
thomasschafer marked this pull request as ready for review on February 13, 2026 16:35
thomasschafer force-pushed the chore/bump-go-version-cli-extension-sbom branch from be2447c to 37d70d6 on February 13, 2026 16:35
Co-Authored-By: Tom Brewster <brew42@hotmail.com>
thomasschafer force-pushed the chore/bump-go-version-cli-extension-sbom branch from 37d70d6 to e647122 on February 13, 2026 18:17
4 participants