
SECURITY: verifying github.com/google/cadvisor@v0.49.1: checksum mismatch #3508

Open
mangelajo opened this issue Mar 26, 2024 · 2 comments

Comments

@mangelajo

We are using cadvisor on a project, and suddenly we are getting a hash mismatch:

verifying github.com/google/cadvisor@v0.49.1: checksum mismatch
	downloaded: h1:L9S9Pdb/uu1HA2PGmgBG4q/V3s9Ct3VWsLicarHVvfQ=
	go.sum:     h1:9M++63nWvdq6Oci6wUDuAfQNTZpuz1ZObln0Bhs9xN0=

I wanted to confirm whether the release has been re-tagged; if it's a known developer action, this is OK. If not, we could be facing a security issue.

I had the previous version of v0.49.1 (with the old hash) stored on a different computer, so I decided to run a diff against the new 0.49.1; this is what I get:

[majopela@centauro google]$ diff -r cadvisor@v0.49.1 cadvisor@v0.49.1_sec_warnig/
diff -r cadvisor@v0.49.1/build/release.sh cadvisor@v0.49.1_sec_warnig/build/release.sh
74c74
<   docker buildx build --platform "linux/${arch}" --build-arg VERSION="$VERSION" -f deploy/Dockerfile -t "$arch_specific_image"  --progress plain --push .
---
>   docker buildx build --platform "linux/${arch}" --provenance=false --build-arg VERSION="$VERSION" -f deploy/Dockerfile -t "$arch_specific_image"  --progress plain --push .
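Review bot: the only change in this hunk is the added `--provenance=false` on the `docker buildx build` line, which disables the provenance attestation that buildx attaches to pushed images by default when the builder supports it; a release-tooling change of this kind shipped under the already-published tag v0.49.1 is exactly what turns the recorded go.sum / sumdb hash into the mismatch reported above, so it belongs in a new tag (the v0.49.2 requested later in the thread) rather than a re-tag of v0.49.1.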

It seems to be related to the provenance check of the images used in the build process or as base images, which is security-related.

Thank you

@mangelajo

It seems to be related to: 570d8a7

If this was intentional: in my experience, never re-tag an existing tag; caches in GitHub and in Go proxies will make a big mess. We should always create a new minor version.

mangelajo added a commit to flightctl/flightctl that referenced this issue Mar 26, 2024
v0.49.1 seems to have been re-tagged upstream and the
caching of goproxies and github is causing issues.

We should stay on v0.49.0 until v0.49.2 is released.

Related-Issue: google/cadvisor#3508

Signed-off-by: Miguel Angel Ajo Pelayo <majopela@redhat.com>
avishayt pushed a commit to flightctl/flightctl that referenced this issue Mar 26, 2024
@penglei

penglei commented Jun 26, 2024

Our team also encountered this issue, and upon investigation, I found that the checksum for tag v0.49.1 in the official Go proxy and SUMDB is incorrect. After removing the GOPROXY and GOSUMDB configurations from go env and letting the go module fetch tag v0.49.1 from GitHub directly, the calculated checksum differs. I suggest that cadvisor create a new tag v0.49.2 to address this issue, as it imposes a significant burden on environment management for large project maintainers.
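The comparison penglei describes (proxy/sumdb hash versus a direct fetch) can be reproduced without trusting either side by recomputing the h1: hash locally. The following is an added example, not cadvisor code and not from anyone in this thread: it re-implements the dirhash Hash1 construction that `go` uses for go.sum on the standard library only; the names `Hash1` and `HashDir` are this example's own, and the `prefix` argument is the `module@version` string that the module zip uses as its top-level directory.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io/fs"
	"os"
	"sort"
)

// Hash1 builds the "h1:" module hash recorded in go.sum and the checksum database: the sorted
// file names, each as "<hex sha256 of content>  <name>\n", are SHA-256 hashed and base64-encoded.
func Hash1(files []string, read func(string) ([]byte, error)) (string, error) {
	sort.Strings(files) // canonical order, so the caller's file order cannot affect the hash
	h := sha256.New()
	for _, name := range files {
		data, err := read(name)
		if err != nil {
			return "", err
		}
		fmt.Fprintf(h, "%x  %s\n", sha256.Sum256(data), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil)), nil
}

// HashDir hashes an extracted module directory, naming files "<prefix>/<slash path>" as the zip does.
func HashDir(dir, prefix string) (string, error) {
	fsys := os.DirFS(dir)
	var files []string
	if err := fs.WalkDir(fsys, ".", func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr == nil && !d.IsDir() {
			files = append(files, prefix+"/"+path)
		}
		return walkErr
	}); err != nil {
		return "", err
	}
	return Hash1(files, func(name string) ([]byte, error) {
		return fs.ReadFile(fsys, name[len(prefix)+1:]) // strip "<prefix>/" to get the path inside dir
	})
}

func main() { // usage: h1hash <extracted module dir> <module@version>; prints the h1: line to compare with go.sum
	sum, err := HashDir(os.Args[1], os.Args[2])
	if err != nil {
		panic(err)
	}
	fmt.Println(sum)
}
```

Run it against the module cache copy (the `cadvisor@v0.49.1` directory the issue author diffed) with prefix `github.com/google/cadvisor@v0.49.1`, since the module zip omits vendor trees, nested modules and `.git`, so a plain git checkout can hash differently.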

ffromani added a commit to ffromani/cpumgrx that referenced this issue Sep 13, 2024
avoids: google/cadvisor#3508
we don't need any feature in v0.49.1 anyway

Signed-off-by: Francesco Romani <fromani@redhat.com>