Conversation

Contributor

@octo-sts octo-sts bot commented Feb 27, 2025

gitlab-runner-17.8/17.8.3-r3: fix GHSA-c6gw-w398-hv78

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/gitlab-runner-17.8.advisories.yaml

Source code for this service: https://go/cve-remedy-automation-source

Logs for this execution: https://go/cve-remedy-automation-logs

Docs for this service: (not provided yet)

Contributor Author

octo-sts bot commented Feb 27, 2025

⚠️ EXPERIMENTAL

Please use 👍 or 👎 on this comment to indicate if you agree or disagree with the recommendation.

To provide more detailed feedback please comment on the recommendation prefixed with /ai-verify:

e.g. /ai-verify partially helpful but I also added bash to the build environment

Gen AI suggestions to solve the build error:

• Detected Error: "package github.com/go-jose/go-jose/v3 was not found on the go.mod file. Please remove the package or add it to the list of 'replaces'"

• Error Category: Dependency

• Failure Point: go/bump step for docker-machine dependency updates

• Root Cause Analysis: The go/bump tool is trying to update github.com/go-jose/go-jose/v3 but this package is not listed as a dependency in the machine/go.mod file

• Suggested Fix:
Remove the go-jose package from the deps list in the go/bump step since it's not needed for docker-machine:

```yaml
  - uses: go/bump
    with:
      deps: |-
        github.com/golang-jwt/jwt/v4@v4.5.1
        golang.org/x/crypto@v0.31.0
        golang.org/x/net@v0.33.0
```

• Explanation: The go-jose package appears to be included in error in the docker-machine dependency updates. The package is needed for gitlab-runner-helper but not for the main docker-machine build. Removing it from this go/bump step will allow the build to proceed while keeping the other necessary dependency updates.

• Additional Notes:

  • The go-jose package is correctly included in the helper subpackage go/bump step
  • This fix maintains the security updates for jwt, crypto and net packages
  • No functionality should be affected as the package wasn't actually used in docker-machine

• References:

@octo-sts octo-sts bot added labels ai/skip-comment (Stop AI from commenting on PR) and bincapz/pass (Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages) Feb 27, 2025
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
Signed-off-by: hectorj2f <hector@chainguard.dev>
@hectorj2f hectorj2f force-pushed the cve-gitlab-runner-17.8-fff18a854da80914f7ba19493959cd20 branch from 0415b90 to 5a78675 February 27, 2025 18:26
@hectorj2f hectorj2f requested a review from a team February 27, 2025 18:26
@hectorj2f hectorj2f self-assigned this Feb 27, 2025
@OddBloke OddBloke merged commit dbe5e80 into main Feb 27, 2025
21 checks passed
@OddBloke OddBloke deleted the cve-gitlab-runner-17.8-fff18a854da80914f7ba19493959cd20 branch February 27, 2025 21:02

Labels

ai/skip-comment (Stop AI from commenting on PR), automated pr, bincapz/pass (Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages), GHSA-c6gw-w398-hv78, go/bump, manual/review-needed, request-cve-remediation
