
@octo-sts octo-sts bot commented Mar 8, 2025

snyk-cli/1.1295.4-r0: fix CVE-2025-22869

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/snyk-cli.advisories.yaml

Source code for this service: https://go/cve-remedy-automation-source

Logs for this execution: https://go/cve-remedy-automation-logs

Docs for this service: (not provided yet)


octo-sts bot commented Mar 8, 2025

⚠️ EXPERIMENTAL

Please use 👍 or 👎 on this comment to indicate if you agree or disagree with the recommendation.

To provide more detailed feedback please comment on the recommendation prefixed with /ai-verify:

e.g. /ai-verify partially helpful but I also added bash to the build environment

Gen AI suggestions to solve the build error:

Based on the error log, I'll analyze and provide a solution:

• Detected Error: The error appears to be with the git checkout step, specifically with the tag v1.1295.4 not being found.

• Error Category: Version/Configuration

• Failure Point:

[git checkout] execute: git clone --quiet --origin=origin --config=user.name=Melange Build --config=user.email=melange-build@cgr.dev --config=advice.detachedHead=false --branch=v1.1295.4 --depth=1 https://github.com/snyk/cli /tmp/tmp.oOHujs

• Root Cause Analysis: The git-checkout step is failing because it's trying to clone with a specific tag that doesn't match the upstream repository's tag format.

• Suggested Fix:

  1. Verify the correct tag format in the snyk/cli repository
  2. Modify the git-checkout step in the melange yaml to use the correct tag format:
  - uses: git-checkout
    with:
      repository: https://github.com/snyk/cli
      tag: ${{package.version}}  # Remove the 'v' prefix
      expected-commit: b1e2445578abbb425a96611e4e58ff8057329e82

• Explanation: Looking at the Snyk CLI repository, their release tags don't use the 'v' prefix. The current configuration is trying to checkout 'v1.1295.4' but the actual tag is likely just '1.1295.4'.

• Additional Notes:

  • This is a common issue when package version schemes don't match upstream tag formats
  • You may also want to verify the expected-commit hash matches the target version
  • Consider updating the update.github section to remove the strip-prefix if it's not needed:
update:
  enabled: true
  github:
    identifier: snyk/cli

• References:
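As an added example (not code from the PR, the bot, or the melange project): a shell check that resolves which spelling of a release tag exists in `git ls-remote --tags` output and compares the commit it points to with the `expected-commit` pin. Annotated tags list twice (`refs/tags/X` and the peeled `refs/tags/X^{}`), and the pin must match the peeled commit, so that line wins. The listing and hashes below are constructed placeholders, not the real snyk/cli refs.

```shell
#!/usr/bin/env bash
# Added example, not from the PR or the melange project.
# resolve_tag "<ls-remote output>" <tag> [<tag> ...]
# Prints "<tag> <commit>" for the first candidate tag present; returns 1 if none.
# For annotated tags the peeled (^{}) commit is preferred over the tag object.
resolve_tag() {
  local listing="$1"; shift
  local tag sha peeled
  for tag in "$@"; do
    sha=$(printf '%s\n' "$listing" | awk -v t="refs/tags/$tag" '$2 == t {print $1}')
    peeled=$(printf '%s\n' "$listing" | awk -v t="refs/tags/$tag^{}" '$2 == t {print $1}')
    if [ -n "$peeled" ]; then
      printf '%s %s\n' "$tag" "$peeled"; return 0
    elif [ -n "$sha" ]; then
      printf '%s %s\n' "$tag" "$sha"; return 0
    fi
  done
  return 1
}

# check_pin "<ls-remote output>" <expected-commit> <tag> [<tag> ...]
# Prints "ok" when the resolved commit equals the pin; otherwise prints the
# resolved pair (or "tag not found") and returns 1.
check_pin() {
  local listing="$1" expected="$2"; shift 2
  local found commit
  found=$(resolve_tag "$listing" "$@") || { echo "tag not found"; return 1; }
  commit=${found#* }
  if [ "$commit" = "$expected" ]; then
    echo "ok"
  else
    echo "mismatch: $found"; return 1
  fi
}

# Constructed sample listing with placeholder hashes (not real snyk/cli refs):
# 1.1295.3 is a lightweight tag, 1.1295.4 an annotated tag (two lines).
SAMPLE_LISTING=$(printf '%s\t%s\n' \
  aaaa000000000000000000000000000000000001 refs/tags/1.1295.3 \
  bbbb000000000000000000000000000000000002 refs/tags/1.1295.4 \
  cccc000000000000000000000000000000000003 'refs/tags/1.1295.4^{}')

# Try the 'v'-prefixed spelling first, then the bare version, as the fix above suggests.
check_pin "$SAMPLE_LISTING" cccc000000000000000000000000000000000003 v1.1295.4 1.1295.4
```

Run against a live repository by replacing `SAMPLE_LISTING` with `$(git ls-remote --tags https://github.com/snyk/cli)`.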

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Mar 8, 2025
@developer-guy developer-guy self-assigned this Mar 8, 2025
@developer-guy

superseded by #45335
