Conversation

@octo-sts (octo-sts bot, Contributor) commented Mar 8, 2025

snyk-cli/1.1295.4-r0: fix CVE-2025-22868

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/snyk-cli.advisories.yaml

Source code for this service: https://go/cve-remedy-automation-source

Logs for this execution: https://go/cve-remedy-automation-logs

Docs for this service: (not provided yet)

@octo-sts (octo-sts bot, Contributor, Author) commented Mar 8, 2025

⚠️ EXPERIMENTAL

Please use 👍 or 👎 on this comment to indicate if you agree or disagree with the recommendation.

To provide more detailed feedback please comment on the recommendation prefixed with /ai-verify:

e.g. /ai-verify partially helpful but I also added bash to the build environment

Gen AI suggestions to solve the build error:

Based on the build error output, I'll analyze and provide specific fixes:

• Detected Error: git clone --quiet --origin=origin --config=user.name=Melange Build --config=user.email=melange-build@cgr.dev --config=advice.detachedHead=false --branch=v1.1295.4 --depth=1 https://github.com/snyk/cli /tmp/tmp.rDYeWh
(The command failed silently, indicating a tag/branch issue)

• Error Category: Version/Git Checkout

• Failure Point: git-checkout pipeline step

• Root Cause Analysis: The build is failing because the git-checkout step is trying to clone using -b v1.1295.4 which attempts to treat the tag as a branch. This is incorrect for tag checkouts.

• Suggested Fix:
Modify the git-checkout step in the melange YAML to:

```yaml
  - uses: git-checkout
    with:
      repository: https://github.com/snyk/cli
      ref: v${{package.version}}
      expected-commit: b1e2445578abbb425a96611e4e58ff8057329e82
```

• Explanation:

  • The current configuration uses tag: which forces git to try checking out the tag as a branch
  • Using ref: instead allows git to properly resolve both tags and branches
  • This matches how the upstream repository tags their releases

• Additional Notes:

  • Verify the expected-commit hash matches the v1.1295.4 tag
  • The tag format matches the upstream convention (v prefix)
  • This is a common issue when working with repositories that use tagged releases

• References:
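A check a reviewer of this kind of PR might run before merging, as an added example that is not part of the PR and not melange's own validation: it lints a git-checkout step to confirm the source is pinned by a full-length expected-commit, selects exactly one of tag/ref/branch, and uses an https repository URL. The function name and the sample step dicts are constructed for this example.

```python
import re
from typing import Dict, List

# A full 40-hex SHA-1, the form expected-commit should carry so the fetched
# source is pinned to one exact revision rather than a movable tag.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
REF_KEYS = ("tag", "ref", "branch")


def check_git_checkout_step(step: Dict) -> List[str]:
    """Return findings for one melange pipeline step (hypothetical linter).

    An empty list means the step pins its source acceptably.
    """
    findings: List[str] = []
    if step.get("uses") != "git-checkout":
        return ["not a git-checkout step"]
    with_ = step.get("with") or {}

    repo = str(with_.get("repository", ""))
    if not repo.startswith("https://"):
        findings.append(f"repository should be an https URL, got {repo!r}")

    selectors = [k for k in REF_KEYS if k in with_]
    if len(selectors) != 1:
        findings.append(f"expected exactly one of {REF_KEYS}, got {selectors}")

    commit = with_.get("expected-commit")
    if commit is None:
        findings.append("expected-commit missing: source is not pinned to a commit")
    elif not FULL_SHA_RE.match(str(commit)):
        findings.append(f"expected-commit must be a full 40-hex SHA, got {commit!r}")
    return findings


# Constructed sample: the step as suggested in the comment above.
FIXED_STEP = {
    "uses": "git-checkout",
    "with": {
        "repository": "https://github.com/snyk/cli",
        "ref": "v${{package.version}}",
        "expected-commit": "b1e2445578abbb425a96611e4e58ff8057329e82",
    },
}

# Constructed sample: a step that selects a tag but never pins the commit.
UNPINNED_STEP = {
    "uses": "git-checkout",
    "with": {"repository": "https://github.com/snyk/cli", "tag": "v${{package.version}}"},
}
```

Run the checker over every `uses: git-checkout` step in a package's pipeline list and treat any non-empty result as a review finding.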

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Mar 8, 2025
@developer-guy developer-guy self-assigned this Mar 8, 2025
Signed-off-by: Batuhan Apaydin <batuhan.apaydin@chainguard.dev>
@octo-sts octo-sts bot added bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. manual/review-needed labels Mar 8, 2025
@OddBloke OddBloke merged commit 468610b into main Mar 13, 2025
21 checks passed
@OddBloke OddBloke deleted the cve-snyk-cli-ecccdf81abf0059ddc029980060280cc branch March 13, 2025 12:13
@octo-sts octo-sts bot mentioned this pull request May 20, 2025