

@octo-sts octo-sts bot commented Apr 2, 2025

rancher-machine/0.15.0.126-r0: fix GHSA-gh5c-3h97-2f3q

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/rancher-machine.advisories.yaml


"Breadcrumbs" for this automated service


octo-sts bot commented Apr 2, 2025

⚠️ EXPERIMENTAL

Please use 👍 or 👎 on this comment to indicate if you agree or disagree with the recommendation.

To provide more detailed feedback please comment on the recommendation prefixed with /ai-verify:

e.g. /ai-verify partially helpful but I also added bash to the build environment

Gen AI suggestions to solve the build error:

• Detected Error: "go.mod:121: replace github.com/moby/moby: version "v26.0.0" invalid: should be v0 or v1, not v26"

• Error Category: Version/Dependency

• Failure Point: go/bump step when trying to update moby dependency

• Root Cause Analysis: The moby/moby repository uses a non-standard versioning scheme. While the version is v26.0.0, Go's module system expects semantic versions starting with v0 or v1 for the initial module path.

• Suggested Fix:

```yaml
# go/bump pipeline step with the moby dependency pinned to a +incompatible release
  - uses: go/bump
    with:
      deps: |-
        github.com/golang-jwt/jwt/v4@v4.5.2
        golang.org/x/crypto@v0.35.0
        golang.org/x/net@v0.36.0
        golang.org/x/oauth2@v0.27.0
        github.com/moby/moby@v20.10.24+incompatible
```

• Explanation: The moby/moby project (Docker Engine) uses a different versioning scheme that doesn't follow Go's semantic versioning requirements. Using the +incompatible suffix tells Go to accept the non-standard version number. v20.10.24 is a stable version that should be compatible with rancher-machine.

• Additional Notes:

  • The moby/moby project is now known as docker/docker-ce
  • The +incompatible suffix is a Go modules convention for handling non-semantic versions
  • Version v20.10.24 is chosen as it's a stable release that maintains compatibility

• References:

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Apr 2, 2025
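
The bot's explanation above turns on Go's semantic import versioning rule: a module path without a `/vN` suffix may only be paired with v0/v1 versions unless the version carries `+incompatible`, and a path with `/vN` must be paired with a vN version. The following is an added example (not code from this PR, from octo-sts or from the Go toolchain) that reimplements that rule in simplified form; the real check is `golang.org/x/mod/module.CheckPathMajor`, and pre-release, pseudo-version and gopkg.in cases are deliberately left out.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// semverRe accepts vMAJOR.MINOR.PATCH with an optional pre-release part and
// an optional +incompatible build marker (simplified; no pseudo-versions).
var semverRe = regexp.MustCompile(`^v(\d+)\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(\+incompatible)?$`)

// pathMajorRe matches a /vN major-version suffix (N >= 2) on a module path.
var pathMajorRe = regexp.MustCompile(`/v([2-9]\d*)$`)

// CheckModuleVersion reports whether version may be paired with path under
// semantic import versioning, producing the same message shapes the go tool
// prints in go.mod errors (e.g. "should be v0 or v1, not v26").
func CheckModuleVersion(path, version string) error {
	m := semverRe.FindStringSubmatch(version)
	if m == nil {
		return fmt.Errorf("version %q invalid: not a semantic version", version)
	}
	major, _ := strconv.Atoi(m[1])
	incompatible := m[2] != ""

	pm := pathMajorRe.FindStringSubmatch(path)
	if pm == nil {
		// No /vN suffix: only v0, v1 or an explicitly +incompatible version fits.
		if major <= 1 || incompatible {
			return nil
		}
		return fmt.Errorf("version %q invalid: should be v0 or v1, not v%d", version, major)
	}
	pathMajor, _ := strconv.Atoi(pm[1])
	if major == pathMajor {
		return nil
	}
	return fmt.Errorf("version %q invalid: should be v%d, not v%d", version, pathMajor, major)
}

func main() {
	for _, dep := range []string{
		"github.com/moby/moby@v26.0.0",                // the replace that failed in the build log
		"github.com/moby/moby@v20.10.24+incompatible", // the suggested fix
		"github.com/golang-jwt/jwt/v4@v4.5.2",         // path suffix and version major agree
	} {
		path, version, _ := strings.Cut(dep, "@")
		fmt.Printf("%-45s -> %v\n", dep, CheckModuleVersion(path, version))
	}
}
```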
@dnegreira

Closing as wolfi-dev/advisories#16717 got merged with an advisory for this CVE.

@dnegreira dnegreira closed this Apr 4, 2025