
Conversation

@octo-sts octo-sts bot (Contributor) commented Jul 9, 2025

cert-manager-cmctl/2.2.0-r1: fix GHSA-557j-xg8c-q2mm

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/cert-manager-cmctl.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added labels Jul 9, 2025: automated pr, cert-manager-cmctl, go/bump, request-cve-remediation, GHSA-557j-xg8c-q2mm, P1 (This label indicates our scanning found High, Medium or Low CVEs for these packages.)
@octo-sts octo-sts bot (Contributor, Author) commented Jul 9, 2025

📦 Build Failed: Missing Dependency

failed to run update. Error: package oras.land/oras-go was not found on the go.mod file. Please remove the package or add it to the list of 'replaces'

Build Details

  Category        Details
  Build System    Go (gobump)
  Failure Point   gobump --packages="oras.land/oras-go@v1.2.6
                  github.com/docker/docker@v27.1.1
                  helm.sh/helm/v3@v3.18.4" --tidy="true"

Root Cause Analysis 🔍

The build is trying to update the Go module dependency 'oras.land/oras-go' to version v1.2.6, but this package isn't listed in the go.mod file. The gobump tool requires that packages being updated must already exist in the go.mod file, or be explicitly listed in the 'replaces' parameter.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: cert-manager-cmctl.yaml

  • modify at line 21-25 (go/bump step)

    Original:

      - uses: go/bump
        with:
          deps: |-
            oras.land/oras-go@v1.2.6
            github.com/docker/docker@v27.1.1
            helm.sh/helm/v3@v3.18.4

    Replacement:

      - uses: go/bump
        with:
          deps: |-
            github.com/docker/docker@v27.1.1
            helm.sh/helm/v3@v3.18.4
          replaces: oras.land/oras-go=oras.land/oras-go@v1.2.6

Analysis

Looking at the three similar fixed build failures, I observe a consistent pattern: in each case, the go/bump step was trying to update a package that wasn't present in the go.mod file. The fixes generally took one of two approaches:

  1. Removing the problematic package from the deps list if it wasn't actually needed (Fix #0, Fix #1)
  2. Adding the missing package to the replaces parameter (Fix #2, partially Fix #0)

In Fix #0 and Fix #1, unnecessary packages were removed from the deps list. In Fix #0, one of the packages was also moved to the replaces parameter. In Fix #2, the solution was to keep the package but explicitly add it to the replaces parameter.

For our current failure with "oras.land/oras-go", the error is identical in nature - we're trying to update a package that doesn't exist in the go.mod file.


Explanation

The build failure occurs because the gobump tool is trying to update "oras.land/oras-go" to version v1.2.6, but this package is not listed in the go.mod file of the project. This is a limitation of the gobump tool which requires packages being updated to either:

  1. Already exist in the go.mod file, or
  2. Be explicitly listed in the 'replaces' parameter

By moving "oras.land/oras-go@v1.2.6" from the deps list to the replaces parameter, we're telling the gobump tool to handle this package as a replacement rather than a direct dependency update. This approach matches what was done in Fix #0 where helm.sh/helm/v3 was moved to the replaces parameter.

The format for the replaces parameter is original=replacement, so we're specifying oras.land/oras-go=oras.land/oras-go@v1.2.6. This tells gobump to replace any reference to oras.land/oras-go with version v1.2.6, regardless of whether it exists in the go.mod file already.

This change allows the build to proceed without failing on the missing dependency while still ensuring that the desired version (v1.2.6) is used during the build process.


Alternative Approaches

  • Remove oras.land/oras-go completely from the deps list if it's not actually needed by the project. This would be simpler but would only work if the dependency isn't required.
  • Add a preliminary go/bump step that first adds oras.land/oras-go to the go.mod file, and then update it in a subsequent step. This is more complex but would add the dependency directly.
  • Examine the go.mod file manually to see if oras.land/oras-go exists under a different name or path, and update that instead. This would be appropriate if there's an alias or indirect dependency.

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
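The precondition behind the error above (every module in a go/bump `deps` list must already be a require entry in go.mod, otherwise it has to be dropped or expressed through `replaces`) can be checked before a build is started. The script below is an added example and is not code from this PR, from gobump or from the wolfi-dev project: it parses the require entries of a go.mod (the go.mod excerpt inside it is constructed, not cert-manager-cmctl's), compares them with the `deps` list taken from the failing step above, and for each module that gobump would reject prints a `replaces` entry in the `original=replacement` form the suggested fix uses.

```python
"""Pre-flight check for a melange go/bump step.

gobump reports "package X was not found on the go.mod file" when a module in
`deps` is not a require entry of go.mod. This script finds such modules ahead
of time and suggests the `replaces` form used in the fix above.
"""

# Constructed go.mod excerpt for the example (NOT the real cert-manager-cmctl
# go.mod). It lists docker and helm but deliberately not oras-go.
SAMPLE_GO_MOD = """\
module example.com/cmctl

go 1.24

require github.com/spf13/cobra v1.8.1

require (
\tgithub.com/docker/docker v27.0.0+incompatible // indirect
\thelm.sh/helm/v3 v3.17.0
)
"""

# The deps list from the failing go/bump step on this PR.
BUMP_DEPS = [
    "oras.land/oras-go@v1.2.6",
    "github.com/docker/docker@v27.1.1",
    "helm.sh/helm/v3@v3.18.4",
]


def parse_go_mod_requires(text):
    """Return {module path: version} for every require entry.

    Handles both single-line `require path version` directives and
    `require ( ... )` blocks; trailing `// indirect` comments are ignored.
    """
    requires = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop comments such as "// indirect"
        if not line:
            continue
        if in_block:
            if line == ")":
                in_block = False
                continue
            parts = line.split()
            if len(parts) >= 2:
                requires[parts[0]] = parts[1]
            continue
        if line == "require (":
            in_block = True
            continue
        if line.startswith("require "):
            parts = line.split()
            if len(parts) >= 3:
                requires[parts[1]] = parts[2]
    return requires


def split_dep(dep):
    """Split a go/bump entry 'path@version' into (path, version)."""
    path, sep, version = dep.rpartition("@")
    if not sep or not path or not version:
        raise ValueError(f"dependency {dep!r} is not of the form path@version")
    return path, version


def check_bump_deps(deps, go_mod_text):
    """Partition deps into those gobump can update and those missing from go.mod.

    Returns (ok_deps, missing_deps, suggested_replaces). Each suggested entry
    is `original=replacement`, the format the suggested fix above uses.
    """
    present = parse_go_mod_requires(go_mod_text)
    ok, missing, replaces = [], [], []
    for dep in deps:
        path, version = split_dep(dep)
        if path in present:
            ok.append(dep)
        else:
            missing.append(dep)
            replaces.append(f"{path}={path}@{version}")
    return ok, missing, replaces


if __name__ == "__main__":
    ok, missing, replaces = check_bump_deps(BUMP_DEPS, SAMPLE_GO_MOD)
    for dep in ok:
        print(f"ok       {dep}")
    for dep in missing:
        print(f"MISSING  {dep} (not a require entry in go.mod)")
    if replaces:
        print("suggested go/bump `replaces`:", " ".join(replaces))
```

The check mirrors only the precondition the error message states; it does not run `go mod tidy` and does not decide whether a missing module is genuinely needed, which is the judgement the "Alternative Approaches" above leave to the reviewer.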

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jul 9, 2025
Signed-off-by: Francesco Bartolini <francesco.bartolini@chainguard.dev>
@efbar efbar self-assigned this Jul 9, 2025
@octo-sts octo-sts bot added the bincapz/pass label (Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages.) Jul 9, 2025
@efbar efbar requested a review from a team July 9, 2025 15:10
@dnegreira dnegreira merged commit 5a51cc9 into main Jul 10, 2025
18 checks passed
@dnegreira dnegreira deleted the cve-cert-manager-cmctl-2.2.0-r1-b7517d0700e5b80ef9402e26ed0418df branch July 10, 2025 07:55