Conversation

@octo-sts octo-sts bot commented Jul 9, 2025

flux-source-controller/1.6.2-r1: fix GHSA-557j-xg8c-q2mm

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/flux-source-controller.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr flux-source-controller GHSA-557j-xg8c-q2mm go/bump request-cve-remediation labels Jul 9, 2025
octo-sts bot commented Jul 9, 2025

📦 Build Failed: Missing Dependency

failed to run update. Error: package oras.land/oras-go was not found on the go.mod file. Please remove the package or add it to the list of 'replaces'

Build Details

| Category      | Details                       |
|---------------|-------------------------------|
| Build System  | Go                            |
| Failure Point | gobump package update command |

Root Cause Analysis 🔍

The build is trying to update the 'oras.land/oras-go' package using gobump, but this package is not found in the go.mod file. The build is attempting to upgrade packages during the 'go/bump' step, but one of the specified packages doesn't exist in the project dependencies.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: flux-source-controller.yaml

  • modification at lines 36-40 (go/bump section)

Original:

```yaml
  - uses: go/bump
    with:
      deps: |-
        oras.land/oras-go@v1.2.6
        github.com/go-viper/mapstructure/v2@v2.3.0
        helm.sh/helm/v3@v3.18.4
```

Replacement:

```yaml
  - uses: go/bump
    with:
      deps: |-
        github.com/go-viper/mapstructure/v2@v2.3.0
        helm.sh/helm/v3@v3.18.4
      replaces: oras.land/oras-go=oras.land/oras-go@v1.2.6
```
Analysis

Analyzing the three similar fixed build failures, I observe a consistent pattern: the go/bump step fails when trying to update a package that isn't directly declared in the go.mod file. In all three examples, the fix involved one of two approaches:

  1. Removing the problematic package from the deps list in the go/bump step (Fix #0 and Add binutils-2.39 configuration #1)
  2. Adding the package to the replaces parameter to explicitly handle it (Fix Add pax-utils into the OS. #2)

The key insight is that packages listed in the deps section must either exist directly in the go.mod file or be explicitly listed in the replaces section for the gobump tool to handle them properly.

Explanation

The current build failure occurs because the build is trying to update the 'oras.land/oras-go' package using gobump, but this package is not found in the go.mod file. This is a common issue with the gobump tool, which requires packages being updated to either exist directly in the go.mod file or be explicitly specified in the 'replaces' parameter.

By moving 'oras.land/oras-go@v1.2.6' from the 'deps' list to the 'replaces' parameter, we're telling the gobump tool to handle this package specially. This allows the build to update a package that might be a transitive dependency (not directly listed in go.mod) or handle it through the replace directive in the go.mod file.

This approach closely mirrors Fix Example #2, which successfully resolved a similar issue with the golang.org/x/oauth2 package by properly handling it in the build configuration.

Alternative Approaches

  • Remove 'oras.land/oras-go@v1.2.6' from the deps list entirely if the package update isn't strictly necessary. This is similar to the approach in Fix Example #0 and Add binutils-2.39 configuration #1, where problematic packages were simply removed.
  • Add 'oras.land/oras-go' directly to the project's go.mod file before running the gobump step, ensuring it's recognized as a direct dependency.
  • Modify the underlying source code to explicitly import and use 'oras.land/oras-go' so it becomes a direct dependency in the go.mod file naturally, though this is more intrusive and would require code changes.

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
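The rule the bot's analysis arrives at (every entry in the go/bump `deps` list must match a module path that go.mod already requires, or be covered by a `replaces` entry) can be checked before a build is kicked off. The following Go program is an added example and is not part of this PR, of the octo-sts bot, or of gobump itself: it parses the `require` directives of a go.mod file and reports which `deps` entries would trip the error seen in the build log. The go.mod text is constructed for illustration and is not the real flux source-controller go.mod; it deliberately requires `oras.land/oras-go/v2` rather than `oras.land/oras-go`, since a major-version suffix on the module path is one ordinary reason a bare path in `deps` finds no match (whether that is the cause in the real project is not established by this page). The `replaces` entry format `package=replacement@version` is taken from the bot's suggested fix.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod excerpt for illustration only; it is NOT the
// flux source-controller go.mod. The oras-go module path carries a /v2
// major-version suffix, so a deps entry naming the bare path
// "oras.land/oras-go" will not match any require directive.
const sampleGoMod = `module example.com/source-controller

go 1.24

require (
	github.com/go-viper/mapstructure/v2 v2.2.1
	helm.sh/helm/v3 v3.18.3
	oras.land/oras-go/v2 v2.5.0
)

require github.com/stretchr/testify v1.10.0 // indirect
`

// DepCheck is the result of checking one go/bump deps entry.
type DepCheck struct {
	Path    string // module path requested in deps
	Version string // version requested in deps
	Current string // version currently required in go.mod ("" if absent)
	Handled bool   // true if required in go.mod or covered by replaces
}

// RequiredModules parses the require directives of a go.mod file,
// in both block form and single-line form, into path -> version.
// Trailing comments such as "// indirect" are ignored.
func RequiredModules(gomod string) map[string]string {
	mods := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if inBlock && len(fields) == 2 {
			mods[fields[0]] = fields[1]
		} else if !inBlock && len(fields) == 3 && fields[0] == "require" {
			mods[fields[1]] = fields[2]
		}
	}
	return mods
}

// CheckBumpDeps takes the go/bump deps entries ("path@version") and the
// replaces entries ("path=replacement@version", the format used in the
// suggested fix above) and reports each dep's status against go.mod.
func CheckBumpDeps(gomod string, deps, replaces []string) []DepCheck {
	required := RequiredModules(gomod)
	replaced := map[string]bool{}
	for _, r := range replaces {
		if old, _, ok := strings.Cut(r, "="); ok {
			replaced[strings.TrimSpace(old)] = true
		}
	}
	var out []DepCheck
	for _, d := range deps {
		path, version, _ := strings.Cut(strings.TrimSpace(d), "@")
		cur, inGoMod := required[path]
		out = append(out, DepCheck{Path: path, Version: version, Current: cur, Handled: inGoMod || replaced[path]})
	}
	return out
}

// MissingDeps returns the deps paths that are neither required in go.mod
// nor covered by a replaces entry; these are what make gobump fail with
// "package ... was not found on the go.mod file".
func MissingDeps(gomod string, deps, replaces []string) []string {
	var missing []string
	for _, c := range CheckBumpDeps(gomod, deps, replaces) {
		if !c.Handled {
			missing = append(missing, c.Path)
		}
	}
	return missing
}

func main() {
	// The three deps entries from the go/bump step in this PR.
	deps := []string{
		"oras.land/oras-go@v1.2.6",
		"github.com/go-viper/mapstructure/v2@v2.3.0",
		"helm.sh/helm/v3@v3.18.4",
	}
	for _, c := range CheckBumpDeps(sampleGoMod, deps, nil) {
		state := "ok"
		if !c.Handled {
			state = "NOT in go.mod: move to replaces or drop from deps"
		}
		fmt.Printf("%-45s want=%-8s have=%-8s %s\n", c.Path, c.Version, c.Current, state)
	}
}
```

Running it against the constructed go.mod flags only `oras.land/oras-go`; passing the same `replaces` string the bot proposes clears the report, which is exactly the change the suggested fix makes. In a real pipeline the go.mod text would be read from the checked-out source and the `deps`/`replaces` strings from the melange YAML.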

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jul 9, 2025
@dnegreira dnegreira self-assigned this Jul 10, 2025
Signed-off-by: David Negreira <david.negreira@chainguard.dev>
@octo-sts octo-sts bot added bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. manual/review-needed labels Jul 10, 2025
@efbar efbar merged commit e7c14ce into main Jul 10, 2025
18 checks passed
@efbar efbar deleted the cve-flux-source-controller-1.6.2-r1-b7517d0700e5b80ef9402e26ed0418df branch July 10, 2025 09:04