
Conversation

@octo-sts octo-sts bot (Contributor) commented Jul 9, 2025

flux-helm-controller/1.3.0-r3: fix GHSA-557j-xg8c-q2mm

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/flux-helm-controller.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added labels Jul 9, 2025: P1 (This label indicates our scanning found High, Medium or Low CVEs for these packages.), automated pr, flux-helm-controller, GHSA-557j-xg8c-q2mm, go/bump, request-cve-remediation
@octo-sts octo-sts bot (Contributor, Author) commented Jul 9, 2025

📦 Build Failed: Missing Dependency

failed to run update. Error: package oras.land/oras-go was not found on the go.mod file. Please remove the package or add it to the list of 'replaces'

Build Details

  Category        Details
  Build System    Go
  Failure Point   go/bump step during package build

Root Cause Analysis 🔍

The build is trying to update the oras.land/oras-go package, but this package is not listed in the go.mod file. The gobump tool requires packages to either exist in go.mod or be explicitly listed in the 'replaces' parameter.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: flux-helm-controller.yaml

  • update at line 21-24 (go/bump step)

    Original:

      - uses: go/bump
        with:
          deps: |-
            oras.land/oras-go@v1.2.6
            helm.sh/helm/v3@v3.18.4

    Replacement:

      - uses: go/bump
        with:
          deps: |-
            helm.sh/helm/v3@v3.18.4
          replaces: oras.land/oras-go=oras.land/oras-go@v1.2.6

Analysis

The pattern observed in similar fixed build failures involves addressing the mismatch between packages specified in the go/bump step and those present in the go.mod file. In all three examples, the solution involved one of the following approaches:

  1. Removing the problematic package from the deps list if it's not needed
  2. Adding the package to the replaces list when it's a transitive dependency
  3. Adding only packages that are directly referenced in go.mod to the deps list

The common issue is that the go/bump tool requires packages being updated to either exist in the go.mod file or be explicitly listed in the 'replaces' parameter. When a package like oras.land/oras-go is specified in the deps list but isn't directly in go.mod (possibly being a transitive dependency), the build fails.


Explanation

The current build failure occurs because the go/bump step is trying to update oras.land/oras-go, but this package is not directly listed in the go.mod file of the flux-helm-controller repository. The error message specifically states: "package oras.land/oras-go was not found on the go.mod file. Please remove the package or add it to the list of 'replaces'".

The suggested fix moves oras.land/oras-go from the deps list to the replaces parameter. This approach is similar to Fix Example #2 where golang.org/x/oauth2 was handled through the replaces parameter. By adding oras.land/oras-go to the replaces list, we're telling the go/bump tool that even though this package isn't directly in go.mod, it should still be updated to the specified version.

This solution addresses the root cause by providing the go/bump tool with the correct instructions for handling a package that's likely a transitive dependency (not directly in go.mod). The change is minimal and focused on addressing the specific error without unnecessary modifications to the build configuration.


Alternative Approaches

  • Remove oras.land/oras-go from the deps list entirely if it's not critical to explicitly update this dependency. This is similar to Fix Example #0 and #1 where problematic packages were removed.
  • Examine the repository's go.mod file to determine if oras.land/oras-go should be added as a direct dependency. If so, it would need to be added to the repository's go.mod file first, rather than just changing the Melange YAML.
  • If the package is needed but should not be in go.mod, maintain it in the deps list but add an empty replaces parameter: replaces: ''

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
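The failure above comes down to one check: every `module@version` entry in a go/bump `deps` list must name a module that the upstream go.mod actually requires, otherwise the tool refuses to run. The script below is an added example (not code from the PR, from octo-sts, or from the gobump or melange projects): it parses the `require` directives of a go.mod, classifies each requested dep as present or missing, reproduces the error wording the build printed, and renders the missing ones in the `replaces` form the suggestion above uses. The go.mod text is constructed for the example and is not the real flux-helm-controller go.mod; its `oras.land/oras-go/v2` entry is there to show that a major-version suffix makes a different module path, so it does not satisfy a request for `oras.land/oras-go`. Whether gobump treats `// indirect` requires any differently is not something this page states, so the script only reports that flag.

```python
import re
from dataclasses import dataclass, field

# Constructed go.mod excerpt for the example (NOT the real flux-helm-controller go.mod).
SAMPLE_GO_MOD = """\
module github.com/example/flux-helm-controller

go 1.24

require (
\thelm.sh/helm/v3 v3.17.3
\tgithub.com/spf13/cobra v1.9.1
)

require oras.land/oras-go/v2 v2.5.0 // indirect
"""

# The deps block from the failing go/bump step quoted in the PR.
SAMPLE_DEPS = """\
oras.land/oras-go@v1.2.6
helm.sh/helm/v3@v3.18.4
"""

# One require entry: "<module path> <version>" with an optional "// indirect" marker.
REQUIRE_LINE = re.compile(
    r"^(?P<path>\S+)\s+(?P<version>v\S+)(?P<indirect>\s*//\s*indirect)?\s*$"
)


def parse_requires(go_mod_text: str) -> dict[str, tuple[str, bool]]:
    """Return {module path: (version, is_indirect)} from both the single-line
    'require x v1' form and the block 'require ( ... )' form."""
    requires: dict[str, tuple[str, bool]] = {}
    in_block = False
    for raw in go_mod_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        if in_block:
            if line == ")":
                in_block = False
                continue
            m = REQUIRE_LINE.match(line)
        elif line == "require (":
            in_block = True
            continue
        elif line.startswith("require "):
            m = REQUIRE_LINE.match(line[len("require "):])
        else:
            continue  # module, go, replace, exclude, ... are not needed here
        if m:
            requires[m["path"]] = (m["version"], m["indirect"] is not None)
    return requires


@dataclass
class BumpPlan:
    deps: list[str] = field(default_factory=list)      # entries that stay in deps
    replaces: list[str] = field(default_factory=list)  # entries rewritten as module=module@version
    indirect: list[str] = field(default_factory=list)  # present in go.mod but marked // indirect
    errors: list[str] = field(default_factory=list)    # same wording as the build failure


def check_bump_deps(deps_block: str, go_mod_text: str) -> BumpPlan:
    """Check each 'module@version' line of a go/bump deps list against go.mod.
    Modules absent from go.mod get the build's error message plus a replaces
    entry in the shape the PR comment suggests; everything else stays in deps."""
    requires = parse_requires(go_mod_text)
    plan = BumpPlan()
    for entry in deps_block.split():
        path, _, version = entry.rpartition("@")
        if path not in requires:
            plan.errors.append(
                f"package {path} was not found on the go.mod file. "
                "Please remove the package or add it to the list of 'replaces'"
            )
            plan.replaces.append(f"{path}={path}@{version}")
            continue
        if requires[path][1]:
            plan.indirect.append(path)
        plan.deps.append(entry)
    return plan


def render_go_bump_step(plan: BumpPlan) -> str:
    """Render a melange go/bump step in the layout used by the PR's suggested fix."""
    lines = ["  - uses: go/bump", "    with:", "      deps: |-"]
    lines += [f"        {d}" for d in plan.deps]
    if plan.replaces:
        lines.append("      replaces: " + " ".join(plan.replaces))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = check_bump_deps(SAMPLE_DEPS, SAMPLE_GO_MOD)
    for err in result.errors:
        print("go/bump would fail:", err)
    print(render_go_bump_step(result))
```

Running the script on the constructed input reports the same "was not found on the go.mod file" error for `oras.land/oras-go` and prints a step with only `helm.sh/helm/v3@v3.18.4` under `deps` and the oras module under `replaces`; pointing `SAMPLE_GO_MOD` at the actual upstream go.mod before opening a bump PR is the check that would have caught this failure locally.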

@octo-sts octo-sts bot added the ai/skip-comment (Stop AI from commenting on PR) label Jul 9, 2025
@efbar efbar self-assigned this Jul 10, 2025
Signed-off-by: Francesco Bartolini <francesco.bartolini@chainguard.dev>
@efbar efbar requested a review from a team July 10, 2025 08:55
@octo-sts octo-sts bot added labels Jul 10, 2025: bincapz/pass (Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages.), manual/review-needed
@dnegreira dnegreira merged commit e63c5df into main Jul 10, 2025
24 checks passed
@dnegreira dnegreira deleted the cve-flux-helm-controller-1.3.0-r3-b7517d0700e5b80ef9402e26ed0418df branch July 10, 2025 11:52