
Conversation

@octo-sts (octo-sts bot, Contributor) commented Jul 9, 2025

k8ssandra-client/0.8.0-r1: fix GHSA-557j-xg8c-q2mm

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/k8ssandra-client.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr GHSA-557j-xg8c-q2mm go/bump k8ssandra-client request-cve-remediation labels Jul 9, 2025
@octo-sts (octo-sts bot, Contributor, Author) commented Jul 9, 2025

🔢 Build Failed: Dependency Version Mismatch

failed to run update. Error: package oras.land/oras-go was not found on the go.mod file. Please remove the package or add it to the list of 'replaces'

Build Details

Build System: Go (using gobump)
Failure Point: go/bump step using gobump command

Root Cause Analysis 🔍

The gobump tool is trying to update the package 'oras.land/oras-go' but cannot find it in the go.mod file. This likely means the package is either not a direct dependency or is included via a different module path in the project. The build process expects to update this package but cannot find the proper reference in the dependency management file.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: k8ssandra-client.yaml

  • remove at line 20-21 (go/bump deps section)
    Original:
        oras.land/oras-go@v1.2.6

Content:

Remove the oras.land/oras-go package from the deps list
  • alternative at line 16-23 (go/bump section)
    Original:
  - uses: go/bump
    with:
      deps: |-
        oras.land/oras-go@v1.2.6
        github.com/docker/docker@v27.1.1
        github.com/containerd/containerd@v1.7.27
        golang.org/x/net@v0.38.0
        helm.sh/helm/v3@v3.18.4

Replacement:

  - uses: go/bump
    with:
      deps: |-
        github.com/docker/docker@v27.1.1
        github.com/containerd/containerd@v1.7.27
        golang.org/x/net@v0.38.0
        helm.sh/helm/v3@v3.18.4
      replaces: oras.land/oras-go=oras.land/oras-go@v1.2.6

Content:

Alternative approach: Add the package to the replaces section instead of removing it

Analysis

The pattern across all three similar fixed build failures involves issues with the go/bump step trying to update packages that weren't directly declared in the go.mod file. The solutions generally fall into two categories:

  1. Removing the problematic package from the deps list if it's not directly needed
  2. Adding the package to the 'replaces' section when it needs to be updated but isn't in go.mod
  3. In one case (Fix Example #2, "Add pax-utils into the OS."), the package was added to the deps list and explicitly versioned

The most common approach was to remove dependencies that were causing issues from the deps list, particularly when they might be transitive dependencies not directly declared in go.mod.


Explanation

The build failure occurs because the gobump tool is trying to update 'oras.land/oras-go' but cannot find it in the go.mod file. This indicates that oras.land/oras-go might be a transitive dependency rather than a direct dependency in the k8ssandra-client project.

The primary recommended fix is to simply remove 'oras.land/oras-go' from the deps list in the go/bump step. This mirrors what was done in Fix Examples #0 and #1, where problematic packages that weren't directly in go.mod were removed from the deps list.

This should work because:

  1. If oras.land/oras-go is indeed a transitive dependency, it will still be updated appropriately through its parent dependency without needing explicit specification
  2. The gobump tool only needs direct dependencies to be listed in the deps section or in the replaces section
  3. Removing it from the deps list eliminates the specific error without affecting the actual dependency resolution during the build process

The alternative approach of adding it to the replaces section would work if there's a specific need to pin this transitive dependency to a particular version, even though it's not directly declared in go.mod. This approach was used in Fix Example #2 where they kept the dependency but moved it to the replaces section.


Alternative Approaches

  • Instead of removing oras.land/oras-go from the deps list, you could check the project's go.mod file to see if there's a different module path being used for this package and update the deps entry accordingly.
  • You could add an explicit 'go mod' command before the go/bump step to ensure all dependencies, including transitive ones, are properly represented in the go.mod file.
  • If oras.land/oras-go is truly needed at a specific version, you could modify the project's go.mod file directly in a previous step to add it as a direct dependency before running go/bump.

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
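As an added example that is not code from this PR or from the wolfi-dev tooling, here is a POSIX shell pre-flight check for the failure described in the comment above: it walks the go/bump deps list and reports any module that has no require entry in go.mod, which is the condition gobump rejects. The go.mod content is constructed for illustration, in_gomod and check_bump_deps are hypothetical helper names, and the script assumes gobump accepts any module that appears in go.mod's require entries.

```shell
#!/bin/sh
# Added example (not the PR's or wolfi-dev's code). Assumption: gobump only
# updates modules that already have a require entry in go.mod.

# Constructed go.mod (hypothetical, not the real k8ssandra-client go.mod):
# oras.land/oras-go is deliberately absent.
GOMOD_SAMPLE='module github.com/example/k8ssandra-client

go 1.22

require (
    github.com/containerd/containerd v1.7.20
    github.com/docker/docker v26.0.0
    golang.org/x/net v0.30.0
    helm.sh/helm/v3 v3.15.0
)
'

# The deps list from the suggested change, in go/bump module@version form.
DEPS_SAMPLE='oras.land/oras-go@v1.2.6
github.com/docker/docker@v27.1.1
github.com/containerd/containerd@v1.7.27
golang.org/x/net@v0.38.0
helm.sh/helm/v3@v3.18.4'

# in_gomod MODULE GOMOD_CONTENT: succeed if go.mod has a require entry for MODULE,
# either inside a "require ( ... )" block or as a one-line "require MODULE vX".
in_gomod() {
  printf '%s\n' "$2" | awk -v m="$1" '
    ($1 == m && $2 ~ /^v/) || ($1 == "require" && $2 == m) { found = 1 }
    END { exit !found }'
}

# check_bump_deps GOMOD_CONTENT DEPS_LIST: print every module gobump would report
# as "not found on the go.mod file"; return 1 if any, 0 if the list is clean.
check_bump_deps() {
  gomod=$1; rc=0
  for dep in $2; do
    mod=${dep%@*}                      # strip the @version suffix
    if ! in_gomod "$mod" "$gomod"; then
      printf 'not in go.mod: %s\n' "$mod"
      rc=1
    fi
  done
  return $rc
}

# Stand-alone run: reports oras.land/oras-go, the module this PR tripped over.
check_bump_deps "$GOMOD_SAMPLE" "$DEPS_SAMPLE" || echo 'remove it from deps or route it via replaces'
```

Running this in the package's build environment before the go/bump step turns the gobump failure into a clear list of offending deps entries.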

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jul 9, 2025
@kbsteere kbsteere self-assigned this Jul 11, 2025
@kbsteere (Member) commented:

Advisory PR: wolfi-dev/advisories#20919

@kbsteere kbsteere closed this Jul 11, 2025