octo-sts bot (Contributor) commented Aug 12, 2025

buck2/20250401-r2: fix GHSA-qx2v-8332-m4fv

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/buck2.advisories.yaml

"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P0 This label indicates our scanning found CRITICAL CVEs for these packages. automated pr request-cve-remediation rust/cargobump buck2 GHSA-qx2v-8332-m4fv labels Aug 12, 2025
octo-sts bot (Contributor, Author) commented Aug 12, 2025

📦 Build Failed: Missing Dependency

Error: failed reading file: open Cargo.lock: no such file or directory

Build Details

Build System: melange/rust/cargo
Failure Point: rust/cargobump pipeline step - cargobump command execution

Root Cause Analysis 🔍

The cargobump tool is attempting to read a Cargo.lock file that does not exist in the current directory. This suggests either the Cargo.lock file was not generated during the initial cargo setup, or the working directory is incorrect when cargobump is executed. The build system expects this file to exist for dependency management but it's missing from the source checkout.


@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Aug 12, 2025
@dnegreira dnegreira self-assigned this Aug 14, 2025
Signed-off-by: David Negreira <david.negreira@chainguard.dev>
dnegreira (Member) commented

malscan is clean

user@david-negreira:~/packages/buck2$ ~/git/image-fulfillment-sandbox/amber.arcadia/download-presubmit-packages.sh --malc https://apk.cgr.dev/wolfi-presubmit/61863e77ab723cefbb5a730d59eefacdea9d70a4
Downloading "https://apk.cgr.dev/wolfi-presubmit/61863e77ab723cefbb5a730d59eefacdea9d70a4/aarch64/buck2-20250401-r3.apk" to "buck2-20250401-r3-aarch64.apk"
Downloading "https://apk.cgr.dev/wolfi-presubmit/61863e77ab723cefbb5a730d59eefacdea9d70a4/x86_64/buck2-20250401-r3.apk" to "buck2-20250401-r3-x86_64.apk"
Waiting for downloads to finish...
All downloads complete.
Scanning downloaded APKs with malcontent...
🔎 Scanning "/work/buck2-20250401-r3-aarch64.apk"
🔎 Scanning "/work/buck2-20250401-r3-x86_64.apk"
Malcontent scan complete.
[1m 4.827s] --> [0]

@dnegreira dnegreira requested a review from a team August 14, 2025 09:42
@octo-sts octo-sts bot added bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. manual/review-needed labels Aug 14, 2025
@kbsteere kbsteere merged commit 0d16f36 into main Aug 14, 2025
18 checks passed
@kbsteere kbsteere deleted the cve-buck2-20250401-r2-6b394d5bb77de650c7b3aa909246b697 branch August 14, 2025 12:49