
Conversation

@octo-sts octo-sts bot commented Aug 16, 2025

helm-set-status/0.3.0-r1: fix GHSA-f9f8-9pmf-xv68

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/helm-set-status.advisories.yaml

⚠️ Deferred 1 vulnerability

The following vulnerabilities are being deferred to future PRs (to avoid merge conflicts):


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr GHSA-f9f8-9pmf-xv68 go/bump helm-set-status request-cve-remediation labels Aug 16, 2025

octo-sts bot commented Aug 16, 2025

📦 Build Failed: Missing Dependency

package github.com/docker/docker was not found on the go.mod file. Please remove the package or add it to the list of 'replaces'

Build Details

Category       Details
Build System   go/gobump
Failure Point  go/bump step during gobump execution

Root Cause Analysis 🔍

The gobump tool is attempting to update the github.com/docker/docker package to version v26.1.5, but this package is not present in the current go.mod file. This suggests either the package was previously removed from dependencies or the version bump configuration is referencing a package that doesn't exist in the project's dependency list.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: helm-set-status.yaml

  • modification at lines 19-23 (pipeline go/bump step deps section)
    Original:
  - uses: go/bump
    with:
      deps: |-
        github.com/containerd/containerd@v1.7.27
        github.com/docker/docker@v26.1.5
        golang.org/x/net@v0.38.0
        golang.org/x/oauth2@v0.27.0
        helm.sh/helm/v3@v3.18.5

Replacement:

  - uses: go/bump
    with:
      deps: |-
        github.com/containerd/containerd@v1.7.27
        github.com/docker/docker@v26.1.5+incompatible
        golang.org/x/net@v0.38.0
        golang.org/x/oauth2@v0.27.0
        helm.sh/helm/v3@v3.18.5

Content:

Add +incompatible suffix to github.com/docker/docker version specification

Analysis

Looking at the similar fixes, there's a clear pattern: when gobump encounters a package that's not found in the go.mod file, the solution is to add that specific package with its version to the deps list in the go/bump step. In all three examples, the missing package was added to the deps section with the exact version that gobump was trying to update to. Fix #0 and #1 both dealt with the same github.com/docker/docker package being missing and added it with version v28.3.3+incompatible. Fix #2 showed a similar pattern with github.com/go-jose/go-jose/v3 being added to resolve the missing package error.


Explanation

The fix should work because the error indicates that gobump cannot find github.com/docker/docker in the go.mod file when trying to update it to v26.1.5. Based on the similar fixes, particularly examples #0 and #1, the solution is to add the +incompatible suffix to the Docker package version in the deps list. The +incompatible suffix is required for Docker packages because they don't follow semantic versioning conventions that Go modules expect. This tells the Go module system to treat this as a legacy package that predates Go modules. The current configuration has github.com/docker/docker@v26.1.5, but it should be github.com/docker/docker@v26.1.5+incompatible to properly handle the package's non-standard versioning scheme.


Alternative Approaches

  • Remove github.com/docker/docker from the deps list entirely if it's not actually needed as a direct dependency
  • Add the package to a 'replaces' section if the gobump tool supports it, though this approach wasn't used in the similar fixes
  • Check if there's an alternative Docker client library that follows proper Go module versioning that could be used instead

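The failure above is a mismatch between the go/bump deps list and the project's go.mod: gobump rejects any dep whose module path is not already required (or replaced) in go.mod, and the Go module system separately rejects a major version of 2 or higher on a path without a /vN suffix unless the version carries the +incompatible suffix (which is why github.com/docker/docker versions look like v26.1.5+incompatible). The following pre-flight check, added here as an illustration and not part of the octo-sts bot, gobump or the helm-set-status package, reproduces both rules against a constructed go.mod and the deps list from this PR so the problem surfaces before the melange build runs. The sample go.mod, module name and the checkBumpDeps/needsIncompatible helpers are assumptions for the example; the go.mod parser deliberately handles only the require/replace forms shown and is not a replacement for golang.org/x/mod/modfile.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample go.mod for the example; it is not helm-set-status's real go.mod.
// Note that github.com/docker/docker is deliberately absent, matching the build error.
const sampleGoMod = `module example.com/helm-set-status

go 1.24

require (
	github.com/containerd/containerd v1.7.24
	golang.org/x/net v0.33.0
	golang.org/x/oauth2 v0.25.0
	helm.sh/helm/v3 v3.17.0
)

replace github.com/go-jose/go-jose/v3 => github.com/go-jose/go-jose/v3 v3.0.3
`

// The deps list from the PR's go/bump step, in gobump's "path@version" form.
var sampleDeps = []string{
	"github.com/containerd/containerd@v1.7.27",
	"github.com/docker/docker@v26.1.5",
	"golang.org/x/net@v0.38.0",
	"golang.org/x/oauth2@v0.27.0",
	"helm.sh/helm/v3@v3.18.5",
}

// majorSuffix matches module paths that already encode a major version (e.g. helm.sh/helm/v3).
var majorSuffix = regexp.MustCompile(`/v[2-9][0-9]*$`)

// modulesInGoMod returns the set of module paths named by require and replace
// directives, in both the block "require (" form and the single-line form.
// Comments are stripped; other directives (module, go, exclude) are ignored.
func modulesInGoMod(gomod string) map[string]bool {
	mods := map[string]bool{}
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		isDirective := fields[0] == "require" || fields[0] == "replace"
		switch {
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			mods[fields[0]] = true // first field is the module path, for require and for "old => new" replace lines
		case isDirective && len(fields) >= 2 && fields[1] == "(":
			inBlock = true
		case isDirective && len(fields) >= 2:
			mods[fields[1]] = true
		}
	}
	return mods
}

// needsIncompatible reports whether path@version must carry the +incompatible
// suffix under Go's module rules: major version >= 2 on a path with no /vN suffix.
func needsIncompatible(path, version string) bool {
	if strings.HasSuffix(version, "+incompatible") || majorSuffix.MatchString(path) {
		return false
	}
	major, err := strconv.Atoi(strings.SplitN(strings.TrimPrefix(version, "v"), ".", 2)[0])
	return err == nil && major >= 2
}

// checkBumpDeps returns one problem per dep that would fail the go/bump step:
// a module path missing from go.mod, or a version that Go would reject as written.
func checkBumpDeps(gomod string, deps []string) []string {
	present := modulesInGoMod(gomod)
	var problems []string
	for _, dep := range deps {
		path, version, ok := strings.Cut(dep, "@")
		if !ok {
			problems = append(problems, dep+": expected path@version")
			continue
		}
		if !present[path] {
			problems = append(problems, path+": not in go.mod (remove it or add it to replaces)")
		}
		if needsIncompatible(path, version) {
			problems = append(problems, path+": "+version+" needs the +incompatible suffix")
		}
	}
	return problems
}

func main() {
	for _, p := range checkBumpDeps(sampleGoMod, sampleDeps) {
		fmt.Println(p)
	}
}
```

Run against the sample, the check reports github.com/docker/docker twice: once because it is absent from go.mod, once because v26.1.5 lacks +incompatible. The first finding is the one the build log actually shows, and only removing the dep or adding it to the replaces list clears it; the suffix fix alone addresses the second finding.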

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Aug 16, 2025