
@octo-sts octo-sts bot commented Aug 16, 2025

helm-mapkubeapis/0.6.1-r1: fix GHSA-f9f8-9pmf-xv68

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/helm-mapkubeapis.advisories.yaml

⚠️ Deferred 1 Vulnerabilities

The following vulnerabilities are being deferred to future PRs (to avoid merge conflicts):



@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr GHSA-f9f8-9pmf-xv68 go/bump helm-mapkubeapis request-cve-remediation labels Aug 16, 2025

octo-sts bot commented Aug 16, 2025

📦 Build Failed: Missing Dependency

package github.com/docker/docker was not found on the go.mod file. Please remove the package or add it to the list of 'replaces'

Build Details

Build System: melange with go/gobump
Failure Point: go/bump pipeline step during dependency update

Root Cause Analysis 🔍

The gobump tool attempted to update the github.com/docker/docker package to version v26.0.0-rc3, but this package is not present in the project's go.mod file. The tool requires the package to either exist in go.mod or be explicitly listed in the 'replaces' configuration to handle missing dependencies.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: helm-mapkubeapis.yaml

  • modification at line 15-18 (go/bump pipeline step)

Original:

  - uses: go/bump
    with:
      deps: |-
        github.com/docker/docker@v26.0.0-rc3
        golang.org/x/oauth2@v0.27.0
        helm.sh/helm/v3@v3.18.5

Replacement:

  - uses: go/bump
    with:
      deps: |-
        github.com/docker/docker@v26.0.0-rc3+incompatible
        golang.org/x/oauth2@v0.27.0
        helm.sh/helm/v3@v3.18.5

Content:

Add '+incompatible' suffix to the github.com/docker/docker dependency version

Analysis

Looking at the similar fixed build failures, there's a clear pattern: when the gobump tool encounters a package that's not present in the go.mod file, the solution is to add that specific package with its exact version to the 'deps' list in the go/bump pipeline step. In all three examples, the fix involved adding the missing package (github.com/docker/docker or github.com/go-jose/go-jose/v3) with the specific version that gobump was trying to update to. The pattern shows that docker packages typically use the '+incompatible' suffix when added to the deps list.


Explanation

The fix should work because the pattern from all similar failures shows that when gobump cannot find a package in go.mod, the solution is to ensure the package is properly specified in the deps list with the correct version format. In the case of Docker packages, they typically require the '+incompatible' suffix when specified as dependencies. The current configuration has 'github.com/docker/docker@v26.0.0-rc3' but based on the patterns from the fixed examples (which show '@v28.3.3+incompatible'), the Docker package needs the '+incompatible' suffix. This suffix indicates that the package doesn't follow semantic import versioning conventions, which is common for Docker packages. Adding this suffix should allow gobump to properly handle the dependency update.


Alternative Approaches

  • Remove the github.com/docker/docker dependency entirely from the deps list if it's not actually needed by the project
  • Check if the Docker dependency should be using a different package path or version that actually exists in the project's go.mod file
  • Add the package to a 'replaces' configuration section if the gobump tool supports it for handling missing dependencies

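The bot's root-cause analysis turns on two facts that are easy to check before a go/bump step is even run: every entry in the `deps` list must name a module that the project's go.mod actually requires, and a module whose major version is 2 or higher without a `/vN` path suffix needs the `+incompatible` marker. The following Go program is an added example, not code from this PR, from the octo-sts bot or from the gobump tool; it parses a constructed go.mod excerpt (assumed, not the real helm-mapkubeapis go.mod), walks the `deps` entries in the same `path@version` form the pipeline step uses, and reports the two problems the comment describes. The `gopkg.in/` exclusion and the `require`-block-only parsing are simplifications of the real Go module rules.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt for the example (assumption: not the project's real file).
// Note that github.com/docker/docker is deliberately absent, mirroring the failure.
const sampleGoMod = `module github.com/example/helm-mapkubeapis

go 1.22

require (
	golang.org/x/oauth2 v0.25.0 // indirect
	helm.sh/helm/v3 v3.17.0
)
`

// Constructed deps list in the go/bump "deps" format (path@version), taken from
// the "Original" block of the suggested change above.
var sampleDeps = []string{
	"github.com/docker/docker@v26.0.0-rc3",
	"golang.org/x/oauth2@v0.27.0",
	"helm.sh/helm/v3@v3.18.5",
}

// Finding is one problem detected for a single deps entry.
type Finding struct {
	Dep     string
	Problem string
}

// RequiredModules returns path -> version for every module listed in the
// require directives of the given go.mod text (single-line and block forms).
// Comments such as "// indirect" are stripped before parsing.
func RequiredModules(gomod string) map[string]string {
	mods := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case strings.HasPrefix(line, "require ("):
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) >= 2 {
				mods[f[0]] = f[1]
			}
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 3 {
				mods[f[1]] = f[2]
			}
		}
	}
	return mods
}

var (
	majorRe     = regexp.MustCompile(`^v(\d+)\.`) // leading major number of a semver tag
	pathMajorRe = regexp.MustCompile(`/v\d+$`)    // /vN suffix of a semantic-import-versioned path
)

// NeedsIncompatible reports whether a module at this version must carry the
// "+incompatible" suffix: major >= 2 while the import path has no /vN suffix.
// gopkg.in paths encode the major version differently and are skipped here.
func NeedsIncompatible(path, version string) bool {
	m := majorRe.FindStringSubmatch(version)
	if m == nil {
		return false
	}
	major, _ := strconv.Atoi(m[1])
	return major >= 2 && !pathMajorRe.MatchString(path) && !strings.HasPrefix(path, "gopkg.in/")
}

// CheckBumpDeps validates each deps entry against the go.mod text and returns
// every problem found; an empty result means the bump should at least not fail
// for the two reasons discussed in the build-failure comment.
func CheckBumpDeps(gomod string, deps []string) []Finding {
	have := RequiredModules(gomod)
	var out []Finding
	for _, d := range deps {
		path, version, ok := strings.Cut(d, "@")
		if !ok {
			out = append(out, Finding{d, "entry is not in path@version form"})
			continue
		}
		if _, present := have[path]; !present {
			out = append(out, Finding{d, "module is not required by go.mod; gobump will fail unless it is present or handled via replaces"})
		}
		if NeedsIncompatible(path, version) && !strings.HasSuffix(version, "+incompatible") {
			out = append(out, Finding{d, "major version >= 2 with no /vN path suffix needs the +incompatible suffix"})
		}
	}
	return out
}

func main() {
	for _, f := range CheckBumpDeps(sampleGoMod, sampleDeps) {
		fmt.Printf("%s: %s\n", f.Dep, f.Problem)
	}
}
```

Run against the constructed input, the check flags only the docker entry, once because the module is missing from go.mod and once because `v26.0.0-rc3` lacks `+incompatible`; the oauth2 (v0) and helm (`/v3` path) entries pass. Feeding it the real go.mod before editing a melange YAML tells you which of the bot's alternative approaches applies: if the module is absent the first finding stands regardless of the suffix, so adding `+incompatible` alone would not be enough.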

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Aug 16, 2025
Signed-off-by: Vishal Choudhary <vishal.choudhary@chainguard.dev>