Conversation

@octo-sts
Contributor

@octo-sts octo-sts bot commented Sep 2, 2025

airflow-3/3.0.6-r1: fix GHSA-pph8-gcv7-4qj5

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/airflow-3.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. airflow-3 automated pr GHSA-pph8-gcv7-4qj5 request-cve-remediation rust/cargobump labels Sep 2, 2025
@octo-sts
Contributor Author

octo-sts bot commented Sep 2, 2025

📦 Build Failed: Missing Dependency

Error: failed reading file: open Cargo.lock: no such file or directory

Build Details

Category Details
Build System melange/rust
Failure Point rust/cargobump step - attempting to read Cargo.lock file

Root Cause Analysis 🔍

The cargobump tool is trying to read a Cargo.lock file that doesn't exist in the current directory. This suggests the project either doesn't use Rust/Cargo as a build system, or the Cargo.lock file is located in a different directory than expected. The build pipeline is configured to run a rust/cargobump step on what appears to be a Python project (Apache Airflow), causing a mismatch between the expected build system and the actual project structure.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: airflow-3.yaml

  • removal at line 77-78 (pipeline section, after git-checkout step)
    Original:
  - uses: rust/cargobump

Content:

Remove the rust/cargobump step entirely as Apache Airflow is a Python project, not a Rust project
Analysis

The similar fixes show a consistent pattern where the "rust/cargobump" step is being used inappropriately for projects that are not Rust-based. In all three examples, the fixes involved either removing the rust/cargobump step entirely or addressing CVE-related issues through epoch bumps and patch updates. The current failure is occurring because Apache Airflow is a Python project, not a Rust project, yet the pipeline contains a "uses: rust/cargobump" step that expects to find a Cargo.lock file. This is a fundamental mismatch between the build system configuration and the actual project type.

Explanation

The suggested fix removes the inappropriate rust/cargobump step from the Apache Airflow build pipeline. Apache Airflow is a Python-based workflow orchestration platform that does not use Rust or Cargo as its build system. The rust/cargobump step is specifically designed for Rust projects to update Cargo.lock files and manage Rust dependencies. Since Airflow uses Python packaging (pyproject.toml, setup.py, etc.) and pip/uv for dependency management, the rust/cargobump step is completely unnecessary and causes the build to fail when it tries to read a non-existent Cargo.lock file. The build pipeline already includes appropriate Python-specific build steps using 'python -m build --wheel' and 'uv pip install', which are the correct tools for building and installing Python packages.

Alternative Approaches

  • If there are specific Rust components embedded within the Airflow project that require cargo management, the rust/cargobump step could be moved to run only in the directory containing those components using a 'working-directory' parameter
  • Alternatively, if the rust/cargobump step was added for security scanning purposes, it could be replaced with Python-specific dependency vulnerability scanning tools that are appropriate for Python projects

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Sep 2, 2025
@dnegreira dnegreira self-assigned this Sep 3, 2025
@dnegreira
Member

needs advisory wolfi-dev/advisories#23267

@efbar
Member

efbar commented Sep 3, 2025

Closing after this #64989 (comment) has been merged

@efbar efbar closed this Sep 3, 2025
@efbar efbar deleted the cve-airflow-3-3.0.6-r1-566c0bfa4d4e0bc1e183bf44ad5663c8 branch September 3, 2025 13:10