

@octo-sts octo-sts bot commented Nov 18, 2025

jitsucom-bulker/2.11.913-r0: fix GHSA-9mj6-hxhv-w67j

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/jitsucom-bulker.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr GHSA-9mj6-hxhv-w67j go/bump jitsucom-bulker request-cve-remediation labels Nov 18, 2025

octo-sts bot commented Nov 18, 2025

📦 Build Failed: Missing Dependency

failed to run update. Error: package github.com/go-viper/mapstructure/v2 was not found on the go.mod file. Please remove the package or add it to the list of 'replaces'

Build Details

  • Build System: go/gobump
  • Failure Point: go/bump step during dependency update process

Root Cause Analysis 🔍

The gobump tool is attempting to update the package github.com/go-viper/mapstructure/v2 to version v2.4.0, but this package is not declared as a dependency in the go.mod file. This suggests either the package name is incorrect, it was removed from dependencies, or it needs to be added to the 'replaces' section of the build configuration.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: jitsucom-bulker.yaml

  • removal at line 23-24 (kafkabase go/bump deps section)
    Original:
      deps: |-
        github.com/go-viper/mapstructure/v2@v2.4.0
    Replacement:
      deps: |-
    Content: Remove the github.com/go-viper/mapstructure/v2@v2.4.0 dependency from kafkabase modroot
  • removal at line 32-33 (ingest go/bump deps section)
    Original:
      deps: |-
        github.com/go-viper/mapstructure/v2@v2.4.0
    Replacement:
      deps: |-
    Content: Remove the github.com/go-viper/mapstructure/v2@v2.4.0 dependency from ingest modroot
  • removal at line 38-39 (admin go/bump deps section)
    Original:
      deps: |-
        github.com/go-viper/mapstructure/v2@v2.4.0
    Replacement:
      deps: |-
    Content: Remove the github.com/go-viper/mapstructure/v2@v2.4.0 dependency from admin modroot
  • removal at line 44-45 (bulkerapp go/bump deps section)
    Original:
      deps: |-
        github.com/go-viper/mapstructure/v2@v2.4.0
    Replacement:
      deps: |-
    Content: Remove the github.com/go-viper/mapstructure/v2@v2.4.0 dependency from bulkerapp modroot
  • modification at line 50-53 (bulkerlib go/bump deps section)
    Original:
      deps: |-
        github.com/snowflakedb/gosnowflake@v1.13.3
        github.com/go-viper/mapstructure/v2@v2.4.0
        github.com/dvsekhvalnov/jose2go@v1.7.0
    Replacement:
      deps: |-
        github.com/snowflakedb/gosnowflake@v1.13.3
        github.com/dvsekhvalnov/jose2go@v1.7.0
    Content: Remove the github.com/go-viper/mapstructure/v2@v2.4.0 dependency from bulkerlib modroot while keeping other dependencies

Analysis

The similar build failures all follow the same pattern: the go/bump tool attempts to update a package that doesn't exist in the go.mod file. In all three examples, the fix was to remove the problematic package from the deps list in the go/bump step. This indicates that these packages either don't exist in the project's dependencies, have been renamed/moved, or are no longer needed. The pattern shows that when gobump cannot find a package in go.mod, the solution is typically to remove it from the dependency update list rather than adding it to replaces.


Explanation

This fix addresses the root cause of the build failure by removing the problematic package github.com/go-viper/mapstructure/v2 from all go/bump dependency lists. The error indicates this package is not found in any of the go.mod files across the different modules (kafkabase, ingest, admin, bulkerapp, bulkerlib). Based on the patterns from similar fixes, when gobump cannot locate a package in go.mod, it means the package either doesn't exist as a dependency in those modules, has been renamed, or is no longer needed. Rather than trying to force the package into the build through replaces (which would be inappropriate if the package isn't actually used), the correct approach is to remove it from the dependency update list. This allows the build to proceed with the actual dependencies that exist in each module's go.mod file.


Alternative Approaches

  • If the package is genuinely needed, check if it has been renamed or moved to a different import path and update the dependency reference accordingly
  • Verify if the package exists in a different version (v1 instead of v2) and update the version in the deps list
  • Add the package to the replaces section if it needs to be substituted with a different package, though this is less likely given the error message

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
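A pre-flight check for the failure mode the bot's root cause analysis and suggested changes describe, added here as an example (it is not code from octo-sts, gobump or the Wolfi jitsucom-bulker package): it reads the require directives of a go.mod file and the body of a melange `deps: |-` block, and reports every entry whose module path is absent from go.mod, which is exactly the condition that produces "package ... was not found on the go.mod file". The go.mod contents, the `example.com/...` module paths and the lower starting versions are constructed for the example; the deps list is the bulkerlib block quoted above. Running such a check on each modroot before the go/bump step would flag the stray `mapstructure/v2` entry without a failed build.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample go.mod for a hypothetical module. It mirrors the
// situation in the PR: the other two bulkerlib deps are required, but
// github.com/go-viper/mapstructure/v2 is not required anywhere.
const sampleGoMod = `module example.com/bulker-sample

go 1.22

require (
	github.com/snowflakedb/gosnowflake v1.13.2
	github.com/dvsekhvalnov/jose2go v1.6.0 // indirect
)

require example.com/other/lib v0.1.0
`

// The bulkerlib go/bump deps block from the PR, as a constructed input.
const sampleDeps = `
github.com/snowflakedb/gosnowflake@v1.13.3
github.com/go-viper/mapstructure/v2@v2.4.0
github.com/dvsekhvalnov/jose2go@v1.7.0
`

// Dep is one "path@version" entry from a melange go/bump deps list.
type Dep struct {
	Path    string
	Version string
}

// goModRequires returns module path -> version for every require
// directive in a go.mod file, in single-line and block form, including
// "// indirect" entries. It is a small hand-written parser (not
// golang.org/x/mod) so the example has no external dependencies.
func goModRequires(goMod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop comments such as "// indirect"
		}
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				reqs[f[1]] = f[2]
			}
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				reqs[f[0]] = f[1]
			}
		}
	}
	return reqs
}

// parseDeps splits the body of a "deps: |-" block into Dep values.
func parseDeps(deps string) []Dep {
	var out []Dep
	for _, raw := range strings.Split(deps, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" {
			continue
		}
		path, version, _ := strings.Cut(line, "@")
		out = append(out, Dep{Path: path, Version: version})
	}
	return out
}

// missingDeps returns the deps entries whose module path does not appear
// in go.mod; these are the entries gobump rejects at the go/bump step.
func missingDeps(deps []Dep, reqs map[string]string) []Dep {
	var missing []Dep
	for _, d := range deps {
		if _, ok := reqs[d.Path]; !ok {
			missing = append(missing, d)
		}
	}
	return missing
}

func main() {
	reqs := goModRequires(sampleGoMod)
	for _, d := range missingDeps(parseDeps(sampleDeps), reqs) {
		fmt.Printf("not in go.mod, drop from deps or add to replaces: %s@%s\n", d.Path, d.Version)
	}
}
```

For the sample input the only entry reported is github.com/go-viper/mapstructure/v2@v2.4.0, matching the bot's finding; the two entries that are present (one of them only as an indirect require) pass, which is why the check keys on the module path alone and ignores the requested version.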

@octo-sts octo-sts bot added ai/skip-comment Stop AI from commenting on PR cve-pr-closer/v2-adv-disagreement labels Nov 18, 2025
@catmsred catmsred assigned catmsred and unassigned catmsred Nov 19, 2025
Signed-off-by: Ben Tasker <2900301+bentasker@users.noreply.github.com>
@bentasker bentasker self-assigned this Nov 23, 2025
@bentasker bentasker requested a review from a team November 23, 2025 12:31
@octo-sts octo-sts bot added bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. manual/review-needed approver-bot/manual-review-needed staging-approver-bot/manual-review-needed labels Nov 23, 2025
@dnegreira dnegreira merged commit 5c73798 into main Nov 24, 2025
19 checks passed
@dnegreira dnegreira deleted the cve-jitsucom-bulker-2.11.913-r0-00702ea6fd8eee091b928712584748d5 branch November 24, 2025 12:47