@octo-sts octo-sts bot commented Dec 7, 2025

aactl/0.4.12-r39: fix GHSA-f83f-xpx7-ffpw

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/aactl.advisories.yaml


"Breadcrumbs" for this automated service

octo-sts bot commented Dec 7, 2025

📦 Build Failed: Missing Dependency

package github.com/docker/docker was not found on the go.mod file. Please remove the package or add it to the list of 'replaces'

Build Details

  Build System:  melange/go
  Failure Point: go/bump pipeline step during dependency management

Root Cause Analysis 🔍

The gobump tool attempted to update the github.com/docker/docker package to version v28.0.0, but this package is not present in the go.mod file. The tool requires either the package to exist in go.mod or to be explicitly added to the 'replaces' configuration to handle missing dependencies.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: aactl.yaml

  • modification at line 14-29 (go/bump deps section)
    Original:
      github.com/docker/docker@v28.0.0
    Content:
      Remove github.com/docker/docker@v28.0.0 from the deps list

  • modification at line 30 (go/bump replaces section)
    Original:
      replaces: github.com/go-jose/go-jose/v3=github.com/go-jose/go-jose/v3@v3.0.4 github.com/sigstore/cosign/v2=github.com/sigstore/cosign/v2@v2.2.4
    Replacement:
      replaces: github.com/go-jose/go-jose/v3=github.com/go-jose/go-jose/v3@v3.0.4 github.com/sigstore/cosign/v2=github.com/sigstore/cosign/v2@v2.2.4 github.com/docker/docker=github.com/docker/docker@v28.0.0+incompatible
    Content:
      Add github.com/docker/docker to the replaces section with +incompatible suffix

Analysis

Analysis of the three similar fixes reveals two consistent patterns for resolving the "github.com/docker/docker was not found on the go.mod file" error: 1) Moving the github.com/docker/docker dependency from the 'deps' list to the 'replaces' list with a compatible version suffix (Fix #0), 2) Adding the dependency directly to the 'deps' list with the +incompatible suffix (Fix #1), or 3) Removing the dependency entirely from the go/bump configuration (Fix #2). The +incompatible suffix appears to be necessary for the docker/docker package due to its versioning scheme that doesn't follow semantic versioning conventions.


Explanation

This fix addresses the root cause by moving the github.com/docker/docker dependency from the 'deps' list to the 'replaces' list with the +incompatible suffix. The github.com/docker/docker package has a complex versioning history that doesn't strictly follow semantic versioning, which is why Go modules require the +incompatible suffix for certain versions. The 'replaces' directive in go/bump allows the tool to handle dependencies that may not be directly present in the go.mod file or need special version handling. This approach follows the exact pattern used in Fix #0, which resolved the identical error by moving the docker/docker package to replaces with the +incompatible suffix. The +incompatible suffix tells Go that this version predates the adoption of Go modules and should be treated accordingly.


Alternative Approaches

  • Remove the github.com/docker/docker dependency entirely from the go/bump configuration if it's not actually needed by the aactl project (as done in Fix #2)
  • Add the dependency directly to the deps list with the +incompatible suffix: github.com/docker/docker@v28.0.0+incompatible (similar to the Fix #1 approach)

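As an added example (not code from this PR, from gobump or from melange), a small Python check that models the precondition stated in the error message above: every go/bump deps entry must already be required by go.mod, unless a replaces entry names its module path. The go.mod contents and the aactl-style deps/replaces lists are constructed, and the go.mod reader is a minimal line parser rather than golang.org/x/mod.

```python
# Constructed sample go.mod for a module that, like aactl on this PR, does not
# require github.com/docker/docker itself (a literal tab indents each line).
SAMPLE_GOMOD = """\
module github.com/example/aactl
require (
\tgithub.com/go-jose/go-jose/v3 v3.0.1
\tgithub.com/sigstore/cosign/v2 v2.2.3
\tgithub.com/spf13/cobra v1.8.0 // indirect
)
"""

# Constructed go/bump lists in the failing shape from the build log.
DEPS = ["github.com/docker/docker@v28.0.0"]
REPLACES = [
    "github.com/go-jose/go-jose/v3=github.com/go-jose/go-jose/v3@v3.0.4",
    "github.com/sigstore/cosign/v2=github.com/sigstore/cosign/v2@v2.2.4",
]
FIXED_REPLACES = REPLACES + [  # the suggested fix: docker moved to replaces
    "github.com/docker/docker=github.com/docker/docker@v28.0.0+incompatible"]


def required_modules(gomod: str) -> set[str]:
    """Module paths from go.mod require directives (single-line or block form).
    Minimal line reader, not golang.org/x/mod; comment lines are skipped."""
    mods, in_block = set(), False
    for raw in gomod.splitlines():
        line = raw.strip()
        if line == "require (":
            in_block = True
        elif line == ")":
            in_block = False
        elif line.startswith("require "):
            mods.add(line.split()[1])
        elif in_block and line and not line.startswith("//"):
            mods.add(line.split()[0])
    return mods


def module_path(entry: str) -> str:
    """Strip the '@version' suffix: 'pkg@v28.0.0+incompatible' -> 'pkg'."""
    return entry.rsplit("@", 1)[0]


def missing_deps(gomod: str, deps: list[str], replaces: list[str]) -> list[str]:
    """Precondition behind the quoted error (modelled on the message, not on
    gobump's source): each deps entry must be required by go.mod unless a
    replaces entry ('old=new@version') names the same module path."""
    required = required_modules(gomod)
    replaced = {module_path(r.split("=", 1)[0]) for r in replaces}
    return [p for p in map(module_path, deps) if p not in required | replaced]
```

Running missing_deps(SAMPLE_GOMOD, DEPS, REPLACES) reports github.com/docker/docker, matching the build log; with FIXED_REPLACES and the entry removed from deps, nothing is reported.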

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Dec 7, 2025
@aborrero aborrero self-assigned this Dec 12, 2025
@aborrero aborrero (Member)

advisory wolfi-dev/advisories#27904

octo-sts bot commented Dec 12, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-jvcq-vxr3-45q4 has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/aactl.advisories.yaml

ID:      CGA-jvcq-vxr3-45q4
Package: aactl
Aliases: CVE-2025-66506 GHSA-f83f-xpx7-ffpw
Events:
  - "scan/v1" at 2025-12-06 11:03:48 UTC
  - "pending-upstream-fix" at 2025-12-12 13:23:32 UTC
