@octo-sts octo-sts bot commented Dec 8, 2025

trivy-operator/0.29.0-r5: fix GHSA-4qg8-fj49-pxjh

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/trivy-operator.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr GHSA-4qg8-fj49-pxjh go/bump request-cve-remediation trivy-operator labels Dec 8, 2025
octo-sts bot commented Dec 8, 2025

🔢 Build Failed: Dependency Version Mismatch

go: github.com/sigstore/timestamp-authority@v2.0.3: invalid version: go.mod has post-v2 module path "github.com/sigstore/timestamp-authority/v2" at revision v2.0.3

Build Details

Category Details
Build System Go (melange)
Failure Point go/bump step during dependency update

Root Cause Analysis 🔍

The gobump tool is attempting to update the github.com/sigstore/timestamp-authority dependency to version v2.0.3, but this version has an incompatible module path. The go.mod file at that revision expects the module path to be 'github.com/sigstore/timestamp-authority/v2' (with /v2 suffix for major version 2), but the dependency is being referenced without the /v2 suffix. This is a Go module versioning constraint violation where major version 2+ modules must include the major version in their import path.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: trivy-operator.yaml

  • modification at line 19 (go/bump step deps section)
    Original:
        github.com/sigstore/timestamp-authority@v2.0.3
    Replacement:
        github.com/sigstore/timestamp-authority/v2@v2.0.3
    Content:
        Update the timestamp-authority dependency to use the correct v2 module path

Analysis

Based on the similar fixed build failures, I observe a clear pattern: when Go modules reach major version 2 or higher, they must include the major version suffix in their module path. Both fix examples show the same solution - adding a separate dependency entry with the correct versioned module path (e.g., github.com/containerd/containerd/v2@v2.1.5) alongside or instead of the non-versioned path. The gobump tool requires explicit specification of the correct module path that matches what's declared in the target version's go.mod file.


Explanation

This fix addresses the root cause by using the correct module path that matches what the timestamp-authority v2.0.3 expects in its go.mod file. When Go modules reach major version 2+, they must include the major version in their import path as per Go module versioning semantics. The timestamp-authority v2.0.3 has declared its module path as 'github.com/sigstore/timestamp-authority/v2' in its go.mod, so we must reference it exactly that way. This is the same pattern used successfully in both similar fixes where containerd v2+ required the /v2 suffix.


Alternative Approaches

  • Keep both the v1 and v2 module paths if the codebase needs to support both versions simultaneously, similar to how containerd was handled in the examples
  • Downgrade to a v1.x.x version of timestamp-authority if v2 compatibility is not required
  • Remove the timestamp-authority dependency entirely if it's not actually needed by the current codebase

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
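A pre-check for a go/bump deps list that catches this class of mismatch before the build runs, as an added example (not gobump's code nor the trivy-operator package's own); it assumes entries are plain `path@version` strings like the one that failed above, and the names `CheckDep` and `majorVersion` are assumptions:

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// majorVersion returns N from "vN.x.y", or -1 if it cannot be parsed.
func majorVersion(ver string) int {
	head, _, _ := strings.Cut(strings.TrimPrefix(ver, "v"), ".")
	if n, err := strconv.Atoi(head); err == nil {
		return n
	}
	return -1
}

// CheckDep inspects one "path@version" spec from a go/bump deps list and
// returns ok=false plus a corrected spec when the version is v2+ but the
// path lacks the "/vN" suffix Go requires (the mismatch behind this failure).
// gopkg.in uses ".vN" and is skipped; a stale "/vN" suffix is replaced.
func CheckDep(spec string) (ok bool, suggested string) {
	path, ver, found := strings.Cut(spec, "@")
	major := majorVersion(ver)
	if !found || major < 2 || strings.HasPrefix(path, "gopkg.in/") {
		return true, spec
	}
	want := "/v" + strconv.Itoa(major)
	if strings.HasSuffix(path, want) {
		return true, spec
	}
	if i := strings.LastIndex(path, "/v"); i >= 0 {
		if _, err := strconv.Atoi(path[i+2:]); err == nil {
			path = path[:i]
		}
	}
	return false, path + want + "@" + ver
}

func main() {
	// Constructed deps list; the first entry is the spec that failed in this PR.
	for _, d := range []string{
		"github.com/sigstore/timestamp-authority@v2.0.3",
		"github.com/sigstore/timestamp-authority/v2@v2.0.3",
	} {
		if ok, fix := CheckDep(d); !ok {
			fmt.Printf("mismatch: %s -> use %s\n", d, fix)
		}
	}
}
```

Versions tagged `+incompatible` (v2+ modules that declare no versioned path in go.mod) would also be flagged by this check, which is stricter than Go itself; the case on this page has a proper go.mod with the `/v2` path, so that is outside what it needs to handle.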

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Dec 8, 2025
octo-sts bot commented Dec 12, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-wx9q-pmx7-57g8 has the latest event type of "false-positive-determination": https://github.com/wolfi-dev/advisories/blob/main/trivy-operator.advisories.yaml

ID:      CGA-wx9q-pmx7-57g8
Package: trivy-operator
Aliases: CVE-2025-66564 GHSA-4qg8-fj49-pxjh
Events:
  - "scan/v1" at 2025-12-07 05:41:00 UTC
  - "false-positive-determination" at 2025-12-12 01:17:16 UTC
