@octo-sts octo-sts bot commented Dec 8, 2025

witness/0.10.1-r2: fix GHSA-4qg8-fj49-pxjh

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/witness.advisories.yaml

⚠️ Deferred 1 Vulnerability

The following vulnerabilities are being deferred to future PRs (to avoid merge conflicts):


octo-sts bot commented Dec 8, 2025

🔢 Build Failed: Dependency Version Mismatch

go: github.com/sigstore/timestamp-authority@v2.0.3: invalid version: go.mod has post-v2 module path "github.com/sigstore/timestamp-authority/v2" at revision v2.0.3

Build Details

  Category       Details
  Build System   Go/Melange
  Failure Point  go/bump step - go get command during dependency update

Root Cause Analysis 🔍

Version mismatch in Go module versioning - the module github.com/sigstore/timestamp-authority has a go.mod file that declares a v2 module path but is being referenced at v2.0.3, which conflicts with Go's semantic import versioning requirements. The module path should include the /v2 suffix for major version 2 and above.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: witness.yaml

  • modification at lines 24-26 (go/bump step)

Original:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/crypto@v0.45.0
        github.com/sigstore/timestamp-authority@v2.0.3

Replacement:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/crypto@v0.45.0
        github.com/sigstore/timestamp-authority/v2@v2.0.3

Content:

Replace the timestamp-authority dependency specification to use the correct v2 module path with /v2 suffix

Analysis

Based on the similar fixed build failures, there is a clear pattern: when Go modules use semantic import versioning for major version 2+, they require a "/v2" suffix in their module path. Both containerd fixes show that for v2.x.x versions, the dependency must be specified with both the original module path (for v1.x compatibility) and the versioned module path (github.com/module/v2) to handle the post-v2 module path requirement. The timestamp-authority module at v2.0.3 has the same issue - its go.mod declares "github.com/sigstore/timestamp-authority/v2" as the module path, but it's being referenced without the /v2 suffix.


Explanation

This fix addresses the root cause of the Go module versioning error. The timestamp-authority module v2.0.3 has a go.mod file that declares its module path as "github.com/sigstore/timestamp-authority/v2" (with the /v2 suffix), which is the correct convention for Go modules with major version 2 or higher. When we reference it as "github.com/sigstore/timestamp-authority@v2.0.3" without the /v2 suffix, Go's module system cannot resolve it because the actual module path doesn't match. By changing the dependency specification to "github.com/sigstore/timestamp-authority/v2@v2.0.3", we're using the correct module path that matches what's declared in the module's go.mod file. This follows the same pattern used in both containerd fixes where the versioned module path (with /v2 suffix) was added to resolve the semantic import versioning conflict.


Alternative Approaches

  • Pin to a v1.x version of timestamp-authority if v2 features are not required, though this may introduce security vulnerabilities or missing functionality
  • Use a replace directive in go.mod to override the module path, but this is generally not recommended for production builds as it can mask versioning issues
  • Wait for upstream to release the module with proper v2 tagging convention, but this delays the build and may not be feasible

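The semantic import versioning rule that the fix above relies on, as an added example (not code from octo-sts, wolfi-dev or the witness project): a small Go checker that validates each go/bump "path@version" entry and reports the module path Go expects for that version, so a mismatch like the one in this PR is caught before melange runs go get. The deps list in main is constructed to mirror the suggested fix; the "+incompatible" and gopkg.in exemptions are Go's documented module rules, not something the PR discusses.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// versionMajor captures the major number of "v2.0.3", "v2.0.3-rc1" or "v3.1.0+incompatible".
var versionMajor = regexp.MustCompile(`^v(\d+)\.\d+\.\d+`)
// pathSuffix matches a trailing "/vN" (N >= 2) on a module path.
var pathSuffix = regexp.MustCompile(`/v([2-9]|[1-9][0-9]+)$`)

// CheckDep validates one "path@version" entry as written in a go/bump deps list.
// It returns the module path Go expects for that version and a non-nil error
// when the given path does not match it.
func CheckDep(dep string) (string, error) {
	path, version, ok := strings.Cut(dep, "@")
	if !ok {
		return "", fmt.Errorf("%q: expected path@version", dep)
	}
	m := versionMajor.FindStringSubmatch(version)
	if m == nil {
		return "", fmt.Errorf("%q: not a semantic version", version)
	}
	// Exempt from the /vN rule: "+incompatible" releases (tagged before the
	// module had a go.mod) and gopkg.in, which encodes the major as ".vN".
	if strings.HasSuffix(version, "+incompatible") || strings.HasPrefix(path, "gopkg.in/") {
		return path, nil
	}
	major, _ := strconv.Atoi(m[1])
	want := pathSuffix.ReplaceAllString(path, "") // strip any existing /vN
	if major >= 2 {
		want = fmt.Sprintf("%s/v%d", want, major)
	}
	if path != want {
		return want, fmt.Errorf("%s: major version %d requires module path %s", dep, major, want)
	}
	return want, nil
}

func main() {
	// Constructed entries mirroring the go/bump deps list in the suggested fix.
	for _, d := range []string{"golang.org/x/crypto@v0.45.0", "github.com/sigstore/timestamp-authority@v2.0.3"} {
		if want, err := CheckDep(d); err != nil {
			fmt.Printf("%v (fix: %s@%s)\n", err, want, strings.SplitN(d, "@", 2)[1])
		}
	}
}
```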

@octo-sts octo-sts bot added the ai/skip-comment (Stop AI from commenting on PR) label Dec 8, 2025
@jamie-albert jamie-albert self-requested a review December 15, 2025 16:21
@debasishbsws debasishbsws self-assigned this Dec 15, 2025
…46a286e7d5

Signed-off-by: Debasish Biswas <debasish.biswas@chainguard.dev>