
Conversation

@octo-sts
Contributor

@octo-sts octo-sts bot commented Dec 8, 2025

skaffold/2.17.0-r2: fix GHSA-4qg8-fj49-pxjh

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/skaffold.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr GHSA-4qg8-fj49-pxjh go/bump request-cve-remediation skaffold labels Dec 8, 2025
@octo-sts
Contributor Author

octo-sts bot commented Dec 8, 2025

🔢 Build Failed: Dependency Version Mismatch

go: github.com/sigstore/timestamp-authority@v2.0.3: invalid version: go.mod has post-v2 module path "github.com/sigstore/timestamp-authority/v2" at revision v2.0.3

Build Details

Category Details
Build System melange/go
Failure Point gobump dependency update step for github.com/sigstore/timestamp-authority@v2.0.3

Root Cause Analysis 🔍

The go.mod file for github.com/sigstore/timestamp-authority at version v2.0.3 declares itself as module path 'github.com/sigstore/timestamp-authority/v2', but the dependency is being referenced as 'github.com/sigstore/timestamp-authority@v2.0.3' without the '/v2' suffix. This violates Go module versioning rules where major version 2+ must include the version in the module path.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: skaffold.yaml

  • modification at line 17-20 (go/bump step with deps containing github.com/sigstore/timestamp-authority)
    Original:
  - uses: go/bump
    with:
      deps: |-
        golang.org/x/crypto@v0.45.0
        github.com/sigstore/timestamp-authority@v2.0.3

Replacement:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/crypto@v0.45.0
        github.com/sigstore/timestamp-authority/v2@v2.0.3

Content:

Replace the dependency reference from 'github.com/sigstore/timestamp-authority@v2.0.3' to 'github.com/sigstore/timestamp-authority/v2@v2.0.3' to match the module path declared in the go.mod file

Analysis

The similar fixes show a clear pattern: when Go modules use v2+ versioning, they require the version suffix in the module path. Both containerd fixes demonstrate the same approach - adding dual dependency entries: one for the v1.x version using the original module path (github.com/containerd/containerd@v1.x.x) and another for the v2.x version using the versioned module path (github.com/containerd/containerd/v2@v2.x.x). This allows the build system to properly resolve dependencies that may require either version format.


Explanation

The fix works because Go's module system requires that for major versions 2 and higher, the module path must include the version suffix (e.g., /v2). The timestamp-authority project at v2.0.3 has declared its module path as 'github.com/sigstore/timestamp-authority/v2' in its go.mod file, but the dependency is being referenced as 'github.com/sigstore/timestamp-authority@v2.0.3' without the '/v2' suffix. By changing the dependency reference to include the correct module path 'github.com/sigstore/timestamp-authority/v2@v2.0.3', the Go module system will be able to properly resolve and fetch the dependency. This aligns with Go's semantic import versioning rules and matches the pattern seen in the containerd fixes where the v2+ versions required the versioned module path.


Alternative Approaches

  • Pin to a v1.x version of timestamp-authority if v2 features are not required, using 'github.com/sigstore/timestamp-authority@v1.x.x'
  • Add both v1 and v2 dependency entries similar to the containerd fixes, allowing the build system to choose the appropriate version based on other dependencies
  • Update to a newer version of timestamp-authority v2.x that might have resolved module path issues, if available

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
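The rule the bot describes (a v2+ module version must carry a matching /vN suffix on its module path) is easy to check before a go/bump step runs. The Go program below is an added example, not code from this PR or from the wolfi-dev tooling: it validates a deps entry of the form module@version and proposes the corrected entry. The names CheckDep and splitMajorSuffix are this example's own, and gopkg.in-style ".vN" suffixes are out of scope.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// splitMajorSuffix strips a trailing "/vN" (N >= 2) major-version suffix from a
// module path, returning the base path and N (0 when there is no suffix).
func splitMajorSuffix(path string) (string, int) {
	if i := strings.LastIndex(path, "/v"); i > 0 {
		if n, err := strconv.Atoi(path[i+2:]); err == nil && n >= 2 {
			return path[:i], n
		}
	}
	return path, 0
}

// CheckDep validates one go/bump deps entry ("module@version") against Go's
// semantic import versioning rule: a v2+ version needs a "/vN" path suffix
// equal to its major number, and v0/v1 must not carry one. It returns the
// entry as it should read and a non-nil error if the original was wrong.
func CheckDep(entry string) (string, error) {
	path, version, ok := strings.Cut(entry, "@")
	if !ok || !strings.HasPrefix(version, "v") {
		return entry, fmt.Errorf("%q: expected module@vMAJOR.MINOR.PATCH", entry)
	}
	majorStr, _, _ := strings.Cut(version[1:], ".")
	major, err := strconv.Atoi(majorStr)
	if err != nil {
		return entry, fmt.Errorf("%q: bad major version in %q", entry, version)
	}
	base, suffix := splitMajorSuffix(path)
	if (major < 2 && suffix == 0) || (major >= 2 && suffix == major) {
		return entry, nil // path and version agree: nothing to fix
	}
	want := base
	if major >= 2 {
		want = fmt.Sprintf("%s/v%d", base, major)
	}
	return want + "@" + version, fmt.Errorf("%q: module path for %s must be %q", entry, version, want)
}

func main() {
	// Constructed sample: the entry that broke the go/bump step in this PR.
	fixed, err := CheckDep("github.com/sigstore/timestamp-authority@v2.0.3")
	fmt.Println(err)   // reports the missing /v2 suffix
	fmt.Println(fixed) // github.com/sigstore/timestamp-authority/v2@v2.0.3
}
```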

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Dec 8, 2025
@catmsred catmsred self-assigned this Dec 12, 2025
@catmsred
Member

Advisory PR: wolfi-dev/advisories#27919

@octo-sts
Contributor Author

octo-sts bot commented Dec 12, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-44vc-cjxq-2296 has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/skaffold.advisories.yaml

ID:      CGA-44vc-cjxq-2296
Package: skaffold
Aliases: CVE-2025-66564 GHSA-4qg8-fj49-pxjh
Events:
  - "scan/v1" at 2025-12-07 06:36:08 UTC
  - "pending-upstream-fix" at 2025-12-12 20:07:45 UTC
