aactl/0.4.12-r39: cve remediation

[octo-sts]

aactl/0.4.12-r39: fix GHSA-f83f-xpx7-ffpw

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/aactl.advisories.yaml

---

"Breadcrumbs" for this automated service

• Source Code: https://go/cve-remedy-automation-source
• Logs: https://go/cve-remedy-automation-logs
• Docs: (not provided yet)

[octo-sts]

📦 Build Failed: Missing Dependency

package github.com/docker/docker was not found on the go.mod file. Please remove the package or add it to the list of 'replaces'

Build Details

Category	Details
Build System	melange/go
Failure Point	go/bump pipeline step during dependency management

Root Cause Analysis 🔍

The gobump tool attempted to update the github.com/docker/docker package to version v28.0.0, but this package is not present in the go.mod file. The tool requires either the package to exist in go.mod or to be explicitly added to the 'replaces' configuration to handle missing dependencies.

---

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

• trivy/0.64.1-r2: cve remediation #61154
• helm-set-status/0.3.0-r2: cve remediation #63423

Suggested Changes

File: aactl.yaml

• modification at line 14-29 (go/bump deps section)
  Original:

github.com/docker/[email protected]

Content:

Remove github.com/docker/[email protected] from the deps list

• modification at line 30 (go/bump replaces section)
  Original:

replaces: github.com/go-jose/go-jose/v3=github.com/go-jose/go-jose/[email protected] github.com/sigstore/cosign/v2=github.com/sigstore/cosign/[email protected]

Replacement:

replaces: github.com/go-jose/go-jose/v3=github.com/go-jose/go-jose/[email protected] github.com/sigstore/cosign/v2=github.com/sigstore/cosign/[email protected] github.com/docker/docker=github.com/docker/[email protected]+incompatible

Content:

Add github.com/docker/docker to the replaces section with +incompatible suffix

Click to expand fix analysis

Analysis

Analysis of the three similar fixes reveals two consistent patterns for resolving the "github.com/docker/docker was not found on the go.mod file" error: 1) Moving the github.com/docker/docker dependency from the 'deps' list to the 'replaces' list with a compatible version suffix (Fix #0), 2) Adding the dependency directly to the 'deps' list with the +incompatible suffix (Fix #1), or 3) Removing the dependency entirely from the go/bump configuration (Fix #2). The +incompatible suffix appears to be necessary for the docker/docker package due to its versioning scheme that doesn't follow semantic versioning conventions.

Click to expand fix explanation

Explanation

This fix addresses the root cause by moving the github.com/docker/docker dependency from the 'deps' list to the 'replaces' list with the +incompatible suffix. The github.com/docker/docker package has a complex versioning history that doesn't strictly follow semantic versioning, which is why Go modules require the +incompatible suffix for certain versions. The 'replaces' directive in go/bump allows the tool to handle dependencies that may not be directly present in the go.mod file or need special version handling. This approach follows the exact pattern used in Fix #0, which resolved the identical error by moving the docker/docker package to replaces with the +incompatible suffix. The +incompatible suffix tells Go that this version predates the adoption of Go modules and should be treated accordingly.

Click to expand alternative approaches

Alternative Approaches

• Remove the github.com/docker/docker dependency entirely from the go/bump configuration if it's not actually needed by the aactl project (as done in Fix Add pax-utils into the OS. #2)
• Add the dependency directly to the deps list with the +incompatible suffix: github.com/docker/[email protected]+incompatible (similar to Fix Add binutils-2.39 configuration #1 approach)

---

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

[aborrero]

advisory wolfi-dev/advisories#27904

[octo-sts]

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-jvcq-vxr3-45q4 has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/aactl.advisories.yaml

ID:      CGA-jvcq-vxr3-45q4
Package: aactl
Aliases: CVE-2025-66506 GHSA-f83f-xpx7-ffpw
Events:
  - "scan/v1" at 2025-12-06 11:03:48 UTC
  - "pending-upstream-fix" at 2025-12-12 13:23:32 UTC