
Conversation


@octo-sts octo-sts bot commented Dec 7, 2025

falcoctl/0.11.4-r3: fix GHSA-4qg8-fj49-pxjh

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/falcoctl.advisories.yaml

⚠️ Deferred 1 Vulnerability

The following vulnerabilities are being deferred to future PRs (to avoid merge conflicts):


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr falcoctl GHSA-4qg8-fj49-pxjh go/bump request-cve-remediation labels Dec 7, 2025

octo-sts bot commented Dec 7, 2025

🔢 Build Failed: Dependency Version Mismatch

go: github.com/sigstore/[email protected]: invalid version: go.mod has post-v2 module path "github.com/sigstore/timestamp-authority/v2" at revision v2.0.3

Build Details

Build System: Go modules (via gobump)
Failure Point: go get command during dependency update in go/bump pipeline step

Root Cause Analysis 🔍

The gobump tool attempted to update the github.com/sigstore/timestamp-authority dependency to v2.0.3, but this version has an incompatible module path. The go.mod file at that revision expects the module path to be 'github.com/sigstore/timestamp-authority/v2' (with /v2 suffix) for v2+ versions according to Go module versioning conventions, but the dependency is being referenced without the /v2 suffix.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: falcoctl.yaml

  • modification at line 25-26 (go/bump step deps section)
    Original:
      deps: |-
        golang.org/x/[email protected]
        github.com/sigstore/[email protected]

Replacement:

      deps: |-
        golang.org/x/[email protected]
        github.com/sigstore/timestamp-authority/[email protected]

Content:

Update the timestamp-authority dependency to use the correct module path with /v2 suffix for v2+ versions
Click to expand fix analysis

Analysis

Both similar fixes followed the same pattern: when Go modules have post-v2 module paths (with /v2 suffix), the dependency specification needs to include both the original module path for v1.x versions and the versioned module path for v2+ versions. In both cases, the fix involved adding two dependency entries in the go/bump step - one for the v1.x branch (e.g., github.com/containerd/[email protected]) and another for the v2+ branch with the /v2 suffix (e.g., github.com/containerd/containerd/[email protected]). This addresses Go's module versioning convention where major version 2+ requires the version suffix in the module path.

Click to expand fix explanation

Explanation

The current build failure occurs because github.com/sigstore/[email protected] has a go.mod file that specifies the module path as 'github.com/sigstore/timestamp-authority/v2' (with /v2 suffix) to comply with Go's semantic import versioning. When referencing v2+ versions of Go modules, the import path must include the major version suffix. By changing the dependency specification from 'github.com/sigstore/[email protected]' to 'github.com/sigstore/timestamp-authority/[email protected]', we align with the module's actual path declaration in its go.mod file, which resolves the version validation error.

Click to expand alternative approaches

Alternative Approaches

  • Pin to a v1.x version of timestamp-authority if v2+ features are not required, which would avoid the module path suffix requirement
  • Use a replace directive in go.mod to map the old path to the new path, though this is more complex and less preferred
  • Wait for upstream falcoctl to update their go.mod dependencies to use the correct v2 module paths


@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Dec 7, 2025
@dnegreira dnegreira self-assigned this Dec 11, 2025
github.com/sigstore/timestamp-authority has modified their module naming
to include `v2`.
Adapt the bump to use the new v2 version.

Signed-off-by: David Negreira <[email protected]>
@dnegreira dnegreira force-pushed the cve-falcoctl-0.11.4-r3-c1efa1a4c43a745cd462d346a286e7d5 branch from b39eccf to a94bd70 Compare December 11, 2025 14:34
@dnegreira dnegreira (Member) commented

needs advisory wolfi-dev/advisories#27905


octo-sts bot commented Dec 12, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-85q9-vm8j-j4g5 has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/falcoctl.advisories.yaml

ID:      CGA-85q9-vm8j-j4g5
Package: falcoctl
Aliases: CVE-2025-66564 GHSA-4qg8-fj49-pxjh
Events:
  - "scan/v1" at 2025-12-07 11:28:48 UTC
  - "pending-upstream-fix" at 2025-12-12 13:13:10 UTC
