
Conversation

octo-sts bot (Contributor) commented Dec 8, 2025

vexctl/0.4.1-r3: fix GHSA-4qg8-fj49-pxjh

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/vexctl.advisories.yaml

⚠️ Deferred 1 vulnerability

The following vulnerabilities are being deferred to future PRs (to avoid merge conflicts):



octo-sts bot (Contributor, Author) commented Dec 8, 2025

🔢 Build Failed: Dependency Version Mismatch

go: github.com/sigstore/timestamp-authority@v2.0.3: invalid version: go.mod has post-v2 module path "github.com/sigstore/timestamp-authority/v2" at revision v2.0.3

Build Details

| Category      | Details                                                  |
|---------------|----------------------------------------------------------|
| Build System  | go/melange                                               |
| Failure Point | go/bump step during dependency update with gobump tool   |

Root Cause Analysis 🔍

The Go module github.com/sigstore/timestamp-authority has a versioning mismatch - the go.mod file declares it as a v2 module with path "github.com/sigstore/timestamp-authority/v2" but the tag v2.0.3 is being requested without the v2 suffix in the module path. This violates Go's semantic versioning requirements for major version 2+ modules.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: vexctl.yaml

  • modification at line 17-19 (go/bump deps section)

    Original:

      - uses: go/bump
        with:
          deps: |-
            golang.org/x/[email protected]
            github.com/sigstore/timestamp-authority@v2.0.3

    Replacement:

      - uses: go/bump
        with:
          deps: |-
            golang.org/x/[email protected]
            github.com/sigstore/timestamp-authority/v2@v2.0.3

    Content:

    Change the dependency specification from 'github.com/sigstore/timestamp-authority@v2.0.3' to 'github.com/sigstore/timestamp-authority/v2@v2.0.3' to match the module's v2 path convention.

Analysis

Both similar fixes show a consistent pattern: when Go modules with v2+ versions have module paths that include the version suffix (e.g., "/v2"), the dependency specification must use the versioned module path. In both containerd cases, the fix involved adding a new dependency entry using the correct v2 module path format alongside the original dependency. The pattern is: for modules with post-v2 module paths, specify both the original path with a compatible v1.x version AND the versioned path (with /v2 suffix) with the desired v2.x version.


Explanation

The fix addresses the root cause by using the correct Go module path for v2+ versions. The timestamp-authority module declares itself as 'github.com/sigstore/timestamp-authority/v2' in its go.mod file for v2.x.x versions, following Go's semantic versioning conventions. By changing the dependency specification to include the '/v2' suffix in the module path, we ensure that Go's module system can correctly resolve the v2.0.3 version. This follows the exact same pattern used in the containerd fixes, where the versioned module path was used instead of the base path for v2+ versions.


Alternative Approaches

  • Pin to a v1.x.x version of timestamp-authority if available and compatible with the project requirements, avoiding the v2 module path complexity entirely
  • Add both the v1 and v2 dependency specifications (similar to the containerd fixes) if the project needs to support both versions, though this may not be necessary for timestamp-authority
  • Update to a newer version of timestamp-authority (if available) that may have resolved any module path inconsistencies

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
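The rule the bot's root-cause analysis describes is Go's semantic import versioning: a module at major version 2 or higher must be requested through a module path that ends in the matching /vN suffix (gopkg.in spells it .vN), and a path without a suffix may only serve v0 and v1 releases, or releases tagged +incompatible. The following is an added example, not code from this PR, from gobump or from melange; it reimplements that check in plain Go (in the same spirit as the checks in golang.org/x/mod's module package, but independent of it) over the lines of a go/bump deps block, and rewrites the one mismatch that is safe to fix mechanically, a plain path asking for a v2+ release, into the form suggested above. The example.com and gopkg.in/constructed entries are constructed sample inputs.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Dep is one "module@version" entry as written in a go/bump deps list.
type Dep struct{ Path, Version string }

// ParseDep splits a "module@version" spec; both halves must be present.
func ParseDep(spec string) (Dep, error) {
	path, version, ok := strings.Cut(strings.TrimSpace(spec), "@")
	if !ok || path == "" || version == "" {
		return Dep{}, fmt.Errorf("%q: expected module@version", spec)
	}
	return Dep{path, version}, nil
}

// majorOf extracts the major number from a tag such as "v2.0.3", a
// pseudo-version "v0.0.0-20250101000000-0123456789ab", or "v3.1.0+incompatible".
func majorOf(version string) (int, bool) {
	v, ok := strings.CutPrefix(version, "v")
	if i := strings.IndexAny(v, ".-+"); ok && i >= 0 {
		v = v[:i]
	}
	n, err := strconv.Atoi(v)
	return n, ok && err == nil && n >= 0
}

// pathMajor reports the major version a module path claims through its suffix
// ("/vN" with N >= 2; gopkg.in spells it ".vN") and whether a suffix is present.
func pathMajor(path string) (int, bool, error) {
	sep := "/v"
	if strings.HasPrefix(path, "gopkg.in/") {
		sep = ".v"
	}
	i := strings.LastIndex(path, sep)
	n, convErr := -1, error(nil)
	if i >= 0 {
		n, convErr = strconv.Atoi(path[i+2:])
	}
	switch {
	case i < 0 || convErr != nil: // no suffix, or a last element that merely starts with "v" ("/vault")
		if sep == ".v" {
			return 0, false, fmt.Errorf("%s: gopkg.in paths need a .vN suffix", path)
		}
		return 1, false, nil
	case sep == "/v" && n < 2:
		return 0, false, fmt.Errorf("%s: /v0 and /v1 are not valid major version suffixes", path)
	}
	return n, true, nil
}

// CheckDep applies the rule this PR's build tripped over: a v2+ release must be
// requested through a path whose suffix names the same major, unless the version
// carries +incompatible. For the one mismatch that is safe to fix mechanically
// (plain path, v2+ release) it also returns the corrected spec.
func CheckDep(d Dep) (string, error) {
	vMajor, ok := majorOf(d.Version)
	if !ok {
		return "", fmt.Errorf("%s@%s: version is not a semver tag", d.Path, d.Version)
	}
	pMajor, suffixed, err := pathMajor(d.Path)
	if err != nil {
		return "", err
	}
	switch {
	case suffixed && vMajor != pMajor:
		return "", fmt.Errorf("%s@%s: invalid version: path suffix implies major v%d", d.Path, d.Version, pMajor)
	case !suffixed && vMajor >= 2 && !strings.HasSuffix(d.Version, "+incompatible"):
		fix := fmt.Sprintf("%s/v%d@%s", d.Path, vMajor, d.Version)
		return fix, fmt.Errorf("%s@%s: invalid version: a v%d release must be requested as %s", d.Path, d.Version, vMajor, fix)
	}
	return "", nil
}

// LintDeps checks each non-empty line of a go/bump deps block and returns one message per problem.
func LintDeps(block string) []string {
	var problems []string
	for _, line := range strings.Split(block, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		d, err := ParseDep(line)
		var fix string
		if err == nil {
			fix, err = CheckDep(d)
		}
		if err != nil {
			if fix != "" {
				err = fmt.Errorf("%w (suggest: %s)", err, fix)
			}
			problems = append(problems, err.Error())
		}
	}
	return problems
}

func main() { // constructed deps block: a placeholder entry plus the spec that failed on this PR
	for _, p := range LintDeps("example.com/constructed/lib@v0.4.1\ngithub.com/sigstore/timestamp-authority@v2.0.3\n") {
		fmt.Println(p)
	}
}
```

Running it prints a single problem for the timestamp-authority line with the /v2 rewrite attached; the suffix-only-on-v2+ rule is deliberately asymmetric, so a suffixed path whose version names a different major, or a gopkg.in path without a .vN element, is reported without a suggested rewrite, since those cases need a person to decide which release was actually intended.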

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Dec 8, 2025
@jamie-albert jamie-albert self-requested a review December 15, 2025 16:20
@debasishbsws debasishbsws self-assigned this Dec 15, 2025
@debasishbsws (Member)

@jamie-albert (Member) commented:

advisory merged
