Conversation

@octo-sts octo-sts bot commented Dec 8, 2025

zarf/0.67.0-r0: fix GHSA-4qg8-fj49-pxjh

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/zarf.advisories.yaml

⚠️ Deferred 1 Vulnerabilities

The following vulnerabilities are being deferred to future PRs (to avoid merge conflicts):


octo-sts bot commented Dec 8, 2025

🔢 Build Failed: Dependency Version Mismatch

go: github.com/sigstore/timestamp-authority@v2.0.3: invalid version: go.mod has post-v2 module path "github.com/sigstore/timestamp-authority/v2" at revision v2.0.3

Build Details

  • Build System: melange/go
  • Failure Point: go/bump step during gobump execution

Root Cause Analysis 🔍

Go module version mismatch - the dependency github.com/sigstore/timestamp-authority@v2.0.3 has an incompatible module path structure. The module declares itself as v2 in its go.mod file but is being referenced without the /v2 suffix in the version tag, violating Go's semantic versioning requirements for major versions >= 2.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: zarf.yaml

  • modification at line 23-25 (pipeline go/bump step)

    Original:

      - uses: go/bump
        with:
          deps: |-
            github.com/sigstore/timestamp-authority@v2.0.3

    Replacement:

      - uses: go/bump
        with:
          deps: |-
            github.com/sigstore/timestamp-authority/v2@v2.0.3

Content:

Replace the dependency specification to use the correct v2 module path format
Analysis

Both similar fixes show a consistent pattern: when Go modules use v2+ versioning, they require explicit module path suffixes in dependencies. Fix #0 and Fix #1 both resolved containerd v2 module path issues by adding two dependency entries - one for the v1 path (github.com/containerd/containerd) and one for the v2 path (github.com/containerd/containerd/v2) with the correct version. The pattern shows that Go's semantic versioning requires the /v2 suffix in the module path for major versions 2 and above, and the build system needs both the legacy and new module paths specified explicitly to handle transitive dependencies correctly.

Explanation

The fix addresses the root cause by updating the module path to match Go's semantic versioning requirements for v2+ modules. The timestamp-authority module declares itself as 'github.com/sigstore/timestamp-authority/v2' in its go.mod file for v2.0.3, so the dependency specification must include the '/v2' suffix. This follows the exact same pattern seen in both similar fixes where containerd v2 modules required the '/v2' suffix. Go's module system enforces that major versions 2 and above must have the version suffix in the module path, and the current specification without '/v2' violates this rule, causing the 'invalid version' error.

Alternative Approaches

  • Pin to an earlier v1.x.x version of timestamp-authority that doesn't require the /v2 module path suffix, though this may not meet security requirements
  • Add both v1 and v2 module paths like in the containerd fixes, but this would only be necessary if there are conflicting transitive dependencies requiring different major versions

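The rule the bot's analysis describes (a Go module tagged v2 or later must be referenced by a path ending in /vN, while v0/v1 must not be, with "+incompatible" tags exempt) is small enough to check mechanically before a go/bump step runs. The program below is an added example, not code from this PR or from melange; the function names CheckDep and FixDep are my own, and the input is the dependency entry from the failing zarf.yaml, reproduced here as constructed input.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// tagMajor returns the major number of a semver tag such as "v2.0.3" (-> 2).
func tagMajor(version string) (int, error) {
	num, _, _ := strings.Cut(strings.TrimPrefix(version, "v"), ".")
	return strconv.Atoi(num)
}

// pathMajor returns N when the module path ends in "/vN" with N >= 2, else 0.
func pathMajor(path string) int {
	last := path[strings.LastIndex(path, "/")+1:]
	if n, err := strconv.Atoi(strings.TrimPrefix(last, "v")); err == nil && n >= 2 && strings.HasPrefix(last, "v") {
		return n
	}
	return 0
}

// CheckDep applies the rule behind the build error to one go/bump "path@version" entry: major >= 2 needs a matching /vN path suffix, v0/v1 needs none, and "+incompatible" tags (modules without go.mod) are exempt.
func CheckDep(spec string) error {
	path, version, ok := strings.Cut(spec, "@")
	major, err := tagMajor(version)
	if !ok || path == "" || err != nil {
		return fmt.Errorf("malformed dep spec %q", spec)
	}
	if got := pathMajor(path); !strings.HasSuffix(version, "+incompatible") &&
		((major >= 2 && got != major) || (major < 2 && got != 0)) {
		return fmt.Errorf("%s@%s: path suffix does not match major version %d", path, version, major)
	}
	return nil
}

// FixDep appends a missing /vN suffix (the change this PR's fix makes); any other defect is reported, not guessed at.
func FixDep(spec string) (string, error) {
	path, version, _ := strings.Cut(spec, "@")
	major, _ := tagMajor(version)
	if err := CheckDep(spec); err == nil || path == "" || major < 2 || pathMajor(path) != 0 {
		return spec, err // nothing to append: already valid, or not fixable this way
	}
	return fmt.Sprintf("%s/v%d@%s", path, major, version), nil
}

func main() {
	fmt.Println(FixDep("github.com/sigstore/timestamp-authority@v2.0.3")) // constructed input from the failing step
}
```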
@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Dec 8, 2025
@jamie-albert jamie-albert self-requested a review December 15, 2025 16:20
@OddBloke OddBloke self-assigned this Dec 15, 2025
@jamie-albert jamie-albert (Member) commented:

advisory merged
