
Conversation

octo-sts bot (Contributor) commented Dec 8, 2025

falcoctl/0.11.4-r3: fix GHSA-f83f-xpx7-ffpw

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/falcoctl.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr falcoctl GHSA-f83f-xpx7-ffpw go/bump request-cve-remediation labels Dec 8, 2025
octo-sts bot (Contributor, Author) commented Dec 8, 2025

📦 Build Failed: Missing Dependency

go: github.com/falcosecurity/falcoctl/pkg/test imports github.com/distribution/distribution/v3/registry imports github.com/distribution/distribution/v3/tracing imports go.opentelemetry.io/contrib/exporters/autoexport imports go.opentelemetry.io/otel/sdk/log tested by go.opentelemetry.io/otel/sdk/log.test imports go.opentelemetry.io/otel/sdk/internal/internaltest: module go.opentelemetry.io/otel/sdk@latest found (v1.38.0), but does not contain package go.opentelemetry.io/otel/sdk/internal/internaltest

Build Details

Category      | Details
Build System  | go
Failure Point | go mod tidy command during go/bump pipeline step

Root Cause Analysis 🔍

The go.opentelemetry.io/otel/sdk module version 1.38.0 does not contain the required internal test package 'go.opentelemetry.io/otel/sdk/internal/internaltest'. This is a dependency resolution issue where a transitive dependency expects an internal package that doesn't exist in the resolved module version.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: Melange YAML

  • add (go/bump deps section)

    Original:

    deps: |-
            golang.org/x/[email protected]
            github.com/sigstore/[email protected]

    Replacement:

    deps: |-
            golang.org/x/[email protected]
            github.com/sigstore/[email protected]
            go.opentelemetry.io/otel/[email protected]

Content:

Add go.opentelemetry.io/otel/sdk version constraint

Analysis

No similar build failures were provided for analysis. However, this is a Go dependency resolution issue where the go.opentelemetry.io/otel/sdk module v1.38.0 doesn't contain the expected internal test package. This typically occurs when transitive dependencies expect internal packages that have been removed, moved, or restructured in newer versions of the OpenTelemetry SDK.


Explanation

The build failure is caused by a transitive dependency expecting an internal test package that was removed or restructured in OpenTelemetry SDK v1.38.0. By constraining the go.opentelemetry.io/otel/sdk module to v1.37.0 in the go/bump step, we force the dependency resolver to use a version that still contains the required internal/internaltest package. This approach maintains compatibility with the existing dependency chain while avoiding the breaking changes introduced in v1.38.0. The go/bump step will run 'go mod tidy' with these constraints, ensuring all transitive dependencies resolve correctly.


Alternative Approaches

  • Wait for upstream falcoctl to update their dependencies to be compatible with OpenTelemetry SDK v1.38.0+
  • Use go mod replace directives to redirect the problematic import to a compatible version
  • Patch the source code to remove or replace the dependency chain that requires the missing internal package
  • Use an older version of the distribution/distribution dependency that doesn't pull in the incompatible OpenTelemetry version

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
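The `go mod tidy` error quoted in the comment above has a fixed shape: an import chain joined by "imports" and "tested by" edges, then the module Go resolved, the version it picked, and the package that version lacks. As an added example (not part of this PR and not the octo-sts bot's code), the Python below parses such a message into its parts and then renders a go/bump `deps` block with the offending module pinned, the way the suggestion above pins it to v1.37.0. The sample input is the error quoted above; the two `example.com/dep/...` constraints in the usage section are constructed placeholders, not falcoctl's real deps block.

```python
import re
from dataclasses import dataclass

# The `go mod tidy` error quoted in the bot comment above, used as sample input.
SAMPLE_ERROR = (
    "go: github.com/falcosecurity/falcoctl/pkg/test imports "
    "github.com/distribution/distribution/v3/registry imports "
    "github.com/distribution/distribution/v3/tracing imports "
    "go.opentelemetry.io/contrib/exporters/autoexport imports "
    "go.opentelemetry.io/otel/sdk/log tested by "
    "go.opentelemetry.io/otel/sdk/log.test imports "
    "go.opentelemetry.io/otel/sdk/internal/internaltest: "
    "module go.opentelemetry.io/otel/sdk@latest found (v1.38.0), "
    "but does not contain package go.opentelemetry.io/otel/sdk/internal/internaltest"
)

# Message shape: "<chain>: module <mod>@<query> found (<version>), but does not
# contain package <pkg>", where <chain> is packages joined by " imports " or
# " tested by ".
_PATTERN = re.compile(
    r"^(?:go: )?(?P<chain>.+?): module (?P<module>[^@\s]+)@(?P<query>\S+) "
    r"found \((?P<resolved>[^)]+)\), but does not contain package (?P<package>\S+)$"
)


@dataclass
class MissingPackage:
    chain: list          # import chain, root package first, missing package last
    via_test: bool       # True if the chain crosses a "tested by" edge
    module: str          # module Go resolved
    query: str           # version query Go used, e.g. "latest"
    resolved: str        # version it found, e.g. "v1.38.0"
    package: str         # package absent from that version


def parse_missing_package(msg: str) -> MissingPackage:
    """Parse a 'does not contain package' error from go mod tidy / go build."""
    m = _PATTERN.match(" ".join(msg.split()))  # normalise line-wrapped output
    if not m:
        raise ValueError("not a 'does not contain package' error")
    # Split the chain on its edge keywords, keeping the keywords so a plain
    # import can be told apart from a test-only edge.
    tokens = re.split(r" (imports|tested by) ", m.group("chain"))
    packages, edges = tokens[0::2], tokens[1::2]
    return MissingPackage(
        chain=packages,
        via_test="tested by" in edges,
        module=m.group("module"),
        query=m.group("query"),
        resolved=m.group("resolved"),
        package=m.group("package"),
    )


def add_dep_constraint(deps: str, module: str, version: str) -> str:
    """Return a go/bump `deps` block (one module@version per line) with
    module pinned to version. An existing pin for the same module is
    replaced; otherwise the pin is appended. Other lines keep their order."""
    pin = f"{module}@{version}"
    out, done = [], False
    for line in (l.strip() for l in deps.splitlines()):
        if not line:
            continue
        if line.split("@", 1)[0] == module:
            out.append(pin)
            done = True
        else:
            out.append(line)
    if not done:
        out.append(pin)
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_missing_package(SAMPLE_ERROR)
    print("module  :", found.module, "resolved", found.resolved, "for", found.query)
    print("missing :", found.package)
    print("via test:", found.via_test)
    for depth, pkg in enumerate(found.chain):
        print("  " * depth + pkg)
    # Constructed placeholder constraints (not falcoctl's real deps block).
    deps = "example.com/dep/one@v1.2.3\nexample.com/dep/two@v0.9.0"
    # Pin to the version the comment above proposes (v1.37.0).
    print(add_dep_constraint(deps, found.module, "v1.37.0"))
```

The `via_test` flag is worth surfacing when triaging these failures: a "tested by" edge means the missing package is only reached through a dependency's own tests, which `go mod tidy` still resolves, so the chain can break a build even though no shipped binary imports the package.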

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Dec 8, 2025
@dnegreira dnegreira self-assigned this Dec 11, 2025
dnegreira (Member) commented:

needs advisory wolfi-dev/advisories#27905

octo-sts bot (Contributor, Author) commented Dec 12, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-vhw9-jgcp-3xv9 has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/falcoctl.advisories.yaml

ID:      CGA-vhw9-jgcp-3xv9
Package: falcoctl
Aliases: CVE-2025-66506 GHSA-f83f-xpx7-ffpw
Events:
  - "scan/v1" at 2025-12-07 11:28:47 UTC
  - "pending-upstream-fix" at 2025-12-12 13:15:35 UTC
