@octo-sts octo-sts bot commented Dec 8, 2025

gitsign/0.13.0-r7: fix GHSA-4qg8-fj49-pxjh

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/gitsign.advisories.yaml

⚠️ Deferred 1 Vulnerability

The following vulnerabilities are being deferred to future PRs (to avoid merge conflicts):

octo-sts bot commented Dec 8, 2025

🔢 Build Failed: Dependency Version Mismatch

go: github.com/sigstore/timestamp-authority@v2.0.3: invalid version: go.mod has post-v2 module path "github.com/sigstore/timestamp-authority/v2" at revision v2.0.3

Build Details

Build System: melange (with Go build system)
Failure Point: go/bump step during dependency update with gobump tool

Root Cause Analysis 🔍

The Go module github.com/sigstore/timestamp-authority has an incorrect versioning scheme where the v2.0.3 tag doesn't match the v2 module path declared in go.mod. Go modules with major version v2+ must have the version suffix in their module path, but this dependency has a mismatch between its tag (v2.0.3) and its declared module path (github.com/sigstore/timestamp-authority/v2).


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:


Suggested Changes

File: gitsign.yaml

  • modification at line 18-21 (go/bump step deps section)
    Original:
  - uses: go/bump
    with:
      deps: |-
        golang.org/x/[email protected]
        github.com/cloudflare/[email protected]
        golang.org/x/[email protected]
        github.com/sigstore/timestamp-authority@v2.0.3

Replacement:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/[email protected]
        github.com/cloudflare/[email protected]
        golang.org/x/[email protected]
        github.com/sigstore/timestamp-authority/v2@v2.0.3

Content:

Replace the dependency specification to use the correct v2 module path with /v2 suffix

Analysis

The similar fixes show a consistent pattern for resolving Go module versioning conflicts with v2+ dependencies. In both cases, the solution was to add explicit dependency specifications in the go/bump step that include both the v1.x version (using the original module path) and the v2.x version (using the /v2 suffixed module path). This allows the Go module system to properly resolve the correct module path for each major version.


Explanation

The fix addresses the root cause by changing the module path from 'github.com/sigstore/timestamp-authority@v2.0.3' to 'github.com/sigstore/timestamp-authority/v2@v2.0.3'. This aligns with Go's semantic import versioning requirement that major versions v2 and above must include the major version in the module path. The error occurs because the dependency's go.mod file declares the module path as 'github.com/sigstore/timestamp-authority/v2', but the dependency specification was using the v0/v1 style path without the version suffix. By adding '/v2' to the module path, Go's module system can correctly resolve the dependency and match it with the declared module path in the go.mod file.


Alternative Approaches

  • Pin to a v1.x version of timestamp-authority if v2 features are not required, which would use the original module path without version suffix
  • Add both v1.x and v2.x dependency specifications similar to the containerd fixes, allowing gradual migration between major versions

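The semantic import versioning rule the bot's analysis describes (a module at major version v2 or above must carry the matching /vN suffix in its import path, so `timestamp-authority@v2.0.3` is rejected while `timestamp-authority/v2@v2.0.3` resolves) can be checked before a go/bump run ever reaches the builder. The Go program below is an added example written for this page; it is not code from gitsign, melange, gobump or the wolfi-dev repositories. It parses a `deps:` block of `path@version` entries and flags every pair that Go would refuse, and it goes beyond the single case in this PR by also handling the gopkg.in `.vN` path convention and `+incompatible` tags, which the page does not discuss. The deps block in `main()` is constructed for the example; only the two timestamp-authority entries come from this PR.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Dep is one parsed "module@version" entry, as found in a melange go/bump "deps:" list.
type Dep struct {
	Path    string
	Version string
}

func (d Dep) String() string { return d.Path + "@" + d.Version }

// majorRe extracts the major number from a tag such as v2.0.3, v0.1.0-rc1 or a pseudo-version.
var majorRe = regexp.MustCompile(`^v(\d+)\.`)

// ParseDep splits "path@version"; both halves must be non-empty.
func ParseDep(s string) (Dep, error) {
	i := strings.LastIndex(s, "@")
	if i <= 0 || i == len(s)-1 {
		return Dep{}, fmt.Errorf("malformed dependency %q: expected path@version", s)
	}
	return Dep{Path: s[:i], Version: s[i+1:]}, nil
}

func versionMajor(v string) (int, error) {
	m := majorRe.FindStringSubmatch(v)
	if m == nil {
		return 0, fmt.Errorf("version %q is not of the form vN.N.N", v)
	}
	return strconv.Atoi(m[1])
}

// pathMajor returns the major version a module path's suffix declares ("/vN" for
// ordinary paths, ".vN" for gopkg.in paths) and whether such a suffix is present.
// v0 and v1 never carry a suffix, so those return (0, false).
func pathMajor(path string) (int, bool) {
	sep := "/v"
	if strings.HasPrefix(path, "gopkg.in/") {
		sep = ".v"
	}
	i := strings.LastIndex(path, sep)
	if i < 0 {
		return 0, false
	}
	n, err := strconv.Atoi(path[i+len(sep):])
	if err != nil || n < 2 {
		return 0, false
	}
	return n, true
}

// CheckDep returns nil when path and version agree under Go's semantic import
// versioning rules, otherwise an error describing the mismatch.
func CheckDep(d Dep) error {
	major, err := versionMajor(d.Version)
	if err != nil {
		return err
	}
	// Modules with no go.mod are tagged "+incompatible" and keep the unsuffixed path.
	if strings.HasSuffix(d.Version, "+incompatible") {
		if _, has := pathMajor(d.Path); has {
			return fmt.Errorf("%s: +incompatible versions must not use a major-version path suffix", d)
		}
		return nil
	}
	want, hasSuffix := pathMajor(d.Path)
	switch {
	case major >= 2 && !hasSuffix:
		// This is the failure shown in the build log: the tag is post-v2 but the path is not.
		return fmt.Errorf("%s: version %s requires a /v%d (or gopkg.in .v%d) module path suffix", d, d.Version, major, major)
	case major >= 2 && want != major:
		return fmt.Errorf("%s: path declares v%d but version is v%d", d, want, major)
	case major < 2 && hasSuffix:
		return fmt.Errorf("%s: path declares v%d but version %s is below v2", d, want, d.Version)
	}
	return nil
}

// CheckDeps runs CheckDep over a deps block (one entry per line) and returns one
// message per entry that Go would reject.
func CheckDeps(block string) []string {
	var problems []string
	for _, line := range strings.Split(block, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		d, err := ParseDep(line)
		if err == nil {
			err = CheckDep(d)
		}
		if err != nil {
			problems = append(problems, err.Error())
		}
	}
	return problems
}

func main() {
	// Constructed input: the first two lines are the before/after entries from this PR.
	deps := `github.com/sigstore/timestamp-authority@v2.0.3
github.com/sigstore/timestamp-authority/v2@v2.0.3
gopkg.in/yaml.v3@v3.0.1
github.com/example/legacy@v2.1.0+incompatible`
	for _, p := range CheckDeps(deps) {
		fmt.Println(p)
	}
}
```

Running this over a candidate `deps:` block before opening the PR catches exactly the mismatch the build hit, without a network fetch; the real authority remains `go get`, which also verifies the suffix against the module's own go.mod.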

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Dec 8, 2025
@dnegreira dnegreira self-assigned this Dec 15, 2025
@dnegreira (Member) commented:

needs advisory wolfi-dev/advisories#27933


octo-sts bot commented Dec 15, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-2c28-65c2-hxfc has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/gitsign.advisories.yaml

ID:      CGA-2c28-65c2-hxfc
Package: gitsign
Aliases: CVE-2025-66564 GHSA-4qg8-fj49-pxjh
Events:
  - "scan/v1" at 2025-12-06 23:17:37 UTC
  - "pending-upstream-fix" at 2025-12-15 15:13:03 UTC
