Conversation

octo-sts bot (Contributor) commented Dec 8, 2025

gitsign/0.13.0-r7: fix GHSA-f83f-xpx7-ffpw

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/gitsign.advisories.yaml


"Breadcrumbs" for this automated service

octo-sts bot (Contributor, Author) commented Dec 8, 2025

🛑 Build Failed: Compilation

sc.signingConfig.GetCaUrl undefined (type *"github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1".SigningConfig has no field or method GetCaUrl)

Build Details

Build System: go
Failure Point: go build compilation during go/build step

Root Cause Analysis 🔍

API incompatibility between sigstore-go v0.7.0 and protobuf-specs dependencies. The SigningConfig type no longer has the expected methods (GetCaUrl, GetOidcUrl, GetTlogUrls) or has changed its interface, causing multiple compilation errors in the sigstore-go package.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: package/gitsign.yaml

  • addition at line 21-24 (pipeline go/bump deps section)
    Original:
golang.org/x/[email protected]
github.com/cloudflare/[email protected]
golang.org/x/[email protected]
github.com/sigstore/[email protected]

Replacement:

golang.org/x/[email protected]
github.com/cloudflare/[email protected]
golang.org/x/[email protected]
github.com/sigstore/[email protected]
github.com/sigstore/[email protected]

Content:

Add github.com/sigstore/[email protected] to the dependency bump list to ensure compatibility with sigstore-go v0.7.0

Analysis

No similar build failures were provided for analysis. However, based on the error message indicating API incompatibility between sigstore-go v0.7.0 and protobuf-specs dependencies where SigningConfig type no longer has expected methods (GetCaUrl, GetOidcUrl, GetTlogUrls), this appears to be a dependency version mismatch issue that requires updating the sigstore/protobuf-specs dependency to a compatible version.


Explanation

The compilation error indicates that the SigningConfig type from github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1 no longer has the expected methods (GetCaUrl, GetOidcUrl, GetTlogUrls). This is a classic dependency version mismatch where the protobuf-specs package has been updated with breaking API changes that are incompatible with the version of sigstore-go being used (v0.7.0). By explicitly bumping the protobuf-specs dependency to a compatible version (v0.3.0), we ensure that the API methods expected by sigstore-go are available. The go/bump pipeline step will update the go.mod file to use the specified version, resolving the compilation errors caused by missing methods on the SigningConfig type.


Alternative Approaches

  • Downgrade sigstore-go to an earlier version that's compatible with the current protobuf-specs version
  • Update to a newer version of sigstore-go (if available) that's compatible with the newer protobuf-specs API
  • Apply a patch to the source code to adapt to the new API interface before compilation

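The fix proposed above is a version bump applied to go.mod before the build runs. As an added example that is not part of this thread or of the gitsign project, the Go program below models that edit on a constructed go.mod: it reads the version currently pinned for a module and rewrites its require entry to the target version, leaving other entries and trailing comments untouched. The `sampleGoMod` contents, including the v0.2.1 starting version for protobuf-specs, are assumptions made for the example.

```go
package main

import "strings"

// Constructed sample go.mod (not from the gitsign project): sigstore-go is
// already at v0.7.0 while protobuf-specs is pinned to a hypothetical older v0.2.1.
const sampleGoMod = `module example.com/consumer

go 1.23

require (
	github.com/sigstore/protobuf-specs v0.2.1
	github.com/sigstore/sigstore-go v0.7.0 // indirect
)
`

// requireFields returns the tokens of a go.mod require entry (module path,
// version, trailing comment), for both "require X vN" and require-block lines.
func requireFields(line string) []string {
	return strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
}

// requiredVersion returns the version go.mod pins for modPath, or "" if absent.
func requiredVersion(gomod, modPath string) string {
	for _, line := range strings.Split(gomod, "\n") {
		if f := requireFields(line); len(f) >= 2 && f[0] == modPath {
			return f[1]
		}
	}
	return ""
}

// bumpRequire rewrites the require entry for modPath to version, keeping
// indentation and trailing comments such as "// indirect" intact: the edit a
// go/bump style step applies before `go build`. Returns new text and a changed flag.
func bumpRequire(gomod, modPath, version string) (string, bool) {
	lines := strings.Split(gomod, "\n")
	changed := false
	for i, line := range lines {
		f := requireFields(line)
		if len(f) < 2 || f[0] != modPath || f[1] == version {
			continue
		}
		// Replace only the version token that follows the module path.
		at := strings.Index(line, f[0]) + len(f[0])
		lines[i] = line[:at] + strings.Replace(line[at:], f[1], version, 1)
		changed = true
	}
	return strings.Join(lines, "\n"), changed
}
```

Running `requiredVersion` on the rewritten text before and after the bump is a cheap build-time check that the pinned version really matches what the consuming library (here sigstore-go) expects.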

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Dec 8, 2025
@dnegreira dnegreira self-assigned this Dec 15, 2025
dnegreira (Member) commented Dec 15, 2025

needs advisory wolfi-dev/advisories#27933

octo-sts bot (Contributor, Author) commented Dec 15, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-xrvj-839r-77q9 has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/gitsign.advisories.yaml

ID:      CGA-xrvj-839r-77q9
Package: gitsign
Aliases: CVE-2025-66506 GHSA-f83f-xpx7-ffpw
Events:
  - "scan/v1" at 2025-12-06 23:17:36 UTC
  - "pending-upstream-fix" at 2025-12-15 15:13:03 UTC

🔀 v2 advisory logic would not have closed this PR: Found 4 advisories, but 2 of them are not resolved (CGA-j6w5-q3hw-pw8j, CGA-gv44-j7jq-9rxh).
