skaffold/2.17.0-r2: cve remediation

[octo-sts]

skaffold/2.17.0-r2: fix GHSA-4qg8-fj49-pxjh

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/skaffold.advisories.yaml

---

"Breadcrumbs" for this automated service

• Source Code: https://go/cve-remedy-automation-source
• Logs: https://go/cve-remedy-automation-logs
• Docs: (not provided yet)

[octo-sts]

🔢 Build Failed: Dependency Version Mismatch

go: github.com/sigstore/[email protected]: invalid version: go.mod has post-v2 module path "github.com/sigstore/timestamp-authority/v2" at revision v2.0.3

Build Details

Category	Details
Build System	melange/go
Failure Point	gobump dependency update step for github.com/sigstore/[email protected]

Root Cause Analysis 🔍

The go.mod file for github.com/sigstore/timestamp-authority at version v2.0.3 declares itself as module path 'github.com/sigstore/timestamp-authority/v2', but the dependency is being referenced as 'github.com/sigstore/[email protected]' without the '/v2' suffix. This violates Go module versioning rules where major version 2+ must include the version in the module path.

---

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

• wolfictl/0.31.1-r0: cve remediation #47264

Suggested Changes

File: skaffold.yaml

• modification at line 17-20 (go/bump step with deps containing github.com/sigstore/timestamp-authority)
  Original:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/[email protected]
        github.com/sigstore/[email protected]

Replacement:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/[email protected]
        github.com/sigstore/timestamp-authority/[email protected]

Content:

Replace the dependency reference from 'github.com/sigstore/[email protected]' to 'github.com/sigstore/timestamp-authority/[email protected]' to match the module path declared in the go.mod file

Click to expand fix analysis

Analysis

The similar fixes show a clear pattern: when Go modules use v2+ versioning, they require the version suffix in the module path. Both containerd fixes demonstrate the same approach - adding dual dependency entries: one for the v1.x version using the original module path (github.com/containerd/[email protected]) and another for the v2.x version using the versioned module path (github.com/containerd/containerd/[email protected]). This allows the build system to properly resolve dependencies that may require either version format.

Click to expand fix explanation

Explanation

The fix works because Go's module system requires that for major versions 2 and higher, the module path must include the version suffix (e.g., /v2). The timestamp-authority project at v2.0.3 has declared its module path as 'github.com/sigstore/timestamp-authority/v2' in its go.mod file, but the dependency is being referenced as 'github.com/sigstore/[email protected]' without the '/v2' suffix. By changing the dependency reference to include the correct module path 'github.com/sigstore/timestamp-authority/[email protected]', the Go module system will be able to properly resolve and fetch the dependency. This aligns with Go's semantic import versioning rules and matches the pattern seen in the containerd fixes where the v2+ versions required the versioned module path.

Click to expand alternative approaches

Alternative Approaches

• Pin to a v1.x version of timestamp-authority if v2 features are not required, using 'github.com/sigstore/[email protected]'
• Add both v1 and v2 dependency entries similar to the containerd fixes, allowing the build system to choose the appropriate version based on other dependencies
• Update to a newer version of timestamp-authority v2.x that might have resolved module path issues, if available

---

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

[catmsred]

Advisory PR: wolfi-dev/advisories#27919

[octo-sts]

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-44vc-cjxq-2296 has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/skaffold.advisories.yaml

ID:      CGA-44vc-cjxq-2296
Package: skaffold
Aliases: CVE-2025-66564 GHSA-4qg8-fj49-pxjh
Events:
  - "scan/v1" at 2025-12-07 06:36:08 UTC
  - "pending-upstream-fix" at 2025-12-12 20:07:45 UTC