Conversation

@octo-sts
Contributor

@octo-sts octo-sts bot commented Dec 8, 2025

goreleaser/2.13.1-r0: fix GHSA-4qg8-fj49-pxjh

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/goreleaser.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts
Contributor Author

octo-sts bot commented Dec 8, 2025

🔢 Build Failed: Dependency Version Mismatch

go: github.com/sigstore/timestamp-authority@v2.0.3: invalid version: go.mod has post-v2 module path "github.com/sigstore/timestamp-authority/v2" at revision v2.0.3

Build Details

Category Details
Build System Go (via gobump tool in melange)
Failure Point go/bump step - gobump command execution

Root Cause Analysis 🔍

The go.mod file has a semantic versioning mismatch - the module path includes '/v2' suffix indicating it should be version 2.x.x, but the requested version v2.0.3 is being treated as invalid by Go's module system. This is a common issue when Go modules don't follow proper semantic versioning conventions for major version paths.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: goreleaser.yaml

  • modification at line 19-21 (pipeline section, go/bump step)

Original:

  - uses: go/bump
    with:
      deps: |-
        github.com/sigstore/timestamp-authority@v2.0.3

Replacement:

  - uses: go/bump
    with:
      deps: |-
        github.com/sigstore/timestamp-authority@v1.2.12
        github.com/sigstore/timestamp-authority/v2@v2.0.3

Content:

Add both the v1.x version and the properly versioned v2.x dependency for timestamp-authority
Click to expand fix analysis

Analysis

Both similar fixes show a consistent pattern: when Go modules have post-v2 module paths (ending with "/v2"), the dependency specification must include both the legacy module path and the versioned module path. In Fix Example #0, containerd v2.1.5 was fixed by adding both "github.com/containerd/containerd@v1.7.29" and "github.com/containerd/containerd/v2@v2.1.5". Fix Example #1 shows the same pattern with containerd v2.0.4, adding both the v1.x version and the properly versioned v2.x dependency. The root cause is Go's semantic versioning requirement that major version 2+ modules must use versioned import paths.

Click to expand fix explanation

Explanation

This fix addresses the Go module versioning issue by following the same pattern used in the similar fixes. The timestamp-authority project uses a post-v2 module path "github.com/sigstore/timestamp-authority/v2" for version 2.x.x, which requires the dependency to be specified with the versioned path. By adding both the v1.x version (github.com/sigstore/timestamp-authority@v1.2.12) and the properly versioned v2.x dependency (github.com/sigstore/timestamp-authority/v2@v2.0.3), we ensure Go's module system can correctly resolve the dependency. The v1.x version provides backward compatibility while the v2.x version with the correct module path satisfies the semantic versioning requirements for major version 2+ modules.

Click to expand alternative approaches

Alternative Approaches

  • Replace the dependency entirely with just the v2 versioned path: github.com/sigstore/timestamp-authority/v2@v2.0.3 (may cause compatibility issues if other dependencies expect the v1 module path)
  • Use a different version of timestamp-authority that doesn't have the v2 module path issue, such as staying with v1.x versions
  • Update the goreleaser codebase to properly import the v2 module path and then use only the versioned dependency

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
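The failure above comes from Go's major-version suffix rule: a module at v2 or later must be requested by its "/vN" path. The following is an added example (not the bot's suggestion and not code from goreleaser or melange) that lints the `deps:` lines of a go/bump step before gobump runs, reporting the path Go will expect for each version; the `ExpectedPath` and `CheckDep` names are this example's own, and gopkg.in-style ".vN" paths are assumed not to appear.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// majorSuffix matches a "/vN" major-version suffix (N >= 2) at the end of a module path.
var majorSuffix = regexp.MustCompile(`/v([2-9]|[1-9][0-9]+)$`)

// semverMajor extracts the major number from a version such as "v2.0.3" or "v1.2.12".
var semverMajor = regexp.MustCompile(`^v(\d+)\.\d+\.\d+`)

// ExpectedPath returns the module path Go's module system expects for path at
// version: "/vN" is appended for major N >= 2 and omitted for v0/v1. Any "/vN"
// already present is stripped first, so the result is idempotent.
// Assumption: gopkg.in-style ".vN" paths are not handled here.
func ExpectedPath(path, version string) (string, error) {
	m := semverMajor.FindStringSubmatch(version)
	if m == nil {
		return "", fmt.Errorf("version %q is not vMAJOR.MINOR.PATCH", version)
	}
	major, _ := strconv.Atoi(m[1])
	base := majorSuffix.ReplaceAllString(path, "")
	if major >= 2 {
		return fmt.Sprintf("%s/v%d", base, major), nil
	}
	return base, nil
}

// CheckDep validates one "path@version" line as written in a go/bump deps: block.
// It returns the spec Go will accept and true when the line was already consistent.
func CheckDep(spec string) (string, bool, error) {
	path, version, found := strings.Cut(spec, "@")
	if !found {
		return "", false, fmt.Errorf("spec %q has no @version", spec)
	}
	want, err := ExpectedPath(path, version)
	if err != nil {
		return "", false, err
	}
	return want + "@" + version, want == path, nil
}

func main() {
	// Constructed input mirroring the deps: block of the failing goreleaser.yaml.
	for _, s := range []string{
		"github.com/sigstore/timestamp-authority@v2.0.3",
		"github.com/sigstore/timestamp-authority/v2@v2.0.3",
		"github.com/sigstore/timestamp-authority@v1.2.12",
	} {
		fixed, ok, err := CheckDep(s)
		fmt.Println(s, "->", fixed, ok, err)
	}
}
```

Running it flags the first line as inconsistent and rewrites it to the "/v2" path, which is exactly the spec the gobump error message says go.mod declares at revision v2.0.3.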

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Dec 8, 2025
@dnegreira dnegreira self-assigned this Dec 15, 2025
@dnegreira
Member

needs advisory wolfi-dev/advisories#27934

@octo-sts
Contributor Author

octo-sts bot commented Dec 15, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-3869-r3q2-2p7h has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/goreleaser.advisories.yaml

ID:      CGA-3869-r3q2-2p7h
Package: goreleaser
Aliases: CVE-2025-66564 GHSA-4qg8-fj49-pxjh
Events:
  - "scan/v1" at 2025-12-06 14:30:02 UTC
  - "pending-upstream-fix" at 2025-12-15 15:44:22 UTC
