@octo-sts octo-sts bot commented Dec 14, 2025

spire-server/1.14.0-r0: fix GHSA-4qg8-fj49-pxjh

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/spire-server.advisories.yaml


"Breadcrumbs" for this automated service

@octo-sts octo-sts bot added automated pr GHSA-4qg8-fj49-pxjh go/bump legacy-remediation request-cve-remediation spire-server P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Dec 14, 2025

octo-sts bot commented Dec 14, 2025

🔢 Build Failed: Dependency Version Mismatch

go: github.com/sigstore/timestamp-authority@v2.0.3: invalid version: go.mod has post-v2 module path "github.com/sigstore/timestamp-authority/v2" at revision v2.0.3

Build Details

Build System:  melange/go
Failure Point: go/bump step - gobump package update

Root Cause Analysis 🔍

The dependency github.com/sigstore/timestamp-authority@v2.0.3 has a version mismatch where the go.mod file declares a post-v2 module path (github.com/sigstore/timestamp-authority/v2) but the version tag is still v2.0.3. Go modules require proper semantic import versioning where major version v2+ must include the version in the module path, causing this version constraint violation during the dependency update process.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: spire-server.yaml

  • modification at line 32-34 (go/bump step deps section)

    Original:

      - uses: go/bump
        with:
          deps: |-
            github.com/sigstore/timestamp-authority@v2.0.3

    Replacement:

      - uses: go/bump
        with:
          deps: |-
            github.com/sigstore/timestamp-authority/v2@v2.0.3

Content:

Update the module path to include the v2 suffix as required by Go's semantic import versioning for major version v2+

Analysis

Both similar fixes follow the same pattern: when Go modules encounter a post-v2 module path mismatch, the solution is to explicitly specify both the old v1.x module path and the new v2+ module path with version suffix in the go/bump deps section. In Fix Example #0, containerd v2.1.5 was added as 'github.com/containerd/containerd/v2@v2.1.5' alongside the v1 path. In Fix Example #1, the same pattern was applied with containerd v2.0.4. The key insight is that Go's semantic import versioning requires major version v2+ dependencies to include the version in the module path, so both module paths must be explicitly declared to resolve the version constraint violation.

Explanation

The fix addresses the root cause of the Go module version mismatch by using the correct module path format. When a Go module reaches major version v2 or higher, Go's semantic import versioning requires that the module path include the major version suffix (e.g., '/v2'). The error occurs because the current dependency specification uses 'github.com/sigstore/timestamp-authority@v2.0.3' but the actual go.mod file in that version declares the module path as 'github.com/sigstore/timestamp-authority/v2'. By changing the dependency specification to 'github.com/sigstore/timestamp-authority/v2@v2.0.3', we align with the module's declared path and satisfy Go's versioning constraints. This is the same pattern successfully applied in both similar fixes for containerd dependencies.

Alternative Approaches

  • Pin to a v1.x version if available and compatible with the project's requirements, though this may not provide the latest features and security updates
  • Check if there's a newer version (like v2.1.x) that might have resolved any module path issues, though this could introduce breaking changes
  • Contact the timestamp-authority maintainers to clarify the intended module versioning strategy if the current approach doesn't work

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

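As an added illustration (not code from this PR, from melange/go-bump, or from the Go toolchain), the following Go program implements the same module-path check that the build failure above tripped over: it takes go/bump deps entries of the form path@version and reports when a v2+ version is paired with a module path lacking the matching /vN suffix, or a v0/v1 version with a path that has one. CheckDep and the sample entries are hypothetical; gopkg.in's ".vN" convention is not handled.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// majorSuffix matches a trailing "/vN" (N >= 2) module-path element.
var majorSuffix = regexp.MustCompile(`/v([2-9]|[1-9][0-9]+)$`)

// CheckDep validates one go/bump "deps" entry (path@version) against Go's
// semantic import versioning rule: a v2+ version requires the path to end
// in "/vN" with N equal to the version's major number, while v0/v1 and
// "+incompatible" versions must not carry one. It returns "" when the pair
// is consistent, otherwise a message naming the path the version requires.
func CheckDep(dep string) string {
	path, version, ok := strings.Cut(dep, "@")
	if !ok || path == "" || !strings.HasPrefix(version, "v") {
		return fmt.Sprintf("%q: expected <module path>@v<semver>", dep)
	}
	majorStr, _, _ := strings.Cut(version[1:], ".") // "v2.0.3" -> "2"
	major, err := strconv.Atoi(majorStr)
	if err != nil {
		return fmt.Sprintf("%q: invalid version %q", dep, version)
	}
	if strings.HasSuffix(version, "+incompatible") {
		major = 1 // pre-modules tags keep the unsuffixed path
	}
	base := majorSuffix.ReplaceAllString(path, "") // path without any /vN
	want := base
	if major >= 2 {
		want = fmt.Sprintf("%s/v%d", base, major)
	}
	if want == path {
		return ""
	}
	return fmt.Sprintf("%q: version %s requires module path %q", dep, version, want)
}

func main() {
	// Constructed sample: the entry from this PR and its corrected form.
	for _, dep := range []string{
		"github.com/sigstore/timestamp-authority@v2.0.3",
		"github.com/sigstore/timestamp-authority/v2@v2.0.3",
	} {
		fmt.Printf("%s -> %q\n", dep, CheckDep(dep))
	}
}
```

Run against the two entries from the suggested change, it flags the first and accepts the second, which is the same consistency rule the go command enforces when it reads the dependency's go.mod.
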
@octo-sts octo-sts bot added ai/skip-comment Stop AI from commenting on PR cve-pr-closer/v2-adv-disagreement labels Dec 14, 2025

octo-sts bot commented Dec 15, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-q4m3-v973-ghc2 has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/spire-server.advisories.yaml

ID:      CGA-q4m3-v973-ghc2
Package: spire-server
Aliases: CVE-2025-66564 GHSA-4qg8-fj49-pxjh
Events:
  - "scan/v1" at 2025-12-07 06:37:24 UTC
  - "pending-upstream-fix" at 2025-12-13 17:36:33 UTC
