Conversation

octo-sts bot (Contributor) commented Jan 9, 2026

kubevela/1.10.6-r0: fix GHSA-5xqw-8hwv-wg92

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/kubevela.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/kubevela/[email protected]

@octo-sts octo-sts bot added automated pr request-cve-remediation go/bump GHSA-5xqw-8hwv-wg92 p:kubevela P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jan 9, 2026
octo-sts bot (Contributor, Author) commented Jan 9, 2026

📦 Build Failed: Missing Dependency

module k8s.io/apiserver@latest found (v0.35.0), but does not contain package k8s.io/apiserver/pkg/util/version

Build Details

Category        Details
Build System    Go
Failure Point   go mod tidy command during go/bump step

Root Cause Analysis 🔍

The Go module dependency resolution failed because k8s.io/apiserver version 0.35.0 does not contain the required package k8s.io/apiserver/pkg/util/version that is being imported by the kubevela project through its dependency chain. This is likely due to a breaking change or package restructuring in the k8s.io/apiserver module where the util/version package was removed or moved to a different location.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: kubevela.yaml

  • modification (pipeline[1].uses go/bump with.replaces section)

    Original:

      replaces: github.com/docker/docker=github.com/moby/[email protected]+incompatible

    Replacement:

      replaces: |-
        github.com/docker/docker=github.com/moby/[email protected]+incompatible
        k8s.io/apiserver=k8s.io/[email protected]

    Content:

    Add k8s.io/apiserver version constraint to replaces directive using multiline format
Analysis

The similar fix shows a pattern where k8s.io/apiserver dependency issues are resolved by explicitly pinning the k8s.io/apiserver module to a specific compatible version using the 'replaces' directive in the go/bump step. In the example fix, k8s.io/apiserver was replaced with version v0.31.12 to ensure compatibility when the latest version (v0.33.4 in that case, v0.35.0 in the current case) lacks the required package. This approach bypasses the problematic latest version and uses a known working version that contains the necessary packages.

Explanation

This fix addresses the root cause by explicitly constraining k8s.io/apiserver to version v0.31.12, which is known to contain the required package k8s.io/apiserver/pkg/util/version. The current failure occurs because the latest version v0.35.0 has restructured or removed this package. By using the 'replaces' directive in go/bump, we override Go's module resolution to use the compatible version instead of the problematic latest version. The multiline format (|-) is used to maintain consistency with the existing replaces structure and allows for clean addition of multiple replace directives.

Alternative Approaches

  • Use a different compatible version like v0.30.x if v0.31.12 proves incompatible with other dependencies
  • Pin to the last known working version by checking the kubevela project's go.mod file to see what version they officially support
  • Update the kubevela source version to a newer release that may have already addressed this k8s.io/apiserver compatibility issue

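To make the pinning mechanism the bot describes concrete, here is an added Python example (not octo-sts, melange or kubevela code) that parses a go/bump-style `replaces` value, adds or overwrites the pin for one module without duplicating it, and renders the equivalent `go mod edit -replace` arguments; the whitespace/newline entry separation and the sample moby version are assumptions, only the v0.31.12 pin comes from the PR.

```python
import re

# A go/bump "replaces" entry as shown in the PR has the form old=new@version.
# Assumption: entries are separated by newlines (the |- layout) or whitespace.
ENTRY_RE = re.compile(r"^(?P<old>[^=@\s]+)=(?P<new>[^=@\s]+)@(?P<ver>[^=@\s]+)$")


def parse_replaces(replaces):
    """Split a replaces value into (old, new, version) tuples, rejecting malformed entries."""
    entries = []
    for token in replaces.split():
        m = ENTRY_RE.match(token)
        if m is None:
            raise ValueError(f"malformed replaces entry: {token!r}")
        entries.append((m["old"], m["new"], m["ver"]))
    return entries


def format_replaces(entries):
    """Render entries one per line, the multiline (|-) layout used in the suggested fix."""
    return "\n".join(f"{old}={new}@{ver}" for old, new, ver in entries)


def pin_module(replaces, module, version, target=None):
    """Return the replaces block with `module` pinned to `version` of `target` (default: itself).

    An existing pin for the same module is dropped first, so re-running the fix
    with a different version (e.g. the v0.30.x alternative) never leaves two
    competing replace directives for one module path.
    """
    target = target or module
    entries = [e for e in parse_replaces(replaces) if e[0] != module]
    entries.append((module, target, version))
    return format_replaces(entries)


def go_mod_edit_args(replaces):
    """Translate the block into the `go mod edit -replace old=new@ver` invocation it implies."""
    args = ["go", "mod", "edit"]
    for old, new, ver in parse_replaces(replaces):
        args += ["-replace", f"{old}={new}@{ver}"]
    return args


if __name__ == "__main__":
    # Constructed sample: the moby version below is a placeholder, not the real pin.
    original = "github.com/docker/docker=github.com/moby/moby@v24.0.0+incompatible"
    print(pin_module(original, "k8s.io/apiserver", "v0.31.12"))
```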

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 9, 2026