Conversation

@octo-sts octo-sts bot commented Jan 9, 2026

qdrant/1.16.3-r1: fix GHSA-2gh3-rmm4-6rq5

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/qdrant.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/qdrant/[email protected]

@octo-sts octo-sts bot added automated pr request-cve-remediation rust/cargobump GHSA-2gh3-rmm4-6rq5 p:qdrant P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jan 9, 2026

octo-sts bot commented Jan 9, 2026

🔢 Build Failed: Dependency Version Mismatch

failed to select a version for the requirement protobuf = "^2.28.0" candidate versions found which didn't match: 3.7.2

Build Details

| Category | Details |
| --- | --- |
| Build System | Cargo/Rust |
| Failure Point | `cargobump --run-update=false --bump-file ./cargobump-deps.yaml` |

Root Cause Analysis 🔍

The build is trying to update the protobuf dependency from version 2.28.0 to 3.7.2, but there's a version constraint mismatch. The storage package requires protobuf ^2.28.0 (which means >= 2.28.0 but < 3.0.0), but only version 3.7.2 is available in the crates.io index, which doesn't satisfy the ^2.28.0 constraint due to the major version difference.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: qdrant.yaml

  • addition (after git-checkout step)

Original:

```yaml
  - uses: rust/cargobump
```

Replacement:

```yaml
  - runs: |
      sed -i 's/protobuf = "\^2\.28\.0"/protobuf = "3.7.2"/' Cargo.toml

  - uses: rust/cargobump
```

Content: Add sed command to update protobuf version constraint

Analysis

The similar fix shows a pattern of using sed commands to update protobuf version constraints in Cargo.toml files when cargobump encounters version mismatches. The fix updates the exact version string to match what's available in the crates.io index. In the example, protobuf was updated from "3.7.1" to "3.7.2" using a sed replacement command that targets the specific protobuf dependency line in Cargo.toml.


Explanation

This fix addresses the root cause by updating the protobuf version constraint before cargobump runs. The current error shows that the package requires protobuf ^2.28.0 (any version >= 2.28.0 but < 3.0.0), but only 3.7.2 is available in the crates.io index. The sed command changes the version constraint from "^2.28.0" to "3.7.2" to match the available version. This allows cargobump to proceed without version conflicts. The pattern follows the successful fix in the similar issue where protobuf was updated from 3.7.1 to 3.7.2.


Alternative Approaches

  • Update the Cargo.lock file directly to pin protobuf to 3.7.2, though this is less maintainable
  • Modify multiple Cargo.toml files if the protobuf dependency appears in workspace members
  • Use cargo-edit commands to update the dependency version programmatically instead of sed

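As an added example (not code from the PR, from qdrant or from cargobump), a small Rust model of Cargo's caret requirement rules that reproduces the resolver's complaint above and also shows that the suggested replacement line, protobuf = "3.7.2", is still a caret range (^3.7.2) rather than an exact pin; the Version type, the function names and the one-entry index are assumptions of this example.

```rust
// Added example (not part of the PR, qdrant or cargobump): a minimal model of
// Cargo's caret ("^") requirements, used to check candidate versions against them.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl Version {
    /// Parse "MAJOR.MINOR.PATCH"; None for anything else (pre-release tags etc.).
    pub fn parse(s: &str) -> Option<Version> {
        let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
        let v = Version(it.next()??, it.next()??, it.next()??);
        if it.next().is_some() { return None; }
        Some(v)
    }
}

/// Exclusive upper bound of a caret requirement, per Cargo's rules:
/// ^I.J.K -> <(I+1).0.0 if I > 0; ^0.J.K -> <0.(J+1).0 if J > 0; ^0.0.K -> <0.0.(K+1)
pub fn caret_upper_bound(min: Version) -> Version {
    let Version(i, j, k) = min;
    if i > 0 { Version(i + 1, 0, 0) }
    else if j > 0 { Version(0, j + 1, 0) }
    else { Version(0, 0, k + 1) }
}

/// Does `candidate` satisfy `requirement`? Accepts "^X.Y.Z", a bare "X.Y.Z"
/// (which Cargo also treats as caret, not as an exact pin) and "=X.Y.Z".
pub fn satisfies(requirement: &str, candidate: &str) -> Option<bool> {
    let req = requirement.trim();
    let cand = Version::parse(candidate)?;
    if let Some(exact) = req.strip_prefix('=') {
        return Some(Version::parse(exact)? == cand);
    }
    let min = Version::parse(req.strip_prefix('^').unwrap_or(req))?;
    Some(cand >= min && cand < caret_upper_bound(min))
}

/// The resolver's view: candidates from the index that do NOT match.
pub fn unmatched<'a>(requirement: &str, candidates: &[&'a str]) -> Vec<&'a str> {
    candidates.iter().copied()
        .filter(|c| satisfies(requirement, c) != Some(true))
        .collect()
}

fn main() {
    let index = ["3.7.2"]; // constructed: the only protobuf version in the index
    println!("^2.28.0 vs 3.7.2: {:?}", satisfies("^2.28.0", "3.7.2")); // Some(false)
    println!("unmatched: {:?}", unmatched("^2.28.0", &index));        // ["3.7.2"]
    // After `sed` the line reads protobuf = "3.7.2", i.e. ^3.7.2: a later 3.9.0
    println!("\"3.7.2\" vs 3.9.0: {:?}", satisfies("3.7.2", "3.9.0"));   // Some(true)
}
```

Only the `=3.7.2` form would pin the crate exactly; the caret form chosen by the sed edit still lets a future 3.x release be selected on the next update.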

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 9, 2026