Conversation


@octo-sts octo-sts bot commented Aug 2, 2025

cluster-api-helm-controller/0.3.2-r2: fix GHSA-5xqw-8hwv-wg92

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/cluster-api-helm-controller.advisories.yaml


"Breadcrumbs" for this automated service


octo-sts bot commented Aug 2, 2025

📦 Build Failed: Missing Dependency

module k8s.io/apiserver@latest found (v0.33.3), but does not contain package k8s.io/apiserver/pkg/util/version

Build Details

Build System: Melange (Go build system)
Failure Point: go/bump step during go mod tidy execution

Root Cause Analysis 🔍

The k8s.io/apiserver module version v0.33.3 does not contain the required package k8s.io/apiserver/pkg/util/version that is needed by the cluster-api dependency chain. This indicates a breaking change or package restructuring in the apiserver module that removed or moved the version package.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: cluster-api-helm-controller.yaml

  • modification at line 19-25 (pipeline go/bump step (main))
    Original:
  - uses: go/bump
    with:
      deps: |-
        github.com/containerd/[email protected]
        golang.org/x/[email protected]
        golang.org/x/[email protected]
        helm.sh/helm/[email protected]

Replacement:

  - uses: go/bump
    with:
      deps: |-
        github.com/containerd/[email protected]
        golang.org/x/[email protected]
        helm.sh/helm/[email protected]

Content:

Remove golang.org/x/[email protected] from main go/bump step

  • modification at line 27-31 (pipeline go/bump step (hack/tools))
    Original:
  - uses: go/bump
    with:
      deps: |-
        golang.org/x/[email protected]
      modroot: hack/tools

Replacement:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/[email protected]
        golang.org/x/[email protected]
      modroot: hack/tools

Content:

Add golang.org/x/[email protected] to hack/tools go/bump step

Analysis

Looking at the three similar fixes, there's a clear pattern: all three fixes are identical and address the k8s.io/[email protected] dependency issue by adding specific dependency bumps. The key changes include: 1) Adding github.com/containerd/[email protected] to the main go/bump step, 2) Adding golang.org/x/[email protected] to both go/bump steps, and 3) Moving the golang.org/x/[email protected] dependency from the main go/bump to the hack/tools go/bump step. This pattern suggests that the issue is resolved by explicitly pinning compatible versions of transitive dependencies that work with the problematic k8s.io/apiserver version.


Explanation

The fix works by addressing dependency resolution conflicts that arise when k8s.io/[email protected] is pulled in as a transitive dependency. The missing k8s.io/apiserver/pkg/util/version package indicates a version compatibility issue between different parts of the Kubernetes ecosystem. By explicitly pinning golang.org/x/[email protected] in both locations and moving golang.org/x/[email protected] to the hack/tools module, we ensure that the dependency resolution uses compatible versions that don't conflict with the problematic k8s.io/apiserver version. The github.com/containerd/[email protected] dependency is already correctly pinned. This approach forces Go's module system to use specific versions that are known to work together, bypassing the automatic resolution that's failing with the incompatible k8s.io/apiserver version.


Alternative Approaches

  • Pin k8s.io/apiserver to a specific older version that contains the required package, though this may introduce security vulnerabilities
  • Update to a newer version of cluster-api-addon-provider-helm that's compatible with k8s.io/[email protected]
  • Use replace directives in go.mod to force specific module versions, though this requires more invasive changes

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Aug 2, 2025

kbsteere commented Aug 4, 2025

Advisory wolfi-dev/advisories#21337, closing PR

@kbsteere kbsteere closed this Aug 4, 2025