kubevela/1.9.13-r1: cve remediation

[octo-sts]

The automation almost got this one right, but it omitted '+incompatible' (internal DYDX issue filed).

---

kubevela/1.9.13-r1: fix GHSA-gh5c-3h97-2f3q

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/kubevela.advisories.yaml

[octo-sts]

Gen AI suggestions to solve the build error:

Based on the error log, I'll analyze the build failure:

• Detected Error: The build appears to fail when running "go/bump" step with Go 1.23.3, which is an invalid Go version (latest stable is 1.21.x)

• Error Category: Version/Configuration

• Failure Point: The go/bump step attempting to use Go 1.23.3

• Root Cause Analysis: The system is trying to use Go 1.23.3, which doesn't exist. The highest current stable version of Go is 1.21.x. This appears to be an incorrect version specification in the build environment.

• Suggested Fix:

1. Modify the build environment package specification to use the correct Go version:

environment:
  contents:
    packages:
      - build-base
      - busybox
      - ca-certificates-bundle
      - go-1.21
      - openssf-compiler-options

• Explanation:

• Go 1.23.3 doesn't exist (as of current date)
• The build system is pulling an invalid Go version
• Switching to Go 1.21.x (latest stable) should resolve the version mismatch
• This aligns with Go's release schedule and versioning pattern

• Additional Notes:

• Go follows semantic versioning with major versions released approximately every 6 months
• Current stable versions are in the 1.21.x series
• The build system should use a valid, stable Go version

• References:

• Go Release Policy: https://golang.org/doc/devel/release
• Current Go Releases: https://golang.org/dl/
• Go Version Support: https://golang.org/doc/devel/release#policy

Would you like me to provide additional guidance on version compatibility or build configuration?

[octo-sts]

Gen AI suggestions to solve the build error:

Based on the error output, I'll analyze and provide specific fixes:

• Detected Error: "Failed to running update. Error: failed to run 'go get': exit status 1 with output: go: errors parsing go.mod"

• Error Category: Dependency/Version

• Failure Point: go/bump step during dependency updates

• Root Cause Analysis:
The error occurs during go mod tidy with Go 1.23.4, likely due to incompatible version constraints or syntax errors in the dependency updates specified in the go/bump step.

• Suggested Fix:

1. Modify the go/bump section to break down the dependency updates into compatible groups:

  - uses: go/bump
    with:
      deps: |
        github.com/containerd/[email protected]
        github.com/cloudflare/[email protected]
        github.com/fluxcd/source-controller/[email protected]
        oras.land/[email protected]
        golang.org/x/[email protected]
      replaces: |
        github.com/go-git/go-git/v5=github.com/go-git/go-git/[email protected]
        github.com/docker/docker=github.com/moby/[email protected]

  - uses: go/bump
    with:
      deps: |
        go.opentelemetry.io/contrib/instrumentation/net/http/[email protected]
        go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/[email protected]
        go.opentelemetry.io/otel/exporters/otlp/otlptrace/[email protected]
        github.com/hashicorp/[email protected]

• Explanation:
Breaking down the dependency updates into smaller groups helps isolate potential version conflicts and makes it easier to identify problematic dependencies. The OpenTelemetry dependencies are grouped separately as they often have interdependent version requirements.

• Additional Notes:

• Consider adding GO111MODULE=on before the go/bump steps
• The original error suggests a parsing issue which often occurs with dependency version conflicts
• Breaking updates into logical groups reduces the chance of circular dependencies

• References:

• Go Modules Reference: https://go.dev/ref/mod
• KubeVela Go Dependencies: https://github.com/kubevela/kubevela/blob/master/go.mod

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error: "replace github.com/moby/moby: version "v26.0.0" invalid: should be v0 or v1, not v26"

• Error Category: Version

• Failure Point: go/bump step when trying to update dependencies

• Root Cause Analysis: The error occurs because Go's module system expects semantic versioning (v0 or v1 for major versions), but we're trying to use v26.0.0 for moby/moby which doesn't follow this convention

• Suggested Fix:
Modify the moby/moby version reference in the go/bump step to use the proper git commit hash instead:

  - uses: go/bump
    with:
      deps: github.com/containerd/[email protected] github.com/cloudflare/[email protected] go.opentelemetry.io/contrib/instrumentation/net/http/[email protected] go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/[email protected] go.opentelemetry.io/otel/exporters/otlp/otlptrace/[email protected] github.com/fluxcd/source-controller/[email protected] oras.land/[email protected] golang.org/x/[email protected] github.com/hashicorp/[email protected] github.com/moby/[email protected]
      replaces: github.com/go-git/go-git/v5=github.com/go-git/go-git/[email protected] github.com/docker/docker=github.com/moby/[email protected]

• Explanation: The Moby project (Docker) uses an unconventional versioning scheme that doesn't comply with Go modules' semantic versioning requirements. Using the latest stable version (24.0.7) instead of v26.0.0 should resolve the parsing error while maintaining compatibility.

• Additional Notes:

• Moby/Docker maintains its own versioning scheme separate from Go's semantic versioning requirements
• The version v24.0.7 is the latest stable release that should work with most Go projects
• Using a specific commit hash could be an alternative if needed

• References:

• Go Modules Reference: https://go.dev/ref/mod#go-mod-file-replace
• Moby Project Releases: https://github.com/moby/moby/releases
• Go Module Version Numbering: https://go.dev/doc/modules/version-numbers