
pulumi/3.142.0-r0: cve remediation #35894

Merged: 2 commits merged into main from cve-pulumi-c338cbc25f3e2dd6ad05ae72d94831c2 on Dec 9, 2024

Conversation

octo-sts[bot] (Contributor) commented Dec 5, 2024

octo-sts[bot] added labels on Dec 5, 2024: P1 (this label indicates our scanning found High, Medium or Low CVEs for these packages), automated pr, go/bump, pulumi/3.142.0-r0, request-cve-remediation, GHSA-q59j-vv4j-v33c
octo-sts[bot] (Contributor, Author) commented Dec 5, 2024

Gen AI suggestions to solve the build error:

• Detected Error: "Error: Failed to running update. Error: failed to run 'go mod tidy': exit status 1 with output: go: go.mod file not found in current directory or any parent directory"

• Error Category: Configuration/Build

• Failure Point: go/bump step in pipeline trying to run go mod tidy

• Root Cause Analysis: The go/bump step is failing because it can't find the go.mod file. This is because the modroot path specified in the YAML isn't correct relative to the working directory.

• Suggested Fix:
Update the go/bump step in the YAML to include the correct modroot path:

  - uses: go/bump
    with:
      deps: github.com/moby/[email protected]
      modroot: ./pulumi

• Explanation:
The git-checkout step clones the repository into a "pulumi" directory, but the go/bump step is looking for go.mod in the current directory. By explicitly setting modroot to "./pulumi", we point to the correct location of the go.mod file.

• Additional Notes:

  • The go/bump action requires the go.mod file to be present in the specified modroot directory
  • The path should be relative to the working directory where melange is running
  • You can verify the correct path by checking the git-checkout step's destination parameter

• References:

Signed-off-by: Batuhan Apaydin <[email protected]>
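The following melange pipeline fragment is an added illustration of the bot's point above; it is not the diff from this PR. It assumes a package whose go.mod sits at the root of the checked-out tree, and the repository URL, commit and dependency/version are placeholders, not values taken from this PR.

```yaml
# Added illustration, not the PR's own change: the go/bump modroot must match
# the directory git-checkout clones into. Placeholders are marked in angle brackets.
package:
  name: pulumi
  version: 3.142.0
  epoch: 0

pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/<org>/<repo>   # placeholder
      tag: v${{package.version}}
      expected-commit: <placeholder-commit-sha>
      destination: pulumi      # the tree lands in ./pulumi, not the working dir

  # Failing form: no modroot, so "go mod tidy" runs in the working directory,
  # which has no go.mod, and exits with
  # "go: go.mod file not found in current directory or any parent directory".
  #- uses: go/bump
  #  with:
  #    deps: <module>@<fixed-version>

  # Corrected form: modroot points at the git-checkout destination.
  - uses: go/bump
    with:
      deps: <module>@<fixed-version>   # placeholder; the PR's real dep is elided on this page
      modroot: ./pulumi
```

A quick sanity check before pushing such a change is to confirm that `<destination>/go.mod` exists in the checked-out tree; if the repository keeps its Go modules in subdirectories instead of the root, modroot has to name that subdirectory rather than the checkout root.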
octo-sts[bot] added labels on Dec 8, 2024: bincapz/pass (Bincapz, aka malcontent, scan didn't detect any CRITICALs on the scanned packages), manual/review-needed
mamccorm merged commit 610d6ac into main on Dec 9, 2024 (14 checks passed)
mamccorm deleted the cve-pulumi-c338cbc25f3e2dd6ad05ae72d94831c2 branch on December 9, 2024 at 09:17