docker-machine-driver-harvester/1.0.5-r3: cve remediation

[octo-sts]

docker-machine-driver-harvester/1.0.5-r3: fix GHSA-9m94-w2vq-hcf9

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/docker-machine-driver-harvester.advisories.yaml

---

"Breadcrumbs" for this automated service

• Source Code: https://go/cve-remedy-automation-source
• Logs: https://go/cve-remedy-automation-logs
• Docs: (not provided yet)

Inspected git repositories: https://github.com/harvester/docker-machine-driver-harvester@v1.0.5

[octo-sts]

🛑 Build Failed: Compilation

unknown field S390x in struct literal of type "kubevirt.io/api/core/v1".ArchConfiguration and c.GetConfig().ArchitectureConfiguration.S390x undefined (type *"kubevirt.io/api/core/v1".ArchConfiguration has no field or method S390x)

Build Details

Category	Details
Build System	Go
Failure Point	go build command during compilation of kubevirt.io/kubevirt/pkg/virt-config package

Root Cause Analysis 🔍

The kubevirt dependency version being used has a struct definition incompatible with the code trying to access the S390x field. The ArchConfiguration struct in kubevirt.io/api/core/v1 does not contain the S390x field that the code is trying to reference, indicating a version mismatch or API breaking change between the expected kubevirt version and the one being used.

---

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: Melange YAML pipeline section

• version_downgrade at line pipeline uses go/bump section (go/bump step - kubevirt dependency)
  Original:

kubevirt.io/kubevirt@v1.7.0-beta.0

Replacement:

kubevirt.io/kubevirt@v1.6.1

Content:

Downgrade kubevirt dependency to a stable version that still includes the S390x field in ArchConfiguration struct

Click to expand fix analysis

Analysis

No similar build failures were provided for analysis. However, the error indicates a version mismatch issue where the code is trying to access a S390x field in kubevirt.io/api/core/v1.ArchConfiguration struct that doesn't exist in the current version. This is a common issue when dependencies are updated and API structures change between versions. The go/bump step in the pipeline updates kubevirt.io/kubevirt to v1.7.0-beta.0, which likely introduced breaking changes to the ArchConfiguration struct.

Click to expand fix explanation

Explanation

The build failure occurs because the code expects an S390x field in the ArchConfiguration struct from kubevirt.io/api/core/v1, but this field was removed or renamed in the v1.7.0-beta.0 version being used. Since this is a beta version, it likely contains breaking API changes. By downgrading to kubevirt v1.6.1 (the latest stable release before v1.7.0), we maintain compatibility with the existing code that expects the S390x field. The v1.6.1 version should still contain the S390x architecture configuration field that the docker-machine-driver-harvester code is trying to access. This is a safer approach than upgrading the application code to match the new API, as it maintains stability while the upstream kubevirt v1.7.0 API is still in beta.

Click to expand alternative approaches

Alternative Approaches

• Remove the S390x field references from the source code if S390x architecture support is not needed for this driver
• Update the source code to use the new API structure in kubevirt v1.7.0-beta.0 if the field was renamed or moved to a different struct
• Pin to an even earlier kubevirt version (like v1.5.x) if v1.6.1 also has compatibility issues
• Wait for kubevirt v1.7.0 stable release which might restore the S390x field or provide migration guidance

---

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.