Conversation

@octo-sts
Contributor

@octo-sts octo-sts bot commented Jan 9, 2026

zot/2.1.13-r0: fix GHSA-4qg8-fj49-pxjh

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/zot.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/project-zot/zot@v2.1.13

@octo-sts octo-sts bot added automated pr request-cve-remediation go/bump GHSA-4qg8-fj49-pxjh p:zot P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jan 9, 2026
@octo-sts
Contributor Author

octo-sts bot commented Jan 9, 2026

🔢 Build Failed: Dependency Version Mismatch

go: github.com/sigstore/timestamp-authority@v2.0.3: invalid version: go.mod has post-v2 module path "github.com/sigstore/timestamp-authority/v2" at revision v2.0.3

Build Details

Build System: go
Failure Point: go/bump step during go get command execution

Root Cause Analysis 🔍

The dependency github.com/sigstore/timestamp-authority@v2.0.3 has an incompatible module path structure. The go.mod file specifies a post-v2 module path 'github.com/sigstore/timestamp-authority/v2' but the version tag v2.0.3 doesn't match this module path convention. Go modules with major version v2+ require the major version to be included in the module path.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: zot.yaml

  • modification at line 25-28 (go/bump section)

Original:

  - uses: go/bump
    with:
      deps: |-
        github.com/sigstore/timestamp-authority@v2.0.3

Replacement:

  - uses: go/bump
    with:
      deps: |-
        github.com/sigstore/timestamp-authority/v2@v2.0.3

Content:

Update the dependency specification to use the correct v2 module path format

Analysis

The similar fix shows a clear pattern for handling Go module v2+ dependency issues. When a package has upgraded to v2.x.x and uses the "/v2" module path suffix, the dependency specification in go/bump must be updated to include both the old v1.x path (for compatibility) and the new v2.x path with the correct module path format. The fix involved adding two entries: one for the legacy path with a v1.x version and another for the new v2 module path with the v2.x version.


Explanation

The current error occurs because the timestamp-authority package has migrated to Go modules v2+ convention, which requires the major version to be included in the module path. The go.mod file in the upstream repository specifies the module path as 'github.com/sigstore/timestamp-authority/v2', but the dependency is being referenced as 'github.com/sigstore/timestamp-authority@v2.0.3' without the '/v2' suffix. By changing the dependency specification to 'github.com/sigstore/timestamp-authority/v2@v2.0.3', we align with the correct module path format that Go expects for v2+ modules. This matches the pattern seen in the containerd fix where the v2 module path was explicitly specified with the '/v2' suffix.


Alternative Approaches

  • If there are compatibility concerns, could add both v1 and v2 paths similar to the containerd fix, but this would require knowing what v1 version was previously used
  • Could investigate if there's a newer v2.x.x version available that might have better compatibility
  • Could check if the package actually needs this specific dependency or if it can be removed entirely

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
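The module-path rule the bot's explanation describes, as an added Go example that is not part of this PR, the zot project, or the go/bump pipeline: it rewrites a `path@version` dependency spec so that a v2+ version carries the matching `/vN` path suffix, leaving gopkg.in paths and `+incompatible` versions alone because those follow different conventions. The `example.com/lib` spec is constructed; the timestamp-authority spec is the one from this PR.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// majorRe captures the major number of a semver tag such as v2.0.3 (pseudo-versions match too).
var majorRe = regexp.MustCompile(`^v(\d+)\.\d+\.\d+`)

// suffixRe matches an existing trailing /vN major-version suffix on a module path.
var suffixRe = regexp.MustCompile(`/v(\d+)$`)

// NormalizeDep rewrites one "path@version" spec to Go's major-version rule:
// v0/v1 modules carry no suffix, v2+ modules must end in /vN matching the tag.
func NormalizeDep(spec string) (string, error) {
	path, version, ok := strings.Cut(spec, "@")
	if !ok {
		return "", fmt.Errorf("missing @version in %q", spec)
	}
	// gopkg.in encodes the major as ".vN" in the path, and "+incompatible"
	// marks a v2+ tag on a module with no suffix; neither is rewritten here.
	if strings.HasPrefix(path, "gopkg.in/") || strings.Contains(version, "+incompatible") {
		return spec, nil
	}
	m := majorRe.FindStringSubmatch(version)
	if m == nil {
		return "", fmt.Errorf("unrecognised version %q in %q", version, spec)
	}
	major, _ := strconv.Atoi(m[1])
	base := suffixRe.ReplaceAllString(path, "") // drop any stale /vN, then recompute it
	if major >= 2 {
		base = fmt.Sprintf("%s/v%d", base, major)
	}
	return base + "@" + version, nil
}

// main shows the failing spec from this PR being rewritten to the form the fix suggests.
func main() {
	for _, spec := range []string{
		"github.com/sigstore/timestamp-authority@v2.0.3", // from the PR
		"example.com/lib@v1.4.0",                         // constructed: a v1 path stays bare
	} {
		fixed, err := NormalizeDep(spec)
		fmt.Println(spec, "->", fixed, err)
	}
}
```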

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 9, 2026