
Conversation

@octo-sts octo-sts bot (Contributor) commented Jan 9, 2026

kubevela/1.10.6-r0: fix GHSA-4hfp-h4cw-hj8p

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/kubevela.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/kubevela/kubevela@v1.10.6

@octo-sts octo-sts bot added automated pr request-cve-remediation go/bump GHSA-4hfp-h4cw-hj8p p:kubevela P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jan 9, 2026
@octo-sts octo-sts bot (Contributor, Author) commented Jan 9, 2026

🔢 Build Failed: Dependency Version Mismatch

module k8s.io/apiserver@latest found (v0.35.0), but does not contain package k8s.io/apiserver/pkg/util/version

Build Details

Build System: Go (gobump)
Failure Point: go mod tidy command during dependency update process

Root Cause Analysis 🔍

The k8s.io/apiserver module version v0.35.0 does not contain the required package k8s.io/apiserver/pkg/util/version that is being imported by the application code. This indicates either the package was moved/removed in this version of the apiserver module, or there's an incompatibility between the module version and the expected package structure.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: kubevela.yaml

  • add at line 25 (go/bump section - replaces field)
    Original:
replaces: github.com/docker/docker=github.com/moby/moby@v26.1.0+incompatible

Replacement:

replaces: |-
        github.com/docker/docker=github.com/moby/moby@v26.1.0+incompatible
        k8s.io/apiserver=k8s.io/apiserver@v0.31.12

Content:

Add k8s.io/apiserver version constraint to the replaces section to pin it to a compatible version that contains the required pkg/util/version package

Analysis

The similar fixed failure shows a pattern where k8s.io/apiserver module versions (v0.33.4 in the example, v0.35.0 in current case) do not contain the expected package k8s.io/apiserver/pkg/util/version. The fix involved adding a specific version constraint using the 'replaces' directive to pin k8s.io/apiserver to an earlier compatible version (v0.31.12 in the example). This suggests that newer versions of k8s.io/apiserver have restructured or removed the pkg/util/version package, requiring a downgrade to a stable version that still contains this package.


Explanation

The fix works by explicitly constraining the k8s.io/apiserver module to version v0.31.12, which is known to contain the required k8s.io/apiserver/pkg/util/version package. The current failure occurs because kubevela's dependency resolution is picking up v0.35.0 of k8s.io/apiserver, which has either moved or removed the pkg/util/version package. By adding the version constraint in the 'replaces' section, we force Go's module system to use the older, compatible version instead of the latest one. This approach follows the exact same pattern used in the similar fix, where the same package was constrained to the same version (v0.31.12) to resolve an identical missing package error.


Alternative Approaches

  • Update kubevela's source code to use the new location/structure of the version utilities in k8s.io/apiserver v0.35.0, though this would require identifying where the functionality moved
  • Pin to a different intermediate version of k8s.io/apiserver (like v0.32.x or v0.33.x) that might still contain the package while being newer than v0.31.12
  • Update all Kubernetes-related dependencies to a consistent version set that works together, though this might introduce other compatibility issues

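One way to sanity-check a proposed `replaces` value before committing it, as an added example that is not part of this PR, of kubevela, or of gobump's own code: the Go program below parses the newline-separated `old=new@version` form shown in the suggested change, rejects malformed entries and a module path replaced twice (two pins for one module would leave it ambiguous which version the build ends up with), distinguishes a redirect (docker/docker to moby/moby) from a version pin (k8s.io/apiserver to itself at v0.31.12), and renders the equivalent `go mod edit -replace` arguments. The directive grammar is inferred from the page's example; that gobump applies the field exactly this way is an assumption, and `proposed` is the value from the suggested change.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Replace is one gobump-style directive of the form old=new@version.
// The grammar is inferred from the suggested change in this PR; it is an
// assumption that gobump parses the field exactly this way.
type Replace struct {
	Old     string // module path being replaced
	New     string // module path to use instead (same as Old for a pure version pin)
	Version string // version of New, e.g. v0.31.12 or v26.1.0+incompatible
}

// IsPin reports whether the directive only pins a version of the same module
// rather than redirecting to a different module path.
func (r Replace) IsPin() bool { return r.Old == r.New }

// String renders the directive back in the old=new@version form.
func (r Replace) String() string {
	return fmt.Sprintf("%s=%s@%s", r.Old, r.New, r.Version)
}

// ParseReplaces parses a newline-separated replaces value. Blank lines and
// '#' comments are skipped. It rejects malformed entries and a module path
// that is replaced more than once.
func ParseReplaces(value string) ([]Replace, error) {
	var out []Replace
	seen := map[string]int{} // module path -> line number of its first directive
	for i, raw := range strings.Split(value, "\n") {
		n := i + 1
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		old, rhs, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("line %d: %q is missing '='", n, line)
		}
		newPath, version, ok := strings.Cut(rhs, "@")
		if !ok {
			return nil, fmt.Errorf("line %d: %q is missing '@version'", n, line)
		}
		old, newPath, version = strings.TrimSpace(old), strings.TrimSpace(newPath), strings.TrimSpace(version)
		if old == "" || newPath == "" || version == "" {
			return nil, fmt.Errorf("line %d: %q has an empty module path or version", n, line)
		}
		if !strings.HasPrefix(version, "v") {
			return nil, fmt.Errorf("line %d: version %q must start with 'v'", n, version)
		}
		if first, dup := seen[old]; dup {
			return nil, fmt.Errorf("line %d: %s is already replaced on line %d", n, old, first)
		}
		seen[old] = n
		out = append(out, Replace{Old: old, New: newPath, Version: version})
	}
	return out, nil
}

// GoModEditArgs renders the arguments that would apply the directives with
// `go mod edit -replace old=new@version ...` against a go.mod file.
func GoModEditArgs(rs []Replace) []string {
	args := []string{"mod", "edit"}
	for _, r := range rs {
		args = append(args, "-replace", r.String())
	}
	return args
}

// proposed is the replaces value from the suggested change in this PR.
const proposed = `github.com/docker/docker=github.com/moby/moby@v26.1.0+incompatible
k8s.io/apiserver=k8s.io/apiserver@v0.31.12`

func main() {
	rs, err := ParseReplaces(proposed)
	if err != nil {
		fmt.Fprintln(os.Stderr, "invalid replaces:", err)
		os.Exit(1)
	}
	for _, r := range rs {
		kind := "redirect"
		if r.IsPin() {
			kind = "pin"
		}
		fmt.Printf("%-8s %s\n", kind, r)
	}
	fmt.Println("go", strings.Join(GoModEditArgs(rs), " "))
}
```

The duplicate check is the part worth keeping: when a later bump adds a second `k8s.io/apiserver=...` line (for example one of the alternative intermediate versions), the parser fails fast instead of letting the build pick whichever directive wins.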

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 9, 2026
