
Conversation

@octo-sts octo-sts bot commented Jan 9, 2026

kubevela/1.10.6-r0: fix GHSA-9h84-qmv7-982p

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/kubevela.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/kubevela/kubevela@v1.10.6

@octo-sts octo-sts bot added automated pr request-cve-remediation go/bump p:kubevela GHSA-9h84-qmv7-982p P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jan 9, 2026
octo-sts bot commented Jan 9, 2026

📦 Build Failed: Missing Dependency

go: github.com/oam-dev/kubevela/cmd/core/app/hooks imports github.com/kubevela/pkg/util/singleton imports sigs.k8s.io/apiserver-runtime/pkg/builder imports sigs.k8s.io/apiserver-runtime/internal/sample-apiserver/pkg/cmd/server imports k8s.io/apiserver/pkg/util/version: module k8s.io/apiserver@latest found (v0.35.0), but does not contain package k8s.io/apiserver/pkg/util/version

Build Details

Category        Details
Build System    Go Modules
Failure Point   go mod tidy command during gobump dependency update process

Root Cause Analysis 🔍

The k8s.io/apiserver module version v0.35.0 does not contain the required package k8s.io/apiserver/pkg/util/version that is being imported by the dependency chain. This is a missing package within an existing module, causing the Go module resolution to fail during the dependency update process.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: kubevela.yaml

  • add around line 22 (pipeline -> uses: go/bump -> with -> replaces section)
    Original:
      replaces: github.com/docker/docker=github.com/moby/moby@v26.1.0+incompatible
    Replacement:
      replaces: |-
        github.com/docker/docker=github.com/moby/moby@v26.1.0+incompatible
        k8s.io/apiserver=k8s.io/apiserver@v0.31.12

Content:

Add k8s.io/apiserver version replacement to pin to a working version

Analysis

The similar fix shows a pattern of addressing k8s.io/apiserver package version conflicts by using the "replaces" directive in the go/bump step. In the fixed example, when k8s.io/apiserver@latest (v0.33.4) was missing the required package k8s.io/apiserver/pkg/util/version, the solution was to replace it with a specific working version (v0.31.12) that contained the needed package. This approach pins the problematic dependency to a known working version rather than relying on the latest version which is missing required packages.

Explanation

This fix addresses the root cause by replacing the problematic k8s.io/apiserver@v0.35.0 with v0.31.12, which is known to contain the required k8s.io/apiserver/pkg/util/version package. The similar fix demonstrated this exact approach worked for the same missing package issue in v0.33.4. By adding this replacement to the existing replaces section in the go/bump step, we override Go's module resolution to use a specific version that has the needed package structure. The v0.31.12 version was chosen based on the successful fix pattern, as it represents a stable version that maintains the required package structure before the breaking changes in later versions.

Alternative Approaches

  • Update the entire dependency chain to use newer compatible versions that don't rely on the removed package
  • Pin to an even earlier version of k8s.io/apiserver (like v0.30.x) if v0.31.12 still has issues
  • Add specific version constraints for the importing packages (sigs.k8s.io/apiserver-runtime) to versions compatible with newer k8s.io/apiserver versions

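The diagnostic the bot quotes has a fixed shape that the Go toolchain emits whenever module resolution picks a version that no longer ships an imported package: an "A imports B imports ... imports P" chain, then "module M@latest found (V), but does not contain package P". The following Go program is an added example, not code from the bot, wolfi-dev or kubevela: it parses that line, reports which package pulled in the missing one, renders the `module=module@version` entry that the go/bump `replaces` option and `go mod edit -replace` both accept, and merges it into an existing `replaces` list without leaving two pins for the same module. The function names, the semantic-version check and the refusal to pin the already-broken version are my own assumptions; the sample input is the diagnostic from the comment above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleError is the go-toolchain diagnostic quoted in the bot comment, used
// here as the sample input.
const SampleError = "go: github.com/oam-dev/kubevela/cmd/core/app/hooks imports github.com/kubevela/pkg/util/singleton imports sigs.k8s.io/apiserver-runtime/pkg/builder imports sigs.k8s.io/apiserver-runtime/internal/sample-apiserver/pkg/cmd/server imports k8s.io/apiserver/pkg/util/version: module k8s.io/apiserver@latest found (v0.35.0), but does not contain package k8s.io/apiserver/pkg/util/version"

// MissingPackage is one "module M@latest found (V), but does not contain
// package P" failure together with the import chain that led to P.
type MissingPackage struct {
	ImportChain []string // from the main module's package down to P
	Module      string   // module the toolchain resolved (M)
	Resolved    string   // version it picked for M (V)
	Package     string   // package path absent from M@V (P)
}

var (
	missingRe = regexp.MustCompile(`^module (\S+)@latest found \((\S+)\), but does not contain package (\S+)$`)
	// Assumed pin format: a v-prefixed semantic version with optional pre-release/build suffix.
	semverRe = regexp.MustCompile(`^v\d+\.\d+\.\d+([-+][0-9A-Za-z.+-]*)?$`)
)

// ParseMissingPackage parses a single diagnostic line of the form
// "go: A imports B imports P: module M@latest found (V), but does not contain package P".
func ParseMissingPackage(line string) (*MissingPackage, error) {
	line = strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(line), "go:"))
	sep := strings.LastIndex(line, ": module ")
	if sep < 0 {
		return nil, fmt.Errorf("not a missing-package diagnostic: %q", line)
	}
	chain := strings.Split(line[:sep], " imports ")
	m := missingRe.FindStringSubmatch(line[sep+2:])
	if m == nil {
		return nil, fmt.Errorf("unrecognised module diagnostic: %q", line[sep+2:])
	}
	if chain[len(chain)-1] != m[3] {
		return nil, fmt.Errorf("import chain ends in %q but diagnostic names %q", chain[len(chain)-1], m[3])
	}
	return &MissingPackage{ImportChain: chain, Module: m[1], Resolved: m[2], Package: m[3]}, nil
}

// Importer is the package that directly imports the missing one; pinning its
// module is the alternative to pinning M itself.
func (m *MissingPackage) Importer() string {
	if len(m.ImportChain) < 2 {
		return ""
	}
	return m.ImportChain[len(m.ImportChain)-2]
}

// ReplaceDirective renders the "module=module@version" entry accepted by the
// go/bump replaces option; it is the same syntax `go mod edit -replace` takes.
func (m *MissingPackage) ReplaceDirective(pin string) (string, error) {
	if !semverRe.MatchString(pin) {
		return "", fmt.Errorf("pin %q is not a semantic version", pin)
	}
	if pin == m.Resolved {
		return "", fmt.Errorf("pin %s is the version that already lacks %s", pin, m.Package)
	}
	return fmt.Sprintf("%s=%s@%s", m.Module, m.Module, pin), nil
}

// MergeReplaces appends directive to an existing replaces value (one entry per
// line, as in the YAML block scalar), dropping any earlier entry for the same
// module so the list never carries two pins for one path.
func MergeReplaces(existing, directive string) string {
	mod := strings.SplitN(directive, "=", 2)[0]
	var out []string
	for _, l := range strings.Split(existing, "\n") {
		l = strings.TrimSpace(l)
		if l == "" || strings.SplitN(l, "=", 2)[0] == mod {
			continue
		}
		out = append(out, l)
	}
	return strings.Join(append(out, directive), "\n")
}

func main() {
	mp, err := ParseMissingPackage(SampleError)
	if err != nil {
		panic(err)
	}
	dir, err := mp.ReplaceDirective("v0.31.12")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s@%s lacks %s (imported by %s)\n", mp.Module, mp.Resolved, mp.Package, mp.Importer())
	fmt.Println("go mod edit -replace " + dir)
	fmt.Println(MergeReplaces("github.com/docker/docker=github.com/moby/moby@v26.1.0+incompatible", dir))
}
```

A `replace` directive overrides minimal version selection outright, so the pinned k8s.io/apiserver will stay at v0.31.12 on every later gobump until someone removes the line; in a CVE-remediation PR the pinned version is therefore worth checking against the advisory feed as well, since it is older than what the rest of the k8s.io/* set resolves to.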

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 9, 2026
