Conversation

@octo-sts
Contributor

@octo-sts octo-sts bot commented Jan 9, 2026

kubevela/1.10.6-r0: fix GHSA-f9f8-9pmf-xv68

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/kubevela.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/kubevela/kubevela@v1.10.6

@octo-sts octo-sts bot added automated pr request-cve-remediation go/bump GHSA-f9f8-9pmf-xv68 p:kubevela P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jan 9, 2026
@octo-sts
Contributor Author

octo-sts bot commented Jan 9, 2026

📦 Build Failed: Missing Dependency

go: github.com/oam-dev/kubevela/cmd/core/app/hooks imports github.com/kubevela/pkg/util/singleton imports sigs.k8s.io/apiserver-runtime/pkg/builder imports sigs.k8s.io/apiserver-runtime/internal/sample-apiserver/pkg/cmd/server imports k8s.io/apiserver/pkg/util/version: module k8s.io/apiserver@latest found (v0.35.0), but does not contain package k8s.io/apiserver/pkg/util/version

Build Details

Build System: go/gobump
Failure Point: go mod tidy during gobump dependency update

Root Cause Analysis 🔍

The k8s.io/apiserver module version 0.35.0 does not contain the required package k8s.io/apiserver/pkg/util/version that is being imported by the dependency chain. This is likely due to package restructuring or removal in newer versions of the Kubernetes apiserver module.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: kubevela.yaml

  • modification (pipeline[0].uses: go/bump.with)

Original:

  - uses: go/bump
    with:
      replaces: github.com/docker/docker=github.com/moby/moby@v26.1.0+incompatible
      deps: |-
        github.com/containerd/containerd@v1.7.29
        golang.org/x/crypto@v0.45.0
        helm.sh/helm/v3@v3.18.5

Replacement:

  - uses: go/bump
    with:
      replaces: |-
        github.com/docker/docker=github.com/moby/moby@v26.1.0+incompatible
        k8s.io/apiserver=k8s.io/apiserver@v0.31.12
      deps: |-
        github.com/containerd/containerd@v1.7.29
        golang.org/x/crypto@v0.45.0
        helm.sh/helm/v3@v3.18.5

Content:

Add k8s.io/apiserver version constraint to replaces directive

Analysis

The similar fix shows a pattern where k8s.io/apiserver version compatibility issues are resolved by explicitly downgrading to a specific working version using the 'replaces' directive in the go/bump step. In the previous fix, k8s.io/apiserver was replaced with v0.31.12 when v0.33.4 was causing the missing package error. This suggests that newer versions of k8s.io/apiserver have restructured or removed the pkg/util/version package.


Explanation

This fix addresses the root cause by explicitly constraining k8s.io/apiserver to version v0.31.12, which is known to contain the required pkg/util/version package. The current error occurs because the latest version (v0.35.0) has likely removed or restructured this package. By adding the replacement directive, we force the Go module system to use the compatible version instead of attempting to use the latest. The fix follows the exact same pattern as the previous successful fix, just updating the replaces directive to include both the existing Docker replacement and the new apiserver version constraint.


Alternative Approaches

  • Try a different compatible version of k8s.io/apiserver (such as v0.30.x or v0.32.x) if v0.31.12 proves incompatible with other dependencies
  • Investigate if the kubevela project has updated their dependencies to work with newer k8s.io/apiserver versions and update to a newer kubevela version
  • Add version constraints for other k8s.io packages that might be transitively pulled in to ensure consistency across the entire Kubernetes ecosystem dependencies


@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 9, 2026