helm-push/0.10.4-r29: cve remediation

[octo-sts]

helm-push/0.10.4-r29: fix GHSA-557j-xg8c-q2mm

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/helm-push.advisories.yaml

---

"Breadcrumbs" for this automated service

• Source Code: https://go/cve-remedy-automation-source
• Logs: https://go/cve-remedy-automation-logs
• Docs: (not provided yet)

[octo-sts]

📦 Build Failed: Missing Dependency

failed to run update. Error: package github.com/docker/distribution was not found on the go.mod file. Please remove the package or add it to the list of 'replaces'

Build Details

Category	Details
Build System	go
Failure Point	gobump command execution during go/bump step

Root Cause Analysis 🔍

The build is trying to update github.com/docker/distribution package, but this package is not listed in the go.mod file. The gobump tool requires packages to either exist in go.mod or be explicitly listed in the replaces section.

---

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

• gitlab-runner-17.8/17.8.3-r3: cve remediation #44039
• kyverno-notation-aws/1.1-r10: cve remediation #48098
• helm-push/0.10.4-r25: cve remediation #50161

Suggested Changes

File: helm-push.yaml

• modify at line 42-51 (go/bump section)
  Original:

  - uses: go/bump
    with:
      deps: |-
        github.com/docker/distribution@v2.8.3
        google.golang.org/protobuf@v1.33.0
        github.com/distribution/reference@v0.6.0
        github.com/docker/docker-credential-helpers@v0.8.1
        oras.land/oras-go@v1.2.5
        github.com/docker/docker@v26.1.5
        golang.org/x/crypto@v0.35.0
        golang.org/x/oauth2@v0.27.0
        github.com/containerd/containerd@v1.7.27
        golang.org/x/net@v0.38.0
        helm.sh/helm/v3@v3.18.4

Replacement:

  - uses: go/bump
    with:
      deps: |-
        google.golang.org/protobuf@v1.33.0
        github.com/distribution/reference@v0.6.0
        github.com/docker/docker-credential-helpers@v0.8.1
        oras.land/oras-go@v1.2.5
        github.com/docker/docker@v26.1.5
        golang.org/x/crypto@v0.35.0
        golang.org/x/oauth2@v0.27.0
        github.com/containerd/containerd@v1.7.27
        golang.org/x/net@v0.38.0
        helm.sh/helm/v3@v3.18.4
      replaces: github.com/docker/distribution=github.com/docker/distribution@v2.8.3

Click to expand fix analysis

Analysis

The pattern in the similar fixed build failures shows that when the go/bump step fails with the error "package X was not found on the go.mod file", there are two main approaches to fix it:

1. Remove the problematic package from the deps list if it's not actually needed
2. Add the package to the 'replaces' parameter if it needs to be updated but isn't in go.mod

In all three examples, the maintainers either removed the package causing the error from the deps list (Example #1 and #2) or explicitly added it to the replaces parameter (Example #0). The current failure is specifically related to the github.com/docker/distribution package, which is being updated in the deps list but isn't found in the go.mod file.

Click to expand fix explanation

Explanation

The error message clearly indicates that github.com/docker/distribution is not found in the go.mod file, but is being referenced in the deps list for the go/bump step. Based on the similar fixed build failures, the most appropriate solution is to move this package from the deps list to the replaces parameter.

By adding github.com/docker/distribution=github.com/docker/distribution@v2.8.3 to the replaces parameter, we're explicitly telling the gobump tool to handle this package as a replacement, which is the proper way to deal with dependencies that aren't directly listed in the go.mod file but need security updates.

This approach is consistent with Fix Example #2 where they moved helm.sh/helm/v3 to the replaces section. The fix will allow the gobump tool to successfully update the package without requiring it to be in the go.mod file directly.

Click to expand alternative approaches

Alternative Approaches

• Remove github.com/docker/distribution from the deps list entirely if it's not actually required for security updates. This was done in Fix Example Add binutils-2.39 configuration #1 where they removed google.golang.org/grpc from the deps list.
• Keep the package in the deps list, but also add it to a new 'replaces' list, allowing it to be specified in both places. This is slightly redundant but would work.
• Examine the go.mod file in the source code to see if there's an indirect dependency on github.com/docker/distribution and potentially add it as a direct dependency in the project if appropriate.

---

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.