helm-set-status/0.3.0-r1: cve remediation #63343
<!--ci-cve-scan:must-fix: GHSA-f9f8-9pmf-xv68-->
📦 Build Failed: Missing Dependency
Build Details
Root Cause Analysis 🔍
The gobump tool is attempting to update the github.com/docker/docker package to version v26.1.5, but this package is not present in the current go.mod file. This suggests either the package was previously removed from dependencies or the version bump configuration is referencing a package that doesn't exist in the project's dependency list.

🔍 Build failure fix suggestions
Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes
File: helm-set-status.yaml
Replacement:
Content:

Analysis
Looking at the similar fixes, there's a clear pattern: when gobump encounters a package that's not found in the go.mod file, the solution is to add that specific package with its version to the deps list in the go/bump step. In all three examples, the missing package was added to the deps section with the exact version that gobump was trying to update to. Fix #0 and #1 both dealt with the same github.com/docker/docker package being missing and added it with version v28.3.3+incompatible. Fix #2 showed a similar pattern with github.com/go-jose/go-jose/v3 being added to resolve the missing package error.

Explanation
The fix should work because the error indicates that gobump cannot find github.com/docker/docker in the go.mod file when trying to update it to v26.1.5. Based on the similar fixes, particularly examples #0 and #1, the solution is to add the +incompatible suffix to the Docker package version in the deps list. The +incompatible suffix is required for Docker packages because they don't follow semantic versioning conventions that Go modules expect. This tells the Go module system to treat this as a legacy package that predates Go modules. The current configuration has github.com/docker/docker@v26.1.5, but it should be github.com/docker/docker@v26.1.5+incompatible to properly handle the package's non-standard versioning scheme.

Alternative Approaches
helm-set-status/0.3.0-r1: fix GHSA-f9f8-9pmf-xv68
Advisory data: https://github.com/wolfi-dev/advisories/blob/main/helm-set-status.advisories.yaml
The following vulnerabilities are being deferred to future PRs (to avoid merge conflicts):
github.com/docker/docker@github.com/docker/docker@v28.0.0