
kyverno-notation-aws/1.1-r27: cve remediation #78107

Open
octo-sts[bot] wants to merge 1 commit into main from
cve-kyverno-notation-aws-1.1-r27-8eeb2b41193160bbd772cb8a120a4a8f

Conversation


@octo-sts octo-sts Bot commented Jan 14, 2026

kyverno-notation-aws/1.1-r27: fix GHSA-whqx-f9j3-ch6m

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/kyverno-notation-aws.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/nirmata/kyverno-notation-aws@v1.1

@octo-sts octo-sts Bot added automated pr request-cve-remediation go/bump p:kyverno-notation-aws GHSA-whqx-f9j3-ch6m P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jan 14, 2026

octo-sts Bot commented Jan 14, 2026

📦 Build Failed: Missing Dependency

Error: failed to run update. Error: package github.com/go-jose/go-jose/v3 was not found on the go.mod file. Please remove the package or add it to the list of 'replaces'

Build Details

Build System: Go/Gobump
Failure Point: go/bump step during dependency update process

Root Cause Analysis 🔍

The gobump tool is attempting to update the package github.com/go-jose/go-jose/v3@v3.0.4 but this package is not present in the go.mod file. This indicates a mismatch between the packages specified in the build configuration and the actual dependencies declared in the project's go.mod file. The package may have been removed from dependencies or the version specification is incorrect.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: kyverno-notation-aws.yaml

  • removal at line 18 (pipeline[1].uses.with.deps)
    Original:
github.com/go-jose/go-jose/v3@v3.0.4

Content:

Remove the github.com/go-jose/go-jose/v3@v3.0.4 dependency from the deps list

Analysis

Based on the three similar fixes, there's a clear pattern: when the go/bump tool fails with "package was not found on the go.mod file", the solution is to remove the problematic dependency from the deps list in the go/bump step. In all three cases, the fix involved removing packages that were not actually present in the project's go.mod file. Fix #0 shows the issue being resolved by adding the missing package to a separate go/bump step, Fix #1 shows removal of github.com/golang/glog and github.com/kyverno/kyverno (then re-adding kyverno with a different version), and Fix #2 shows removal of google.golang.org/grpc and helm.sh/helm/v3 from the deps list (with helm being moved to a different location).


Explanation

The error message clearly indicates that github.com/go-jose/go-jose/v3 is not found in the go.mod file of the kyverno-notation-aws project. Based on the pattern from similar fixes, the most straightforward solution is to remove this dependency from the go/bump deps list since it's not actually used by the project. The go/bump tool can only update dependencies that are already declared in the project's go.mod file. If this package was previously a dependency but has been removed upstream, or if it was mistakenly included in the deps list, removing it will resolve the build failure. The other dependencies in the list appear to be legitimate and should remain.


Alternative Approaches

  • If github.com/go-jose/go-jose/v3 is actually needed by the project, it could be added to the replaces section instead of the deps section, similar to how other packages are handled in the existing replaces configuration
  • Check if the project has migrated from v3 to v4 of go-jose (since v4 is also listed in deps) and confirm v3 is no longer needed
  • Verify the actual go.mod file in the upstream repository to confirm which jose packages are actually declared as dependencies

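The bot's explanation above hinges on one rule: go/bump can only bump modules that the project's go.mod already declares, so a deps entry for an undeclared module fails the build. The following is an added example, not code from this PR, from Wolfi, or from the gobump tool, that checks a go/bump deps list against a go.mod before the build runs. The go.mod contents and the deps string are constructed samples; the deps format (space-separated module@version entries) is assumed to match the shape of the melange go/bump `deps` field.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample go.mod (not the real kyverno-notation-aws go.mod).
# It declares go-jose v4 but not v3, mirroring the failure in this PR.
SAMPLE_GO_MOD = """module github.com/example/kyverno-notation-aws

go 1.22

require github.com/go-jose/go-jose/v4 v4.0.1

require (
	github.com/aws/aws-sdk-go-v2 v1.30.0
	golang.org/x/crypto v0.25.0 // indirect
)

replace github.com/some/dep => github.com/fork/dep v1.0.0
"""

# Constructed go/bump deps list (assumed format: space-separated module@version).
SAMPLE_DEPS = (
    "github.com/go-jose/go-jose/v3@v3.0.4 "
    "github.com/go-jose/go-jose/v4@v4.0.5 "
    "golang.org/x/crypto@v0.31.0"
)

# A require entry is "<module path> <version>"; the path never starts with '/'.
REQUIRE_LINE = re.compile(r"^([^\s/]\S*)\s+(v\S+)")


def parse_go_mod_requires(text: str) -> Dict[str, str]:
    """Return {module path: version} for every require directive,
    whether written on one line or inside a 'require ( ... )' block."""
    requires: Dict[str, str] = {}
    in_block = False
    for raw in text.splitlines():
        # Drop trailing comments such as '// indirect' before matching.
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        if in_block:
            if line == ")":
                in_block = False
                continue
            m = REQUIRE_LINE.match(line)
            if m:
                requires[m.group(1)] = m.group(2)
            continue
        if line == "require (":
            in_block = True
        elif line.startswith("require "):
            m = REQUIRE_LINE.match(line[len("require "):].strip())
            if m:
                requires[m.group(1)] = m.group(2)
    return requires


def parse_deps(deps: str) -> List[Tuple[str, str]]:
    """Split a go/bump deps string into (module path, target version) pairs."""
    out: List[Tuple[str, str]] = []
    for entry in deps.split():
        if "@" not in entry:
            raise ValueError(f"deps entry without @version: {entry}")
        path, version = entry.rsplit("@", 1)
        out.append((path, version))
    return out


def check_bump_deps(go_mod_text: str, deps: str) -> List[str]:
    """Return the deps modules that go.mod does not declare.
    Each one would make gobump fail with 'was not found on the go.mod file',
    so the caller should drop it from deps or handle it via 'replaces'."""
    declared = parse_go_mod_requires(go_mod_text)
    return [path for path, _ in parse_deps(deps) if path not in declared]


if __name__ == "__main__":
    missing = check_bump_deps(SAMPLE_GO_MOD, SAMPLE_DEPS)
    for path in missing:
        print(f"deps entry not declared in go.mod: {path}")
    if not missing:
        print("all go/bump deps are declared in go.mod")
```

Running it on the constructed inputs reports only `github.com/go-jose/go-jose/v3`, the module the bot proposes removing from the deps list; the v4 module and `golang.org/x/crypto` pass because go.mod declares them, regardless of the version they are being bumped to.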

@octo-sts octo-sts Bot added the ai/skip-comment Stop AI from commenting on PR label Jan 14, 2026