grafana-12.2/12.2.2-r0: cve remediation
grafana-12.2/12.2.2-r0: fix GHSA-2c64-vmv2-hgfc
Advisory data: https://github.com/wolfi-dev/advisories/blob/main/grafana-12.2.advisories.yaml
"Breadcrumbs" for this automated service
- Source Code: https://go/cve-remedy-automation-source
- Logs: https://go/cve-remedy-automation-logs
- Docs: (not provided yet)
🛑 Build Failed: Compilation

```text
cannot use options (variable of map type sets.Set[string]) as []string value in argument to scheme.Validate
```
Build Details
| Category | Details |
|---|---|
| Build System | Go |
| Failure Point | go build command for grafana binary |
Root Cause Analysis 🔍
Type mismatch in the k8s.io/apiserver dependency: attempting to use sets.Set[string] where []string is expected, indicating incompatible versions between k8s.io/[email protected] and other Kubernetes dependencies.
🔍 Build failure fix suggestions
Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:
Suggested Changes
File: grafana-12.2.yaml
- addition (after the existing go/bump step for golang.org/x/crypto and openfga)

Original:

```yaml
- uses: go/bump
  with:
    deps: |-
      golang.org/x/[email protected]
      github.com/openfga/[email protected]
```

Replacement:

```yaml
- uses: go/bump
  with:
    deps: |-
      golang.org/x/[email protected]
      github.com/openfga/[email protected]
- uses: go/bump
  with:
    deps: |-
      k8s.io/[email protected]
      k8s.io/[email protected]
      k8s.io/[email protected]
```

Content: Add a go/bump step to align Kubernetes dependencies
Analysis
No similar build failures were provided for analysis. However, the error indicates a type mismatch in k8s.io/apiserver dependency where sets.Set[string] is being used where []string is expected. This suggests incompatible versions between k8s.io/[email protected] and other Kubernetes dependencies. The issue is likely that different Kubernetes packages are using different API versions - some using the newer generic sets.Set[string] type and others expecting the older []string slice type.
Explanation
The build failure is caused by a type mismatch between different versions of Kubernetes dependencies. The error shows that k8s.io/[email protected] is using the newer sets.Set[string] type, but other parts of the code expect the older []string slice type. This typically happens when Kubernetes packages are at different versions - newer versions (v0.33.x) use generics with sets.Set[string] while older versions use []string. By downgrading all Kubernetes dependencies to a consistent v0.31.3 version (which is still recent but uses the older API), we ensure all packages use the same type system. The v0.31.3 version is chosen because it's recent enough to have security fixes but old enough to use the []string API that the codebase expects.
Alternative Approaches
- Upgrade all Kubernetes dependencies to v0.33.x and modify the Grafana source code to use sets.Set[string] instead of []string where the type mismatch occurs
- Add a replace directive in go.mod to force a specific compatible version of k8s.io/apiserver
- Use go/bump to downgrade only k8s.io/apiserver to v0.31.3 while keeping other dependencies at their current versions
This vulnerability remediation is stale and no longer needed. 👋
Advisory CGA-m6f6-pfhq-9x3w has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/grafana-12.2.advisories.yaml
ID: CGA-m6f6-pfhq-9x3w
Package: grafana-12.2
Aliases: CVE-2025-64751 GHSA-2c64-vmv2-hgfc
Events:
- "scan/v1" at 2025-11-22 21:31:23 UTC
- "pending-upstream-fix" at 2025-11-29 02:06:00 UTC