
zarf/0.66.0-r1: cve remediation

Open octo-sts[bot] opened this issue 1 month ago • 1 comment

zarf/0.66.0-r1: fix GHSA-6gxw-85q2-q646

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/zarf.advisories.yaml


"Breadcrumbs" for this automated service

  • Source Code: https://go/cve-remedy-automation-source
  • Logs: https://go/cve-remedy-automation-logs
  • Docs: (not provided yet)

octo-sts[bot] avatar Nov 27 '25 11:11 octo-sts[bot]

🛑 Build Failed: Compilation

multiple-value vex.NewProcessor(vex.ProcessorOptions{…}) (value of type (*"github.com/anchore/grype/grype/vex".Processor, error)) in single-value context

Build Details

Build System: Go
Failure Point: go build command during compilation of the github.com/derailed/k9s/internal/vul package

Root Cause Analysis 🔍

The code is trying to assign multiple return values from vex.NewProcessor() to a single variable. This is a Go compilation error where the function returns both a processor object and an error, but the code is not properly handling both return values. This suggests a dependency version mismatch where the k9s library expects a different API signature from the grype/vex package than what's currently available.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: Melange YAML

  • dependency_version_update at the deps section under go/bump (pipeline go/bump section)

    Original:

    github.com/anchore/grype@v0.104.1

    Replacement:

    github.com/anchore/grype@v0.82.1

    Content:

    Downgrade grype to a version compatible with k9s dependency expectations

Analysis

No similar fixed build failures were provided, so pattern analysis is limited. However, the error indicates a Go compilation issue where vex.NewProcessor() returns multiple values (processor, error) but the code is trying to assign them to a single variable. This is typically caused by dependency version mismatches where the API signature has changed between versions of the grype/vex package.


Explanation

The compilation error occurs because the k9s code (which is an indirect dependency through the zarf build) expects vex.NewProcessor() to return a single value, but the newer version of grype (v0.104.1) changed the API to return both a processor and an error. By downgrading grype to v0.82.1, we align with the API expectations of the k9s dependency. This version is known to have the older single-return-value API that matches what the consuming code expects. The fix addresses the root cause by ensuring API compatibility between the grype version and the code that uses it.


Alternative Approaches

  • Update the zarf codebase to handle the new grype API signature with proper error handling
  • Pin to a specific commit of grype that maintains API compatibility
  • Use a replace directive in go.mod to override the grype version used by dependencies
  • Update k9s dependency to a newer version that supports the new grype API


octo-sts[bot] avatar Nov 27 '25 11:11 octo-sts[bot]

advisory pr here: https://github.com/wolfi-dev/advisories/pull/26419

jamie-albert avatar Dec 02 '25 04:12 jamie-albert

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-h9hf-9x4r-5fhc has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/zarf.advisories.yaml

ID:      CGA-h9hf-9x4r-5fhc
Package: zarf
Aliases: CVE-2025-65965 GHSA-6gxw-85q2-q646
Events:
  - "scan/v1" at 2025-11-27 11:40:55 UTC
  - "pending-upstream-fix" at 2025-12-02 04:33:30 UTC

octo-sts[bot] avatar Dec 02 '25 16:12 octo-sts[bot]