gitlab-runner-18.6/18.6.0-r0: cve remediation
gitlab-runner-18.6/18.6.0-r0: fix CVE-2024-36623
Advisory data: https://github.com/wolfi-dev/advisories/blob/main/gitlab-runner-18.6.advisories.yaml
"Breadcrumbs" for this automated service
- Source Code: https://go/cve-remedy-automation-source
- Logs: https://go/cve-remedy-automation-logs
- Docs: (not provided yet)
🔢 Build Failed: Dependency Version Mismatch
package github.com/docker/docker: requested version 'v25.0.4', is already at version 'v28.0.0+incompatible'
Build Details
| Category | Details |
|---|---|
| Build System | melange/go |
| Failure Point | go/bump step - gobump command execution |
Root Cause Analysis 🔍
Version conflict in Go module dependencies. The gobump tool is trying to downgrade github.com/docker/docker from v28.0.0+incompatible to v25.0.4, but Go module system prevents downgrades to incompatible versions. This indicates a mismatch between the package's dependency requirements and the current module state.
🔍 Build failure fix suggestions
Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:
Similar PRs with fixes
- https://github.com/wolfi-dev/os/pull/64338
Suggested Changes
File: gitlab-runner-18.6.yaml
- modification at line 70-73 (go/bump section in main pipeline)

Original:

```yaml
  - uses: go/bump
    with:
      deps: |-
        golang.org/x/[email protected]
        github.com/docker/docker@v25.0.4
```

Replacement:

```yaml
  - uses: go/bump
    with:
      deps: |-
        golang.org/x/[email protected]
        github.com/docker/docker@v28.0.0
```
Content:
Update the docker/docker dependency version from v25.0.4 to v28.0.0 to match the version already resolved in the module's dependency tree
Analysis
Looking at the three similar fixes, there's a clear pattern: all failures occurred when the gobump tool tried to downgrade github.com/docker/docker from a higher version (v28.0.0+incompatible, v25.0.8+incompatible, or v25.0.6+incompatible) to a lower version (v25.0.4). The consistent fix across all examples was to explicitly specify the higher docker/docker version in the go/bump deps section, specifically github.com/docker/docker@v28.0.0. This prevents the downgrade conflict by ensuring the module uses the compatible higher version that's already resolved in the dependency tree.
Explanation
The root cause of this build failure is identical to the patterns seen in the similar fixes: the go.mod file already has github.com/docker/docker at v28.0.0+incompatible, but the gobump command is trying to force it to downgrade to v25.0.4. Go's module system prevents downgrades to incompatible versions, causing the build to fail. By updating the dependency specification in the go/bump section from github.com/docker/docker@v25.0.4 to github.com/docker/docker@v28.0.0, we align with the version that's already resolved in the dependency graph. This change tells gobump to use the compatible v28.0.0 version instead of attempting the problematic downgrade, resolving the version conflict and allowing the build to proceed successfully.
Alternative Approaches
- Remove the explicit docker/docker version specification entirely and let Go's dependency resolution handle it automatically
- Use 'go mod tidy' before the go/bump step to clean up any version conflicts
- Pin to a specific intermediate version like v27.x.x if v28.0.0 introduces compatibility issues
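The failure above is the kind of thing a packager can catch before the pipeline runs: compare each `module@version` line in the `go/bump` deps list against what `go.mod` already requires and flag any request that would move a module backwards. The script below is an added example written for this thread; it is not gobump's or melange's code. The `go.mod` excerpt and the deps list are constructed sample inputs (the docker line mirrors the failing request on this page; the `golang.org/x/crypto` versions are placeholders), and the `+incompatible` handling follows Go's rule that the suffix marks a pre-modules major version but does not change ordering.

```python
"""Pre-check a melange go/bump deps list against go.mod for downgrades.

Added example for the gobump "requested version ... is already at version"
failure; not part of gobump, melange or the gitlab-runner package.
"""
import re
from typing import Dict, List, Tuple

# Constructed go.mod excerpt (sample input, not gitlab-runner's real go.mod).
SAMPLE_GO_MOD = """\
module example.com/runner

go 1.22

require (
    github.com/docker/docker v28.0.0+incompatible // indirect
    golang.org/x/crypto v0.31.0
)
"""

# Constructed go/bump deps list in the module@version shape the step accepts.
# The docker line is the request that failed on this page; the crypto
# version is a placeholder.
SAMPLE_DEPS = """\
golang.org/x/crypto@v0.32.0
github.com/docker/docker@v25.0.4
"""

_VER_RE = re.compile(
    r"^v(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+incompatible)?$"
)


def parse_version(v: str) -> tuple:
    """Return a sortable tuple for a Go module version such as v28.0.0+incompatible.

    A pre-release (v1.0.0-rc1) sorts below its release (v1.0.0), as in semver;
    the +incompatible suffix is accepted but ignored for ordering.
    """
    m = _VER_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version syntax: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre is None, pre or "")


def required_versions(go_mod_text: str) -> Dict[str, str]:
    """Map module path -> version from single-line and block `require` entries."""
    req: Dict[str, str] = {}
    in_block = False
    for raw in go_mod_text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop `// indirect` style comments
        if not line:
            continue
        if in_block:
            if line == ")":
                in_block = False
                continue
            parts = line.split()
            if len(parts) >= 2:
                req[parts[0]] = parts[1]
        elif line.startswith("require") and line.endswith("("):
            in_block = True
        elif line.startswith("require "):
            parts = line.split()
            if len(parts) >= 3:
                req[parts[1]] = parts[2]
    return req


def check_bumps(go_mod_text: str, deps_text: str) -> List[Tuple[str, str, str, str]]:
    """Classify each deps line as 'bump', 'same', 'downgrade' or 'new'.

    Returns (module, version in go.mod or '', requested version, status).
    """
    current = required_versions(go_mod_text)
    results = []
    for raw in deps_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        module, _, requested = line.rpartition("@")
        have = current.get(module)
        if have is None:
            status = "new"
        else:
            want_v, have_v = parse_version(requested), parse_version(have)
            status = "downgrade" if want_v < have_v else "bump" if want_v > have_v else "same"
        results.append((module, have or "", requested, status))
    return results


def downgrades(go_mod_text: str, deps_text: str) -> List[Tuple[str, str, str, str]]:
    """Only the entries gobump would reject as a downgrade."""
    return [r for r in check_bumps(go_mod_text, deps_text) if r[3] == "downgrade"]


if __name__ == "__main__":
    for module, have, want, status in check_bumps(SAMPLE_GO_MOD, SAMPLE_DEPS):
        print(f"{status:9} {module}: go.mod has {have or '(absent)'}, deps requests {want}")
```

Run it against the package's real `go.mod` and the deps block from the melange YAML; any `downgrade` line is one that needs raising to the already-resolved version (here v25.0.4 to v28.0.0) or dropping from the list, which is the same decision the suggested change above makes.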
This vulnerability remediation is stale and no longer needed. 👋
Advisory CGA-jx5f-4jh9-95pr has the latest event type of "false-positive-determination": https://github.com/wolfi-dev/advisories/blob/main/gitlab-runner-18.6.advisories.yaml
ID: CGA-jx5f-4jh9-95pr
Package: gitlab-runner-18.6
Aliases: CVE-2024-36623 GHSA-gh5c-3h97-2f3q
Events:
- "scan/v1" at 2025-11-27 11:27:15 UTC
- "false-positive-determination" at 2025-11-30 20:29:08 UTC