
gitlab-runner-18.6/18.6.2-r0: cve remediation

Open octo-sts[bot] opened this issue 1 month ago • 1 comment

gitlab-runner-18.6/18.6.2-r0: fix CVE-2024-36623

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/gitlab-runner-18.6.advisories.yaml


"Breadcrumbs" for this automated service

  • Source Code: https://go/cve-remedy-automation-source
  • Logs: https://go/cve-remedy-automation-logs
  • Docs: (not provided yet)

octo-sts[bot], Nov 28 '25 10:11

🔢 Build Failed: Dependency Version Mismatch

package github.com/docker/docker: requested version 'v25.0.4', is already at version 'v28.0.0+incompatible'

Build Details

Category Details
Build System Go (melange build system)
Failure Point go/bump step using gobump tool during dependency version management

Root Cause Analysis 🔍

The build is trying to downgrade the github.com/docker/docker package from v28.0.0+incompatible to v25.0.4, which is not allowed. The gobump tool failed because it cannot downgrade a package that is already at a higher version. This indicates a version conflict in the Go module dependencies where the current state has a newer incompatible version but the build configuration requires an older specific version.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

  • https://github.com/wolfi-dev/os/pull/64338
  • https://github.com/wolfi-dev/os/pull/51200

Suggested Changes

File: gitlab-runner-18.6.yaml

  • modification at lines 64-67 (pipeline go/bump step)

Original:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/[email protected]
        github.com/docker/[email protected]

Replacement:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/[email protected]
        github.com/docker/[email protected]

Content:

Update the github.com/docker/docker version from v25.0.4 to v28.0.0 in the deps list of the go/bump step

Analysis

The analysis of the three similar fixed build failures reveals a consistent pattern: all cases involve the github.com/docker/docker package version conflicts where gobump is trying to downgrade from a higher version to a lower version (v28.0.0+incompatible to v25.0.4 in the current case, and similar downgrades in the examples). The primary fix pattern is to explicitly specify the higher version in the go/bump step's deps list. In Fix Example #0, the solution was to add "github.com/docker/[email protected]" to the deps list. The other examples show epoch increments but the core solution is always to specify the correct Docker version that aligns with what's already in the module. The failure occurs because the go.mod file already contains a newer version but the build configuration is requesting an older version, which Go's module system prevents.


Explanation

This fix should work because it addresses the root cause of the version conflict. The error indicates that github.com/docker/docker is already at version v28.0.0+incompatible in the go.mod file, but the build configuration is trying to force it down to v25.0.4. Go's module system prevents downgrades to avoid breaking changes and dependency conflicts. By changing the version specification in the go/bump step from v25.0.4 to v28.0.0, we align the build configuration with the actual version present in the module, eliminating the version conflict. This follows the exact same pattern used in Fix Example #0, where the solution was to add github.com/docker/[email protected] to the deps list when facing the same downgrade issue. The +incompatible suffix indicates this is a pre-Go modules version that doesn't follow semantic import versioning, so specifying v28.0.0 should resolve to the v28.0.0+incompatible version already present.


Alternative Approaches

  • Remove the github.com/docker/[email protected] line entirely from the go/bump deps and let it use whatever version is already resolved in go.mod
  • Check if there's a specific reason GitLab Runner 18.6.2 requires Docker v25.0.4 and if so, investigate if there's a way to force the entire dependency tree to use the older version
  • Update to a newer version of GitLab Runner that is compatible with Docker v28.0.0 if the current version has fundamental incompatibilities


octo-sts[bot], Nov 28 '25 10:11
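The downgrade check behind the gobump error quoted in the comment above, as an added example that is not code from gobump, melange, Wolfi or GitLab Runner: a small Go program that reads the require block of a go.mod (the embedded excerpt is constructed for the demo, not gitlab-runner's real go.mod), compares a requested go/bump version against the version already present, and reports whether the request is a downgrade, a no-op or an upgrade. The function names (parseVersion, compareVersions, requiredVersions, checkBump) are this example's own, not gobump's, and the comparison assumes semver ordering that ignores build metadata, which is what makes v28.0.0 and v28.0.0+incompatible compare equal.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod excerpt for this demo, not the real
// gitlab-runner go.mod; only the docker/docker line mirrors the quoted error.
const sampleGoMod = `require (
	github.com/docker/docker v28.0.0+incompatible
	golang.org/x/net v0.33.0 // indirect
)
`

// parseVersion parses "vMAJOR.MINOR.PATCH[-pre][+meta]" into its three core
// numbers. Build metadata such as "+incompatible" is dropped because semver
// ordering ignores it, which is why v28.0.0 resolves to v28.0.0+incompatible.
// Simplification: prerelease tags are dropped too, so v1.0.0-rc1 == v1.0.0.
func parseVersion(v string) ([3]int, error) {
	var core [3]int
	s := strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return core, fmt.Errorf("malformed version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return core, fmt.Errorf("malformed version %q", v)
		}
		core[i] = n
	}
	return core, nil
}

// compareVersions returns -1, 0 or +1 (the semver.Compare contract).
func compareVersions(a, b string) (int, error) {
	va, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	vb, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := range va {
		switch {
		case va[i] < vb[i]:
			return -1, nil
		case va[i] > vb[i]:
			return 1, nil
		}
	}
	return 0, nil
}

// requiredVersions maps module path -> version from the require blocks of
// go.mod text; trailing "// indirect" markers are ignored.
func requiredVersions(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		f := strings.Fields(line)
		switch {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case inBlock && len(f) >= 2 && !strings.HasPrefix(f[0], "//"):
			out[f[0]] = f[1]
		}
	}
	return out
}

// checkBump classifies a go/bump request against go.mod as "absent",
// "downgrade" (what gobump refuses in the error quoted above), "noop" or "upgrade".
func checkBump(gomod, modulePath, requested string) (string, error) {
	current, ok := requiredVersions(gomod)[modulePath]
	if !ok {
		return "absent", nil
	}
	c, err := compareVersions(requested, current)
	switch {
	case err != nil:
		return "", err
	case c < 0:
		return "downgrade", nil
	case c == 0:
		return "noop", nil
	}
	return "upgrade", nil
}

func main() { fmt.Println(checkBump(sampleGoMod, "github.com/docker/docker", "v25.0.4")) }
```

Running it reports "downgrade" for v25.0.4 against the v28.0.0+incompatible already in the excerpt, "noop" for v28.0.0 and "upgrade" for anything newer. One caveat worth keeping in mind when reading the bot's explanation: in Go, "+incompatible" marks a module at major version 2 or higher whose import path lacks the /vN suffix (or whose repository has no go.mod at that tag), not a pre-modules version as such; the ordering consequence the bot relies on still holds, because build metadata is ignored when versions are compared.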

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-jx5f-4jh9-95pr has the latest event type of "false-positive-determination": https://github.com/wolfi-dev/advisories/blob/main/gitlab-runner-18.6.advisories.yaml

ID:      CGA-jx5f-4jh9-95pr
Package: gitlab-runner-18.6
Aliases: CVE-2024-36623 GHSA-gh5c-3h97-2f3q
Events:
  - "scan/v1" at 2025-11-27 11:27:15 UTC
  - "false-positive-determination" at 2025-11-30 20:29:08 UTC

octo-sts[bot], Dec 01 '25 10:12