trust-manager/0.14.0-r0: cve remediation #36842

Open. Wants to merge 2 commits into base: main

Conversation

octo-sts[bot] (Contributor) commented Dec 13, 2024

@octo-sts octo-sts bot added labels Dec 13, 2024: P1 (this label indicates our scanning found High, Medium or Low CVEs for these packages), automated pr, GHSA-v778-237x-gjrc, go/bump, request-cve-remediation, trust-manager/0.14.0-r0
octo-sts[bot] (Contributor, Author) commented Dec 13, 2024

Gen AI suggestions to solve the build error:

• Detected Error: None visible in the provided log - the build appears to stop without an explicit error message

• Error Category: Configuration/Build

• Failure Point: The log shows successful dependency installation but appears to terminate before completing the build process

• Root Cause Analysis: Based on the melange.yaml and the build log, there might be an issue with the go build command not having the necessary version information ldflags, which was mentioned in the comment "We can't use go/install because this requires specific ldflags to set the version"

• Suggested Fix:
Modify the build step to include version information via ldflags:

  - runs: |
      cd trust-manager
      mkdir ./bin
      VERSION=${{package.version}}
      go build -ldflags "-X main.Version=${VERSION}" -o ./bin/trust-manager ./cmd/trust-manager
      mkdir -p ${{targets.destdir}}/usr/bin
      install -Dm755 ./bin/trust-manager ${{targets.destdir}}/usr/bin/trust-manager

• Explanation:

  • The original comment indicates version information needs to be passed via ldflags
  • The trust-manager project likely expects version information at build time
  • Adding the -ldflags parameter with version information should properly embed the version into the binary
  • This is a common requirement for Go projects to embed version information at build time

• Additional Notes:

  • Consider checking the upstream Makefile for the exact ldflags used in official builds
  • The project might have additional build-time variables that need to be set
  • You might want to verify the version format matches upstream expectations

• References:
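The suggested fix above depends on `go build -ldflags "-X main.Version=..."` overwriting a package-level string variable at link time. As an added example (not code from the trust-manager project or from this PR), the following Go program shows the variable shape that `-X` can target, a fallback to the toolchain's recorded module version when the flag was not applied, and a format check a packaging pipeline can use to fail fast when the version was never embedded. The `Version` variable name, the `v0.14.0` tag style and the `ValidVersion`/`ResolveVersion` helpers are assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"runtime/debug"
)

// Version is the package-level string that `go build -ldflags "-X main.Version=..."`
// overwrites at link time. -X only works on package-level string variables that are
// uninitialized or initialized with a constant, so this must stay a plain `var`, not a const.
// The name "Version" is an assumption; the real project may use a different variable.
var Version = "dev"

// semverRe accepts the v-prefixed tag style used by most Go projects (assumption:
// upstream tags releases like v0.14.0; a distro suffix such as 0.14.0-r0 also matches
// because it parses as a pre-release identifier).
var semverRe = regexp.MustCompile(`^v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$`)

// ValidVersion reports whether v looks like a release version rather than the
// unset placeholder, so a build step can detect that ldflags were not applied.
func ValidVersion(v string) bool {
	return v != "" && v != "dev" && semverRe.MatchString(v)
}

// ResolveVersion prefers the linker-injected value. When that is still the
// placeholder, it falls back to the main module version recorded by the Go toolchain
// (populated when the binary is built from a module fetched by version; "(devel)" for
// local source-tree builds, which carries no useful information and is ignored).
func ResolveVersion(ldflagsValue string, info *debug.BuildInfo, ok bool) string {
	if ValidVersion(ldflagsValue) {
		return ldflagsValue
	}
	if ok && info != nil && info.Main.Version != "" && info.Main.Version != "(devel)" {
		return info.Main.Version
	}
	return "unknown"
}

func main() {
	info, ok := debug.ReadBuildInfo()
	v := ResolveVersion(Version, info, ok)
	fmt.Printf("resolved version: %s (ldflags applied: %t)\n", v, ValidVersion(Version))
}
```

Built with `go build -ldflags "-X main.Version=v0.14.0" .` the binary reports `v0.14.0` with `ldflags applied: true`; built without the flag it falls back to the module version from build info or `unknown`, which is the condition a packaging step can check for before shipping.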

@hbh7 hbh7 self-assigned this Dec 13, 2024
@octo-sts octo-sts bot added the bincapz/pass label (Bincapz, aka malcontent, scan didn't detect any CRITICALs on the scanned packages) Dec 13, 2024
@hbh7 hbh7 requested a review from a team December 13, 2024 23:00
Labels: automated pr, bincapz/pass, GHSA-v778-237x-gjrc, go/bump, manual/review-needed, P1, request-cve-remediation, trust-manager/0.14.0-r0