
Conversation


@octo-sts octo-sts bot commented Jan 9, 2026

@octo-sts octo-sts bot added automated pr request-cve-remediation go/bump GHSA-4qg8-fj49-pxjh p:zot P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jan 9, 2026

octo-sts bot commented Jan 9, 2026

🔢 Build Failed: Dependency Version Mismatch

go: github.com/sigstore/[email protected]: invalid version: go.mod has post-v2 module path "github.com/sigstore/timestamp-authority/v2" at revision v2.0.3

Build Details

Category       Details
Build System   go
Failure Point  go/bump step during go get command execution

Root Cause Analysis 🔍

The dependency github.com/sigstore/[email protected] has an incompatible module path structure. The go.mod file specifies a post-v2 module path 'github.com/sigstore/timestamp-authority/v2' but the version tag v2.0.3 doesn't match this module path convention. Go modules with major version v2+ require the major version to be included in the module path.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: zot.yaml

  • modification at line 25-28 (go/bump section)

    Original:

      - uses: go/bump
        with:
          deps: |-
            github.com/sigstore/[email protected]

    Replacement:

      - uses: go/bump
        with:
          deps: |-
            github.com/sigstore/timestamp-authority/[email protected]

Content:

Update the dependency specification to use the correct v2 module path format

Analysis

The similar fix shows a clear pattern for handling Go module v2+ dependency issues. When a package has upgraded to v2.x.x and uses the "/v2" module path suffix, the dependency specification in go/bump must be updated to include both the old v1.x path (for compatibility) and the new v2.x path with the correct module path format. The fix involved adding two entries: one for the legacy path with a v1.x version and another for the new v2 module path with the v2.x version.


Explanation

The current error occurs because the timestamp-authority package has migrated to Go modules v2+ convention, which requires the major version to be included in the module path. The go.mod file in the upstream repository specifies the module path as 'github.com/sigstore/timestamp-authority/v2', but the dependency is being referenced as 'github.com/sigstore/[email protected]' without the '/v2' suffix. By changing the dependency specification to 'github.com/sigstore/timestamp-authority/[email protected]', we align with the correct module path format that Go expects for v2+ modules. This matches the pattern seen in the containerd fix where the v2 module path was explicitly specified with the '/v2' suffix.


Alternative Approaches

  • If there are compatibility concerns, could add both v1 and v2 paths similar to the containerd fix, but this would require knowing what v1 version was previously used
  • Could investigate if there's a newer v2.x.x version available that might have better compatibility
  • Could check if the package actually needs this specific dependency or if it can be removed entirely

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 9, 2026

octo-sts bot commented Jan 12, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-c92q-vh28-wcfp has the latest event type of "pending-upstream-fix"

View with: cg advisory show CGA-c92q-vh28-wcfp
Or view on GitHub: https://github.com/wolfi-dev/advisories/blob/main/zot.advisories.yaml

ID:      CGA-c92q-vh28-wcfp
Package: zot
Aliases: CVE-2025-66564 GHSA-4qg8-fj49-pxjh
Events:
  - "scan/v1" at 2025-12-06 17:57:59 UTC
  - "pending-upstream-fix" at 2025-12-15 14:43:35 UTC

🔀 v2 advisory logic would not have closed this PR: Found 4 advisories, but 2 of them are not resolved (CGA-x848-9mpc-h56j, CGA-vx7p-fcwr-98f7).

@aborrero aborrero force-pushed the cve-zot-2.1.13-r0-c1efa1a4c43a745cd462d346a286e7d5 branch from cd8de93 to 61c5f5c on January 15, 2026 11:40

octo-sts bot commented Jan 15, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-c92q-vh28-wcfp has the latest event type of "pending-upstream-fix"

View with: cg advisory show CGA-c92q-vh28-wcfp
Or view on GitHub: https://github.com/wolfi-dev/advisories/blob/main/zot.advisories.yaml

ID:      CGA-c92q-vh28-wcfp
Package: zot
Aliases: CVE-2025-66564 GHSA-4qg8-fj49-pxjh
Events:
  - "scan/v1" at 2025-12-06 17:57:59 UTC
  - "pending-upstream-fix" at 2025-12-15 14:43:35 UTC

@octo-sts octo-sts bot closed this Jan 15, 2026
@aborrero aborrero reopened this Jan 15, 2026

octo-sts bot commented Jan 15, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-cg35-jq58-qrrx has the latest event type of "PENDING_UPSTREAM_FIX"

View with: cg adv show CGA-cg35-jq58-qrrx

ID:      CGA-cg35-jq58-qrrx
Package: zot
Aliases: CVE-2025-66564 GHSA-4qg8-fj49-pxjh GO-2025-4192 CGA-m9c4-mx87-79fq
Events:
  - "DETECTION" at 2025-12-06 17:57:59 UTC
  - "PENDING_UPSTREAM_FIX" at 2025-12-15 14:43:35 UTC

@octo-sts octo-sts bot closed this Jan 15, 2026
Labels

ai/skip-comment Stop AI from commenting on PR automated pr cve-pr-closer/v2-adv-disagreement GHSA-4qg8-fj49-pxjh go/bump p:zot P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. request-cve-remediation service:cve-pr-closer
