Conversation

@octo-sts octo-sts bot commented Jan 10, 2026

@octo-sts octo-sts bot added automated pr request-cve-remediation go/bump GHSA-wf43-55jj-vwq8 p:juicefs-1.3 P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jan 10, 2026
octo-sts bot commented Jan 10, 2026

🔢 Build Failed: Dependency Version Mismatch

go: go.etcd.io/etcd@v3.4.0: invalid version: module contains a go.mod file, so module path must match major version ("go.etcd.io/etcd/v3")

Build Details

  Build System:  melange/gobump (Go module management)
  Failure Point: go/bump step during dependency update, specifically when running 'go get' for go.etcd.io/etcd@v3.4.0

Root Cause Analysis 🔍

The go.etcd.io/etcd module version v3.4.0 has a go.mod file that requires the module path to include the major version suffix (/v3), but the gobump tool is trying to use the old module path without the version suffix. This is a Go module versioning compliance issue where the module path doesn't match the required major version format.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: juicefs-1.3.yaml

  • modification at line 22-29 (go/bump step deps section)
    Original:
  - uses: go/bump
    with:
      deps: |-
        golang.org/x/[email protected]
        github.com/golang/[email protected]
        github.com/tidwall/[email protected]
        golang.org/x/[email protected]
        github.com/coredns/[email protected]
        golang.org/x/[email protected]
        go.etcd.io/[email protected]

Replacement:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/[email protected]
        github.com/golang/[email protected]
        github.com/tidwall/[email protected]
        golang.org/x/[email protected]
        github.com/coredns/[email protected]
        golang.org/x/[email protected]
        go.etcd.io/etcd/v3@v3.4.0

Content:

Replace the etcd dependency line to use the correct v3 module path format required by Go module versioning for major version 3

Analysis

Based on the similar fixed build failures, I observe a clear pattern: when Go modules use major version v2 or higher, they must include the major version suffix in their module path (e.g., /v2, /v3). Both previous fixes addressed this by adding the correct versioned module path alongside the original dependency. For containerd v2.x.x, the fixes added "github.com/containerd/containerd/[email protected]" while keeping the v1.x.x version for backward compatibility. The same pattern applies to etcd v3.x.x which requires "go.etcd.io/etcd/[email protected]" module path format.


Explanation

This fix should work because it addresses the root cause of the Go module versioning error. The etcd project, like containerd, follows Go module semantic versioning conventions where major versions v2 and above must include the major version suffix in the module path. The error message specifically states that "module path must match major version" and indicates the path should be "go.etcd.io/etcd/v3" for v3.x.x versions. By changing "go.etcd.io/etcd@v3.4.0" to "go.etcd.io/etcd/v3@v3.4.0", we're providing the correct module path that matches the go.mod file's module declaration, which will allow Go's module system to properly resolve and validate the dependency.


Alternative Approaches

  • Use a compatible v2.x.x version of etcd that doesn't require the /v3 suffix (e.g., go.etcd.io/[email protected]), though this would downgrade the dependency and potentially lose newer features
  • Pin to the latest etcd v3 client library (go.etcd.io/etcd/client/[email protected]) which is the recommended approach for etcd v3 client usage, though this might require code changes if the API differs
  • Check if the upstream juicefs project has updated their dependencies to use the correct etcd v3 module paths and align with their approach

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
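The rule the bot relies on above (Go's semantic import versioning: a module at major version 2 or higher must carry a matching `/vN` suffix in its module path, except for `+incompatible` versions and `gopkg.in` paths, which encode the major version differently) can be checked before a `go/bump` step ever runs `go get`. The following Go program is an added example written for this thread; it is not part of the juicefs package, melange, gobump or the bot. It parses a constructed `deps` list in the same `path@version` shape as the YAML block above and reports each entry whose path does not match its major version, together with the corrected entry. The dependency names and versions in `main` other than `go.etcd.io/etcd@v3.4.0` are made up for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Dep is one "path@version" entry as listed in a go/bump deps block.
type Dep struct {
	Path    string // module path, e.g. go.etcd.io/etcd/v3
	Version string // semantic version, e.g. v3.4.0
}

// ParseDep splits a "path@version" line on its last '@'.
func ParseDep(line string) (Dep, error) {
	line = strings.TrimSpace(line)
	i := strings.LastIndex(line, "@")
	if i <= 0 || i == len(line)-1 {
		return Dep{}, fmt.Errorf("malformed dep %q: expected path@version", line)
	}
	return Dep{Path: line[:i], Version: line[i+1:]}, nil
}

// MajorVersion returns the integer major version of a semver string such as
// "v3.4.0", "v2.1.0+incompatible" or "v1.0.0-rc1".
func MajorVersion(v string) (int, error) {
	if !strings.HasPrefix(v, "v") {
		return 0, fmt.Errorf("version %q does not start with 'v'", v)
	}
	num := v[1:]
	if j := strings.IndexAny(num, ".-+"); j >= 0 {
		num = num[:j]
	}
	n, err := strconv.Atoi(num)
	if err != nil {
		return 0, fmt.Errorf("version %q has no numeric major component", v)
	}
	return n, nil
}

// CheckSemanticImportPath applies the semantic import versioning rule and
// returns the corrected "path@version" when the entry is wrong, or "" when
// the entry already complies.
func CheckSemanticImportPath(d Dep) (string, error) {
	major, err := MajorVersion(d.Version)
	if err != nil {
		return "", err
	}
	// v0/v1, "+incompatible" tags and gopkg.in paths never carry a /vN suffix.
	if major < 2 || strings.HasSuffix(d.Version, "+incompatible") || strings.HasPrefix(d.Path, "gopkg.in/") {
		return "", nil
	}
	want := fmt.Sprintf("/v%d", major)
	if strings.HasSuffix(d.Path, want) {
		return "", nil
	}
	// Drop a stale /vK suffix (e.g. /v2 on a v3 version) before appending the right one.
	base := d.Path
	if k := strings.LastIndex(base, "/v"); k >= 0 {
		if _, perr := strconv.Atoi(base[k+2:]); perr == nil {
			base = base[:k]
		}
	}
	return base + want + "@" + d.Version, nil
}

// CheckDeps runs the check over every line of a deps block and maps each
// offending "path@version" to its corrected form.
func CheckDeps(lines []string) (map[string]string, error) {
	fixes := map[string]string{}
	for _, line := range lines {
		if strings.TrimSpace(line) == "" {
			continue
		}
		d, err := ParseDep(line)
		if err != nil {
			return nil, err
		}
		fixed, err := CheckSemanticImportPath(d)
		if err != nil {
			return nil, err
		}
		if fixed != "" {
			fixes[d.Path+"@"+d.Version] = fixed
		}
	}
	return fixes, nil
}

func main() {
	// Constructed deps block; only the etcd line is taken from the PR above.
	deps := []string{
		"golang.org/x/net@v0.33.0",
		"go.etcd.io/etcd@v3.4.0",
		"github.com/example/lib@v2.1.0+incompatible",
		"gopkg.in/yaml.v3@v3.0.1",
	}
	fixes, err := CheckDeps(deps)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for bad, good := range fixes {
		fmt.Printf("%s -> %s\n", bad, good)
	}
}
```

Running this on the constructed list flags only the etcd entry and proposes `go.etcd.io/etcd/v3@v3.4.0`, the same change the bot suggests; it is a cheap pre-flight check for a bump pipeline, not a replacement for letting `go get` validate the module's actual go.mod.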

@octo-sts octo-sts bot added ai/skip-comment Stop AI from commenting on PR cve-pr-closer/v2-adv-disagreement labels Jan 10, 2026
octo-sts bot commented Jan 12, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-mvh3-v8v8-6jpj has the latest event type of "false-positive-determination"

View with: cg advisory show CGA-mvh3-v8v8-6jpj
Or view on GitHub: https://github.com/wolfi-dev/advisories/blob/main/juicefs-1.3.advisories.yaml

ID:      CGA-mvh3-v8v8-6jpj
Package: juicefs-1.3
Aliases: CVE-2018-1099 GHSA-wf43-55jj-vwq8
Events:
  - "scan/v1" at 2025-07-23 07:22:16 UTC
  - "pending-upstream-fix" at 2025-07-24 09:19:13 UTC
  - "false-positive-determination" at 2025-07-25 13:40:11 UTC

🔀 v2 advisory logic would not have closed this PR: Found 4 advisories, but 2 of them are not resolved (CGA-w686-4xf6-5ww3, CGA-qmfc-qqj8-jqp2).

@octo-sts octo-sts bot closed this Jan 12, 2026
@aborrero aborrero reopened this Jan 15, 2026
octo-sts bot commented Jan 15, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-mvh3-v8v8-6jpj has the latest event type of "false-positive-determination"

View with: cg advisory show CGA-mvh3-v8v8-6jpj
Or view on GitHub: https://github.com/wolfi-dev/advisories/blob/main/juicefs-1.3.advisories.yaml

ID:      CGA-mvh3-v8v8-6jpj
Package: juicefs-1.3
Aliases: CVE-2018-1099 GHSA-wf43-55jj-vwq8
Events:
  - "scan/v1" at 2025-07-23 07:22:16 UTC
  - "pending-upstream-fix" at 2025-07-24 09:19:13 UTC
  - "false-positive-determination" at 2025-07-25 13:40:11 UTC

@octo-sts octo-sts bot closed this Jan 15, 2026
@aborrero aborrero reopened this Jan 15, 2026
octo-sts bot commented Jan 15, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-q8pm-5jgw-5755 has the latest event type of "FALSE_POSITIVE_DETERMINATION"

View with: cg adv show CGA-q8pm-5jgw-5755

ID:      CGA-q8pm-5jgw-5755
Package: juicefs-1.3
Aliases: CVE-2018-1099 GHSA-wf43-55jj-vwq8 CGA-h8fw-vwmj-78p2
Events:
  - "DETECTION" at 2025-07-23 07:22:16 UTC
  - "PENDING_UPSTREAM_FIX" at 2025-07-24 09:19:13 UTC
  - "FALSE_POSITIVE_DETERMINATION" at 2025-07-25 13:40:11 UTC

@octo-sts octo-sts bot closed this Jan 15, 2026
2 participants