Conversation

@octo-sts octo-sts bot commented Dec 5, 2024

@octo-sts octo-sts bot added P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. automated pr GHSA-qg5g-gv98-5ffh GHSA-wwq9-3cpr-mm53 qdrant/1.12.4-r0 request-cve-remediation rust/cargobump labels Dec 5, 2024
octo-sts bot commented Dec 5, 2024

Gen AI suggestions to solve the build error:

• Detected Error:

Error: failed to parse the pom file: failed to run cargo update 'error: There are multiple `hashbrown` packages in your project, and the specification `hashbrown` is ambiguous.
Please re-run this command with one of the following specifications:
  hashbrown@0.12.3
  hashbrown@0.14.2
  hashbrown@0.15.0'

• Error Category: Dependency

• Failure Point: The cargobump step in the pipeline

• Root Cause Analysis: The build is failing because there are multiple versions of the hashbrown crate in the project's dependency tree, and the cargobump tool cannot automatically resolve which version to use.

• Suggested Fix:
Create a cargobump-deps.yaml file in the root directory with explicit version specifications:

dependencies:
  hashbrown: "0.15.0"  # Use the latest version

• Explanation:
The cargobump tool needs explicit guidance on which version of hashbrown to use when there are multiple versions in the dependency tree. By creating a cargobump-deps.yaml file with the specific version we want, we resolve the ambiguity and allow the build to proceed.

• Additional Notes:

  • Version 0.15.0 is suggested as it's the latest among the available versions
  • This is a common issue in Rust projects with complex dependency trees
  • The fix aligns with Wolfi's principle of using latest versions where possible

• References:

Signed-off-by: hbh7 <hunter.harris@chainguard.dev>
octo-sts bot commented Jan 2, 2025

Gen AI suggestions to solve the build error:

• Detected Error:

solving "so:libgit2.so.1.8" constraint: libgit2-1.8.0-r0.apk disqualified because libgit2-1.9.0-r0.apk already provides cmd:git2

• Error Category: Dependency

• Failure Point: Package resolution during build environment setup

• Root Cause Analysis: There's a version mismatch between the installed libgit2 (1.9.0) and the version required by rust (1.8.x). The rust package specifically requires libgit2 1.8.x, but a newer version (1.9.0) is being pulled in.

• Suggested Fix:

  1. Pin the libgit2 version explicitly in the environment section:
environment:
  contents:
    packages:
      - libgit2-dev=1.8.4-r0
      # ... other packages ...

• Explanation:
The error occurs because rust-1.83 requires libgit2 1.8.x, but the package manager is trying to use 1.9.0. By explicitly pinning the libgit2 version to 1.8.4-r0, we ensure compatibility with the rust package while maintaining a recent, stable version of libgit2.

• Additional Notes:

  • This is a common issue when packages have strict version dependencies
  • The fix follows Wolfi's principle of precise version control for security and stability
  • Version 1.8.4 is chosen as it's the latest in the 1.8.x series that's compatible

• References:

@hbh7 hbh7 self-assigned this Jan 2, 2025
hbh7 commented Jan 2, 2025

Hashbrown seems to be brought in multiple times through different dependencies, some of which cannot be updated due to the dependency lockfile disallowing some version bumps. Rustls seems to be in the same situation too. Not sure that we can remediate this, might have to be advisories.
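
The two situations above (the `cargo update` error listing several locked `hashbrown` versions, and the comment that some of those copies cannot be bumped because of the lockfile) both come down to the same question: which dependents pull each copy of a crate? The following script is an added example, not code from qdrant, cargobump or this PR. It parses the `[[package]]` blocks of a Cargo.lock, reports every crate locked at more than one version together with the packages depending on each copy, and lists the copies older than a given version (for instance the first patched release) that a bump would have to lift. The embedded lockfile is constructed for illustration (the crate names and versions are not qdrant's real tree), and the version comparison is a plain numeric `major.minor.patch` ordering that ignores pre-release tags.

```python
"""Added example (not qdrant's, cargobump's or this PR's code): list crates locked at
several versions in a Cargo.lock and show which dependents pull each copy.
SAMPLE_LOCK below is a constructed v3-layout lockfile; names and versions are illustrative."""
import re
from collections import defaultdict

SAMPLE_LOCK = '''\
version = 3

[[package]]
name = "equivalent"
version = "1.0.1"

[[package]]
name = "hashbrown"
version = "0.12.3"

[[package]]
name = "hashbrown"
version = "0.15.0"

[[package]]
name = "indexmap"
version = "1.9.3"
dependencies = [
 "hashbrown 0.12.3",
]

[[package]]
name = "indexmap"
version = "2.6.0"
dependencies = [
 "equivalent",
 "hashbrown 0.15.0",
]

[[package]]
name = "example-app"
version = "1.0.0"
dependencies = [
 "indexmap 1.9.3",
 "indexmap 2.6.0",
]
'''

def semver_key(version):
    """Numeric sort key for 'major.minor.patch'; pre-release tags are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])

def parse_lock(text):
    """One {'name', 'version', 'deps'} dict per [[package]] block."""
    packages, current, in_deps = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {"name": None, "version": None, "deps": []}
            packages.append(current)
            in_deps = False
        elif in_deps:
            in_deps = not line.startswith("]")
            if in_deps:
                current["deps"].append(line.strip('",'))
        elif line.startswith("dependencies = ["):
            in_deps = not line.endswith("]")  # 'dependencies = []' closes at once
        elif current is not None:
            m = re.match(r'(name|version) = "(.*)"', line)
            if m:
                current[m.group(1)] = m.group(2)
    return packages

def resolve_dep(spec, versions_of):
    """'name' or 'name version [source]' -> (name, version); Cargo omits the
    version only when exactly one copy of that crate is locked."""
    parts = spec.split()
    if len(parts) > 1:
        return parts[0], parts[1]
    versions = versions_of.get(parts[0], [])
    return parts[0], (versions[0] if len(versions) == 1 else None)

def duplicate_versions(text):
    """{crate: {version: [dependents]}} for every crate locked at more than one version."""
    packages = parse_lock(text)
    versions_of = defaultdict(list)
    for pkg in packages:
        versions_of[pkg["name"]].append(pkg["version"])
    dependents = defaultdict(list)
    for pkg in packages:
        for spec in pkg["deps"]:
            dependents[resolve_dep(spec, versions_of)].append(f'{pkg["name"]} {pkg["version"]}')
    return {name: {v: sorted(dependents[(name, v)]) for v in sorted(vs, key=semver_key)}
            for name, vs in versions_of.items() if len(vs) > 1}

def copies_below(dupes, name, fixed):
    """Copies of `name` older than `fixed` with the dependents holding them; each must
    accept the newer version in its own manifest, or the lockfile keeps the old copy."""
    return {v: d for v, d in dupes.get(name, {}).items() if semver_key(v) < semver_key(fixed)}

if __name__ == "__main__":
    dupes = duplicate_versions(SAMPLE_LOCK)
    print(dupes, copies_below(dupes, "hashbrown", "0.15.0"))
```

Run it against a real Cargo.lock by reading the file into `duplicate_versions`. A crate that shows up under several versions, each held by a different dependent, is exactly the case where a package-wide bump of that crate cannot be expressed as one version and the decision becomes per-dependent: whether that dependent's own manifest admits the patched release, or whether the copy stays and the finding has to be handled by an advisory instead.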

octo-sts bot commented Jan 2, 2025

Gen AI suggestions to solve the build error:

• Detected Error: "solving 'so:libgit2.so.1.8' constraint: libgit2-1.8.0-r0.apk disqualified because libgit2-1.9.0-r0.apk already provides cmd:git2"

• Error Category: Dependency

• Failure Point: Package dependency resolution during build environment setup

• Root Cause Analysis: There's a version mismatch between the Rust package requiring libgit2 1.8.x and the system having libgit2 1.9.0. The rust-1.83 package specifically needs libgit2.so.1.8, but the system has 1.9.0 installed.

• Suggested Fix:

  1. Pin the libgit2-dev version in the environment section:
environment:
  contents:
    packages:
      - libgit2-dev=1.8.4-r0
  2. Alternatively, update to a newer Rust version that supports libgit2 1.9.x

• Explanation: The error occurs because the installed Rust version (1.83) was built against libgit2 1.8.x, but the system is trying to use libgit2 1.9.0. Pinning the libgit2-dev version ensures compatibility with the Rust toolchain.

• Additional Notes:

  • This is a common issue when system libraries get updated but language toolchains still expect older versions
  • The fix maintains ABI compatibility required by the Rust toolchain
  • Alternative approach would be to update to a newer Rust version that supports libgit2 1.9.0

• References:

@hbh7 hbh7 changed the title qdrant/1.12.4-r0: cve remediation qdrant/1.12.5-r0: cve remediation Jan 6, 2025
hbh7 commented Jan 6, 2025

Upon closer analysis, this PR is actually no longer necessary as the CVEs are not present in the latest version of qdrant. This can be closed.

@hbh7 hbh7 closed this Jan 6, 2025