
yara-x/0.13.0-r1: cve remediation #46904

Merged
merged 2 commits into from
Mar 18, 2025

Conversation


@octo-sts octo-sts bot commented Mar 15, 2025

yara-x/0.13.0-r1: fix GHSA-2gh3-rmm4-6rq5

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/yara-x.advisories.yaml

Source code for this service: https://go/cve-remedy-automation-source

Logs for this execution: https://go/cve-remedy-automation-logs

Docs for this service: (not provided yet)


octo-sts bot commented Mar 15, 2025

⚠️ EXPERIMENTAL

Please use 👍 or 👎 on this comment to indicate if you agree or disagree with the recommendation.

To provide more detailed feedback please comment on the recommendation prefixed with /ai-verify:

e.g. /ai-verify partially helpful but I also added bash to the build environment

Gen AI suggestions to solve the build error:

• Detected Error:

error: failed to select a version for the requirement `protobuf = "=3.7.1"`
candidate versions found which didn't match: 3.7.2
location searched: crates.io index
required by package `protobuf-codegen v3.7.1`

• Error Category: Dependency/Version

• Failure Point: rust/cargobump step attempting to update protobuf from 3.7.1 to 3.7.2

• Root Cause Analysis: The cargobump tool is trying to update the protobuf dependency to 3.7.2, but the package has strict version requirements that pin it to exactly 3.7.1

• Suggested Fix:

  1. Remove or modify the cargobump step, as it's causing version conflicts
  2. Add this to the melange YAML:

```yaml
- uses: rust/cargobump
  with:
    skip-packages:
      - protobuf
```

• Explanation: The fix prevents cargobump from trying to update the protobuf package while still allowing other dependencies to be updated. This maintains the strict version requirement needed by the project while allowing the build to proceed.

• Additional Notes:

  • The yara-x project appears to have strict dependency requirements for protobuf
  • The cargobump tool is trying to be helpful by updating dependencies but in this case it's breaking the build
  • Alternative approach would be to update all protobuf-related dependencies together, but that would require more extensive testing

• References:
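The root-cause comment above describes a resolver failure: `protobuf-codegen 3.7.1` pins `protobuf = "=3.7.1"`, so bumping `protobuf` alone to 3.7.2 can never resolve, and the family has to move together. The following is an added example written for this page, not code from the PR, from cargobump, or from yara-x: a small checker over a constructed requirement table (crate names and pins mirror the error text, the `^3.7` requirements attributed to `yara-x` are assumed) that reports which exact pins a single-crate bump would break and computes the set of crates that must be bumped as one unit.

```python
"""Coordinated-bump checker for exact (`=`) crate pins.

Added example, not part of the PR or the yara-x project. The requirement
table is constructed: it mirrors the protobuf pins quoted in the build error
and assumes caret requirements from yara-x, to show why bumping one crate
of a pinned family fails and which crates must move together.
"""
from collections import deque

# (crate, version) -> {dependency: cargo-style requirement}
REQUIREMENTS = {
    ("protobuf-codegen", "3.7.1"): {"protobuf": "=3.7.1", "protobuf-parse": "=3.7.1"},
    ("protobuf-codegen", "3.7.2"): {"protobuf": "=3.7.2", "protobuf-parse": "=3.7.2"},
    ("protobuf-parse", "3.7.1"): {"protobuf": "=3.7.1"},
    ("protobuf-parse", "3.7.2"): {"protobuf": "=3.7.2"},
    ("protobuf", "3.7.1"): {},
    ("protobuf", "3.7.2"): {},
    # Assumed: the consuming project accepts any 3.7.x of the family.
    ("yara-x", "0.13.0"): {"protobuf": "^3.7", "protobuf-codegen": "^3.7",
                           "protobuf-parse": "^3.7"},
}


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def satisfies(version, req):
    """Minimal matcher for '=x.y.z' (exact) and '^x.y[.z]' (caret, major > 0)."""
    ver = parse_version(version)
    if req.startswith("="):
        return ver == parse_version(req[1:])
    low = parse_version(req.lstrip("^"))
    low = low + (0,) * (3 - len(low))
    # Caret semantics for a non-zero major: same major, not below the floor.
    return ver >= low and ver[0] == low[0]


def check_resolution(selected):
    """Return (crate, dependency, requirement, chosen) for every violated pin.

    `selected` maps crate name -> the single version chosen for the lock file.
    An empty list means the selection is consistent with every requirement.
    """
    conflicts = []
    for crate, version in selected.items():
        for dep, req in REQUIREMENTS.get((crate, version), {}).items():
            chosen = selected.get(dep)
            if chosen is None or not satisfies(chosen, req):
                conflicts.append((crate, dep, req, chosen))
    return conflicts


def bump_set(selected, crate):
    """Crates that must be bumped together with `crate`.

    Follows exact pins transitively: any selected crate that pins a member of
    the set with '=' would break if that member moved alone, so it joins the set.
    """
    members = {crate}
    queue = deque([crate])
    while queue:
        current = queue.popleft()
        for (other, version), deps in REQUIREMENTS.items():
            if selected.get(other) != version or other in members:
                continue
            req = deps.get(current)
            if req is not None and req.startswith("="):
                members.add(other)
                queue.append(other)
    return members


def coordinated_bump(selected, crate, new_version):
    """Bump `crate` and every crate pinned to it to `new_version` in one step."""
    updated = dict(selected)
    for member in bump_set(selected, crate):
        updated[member] = new_version
    return updated


if __name__ == "__main__":
    baseline = {"yara-x": "0.13.0", "protobuf": "3.7.1",
                "protobuf-codegen": "3.7.1", "protobuf-parse": "3.7.1"}
    naive = dict(baseline, protobuf="3.7.2")          # what an independent bump does
    print("independent bump conflicts:", check_resolution(naive))
    print("must move together:", sorted(bump_set(baseline, "protobuf")))
    print("coordinated bump conflicts:",
          check_resolution(coordinated_bump(baseline, "protobuf", "3.7.2")))
```

Running it shows the independent bump violating both `=3.7.1` pins, the bump set containing all three protobuf crates, and the coordinated bump resolving cleanly; the same shape of check is what a reviewer wants before accepting an automated dependency update that touches a family of crates released in lockstep.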

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Mar 15, 2025
@OddBloke OddBloke self-assigned this Mar 17, 2025
@OddBloke OddBloke force-pushed the cve-yara-x-d3e2f84ed7a0276d2b4b1bcba4ec841b branch from eec251c to e95c71f Compare March 17, 2025 22:11
There are multiple protobuf dependencies which need to be updated all
together: cargobump attempted to bump them independently, and failed.
@OddBloke OddBloke force-pushed the cve-yara-x-d3e2f84ed7a0276d2b4b1bcba4ec841b branch from 4b1b67d to ce9ea93 Compare March 17, 2025 22:21
@octo-sts octo-sts bot added bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. manual/review-needed labels Mar 17, 2025
@OddBloke OddBloke requested a review from a team March 18, 2025 13:44
@OddBloke OddBloke enabled auto-merge March 18, 2025 13:45
@OddBloke OddBloke merged commit 082dc34 into main Mar 18, 2025
21 checks passed
@OddBloke OddBloke deleted the cve-yara-x-d3e2f84ed7a0276d2b4b1bcba4ec841b branch March 18, 2025 14:26