
policy-controller/0.14.0-r0: cve remediation#78112

Open
octo-sts[bot] wants to merge 1 commit into main from cve-policy-controller-0.14.0-r0-8eeb2b41193160bbd772cb8a120a4a8f

Conversation

octo-sts bot (Contributor) commented Jan 14, 2026

policy-controller/0.14.0-r0: fix GHSA-whqx-f9j3-ch6m

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/policy-controller.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/sigstore/policy-controller@v0.14.0

octo-sts bot added the labels automated pr, request-cve-remediation, go/bump, p:policy-controller, GHSA-whqx-f9j3-ch6m and P1 (This label indicates our scanning found High, Medium or Low CVEs for these packages.) on Jan 14, 2026
octo-sts bot (Contributor, Author) commented Jan 14, 2026

🛑 Build Failed: Compilation

cannot use s.GetDefault().ToRawInfo() (value of type *"go.yaml.in/yaml/v3".Node) as *"gopkg.in/yaml.v3".Node value in argument to parseV3Interface

Build Details

Build System: Go + Make
Failure Point: CGO_ENABLED=0 go build command during policy-controller and policy-tester compilation

Root Cause Analysis 🔍

Type incompatibility between different YAML library versions. The code is trying to use a go.yaml.in/yaml/v3 Node type where a gopkg.in/yaml.v3 Node type is expected. This suggests a dependency version conflict or incompatible YAML library imports in the k8s.io/kube-openapi package.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: policy-controller.yaml

  • addition (after git-checkout step)
    Replacement:
  - uses: patch
    with:
      patches: yaml-deps.patch

Content:

Add patch step to fix YAML library version conflict

File: policy-controller/yaml-deps.patch

  • creation
    Replacement:
--- a/go.mod
+++ b/go.mod
@@ -1,3 +1,7 @@
+replace (
+	go.yaml.in/yaml/v3 => gopkg.in/yaml.v3 v3.0.1
+)
+
 module github.com/sigstore/policy-controller
 
 go 1.21
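Review bot: the `replace` added on the `+` lines of this hunk cannot resolve the compile error, for two reasons. First, Go identifies a type by its import path: code that imports go.yaml.in/yaml/v3 still yields `*"go.yaml.in/yaml/v3".Node` whatever source the module resolves to, so a replace swaps module sources but never merges two import paths into one type, and the `parseV3Interface` argument mismatch stays. Second, a module-path replacement must resolve to a module whose go.mod declares the original path; gopkg.in/yaml.v3 v3.0.1 declares `module gopkg.in/yaml.v3`, so the go command rejects the directive with a "module declares its path as ... but was required as ..." error before any build starts. The error shows a caller and k8s.io/kube-openapi built against different YAML module paths; the fix is to align the k8s.io/kube-openapi version (and the k8s.io modules that pull it in) so both sides use the same path, and `go mod why -m go.yaml.in/yaml/v3 gopkg.in/yaml.v3` shows which requirement brings in each. Also check that the `module`/`go 1.21` context lines match the real head of go.mod at v0.14.0, or the patch step will fail to apply.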

Content:

Create patch file to update YAML dependencies

Analysis

The similar fix shows a pattern where YAML library version conflicts are resolved by updating dependencies to compatible versions. In the k3s fix, the issue was resolved by bumping containerd to v2.1.5 and kubelet to v0.34.0 through a patch file that updated go.mod dependencies. The root cause in both cases is the same: incompatible YAML library imports where go.yaml.in/yaml/v3 and gopkg.in/yaml.v3 types are being mixed, typically due to transitive dependency version conflicts in the k8s.io/kube-openapi package chain.


Explanation

This fix addresses the core issue by ensuring that all YAML library references resolve to the same package (gopkg.in/yaml.v3) instead of having conflicting imports between go.yaml.in/yaml/v3 and gopkg.in/yaml.v3. The patch uses a Go module replace directive to redirect go.yaml.in/yaml/v3 imports to gopkg.in/yaml.v3 v3.0.1, which is the canonical and widely-used YAML library for Go. This approach directly resolves the type incompatibility error by ensuring all code paths use the same YAML Node type. The replace directive is a standard Go module mechanism for handling dependency conflicts and is commonly used in Kubernetes ecosystem projects to manage complex dependency trees.


Alternative Approaches

  • Update the go/bump step to explicitly specify compatible versions of all transitive dependencies including k8s.io/kube-openapi
  • Add a more comprehensive patch that updates multiple dependencies in go.mod and go.sum to ensure version alignment across the entire dependency tree
  • Use go mod tidy and go mod download commands in a separate pipeline step before building to resolve dependency conflicts automatically

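As an added example (not part of this PR or of the bot's suggestion), a small Go check over go.mod text that flags the two conditions behind the error above: a `replace` whose right-hand side is a different module path, which swaps the module source but cannot merge two import paths into one Go type, and both YAML module paths being required at once. The sample go.mod is constructed to mirror the suggested patch; the go.yaml.in version in it is a placeholder.

```go
package main

import "strings"

// Constructed go.mod (not the project's real file) shaped like the suggested patch above.
const sampleGoMod = `replace (
	go.yaml.in/yaml/v3 => gopkg.in/yaml.v3 v3.0.1
)
require (
	gopkg.in/yaml.v3 v3.0.1
	go.yaml.in/yaml/v3 v0.0.0-placeholder // indirect
)
`

// CheckGoMod returns one message per problem: a replace whose right-hand side is a different
// module path (Go keys a type by import path, so the swap cannot merge the two Node types),
// and both YAML module paths required at once (the actual source of the mismatch).
func CheckGoMod(src string) []string {
	var out []string
	required := map[string]bool{}
	block := "" // "require" or "replace" while inside a ( ... ) block
	for _, raw := range strings.Split(src, "\n") {
		f, kind := strings.Fields(raw), block
		if len(f) == 0 || strings.HasPrefix(f[0], "//") {
			continue // blank or comment-only line
		}
		switch f[0] {
		case ")":
			block = ""
			continue
		case "require", "replace":
			if len(f) == 2 && f[1] == "(" {
				block = f[0] // block opener
				continue
			}
			kind, f = f[0], f[1:] // single-line directive
		}
		if kind == "require" {
			required[f[0]] = true
		} else if lhs, rhs, ok := strings.Cut(strings.Join(f, " "), " => "); kind == "replace" && ok {
			o, n := strings.Fields(lhs), strings.Fields(rhs)
			if len(o) > 0 && len(n) > 0 && o[0] != n[0] && !strings.ContainsAny(n[0][:1], "./") {
				out = append(out, "replace "+o[0]+" => "+n[0]+" swaps the module source but leaves the import paths, and so the Node types, distinct")
			}
		}
	}
	if required["gopkg.in/yaml.v3"] && required["go.yaml.in/yaml/v3"] {
		out = append(out, "both gopkg.in/yaml.v3 and go.yaml.in/yaml/v3 are required: align the modules that import them")
	}
	return out
}
```

Local-directory replacements (`=> ../fork`) are left alone, since the directory's go.mod must declare the original path anyway.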

octo-sts bot added the label ai/skip-comment (Stop AI from commenting on PR) on Jan 14, 2026