keda-2.15/2.15.1-r3: cve remediation

[octo-sts]

keda-2.15/2.15.1-r3: fix GHSA-29wx-vh33-7x7r

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/keda-2.15.advisories.yaml

[octo-sts]

Gen AI suggestions to solve the build error:

Based on the error log, here's how to fix the build error for the keda-2.15 package:

1. The main error is related to a version mismatch with the golang-jwt package:

Failed to running update. Error: package github.com/golang-jwt/jwt/v4 with v4.5.0 is less than the desired version v4.5.1

Here are the steps to resolve this:

1. Update the melange YAML file (keda-2.15.yaml) by:

   pipeline:
     - uses: git-checkout
     # Modify or remove the go/bump step to either:
     # Option 1: Remove version constraints for jwt package
     - uses: go/bump
       with:
         packages: ""  # Remove jwt package from bumping
     
     # Option 2: Specify the correct version
     - uses: go/bump
       with:
         packages: "github.com/golang-jwt/jwt/[email protected]"

2. Alternative fix - directly modify go.mod:

   # Add this to your build steps
   - uses: shell
     run: |
       go mod edit -replace github.com/golang-jwt/jwt/v4=github.com/golang-jwt/jwt/[email protected]
       go mod tidy

3. Update build dependencies in the YAML:

   environment:
     contents:
       packages:
         - go@>=1.23.2
         - build-base
         # Add other required packages

4. Clear melange cache and retry:

   rm -rf .melangecache
   make MELANGE_EXTRA_OPTS="--create-build-log --cache-dir=.melangecache" REPO="./packages" package/keda-2.15 -j1

These changes should resolve the version conflict and allow the build to proceed.

[github-actions]

Package keda-2.15: Click to expand/collapse

Package keda-2.15:
Modified: /usr/bin/keda

Package keda-2.15-metrics-apiserver: Click to expand/collapse

Package keda-2.15-metrics-apiserver:
Modified: /usr/bin/keda-adapter

Package keda-2.15-admission-webhooks: Click to expand/collapse

Package keda-2.15-admission-webhooks:
Modified: /usr/bin/keda-admission-webhooks

Package keda-2.15-compat: Click to expand/collapse

Package keda-2.15-compat:
Unchanged

[octo-sts]

Gen AI suggestions to solve the build error:

Based on the build output, it appears the build was successful but encountered an error during the test phase. The main issue seems to be with the ImgRef being empty when trying to run tests.

Here are some steps to debug and fix this:

1. Check your melange.yaml file for the test configuration section. Make sure you have properly defined:

test:
  environment:
    # Add any required env vars
  pipeline:
    - runs: |
        # Add test commands here

2. Verify the test runner configuration:

# At the top level of your melange.yaml
environment:
  contents:
    repositories:
      - https://packages.wolfi.dev/os
    keyring:
      - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
    packages:
      - wolfi-base # Add other test dependencies

test:
  # Your test config here

3. Make sure required test dependencies are available:

• Add wolfi-base and any other required packages to test environment
• Verify repository and keyring configurations are correct

4. Try running with increased verbosity:

melange test --debug --verbose keda-2.15.yaml

5. Validate your pipeline directory structure:

./pipelines/
  ├── build.yml
  └── test.yml

The empty ImgRef suggests the test environment image isn't being created properly. Adding proper test configuration should resolve this issue.

[Aditvil-Dev]

Has multiple replaces for the same package in go.mod: https://github.com/kedacore/keda/blob/main/go.mod#L147

[debasishbsws]

Create a upstream PR to remove it from the go.mod file kedacore/keda#6315

[github-actions]

Package keda-2.15: Click to expand/collapse

Package keda-2.15:
Modified: /usr/bin/keda

Package keda-2.15-metrics-apiserver: Click to expand/collapse

Package keda-2.15-metrics-apiserver:
Modified: /usr/bin/keda-adapter

Package keda-2.15-admission-webhooks: Click to expand/collapse

Package keda-2.15-admission-webhooks:
Modified: /usr/bin/keda-admission-webhooks

Package keda-2.15-compat: Click to expand/collapse

Package keda-2.15-compat:
Unchanged

[JorTurFer]

Hello
I'm Jorge, one of KEDA maintainers 😄
github.com/dgrijalva/jwt-go is used as transitory dependency of github.com/spf13/viper with is a transitory dependency of github.com/spf13/cobra, so sadly it's in use and that's why we added the replace statement there.
We plan to ship v2.16 tomorrow and we have a PR opened with a lot of bumps, preparing tomorrow's release. I have included a bump of this dep to fix the issue -> fba853a (#6305).
Is it enough?
Removing the replaces isn't feasible because of transitory dependencies, e.g: golang-jwt/jwt/v4 is used with affected versions in multiple packages

go mod graph | grep github.com/golang-jwt/jwt/v4                       
github.com/kedacore/keda/v2 github.com/golang-jwt/jwt/[email protected]
github.com/Azure/[email protected] github.com/golang-jwt/jwt/[email protected]
github.com/Azure/go-autorest/[email protected] github.com/golang-jwt/jwt/[email protected]
github.com/Azure/go-autorest/autorest/[email protected] github.com/golang-jwt/jwt/[email protected]
github.com/Azure/go-autorest/autorest/azure/[email protected] github.com/golang-jwt/jwt/[email protected]
github.com/Azure/go-autorest/autorest/azure/[email protected] github.com/golang-jwt/jwt/[email protected]
github.com/bradleyfalzon/ghinstallation/[email protected] github.com/golang-jwt/jwt/[email protected]
k8s.io/[email protected] github.com/golang-jwt/jwt/[email protected]
k8s.io/[email protected] github.com/golang-jwt/jwt/[email protected]
github.com/Azure/go-autorest/autorest/[email protected] github.com/golang-jwt/jwt/[email protected]
github.com/Azure/go-autorest/[email protected] github.com/golang-jwt/jwt/[email protected]
github.com/Azure/go-autorest/autorest/[email protected] github.com/golang-jwt/jwt/[email protected]

I've checked all the replacement and all of them are used somehow with affected versions, although I've just updated the replacement with latest package versions