solr/9.8.0-r0: cve remediation #42295

Open
wants to merge 1 commit into
base: main

@octo-sts octo-sts bot commented Feb 11, 2025

solr/9.8.0-r0: fix GHSA-4g8c-wm8x-jfhw

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/solr.advisories.yaml

Source code for this service: https://go/cve-remedy-automation-source

Logs for this execution: https://go/cve-remedy-automation-logs

Docs for this service: (not provided yet)

octo-sts bot commented Feb 11, 2025

⚠️ EXPERIMENTAL

Please use 👍 or 👎 on this comment to indicate if you agree or disagree with the recommendation.

To provide more detailed feedback please comment on the recommendation prefixed with /ai-verify:

e.g. /ai-verify partially helpful but I also added bash to the build environment

Gen AI suggestions to solve the build error:

Based on the error output, let me analyze and provide a solution:

• Detected Error: Implicit failure in git-checkout step with no tag found (The build stops after attempting git clone)

• Error Category: Version/Configuration

• Failure Point: git-checkout pipeline step failing to find the specified tag

• Root Cause Analysis: The tag format specified in the git-checkout step (releases/solr/9.8.0) doesn't match Apache Solr's actual release tag format. Apache Solr uses different tag naming conventions.

• Suggested Fix:
Modify the git-checkout step in the YAML to use the correct tag format:

  - uses: git-checkout
    with:
      repository: https://github.com/apache/solr
      expected-commit: 8bf0100e502ade4b8161e4b90f762b117a6ef442
      tag: rel/solr/${{package.version}}

Also update the update section accordingly:

update:
  enabled: true
  github:
    use-tag: true
    identifier: apache/solr
    strip-prefix: rel/solr/
    tag-filter: rel/solr/

• Explanation: Apache Solr uses the prefix rel/solr/ for their release tags rather than releases/solr/. This can be verified in their GitHub repository tags section. The fix changes the tag format to match the actual format used by the upstream repository.

• Additional Notes:

  • The commit hash appears correct but the tag format is preventing checkout
  • This is a common issue when upstream projects change their tag naming conventions
  • The rest of the build configuration looks correct for Solr 9.8.0

• References:

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Feb 11, 2025
@jamie-albert jamie-albert self-assigned this Feb 13, 2025