@octo-sts octo-sts bot commented Jan 14, 2026

@octo-sts octo-sts bot added automated pr request-cve-remediation go/bump GHSA-whqx-f9j3-ch6m p:falcoctl P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jan 14, 2026
octo-sts bot commented Jan 14, 2026

📦 Build Failed: Missing Dependency

go: github.com/falcosecurity/falcoctl/pkg/driver/distro imports github.com/falcosecurity/driverkit/pkg/driverbuilder imports k8s.io/kubectl/pkg/cmd/exec imports k8s.io/kubectl/pkg/polymorphichelpers imports k8s.io/kubectl/pkg/describe imports k8s.io/api/networking/v1alpha1: module k8s.io/api@latest found (v0.35.0), but does not contain package k8s.io/api/networking/v1alpha1

Build Details

| Category | Details |
| --- | --- |
| Build System | go |
| Failure Point | go mod tidy command during go/bump step |

Root Cause Analysis 🔍

The k8s.io/api module version v0.35.0 does not contain the required package k8s.io/api/networking/v1alpha1. This indicates that the networking/v1alpha1 API was either removed, moved, or renamed in the Kubernetes API version being used. The gobump tool is attempting to update dependencies but fails because of this missing package dependency.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: falcoctl.yaml

  • addition at line 25-26 (pipeline go/bump section)
    Original:
      deps: |-
        golang.org/x/[email protected]
        github.com/sigstore/cosign/[email protected]

Replacement:

      deps: |-
        golang.org/x/[email protected]
        github.com/sigstore/cosign/[email protected]
      replaces: |-
        k8s.io/api=k8s.io/[email protected]

Content:

Add replaces directive to pin k8s.io/api to v0.31.12 which contains the networking/v1alpha1 package

Analysis

The similar fixes show a consistent pattern of addressing Kubernetes API module compatibility issues by pinning specific versions of k8s.io modules that contain the required packages. In Fix Examples #1 and #2, the solution was to use the "replaces" directive in go/bump to downgrade k8s.io/apiserver from v0.33.4 to v0.31.12, which still contained the missing package. The current failure involves k8s.io/[email protected] missing networking/v1alpha1, which follows the same pattern - a newer Kubernetes API version removed a deprecated alpha API package.

Explanation

The fix works by using Go's replace directive to override the automatic version resolution for k8s.io/api. The networking/v1alpha1 API was deprecated and removed in newer Kubernetes versions (v0.35.0), but it still exists in earlier versions like v0.31.12. By pinning k8s.io/api to v0.31.12, we ensure that the falcoctl dependency chain can find the required networking/v1alpha1 package while still allowing other dependencies to use newer versions. This approach mirrors the successful fixes in the similar cases where k8s.io/apiserver was pinned to v0.31.12 to resolve missing package issues.

Alternative Approaches

  • Update the falcoctl source code to use the newer Kubernetes networking API (v1 or v1beta1) instead of the deprecated v1alpha1, though this would require upstream changes
  • Pin to a different compatible k8s.io/api version between v0.31.12 and v0.34.x that still contains networking/v1alpha1
  • Use go mod replace directives in a go.mod file if the project structure supports it, though the melange go/bump approach is more standard

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 14, 2026