
docker-machine-driver-harvester/1.0.5-r3: cve remediation #77688

Closed
octo-sts[bot] wants to merge 1 commit into main from cve-docker-machine-driver-harvester-1.0.5-r3-80728a3eaaed8f22c9788a5ff0de8c7c

Conversation


@octo-sts octo-sts Bot commented Jan 9, 2026

docker-machine-driver-harvester/1.0.5-r3: fix GHSA-7xgm-5prm-v5gc

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/docker-machine-driver-harvester.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/harvester/docker-machine-driver-harvester@v1.0.5

@octo-sts octo-sts Bot added automated pr request-cve-remediation go/bump p:docker-machine-driver-harvester GHSA-7xgm-5prm-v5gc P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jan 9, 2026

octo-sts Bot commented Jan 9, 2026

📦 Build Failed: Missing Dependency

go: module kubevirt.io/api@latest found (v1.7.0, replaced by github.com/kubevirt/api@v1.6.0), but does not contain package kubevirt.io/api/pool/v1beta1

Build Details

Category        Details
Build System    go
Failure Point   go mod tidy during go/bump step

Root Cause Analysis 🔍

The kubevirt.io/api module replacement to github.com/kubevirt/api@v1.6.0 does not contain the required package kubevirt.io/api/pool/v1beta1 that is imported by the dependency chain. This is a module compatibility issue where the replaced version lacks necessary packages.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: Melange YAML pipeline section

  • Modification at the deps section (go/bump step deps section)
    Original:
      kubevirt.io/kubevirt@v1.7.0
    Replacement:
      kubevirt.io/kubevirt@v1.6.0
    Content:
      Change the kubevirt.io/kubevirt dependency version to match the replaced api version

Analysis

No similar build failures were found in the past records, so pattern analysis cannot be performed. However, the error indicates a module compatibility issue where kubevirt.io/api@v1.7.0 is being replaced by github.com/kubevirt/api@v1.6.0, but the older v1.6.0 version lacks the pool/v1beta1 package that is required by the dependency chain. This is a classic case where a module replacement points to an older version that doesn't have all the necessary packages.


Explanation

The build failure occurs because there's a version mismatch between kubevirt.io/kubevirt@v1.7.0 and the replaced kubevirt.io/api module (github.com/kubevirt/api@v1.6.0). The v1.7.0 kubevirt module likely expects to use kubevirt.io/api@v1.7.0 which contains the pool/v1beta1 package, but the module replacement forces it to use v1.6.0 which doesn't have this package. By downgrading kubevirt.io/kubevirt to v1.6.0, we ensure version compatibility between the main kubevirt module and its api dependency. This should resolve the missing package error since both modules will be at the same compatible version level.


Alternative Approaches

  • Remove the kubevirt.io/kubevirt dependency entirely if it's not actually needed by the application
  • Check if there's a newer version of github.com/kubevirt/api that contains the pool/v1beta1 package and update the replacement accordingly
  • Investigate if the pool/v1beta1 import can be removed or replaced with an alternative package that exists in v1.6.0

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
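As an added illustration (not code from this PR, from Wolfi, or from the harvester project), a small Go check that lints a constructed go.mod for the pattern the comment describes: a replace directive pinning a module to a version other than the one the module graph requires, which is how a package that exists only in the newer version ends up missing at go mod tidy time. FindReplaceMismatches and sampleGoMod are hypothetical names, and the parser handles single-line replace directives only.

```go
package main

import "strings"

// Constructed go.mod modelled on the failing chain in the bot comment:
// kubevirt.io/api is required at v1.7.0 but a replace pins an older v1.6.0 fork.
const sampleGoMod = `module example.com/constructed
require (
	kubevirt.io/api v1.7.0
	kubevirt.io/kubevirt v1.7.0 // indirect
)
replace kubevirt.io/api => github.com/kubevirt/api v1.6.0
`

// Mismatch is a replace whose pinned version differs from the required version.
type Mismatch struct{ Module, Required, Target, TargetVersion string }

// FindReplaceMismatches (hypothetical helper; single-line replace directives only)
// collects require entries and flags every replace that pins a different version.
func FindReplaceMismatches(gomod string) []Mismatch {
	required := map[string]string{}
	var replaces [][3]string // module, target path, target version
	inRequire := false
	for _, raw := range strings.Split(gomod, "\n") {
		if i := strings.Index(raw, "//"); i >= 0 { // strip "// indirect" and other comments
			raw = raw[:i]
		}
		line := strings.TrimSpace(raw)
		f := strings.Fields(line)
		switch {
		case line == "require (":
			inRequire = true
		case line == ")":
			inRequire = false
		case len(f) == 3 && f[0] == "require":
			required[f[1]] = f[2]
		case inRequire && len(f) == 2:
			required[f[0]] = f[1]
		case len(f) == 5 && f[0] == "replace" && f[2] == "=>":
			replaces = append(replaces, [3]string{f[1], f[3], f[4]})
		}
	}
	var out []Mismatch
	for _, r := range replaces { // evaluated after parsing so directive order does not matter
		if v, ok := required[r[0]]; ok && v != r[2] {
			out = append(out, Mismatch{r[0], v, r[1], r[2]})
		}
	}
	return out
}
```

A non-empty result is a signal to either align the replace target with the required version or drop the replace, rather than downgrading unrelated modules until the build happens to pass.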

@octo-sts octo-sts Bot added the ai/skip-comment Stop AI from commenting on PR label Jan 9, 2026

octo-sts Bot commented Jan 12, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-xf3h-xq82-4jqh has the latest event type of "pending-upstream-fix"

View with: cg advisory show CGA-xf3h-xq82-4jqh
Or view on GitHub: https://github.com/wolfi-dev/advisories/blob/main/docker-machine-driver-harvester.advisories.yaml

ID:      CGA-xf3h-xq82-4jqh
Package: docker-machine-driver-harvester
Aliases: CVE-2025-64436 GHSA-7xgm-5prm-v5gc
Events:
  - "pending-upstream-fix" at 2025-11-18 23:15:40 UTC

🔀 v2 advisory logic would not have closed this PR: Found 6 advisories, but 2 of them are not resolved (CGA-4fg7-x8fj-qmr5, CGA-8phq-j9mq-86x8).

@aborrero aborrero force-pushed the cve-docker-machine-driver-harvester-1.0.5-r3-80728a3eaaed8f22c9788a5ff0de8c7c branch from 37fcb71 to 3d05135 on January 15, 2026 11:41

octo-sts Bot commented Jan 15, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-xf3h-xq82-4jqh has the latest event type of "pending-upstream-fix"

View with: cg advisory show CGA-xf3h-xq82-4jqh
Or view on GitHub: https://github.com/wolfi-dev/advisories/blob/main/docker-machine-driver-harvester.advisories.yaml

ID:      CGA-xf3h-xq82-4jqh
Package: docker-machine-driver-harvester
Aliases: CVE-2025-64436 GHSA-7xgm-5prm-v5gc
Events:
  - "pending-upstream-fix" at 2025-11-18 23:15:40 UTC

🔀 v2 advisory logic would not have closed this PR: Found 4 advisories, but 2 of them are not resolved (CGA-f2c8-4gc7-96g7, CGA-46px-2frx-25fc).

@octo-sts octo-sts Bot closed this Jan 15, 2026
@aborrero aborrero reopened this Jan 15, 2026

octo-sts Bot commented Jan 16, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-f2c8-4gc7-96g7 has the latest event type of "PENDING_UPSTREAM_FIX"

View with: cg adv show CGA-f2c8-4gc7-96g7

ID:      CGA-f2c8-4gc7-96g7
Package: docker-machine-driver-harvester
Aliases: CVE-2025-64436 GHSA-7xgm-5prm-v5gc GO-2025-4104 CGA-6j77-9g4p-7r55
Events:
  - "DETECTION" at 2025-11-19 09:36:22 UTC
  - "PENDING_UPSTREAM_FIX" at 2026-01-16 08:42:03 UTC

@octo-sts octo-sts Bot closed this Jan 16, 2026