
Conversation


@octo-sts octo-sts bot commented Jan 10, 2026

gitlab-runner-18.6/18.6.6-r0: fix CVE-2024-36623

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/gitlab-runner-18.6.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories:

@octo-sts octo-sts bot added automated pr request-cve-remediation go/bump CVE-2024-36623 p:gitlab-runner-18.6 P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jan 10, 2026

octo-sts bot commented Jan 10, 2026

🔢 Build Failed: Dependency Version Mismatch

package github.com/docker/docker: requested version 'v25.0.4', is already at version 'v28.0.0+incompatible'

Build Details

Category        Details
Build System    melange/gobump
Failure Point   go/bump step using gobump tool

Root Cause Analysis 🔍

The gobump tool is attempting to downgrade the github.com/docker/docker package from version v28.0.0+incompatible to v25.0.4, which is not allowed. This indicates a version constraint conflict where the requested version is older than what's already available in the module.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: gitlab-runner-18.6.yaml

  • modification at line 78-81 (pipeline go/bump step)

Original:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/crypto@v0.45.0
        github.com/docker/docker@v25.0.4

Replacement:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/crypto@v0.45.0
        github.com/docker/docker@v28.0.0

Content:

Update github.com/docker/docker from v25.0.4 to v28.0.0 to resolve the version conflict where the module already has v28.0.0+incompatible

Analysis

Looking at the three similar fixes, there's a clear pattern: all failed builds involved attempts to downgrade github.com/docker/docker to older versions when newer versions were already present in the module graph. Fix #0 resolved this by explicitly adding github.com/docker/docker@v28.0.0 to the go/bump deps section. Fix #1 removed problematic replace directives and updated to use github.com/docker/docker@v28.3.3. Fix #2 was creating new package files but the pattern shows updating to newer compatible Docker versions. The consistent solution across all fixes is to specify a newer version of github.com/docker/docker in the go/bump step that's compatible with the existing module constraints rather than trying to force a downgrade.


Explanation

The current build failure occurs because gobump is trying to downgrade github.com/docker/docker from v28.0.0+incompatible (which is already present in the module graph) to v25.0.4 (which is specified in the YAML). Go's module system prevents downgrades, causing the build to fail. By updating the version specification from v25.0.4 to v28.0.0, we align with what's already resolved in the module dependencies. This matches the exact pattern seen in Fix #0, where the same issue was resolved by updating the docker/docker version from v25.0.8 to v28.0.0. The v28.0.0 version is a stable release that should be compatible with gitlab-runner's requirements, and using this version eliminates the version conflict that's causing the build failure.


Alternative Approaches

  • Remove the explicit github.com/docker/docker version constraint entirely and let Go's module resolution determine the appropriate version automatically
  • Update to the latest Docker v28.x version (like v28.3.3 as seen in Fix #1) for the most recent security patches and bug fixes
  • Add a preliminary step to check the existing docker/docker version in go.mod and conditionally set the version based on what's already present

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
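Added example, not code from the PR, from gobump or from gitlab-runner: a pre-check that implements the last of the alternatives listed above, reading the versions already required in go.mod and refusing any go/bump entry that would be a downgrade before gobump is ever run. It applies Go's module version rule that build metadata such as "+incompatible" is ignored when ordering versions, so pinning github.com/docker/docker@v28.0.0 against an existing v28.0.0+incompatible compares equal and passes, while v25.0.4 is reported. The go.mod fragment and the deps list are constructed for this example, and the function names (parseRequires, semverParts, compareVersions, checkBumps) are the example's own, not gobump's.

```go
package main

import (
	"cmp"
	"fmt"
	"strings"
)

// Constructed go.mod fragment for illustration; not gitlab-runner's real go.mod.
const sampleGoMod = `module gitlab.com/gitlab-org/gitlab-runner
require (
	github.com/docker/docker v28.0.0+incompatible
	golang.org/x/crypto v0.44.0 // indirect
)`

// Constructed go/bump deps list, shaped like the melange `deps: |-` block quoted in the PR.
const sampleDeps = `golang.org/x/crypto@v0.45.0
github.com/docker/docker@v25.0.4`

// parseRequires maps module -> version for every line inside `require (...)` blocks.
// Only the first two fields are read, so a trailing "// indirect" comment is harmless.
func parseRequires(gomod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		switch line = strings.TrimSpace(line); {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) >= 2 {
				reqs[f[0]] = f[1]
			}
		}
	}
	return reqs
}

// semverParts splits "vX.Y.Z-pre+build" into numeric core and pre-release tag; ok is false unless
// the core is three integers. Build metadata after '+' (so "+incompatible") is discarded, as Go's ordering ignores it.
func semverParts(v string) (core [3]int, pre string, ok bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	v, pre, _ = strings.Cut(v, "-") // pre-release tag or pseudo-version suffix, if any
	n, _ := fmt.Sscanf(v, "%d.%d.%d", &core[0], &core[1], &core[2])
	return core, pre, n == 3
}

// compareVersions returns -1, 0 or 1 like semver.Compare, so v28.0.0 equals v28.0.0+incompatible.
func compareVersions(a, b string) (int, error) {
	ca, pa, okA := semverParts(a)
	cb, pb, okB := semverParts(b)
	if !okA || !okB {
		return 0, fmt.Errorf("cannot compare %q with %q: not semver", a, b)
	}
	for i := range ca {
		if c := cmp.Compare(ca[i], cb[i]); c != 0 {
			return c, nil
		}
	}
	// A release outranks its own pre-release; two pre-releases compare lexically (pseudo-versions by timestamp).
	if pa == "" || pb == "" {
		return strings.Compare(pb, pa), nil
	}
	return strings.Compare(pa, pb), nil
}

// Downgrade is a go/bump entry gobump refuses because go.mod already requires a newer version.
type Downgrade struct{ Module, Requested, Current string }

// checkBumps compares each `module@version` in a deps list against go.mod and returns the downgrades.
// Blank or malformed lines and modules not yet in go.mod (gobump adds those) are skipped.
func checkBumps(gomod, deps string) ([]Downgrade, error) {
	reqs := parseRequires(gomod)
	var out []Downgrade
	for _, line := range strings.Split(deps, "\n") {
		mod, want, ok := strings.Cut(strings.TrimSpace(line), "@")
		have, present := reqs[mod]
		if !ok || !present {
			continue
		}
		c, err := compareVersions(want, have)
		if err != nil {
			return nil, err
		}
		if c < 0 {
			out = append(out, Downgrade{mod, want, have})
		}
	}
	return out, nil
}

func main() {
	ds, err := checkBumps(sampleGoMod, sampleDeps)
	for _, d := range ds {
		fmt.Printf("%s: requested %s is older than go.mod's %s; raise the pin\n", d.Module, d.Requested, d.Current)
	}
	if err != nil {
		fmt.Println("error:", err)
	}
}
```

Run it against the package's go.mod and the YAML's deps list before the go/bump step, and treat every reported entry as a pin to raise rather than a constraint to force: a CVE remediation that moves a module backwards would reintroduce whatever the newer version already fixed, which is exactly what gobump's refusal guards against.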

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 10, 2026

octo-sts bot commented Jan 12, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-jx5f-4jh9-95pr has the latest event type of "false-positive-determination"

View with: cg advisory show CGA-jx5f-4jh9-95pr
Or view on GitHub: https://github.com/wolfi-dev/advisories/blob/main/gitlab-runner-18.6.advisories.yaml

ID:      CGA-jx5f-4jh9-95pr
Package: gitlab-runner-18.6
Aliases: CVE-2024-36623 GHSA-gh5c-3h97-2f3q
Events:
  - "scan/v1" at 2025-11-27 11:27:15 UTC
  - "false-positive-determination" at 2025-11-30 20:29:08 UTC

@octo-sts octo-sts bot closed this Jan 12, 2026
@aborrero aborrero reopened this Jan 15, 2026
@aborrero aborrero force-pushed the cve-gitlab-runner-18.6-18.6.6-r0-2ea5affd444e1103d022bbe18bb5ce81 branch from 0884153 to 18a6d5d on January 15, 2026 11:39

octo-sts bot commented Jan 15, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-jx5f-4jh9-95pr has the latest event type of "false-positive-determination"

View with: cg advisory show CGA-jx5f-4jh9-95pr
Or view on GitHub: https://github.com/wolfi-dev/advisories/blob/main/gitlab-runner-18.6.advisories.yaml

ID:      CGA-jx5f-4jh9-95pr
Package: gitlab-runner-18.6
Aliases: CVE-2024-36623 GHSA-gh5c-3h97-2f3q
Events:
  - "scan/v1" at 2025-11-27 11:27:15 UTC
  - "false-positive-determination" at 2025-11-30 20:29:08 UTC


octo-sts bot commented Jan 15, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-85wf-m9xh-qmh3 has the latest event type of "FALSE_POSITIVE_DETERMINATION"

View with: cg adv show CGA-85wf-m9xh-qmh3

ID:      CGA-85wf-m9xh-qmh3
Package: gitlab-runner-18.6
Aliases: CVE-2024-36623 GHSA-gh5c-3h97-2f3q GO-2024-3305 CGA-r6j8-q9qv-pwh9
Events:
  - "DETECTION" at 2025-11-27 11:27:15 UTC
  - "FIXED" at 2025-11-28 09:10:38 UTC
  - "FALSE_POSITIVE_DETERMINATION" at 2025-11-30 20:29:08 UTC

@octo-sts octo-sts bot closed this Jan 15, 2026
2 participants