extism/1.6.1-r0: cve remediation

[octo-sts]

Automated CVE update.
Needed a tweak to the go.mod root dir, as used to exist in sub-dir, that was refactored in this commit. Now inherits from parent go.mod.

---

extism/1.6.1-r0: fix GHSA-v778-237x-gjrc

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/extism.advisories.yaml

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error: There's no explicit error message in the log, but the failure appears to be related to using Go 1.23.4 which is not a valid Go version.

• Error Category: Configuration/Version

• Failure Point: The go/bump step where it attempts to run with Go 1.23.4

• Root Cause Analysis: Go 1.23.4 is an invalid version number as Go versions follow the pattern 1.x where x is currently ≤ 21. The build system is trying to use a non-existent Go version.

• Suggested Fix:
Update the environment section to use a valid Go version by adding:

environment:
  contents:
    packages:
      - build-base
      - busybox
      - ca-certificates-bundle
      - openssf-compiler-options
      - go-1.21    # Replace go-1.23 with go-1.21

• Explanation:

• Go versioning follows a strict pattern of 1.x
• The latest stable version is Go 1.21.x
• The build system needs a valid Go toolchain to execute the go/bump and go/build steps
• Using go-1.21 will provide a supported and stable version of Go for building

• Additional Notes:

• The package appears to be a CLI tool written in Go
• Go 1.21.x is the current stable version recommended for production use
• Future updates should align with Go's release schedule
• Consider adding a minimum Go version requirement in the package metadata

• References:

• Go Release Policy: https://golang.org/doc/devel/release
• Current Go Releases: https://golang.org/dl/
• Wolfi Go Package Guidelines: https://github.com/wolfi-dev/os/tree/main/go.yaml

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error: "Failed to running update. Error: unable to parse the go mod file with error: open go.mod: no such file or directory"

• Error Category: Build Configuration

• Failure Point: go/bump step trying to find go.mod file

• Root Cause Analysis: The build is failing because the go/bump step cannot find the go.mod file. This is because the repository's Go module files are in a different directory structure than what's specified in the melange configuration.

• Suggested Fix: Update the modroot path in both go/bump and go/build steps to match the repository structure:

  - uses: go/bump
    with:
      deps: golang.org/x/crypto@v0.31.0
      modroot: .

  - uses: go/build
    with:
      modroot: .
      packages: .
      output: extism

• Explanation: Looking at the extism/cli repository structure, the go.mod file is in the root directory, not in an "extism" subdirectory. The current configuration is looking for go.mod in an "extism" subdirectory which doesn't exist. Changing modroot to "." will make it look in the root directory where the go.mod actually exists.

• Additional Notes:

• The git checkout step is working correctly as it's getting the right commit
• The repository structure has the Go files in the root directory
• The modroot parameter should point to where go.mod is located
• This is a common issue when packaging Go applications with different directory structures

• References:

• https://github.com/extism/cli/blob/main/go.mod (Shows go.mod in root directory)
• https://github.com/chainguard-dev/melange/blob/main/pkg/build/types/pipeline.go#L73-L82 (Melange go/bump documentation)