fix(k8sgpt): Remediate GHSA-f6mr-38g8-39rg by bumping ollama #76609
Chainguard Internal / elastic-build
succeeded
Dec 22, 2025 in 3m 27s
APKs built successfully
Build ID: 39e422db-7894-4002-9639-c2a1c88786b5
Details
builds
x86_64 Logs
Click to expand
NVzRY%2FIIMl9ivMx1dthvHZpLxyU9388dWmWf%2Bayy9eNpyDvxLGBvwY%2Fre4jh73A%3D%3D]
command "curl" completed successfully
upload completed successfully
parsed env
using enhanced syft sbom melange runner
configuring puller identity "720909c9f5279097d847ad02a2f24ba8f59de36a/a49c7fedc33adf69"...
running command chainctl [auth login --audience apk.cgr.dev --identity 720909c9f5279097d847ad02a2f24ba8f59de36a/a49c7fedc33adf69]
Successfully exchanged token.
Valid! Id: 720909c9f5279097d847ad02a2f24ba8f59de36a/a49c7fedc33adf69
Updates are available for chainctl (current version: 0.2.185; latest: 0.2.187). To install, please run:
$ chainctl update
command "chainctl" completed successfully
puller identity configured successfully
puller identity configured successfully
running tests...
running command /usr/bin/dind [dockerd] in background
command "/usr/bin/dind" started successfully
running command bash [-c
# Retry up to 60 seconds to wait for docker to start.
worked=false
for i in $(seq 60); do
if docker info >/dev/null 2>&1; then
worked=true
break
fi
echo "docker healthcheck failed, docker is not ready, retrying... ($i/60 seconds so far)..."
sleep 1
done
if [ "$worked" = "false" ]; then
echo "Failed to start docker after 60 seconds"
exit 1
fi
]
command "bash" completed successfully
melange devel with runner qemu is testing:
image configuration:
contents:
build repositories: []
runtime repositories: []
repositories: []
keyring: []
packages: [busybox etcd k8sgpt kubernetes kwok kwokctl]
accounts:
runas:
users:
- uid=1000(build) gid=1000
groups:
- gid=1000(build) members=[build]
installing wolfi-baselayout (20230201-r24)
installing ca-certificates-bundle (20251003-r0)
installing libgcc (15.2.0-r6)
installing glibc-locale-posix (2.42-r4)
installing glibc (2.42-r4)
installing ld-linux (2.42-r4)
installing libxcrypt (4.5.2-r0)
installing libcrypt1 (2.42-r4)
installing busybox (1.37.0-r50)
installing etcd-3.6 (3.6.7-r0)
installing k8sgpt (0.4.27-r1)
installing kubernetes-1.34 (1.34.3-r0)
installing kwok (0.7.0-r6)
installing kwokctl (0.7.0-r6)
installing wolfi-keys (1-r12)
installing zlib (1.3.1-r51)
installing libcrypto3 (3.6.0-r6)
installing libssl3 (3.6.0-r6)
installing apk-tools (2.14.10-r9)
installing wolfi-base (1-r7)
populating workspace /tmp/melange-workspace-2131948248 from k8sgpt
qemu: generating ssh key pairs for ephemeral VM
qemu: generating SSH host key for VM
qemu: generating base initramfs
image configuration:
contents:
build repositories: [https://apk.cgr.dev/chainguard]
runtime repositories: []
repositories: []
keyring: []
packages: [microvm-init]
installing wolfi-baselayout (20230201-r24)
installing ca-certificates-bundle (20251003-r0)
installing libgcc (15.2.0-r6)
installing glibc-locale-posix (2.42-r4)
installing glibc (2.42-r4)
installing ld-linux (2.42-r4)
installing gnutar-rmt (1.35-r6)
installing gnutar (1.35-r6)
installing libattr1 (2.5.2-r54)
installing attr (2.5.2-r54)
installing zlib (1.3.1-r51)
installing libzstd1 (1.5.7-r5)
installing xz (5.8.2-r0)
installing libcrypto3 (3.6.0-r6)
installing kmod (34.2-r42)
installing libmnl (1.0.5-r6)
installing libbz2-1 (1.0.8-r21)
installing libelf (0.194-r0)
installing libbpf (1.6.2-r0)
installing libverto (0.3.2-r6)
installing krb5-conf (1.0-r7)
installing libcom_err (1.47.3-r1)
installing keyutils-libs (1.6.3-r37)
installing libssl3 (3.6.0-r6)
installing krb5-libs (1.22.1-r1)
installing libtirpc (1.3.7-r1)
installing libpcre2-8-0 (10.47-r0)
installing libsepol (3.9-r1)
installing libselinux (3.9-r1)
installing libnftnl (1.3.1-r0)
installing xtables (1.8.11-r30)
installing libcap (2.77-r0)
installing iproute2 (6.17.0-r2)
installing libstdc++ (15.2.0-r6)
installing inih (62-r1)
installing liburcu (0.15.5-r0)
installing libblkid (2.41.3-r0)
installing libuuid (2.41.3-r0)
installing xfsprogs-core (6.17.0-r2)
installing xfsprogs (6.17.0-r2)
installing libmount (2.41.3-r0)
installing mount (2.41.3-r0)
installing libxcrypt (4.5.2-r0)
installing libcrypt1 (2.42-r4)
installing linux-pam (1.7.1-r4)
installing openssh-keygen (10.2_p1-r2)
installing openssh-server-config (10.2_p1-r2)
installing openssh-server (10.2_p1-r2)
installing ncurses-terminfo-base (6.5_p20251025-r1)
installing ncurses (6.5_p20251025-r1)
installing setarch (2.41.3-r0)
installing libfdisk (2.41.3-r0)
installing sqlite-libs (3.51.1-r0)
installing util-linux (2.41.3-r0)
installing libsmartcols (2.41.3-r0)
installing util-linux-misc (2.41.3-r0)
installing busybox (1.37.0-r50)
installing microvm-init (0.0.1-r15)
qemu: starting VM
qemu: waiting for SSH
conn read: read tcp 127.0.0.1:35546->127.0.0.1:33447: i/o timeout
qemu: meta-data=/dev/vda isize=512 agcount=8, agsize=1638400 blks
qemu: = sectsz=4096 attr=2, projid32bit=1
qemu: = crc=1 finobt=1, sparse=1, rmapbt=1
qemu: = reflink=1 bigtime=1 inobtcount=1 nrext64=1
qemu: = exchange=0 metadir=0
qemu: data = bsize=4096 blocks=13107200, imaxpct=25
qemu: = sunit=0 swidth=0 blks
qemu: naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=0
qemu: log =internal log bsize=4096 blocks=16384, version=2
qemu: = sectsz=4096 sunit=1 blks, lazy-count=1
qemu: realtime =none extsz=4096 blocks=0, rtextents=0
qemu: = rgcount=0 rgsize=0 extents
qemu: = zoned=0 start=0 reserved=0
qemu: Discarding blocks...Done.
qemu: [INIT] Checking for init.d scripts...
qemu: [INIT] No /opt/melange/init.d directory (optional, skipping)
qemu: ssh-keygen: generating new host keys: RSA ECDSA
qemu: Server listening on 0.0.0.0 port 2223.
qemu: Server listening on 0.0.0.0 port 22.
conn read: read tcp 127.0.0.1:35554->127.0.0.1:33447: i/o timeout
qemu: VM started successfully, SSH server is up
qemu: Connection closed by 10.0.2.2 port 35556
qemu: verifying VM host key against pre-provisioned key
qemu: Accepted publickey for root from 10.0.2.2 port 35570 ssh2: ECDSA SHA256:UTKe0yO9uFLUPKjAsJRHA/af7h59TCfUUwPQ4PjakEw
qemu: VM host key successfully verified against pre-provisioned key
qemu: Connection closed by 10.0.2.2 port 35570
qemu: Accepted publickey for root from 10.0.2.2 port 35582 ssh2: ECDSA SHA256:UTKe0yO9uFLUPKjAsJRHA/af7h59TCfUUwPQ4PjakEw
qemu: Accepted publickey for root from 10.0.2.2 port 44816 ssh2: ECDSA SHA256:UTKe0yO9uFLUPKjAsJRHA/af7h59TCfUUwPQ4PjakEw
qemu: Accepted publickey for root from 10.0.2.2 port 35594 ssh2: ECDSA SHA256:UTKe0yO9uFLUPKjAsJRHA/af7h59TCfUUwPQ4PjakEw
qemu: running kernel version: 6.16.10-r2-qemu-generic #Chainguard SMP PREEMPT_DYNAMIC Fri Oct 3 22:31:32 UTC 2025
qemu: setting up local workspace
qemu: unmounting host workspace from guest
running the main test pipeline
Kubernetes debugging powered by AI
Usage:
k8sgpt [command]
Available Commands:
analyze This command will find problems within your Kubernetes cluster
auth Authenticate with your chosen backend
cache For working with the cache the results of an analysis
completion Generate the autocompletion script for the specified shell
custom-analyzer Manage a custom analyzer
dump Creates a dumpfile for debugging issues with K8sGPT
filters Manage filters for analyzing Kubernetes resources
generate Generate Key for your chosen backend (opens browser)
help Help about any command
integration Integrate another tool into K8sGPT
serve Runs k8sgpt as a server
version Print the version number of k8sgpt
Flags:
--config string Default config file (/root/.config/k8sgpt/k8sgpt.yaml)
-h, --help help for k8sgpt
--kubeconfig string Path to a kubeconfig. Only required if out-of-cluster.
--kubecontext string Kubernetes context to use. Only required if out-of-cluster.
-v, --verbose Show detailed tool actions (e.g., API calls, checks).
Use "k8sgpt [command] --help" for more information about a command.
k8sgpt: dev (e7b7a5d), built at: 2025-12-22T06:05:49Z
running step "test/kwok/cluster"
{"time":"2025-12-22T06:06:53.063990752Z","level":"INFO","source":{"function":"sigs.k8s.io/kwok/pkg/kwokctl/cmd/create/cluster.runE","file":"sigs.k8s.io/kwok/pkg/kwokctl/cmd/create/cluster/cluster.go","line":304},"msg":"Cluster is creating","cluster":"kwok"}
{"time":"2025-12-22T06:06:53.279267087Z","level":"INFO","source":{"function":"sigs.k8s.io/kwok/pkg/kwokctl/cmd/create/cluster.runE","file":"sigs.k8s.io/kwok/pkg/kwokctl/cmd/create/cluster/cluster.go","line":311},"msg":"Cluster is created","cluster":"kwok","elapsed":{"nanosecond":215282206,"human":"215.282206ms"}}
{"time":"2025-12-22T06:06:53.282657848Z","level":"INFO","source":{"function":"sigs.k8s.io/kwok/pkg/kwokctl/cmd/create/cluster.runE","file":"sigs.k8s.io/kwok/pkg/kwokctl/cmd/create/cluster/cluster.go","line":344},"msg":"Cluster is starting","cluster":"kwok"}
{"time":"2025-12-22T06:06:54.184841618Z","level":"INFO","source":{"function":"sigs.k8s.io/kwok/pkg/kwokctl/cmd/create/cluster.runE","file":"sigs.k8s.io/kwok/pkg/kwokctl/cmd/create/cluster/cluster.go","line":349},"msg":"Cluster is started","cluster":"kwok","elapsed":{"nanosecond":902176539,"human":"902.176539ms"}}
{"time":"2025-12-22T06:06:54.212100072Z","level":"INFO","source":{"function":"sigs.k8s.io/kwok/pkg/kwokctl/cmd/scale.runE","file":"sigs.k8s.io/kwok/pkg/kwokctl/cmd/scale/scale.go","line":112},"msg":"No resource found, use default resource","cluster":"kwok","resource":"node"}
{"time":"2025-12-22T06:06:54.233493118Z","level":"INFO","source":{"function":"sigs.k8s.io/kwok/pkg/kwokctl/snapshot.(*Loader).finishLoad","file":"sigs.k8s.io/kwok/pkg/kwokctl/snapshot/load.go","line":187},"msg":"Load resources","cluster":"kwok","name":"node","replicas":1,"resource":"nodes","counter":1,"elapsed":{"nanosecond":3813101,"human":"3.813101ms"}}
Attempt 1: /healthz not ready, retrying...
aarch64 Logs
Click to expand
ute: git config --global --add safe.directory /home/build
[git checkout] execute: git clone --quiet --origin=origin --config=user.name=Melange Build [email protected] --config=advice.detachedHead=false --branch=v0.4.27 --depth=1 https://github.com/k8sgpt-ai/k8sgpt /tmp/tmp.z5AEOJ
[git checkout] execute: cd /tmp/tmp.z5AEOJ
[git checkout] tar -c . | tar -C "/home/build" -x
[git checkout] execute: cd /home/build
[git checkout] execute: git config --global --add safe.directory /home/build
[git checkout] execute: git fetch --quiet origin --depth=1 --no-tags +refs/tags/v0.4.27:refs/origin/tags/v0.4.27
[git checkout] execute: git checkout --quiet origin/tags/v0.4.27
[git checkout] tag v0.4.27 is e7b7a5db47aaee418fbd2a4b9e5afeef6bebc0a4
running step "go/bump"
2025/12/22 06:05:34 Running go mod tidy with go version '1.25.5' ...
2025/12/22 06:05:38 Update package: golang.org/x/oauth2
2025/12/22 06:05:38 Running go mod edit -droprequire ...
2025/12/22 06:05:38 Running go get ...
2025/12/22 06:05:38 Update package: github.com/containerd/containerd
2025/12/22 06:05:38 Running go mod edit -droprequire ...
2025/12/22 06:05:38 Running go get ...
2025/12/22 06:05:39 Update package: golang.org/x/crypto
2025/12/22 06:05:39 Running go mod edit -droprequire ...
2025/12/22 06:05:39 Running go get ...
2025/12/22 06:05:40 Update package: github.com/expr-lang/expr
2025/12/22 06:05:40 Running go mod edit -droprequire ...
2025/12/22 06:05:40 Running go get ...
2025/12/22 06:05:40 Update package: github.com/ollama/ollama
2025/12/22 06:05:40 Running go mod edit -droprequire ...
2025/12/22 06:05:40 Running go get ...
2025/12/22 06:05:42 Running go mod tidy with go version '1.25.5' ...
go version go1.25.5 linux/arm64
===========> Building binary /home/build/bin/k8sgpt *[Git Info]: v0.4.27.dirty-e7b7a5db47aaee418fbd2a4b9e5afeef6bebc0a4
running step "strip"
retrieving workspace from builder:
retrieved and wrote post-build workspace to: /tmp/melange-workspace-2998287144
running package linters for k8sgpt
linting apk: k8sgpt
no lint findings to persist for package k8sgpt
checking license information
LICENSE: Apache-2.0 (0.996178) (notice)
checking gathered license information against the configuration
no license differences detected
license information check complete
generating enhanced Syft SBOMs merged with melange metadata
invalid license: NOASSERTION
created base melange SBOMs with build metadata
scanning package directory with Syft to enhance SBOM
generating SBOM from unpacked directory
finished Syft SBOM generation
successfully merged Syft scan results with melange SBOM
enhanced all SBOMs with Syft scan results
generating package k8sgpt-0.4.27-r1
scanning for ld.so.conf.d files...
scanning for shared object dependencies...
2025/12/22 06:06:03 INFO completed enhanced Syft SBOM generation with merged metadata
scanning for commands...
found command usr/bin/k8sgpt
scanning for -doc package...
scanning for pkg-config data...
scanning for python modules...
scanning for ruby gems...
scanning for shbang deps...
scanning for kernel dependencies...
runtime:
ca-certificates-bundle
provides:
cmd:k8sgpt=0.4.27-r1
installed-size: 104240500
data.tar.gz digest: 7af542f5c764d2dee5986f1b95037631a5691248311ca456e3494570415cee97
wrote packages/aarch64/k8sgpt-0.4.27-r1.apk
cleaning Workspace by removing 30 file/directories in /home/build
generating apk index from packages in packages/aarch64
processing package packages/aarch64/k8sgpt-0.4.27-r1.apk
updating index at packages/aarch64/APKINDEX.tar.gz with new packages: [k8sgpt-0.4.27-r1]
build completed successfully
running malcontent scan...
found 1 APK files to scan
scanning packages/aarch64/k8sgpt-0.4.27-r1.apk -> packages/k8sgpt-0.4.27-r1/mal-scan.json
running command mal [--format=json --exit-extraction=false --min-risk=critical --min-file-risk=critical --quantity-increases-risk=true --output=packages/k8sgpt-0.4.27-r1/mal-scan.json scan packages/aarch64/k8sgpt-0.4.27-r1.apk]
command "mal" completed successfully
malcontent scan completed successfully for 1 APKs in 10s
creating packages tarball...
running command tar [-C packages -cf packages.tar .]
command "tar" completed successfully
packages.tar sha256sum: d4e85291422043a089c8863812b5d11dfb184b35dd555043bff7eb56fac52659
sha256sum "d4e85291422043a089c8863812b5d11dfb184b35dd555043bff7eb56fac52659" written to /dev/termination-log
Built 1 packages, hash: d4e85291422043a089c8863812b5d11dfb184b35dd555043bff7eb56fac52659, size: 29680128 bytes
uploading final packages tarball...
running command curl [-s --upload-file packages.tar -H Content-Type: application/octet-stream https://storage.googleapis.com/prod-bundle-staging/wolfi/aarch64/1766383526510757558-k8sgpt-0.4.27-r1.tar.gz?Expires=1766426726&GoogleAccessId=ebuild-zasv64d5x1oc4m3epw39yod%40prod-enforce-fabc.iam.gserviceaccount.com&Signature=UR5NXTCini8%2BhcHDdp%2BDe54DaPa2vK7NWNVGVMy06RxCT7hP3q7Sh6Jh2DqfY7Wm9NdAI8Fu1xT093RcMBNMiRr1%2F6PX6egIjDJ8%2Fmh0%2BEbPEA8WKghSuuFX6gFWO7fth8oDEMFVbcFI7wV9wbnaPEwvGgT%2FSQZFcic9BP1gF2ox1ZjlVX0trDvpBVr1IcUKBid90kupMTuxovn%2BU%2FDMsOX9CFVDZhsfQmERe%2BhrdfTD3xEcKyxcC4PpDBZ2GD5lIoh3nSdszDm%2Bmdk91HgoVP0eNvMDSg9ruE%2BPQx96l0J0bdC%2F3jeqJs69SUCf7STdlmHC%2FNNmCYfYKwFTLcfSPw%3D%3D]
command "curl" completed successfully
upload completed successfully
parsed env
using enhanced syft sbom melange runner
configuring puller identity "720909c9f5279097d847ad02a2f24ba8f59de36a/a49c7fedc33adf69"...
running command chainctl [auth login --audience apk.cgr.dev --identity 720909c9f5279097d847ad02a2f24ba8f59de36a/a49c7fedc33adf69]
Successfully exchanged token.
Valid! Id: 720909c9f5279097d847ad02a2f24ba8f59de36a/a49c7fedc33adf69
Updates are available for chainctl (current version: 0.2.185; latest: 0.2.187). To install, please run:
$ chainctl update
command "chainctl" completed successfully
puller identity configured successfully
puller identity configured successfully
running tests...
running command /usr/bin/dind [dockerd] in background
command "/usr/bin/dind" started successfully
running command bash [-c
# Retry up to 60 seconds to wait for docker to start.
worked=false
for i in $(seq 60); do
if docker info >/dev/null 2>&1; then
worked=true
break
fi
echo "docker healthcheck failed, docker is not ready, retrying... ($i/60 seconds so far)..."
sleep 1
done
if [ "$worked" = "false" ]; then
echo "Failed to start docker after 60 seconds"
exit 1
fi
]
command "bash" completed successfully
melange devel with runner docker is testing:
image configuration:
contents:
build repositories: []
runtime repositories: []
repositories: []
keyring: []
packages: [busybox etcd k8sgpt kubernetes kwok kwokctl]
accounts:
runas:
users:
- uid=1000(build) gid=1000
groups:
- gid=1000(build) members=[build]
installing wolfi-baselayout (20230201-r24)
installing ca-certificates-bundle (20251003-r0)
installing libgcc (15.2.0-r6)
installing glibc-locale-posix (2.42-r4)
installing glibc (2.42-r4)
installing ld-linux (2.42-r4)
installing libxcrypt (4.5.2-r0)
installing libcrypt1 (2.42-r4)
installing busybox (1.37.0-r50)
installing etcd-3.6 (3.6.7-r0)
installing k8sgpt (0.4.27-r1)
installing kubernetes-1.34 (1.34.3-r0)
installing kwok (0.7.0-r6)
installing kwokctl (0.7.0-r6)
installing wolfi-keys (1-r12)
installing zlib (1.3.1-r51)
installing libcrypto3 (3.6.0-r6)
installing libssl3 (3.6.0-r6)
installing apk-tools (2.14.10-r9)
installing wolfi-base (1-r7)
layer digest: sha256:83f783f5ebe33494ba2a44e2ac8cd6257ad5977f90f6d71d72a80cbcff5aa701
layer diffID: sha256:c023615ea8295836dc314c2bfd878185964059d44c8fc2ed630c894eb761eb86
saving OCI image locally: apko.local/cache:34f056d1f375c4310971f744c4056854e42459bf319611acfb5a6fe5b2570e70
tagging local image apko.local/cache:34f056d1f375c4310971f744c4056854e42459bf319611acfb5a6fe5b2570e70 as index.docker.io/library/melange:latest
populating workspace /tmp/melange-workspace-2315638396 from k8sgpt
running the main test pipeline
Kubernetes debugging powered by AI
Usage:
k8sgpt [command]
Available Commands:
analyze This command will find problems within your Kubernetes cluster
auth Authenticate with your chosen backend
cache For working with the cache the results of an analysis
completion Generate the autocompletion script for the specified shell
custom-analyzer Manage a custom analyzer
dump Creates a dumpfile for debugging issues with K8sGPT
filters Manage filters for analyzing Kubernetes resources
generate Generate Key for your chosen backend (opens browser)
help Help about any command
integration Integrate another tool into K8sGPT
serve Runs k8sgpt as a server
version Print the version number of k8sgpt
Flags:
--config string Default config file (/home/build/.config/k8sgpt/k8sgpt.yaml)
-h, --help help for k8sgpt
--kubeconfig string Path to a kubeconfig. Only required if out-of-cluster.
--kubecontext string Kubernetes context to use. Only required if out-of-cluster.
-v, --verbose Show detailed tool actions (e.g., API calls, checks).
Use "k8sgpt [command] --help" for more information about a command.
k8sgpt: dev (e7b7a5d), built at: 2025-12-22T06:05:43Z
running step "test/kwok/cluster"
{"time":"2025-12-22T06:06:49.725787333Z","level":"INFO","source":{"function":"sigs.k8s.io/kwok/pkg/kwokctl/cmd/create/cluster.runE","file":"sigs.k8s.io/kwok/pkg/kwokctl/cmd/create/cluster/cluster.go","line":304},"msg":"Cluster is creating","cluster":"kwok"}
{"time":"2025-12-22T06:06:49.977793858Z","level":"INFO","source":{"function":"sigs.k8s.io/kwok/pkg/kwokctl/cmd/create/cluster.runE","file":"sigs.k8s.io/kwok/pkg/kwokctl/cmd/create/cluster/cluster.go","line":311},"msg":"Cluster is created","cluster":"kwok","elapsed":{"nanosecond":252014139,"human":"252.014139ms"}}
{"time":"2025-12-22T06:06:49.97928691Z","level":"INFO","source":{"function":"sigs.k8s.io/kwok/pkg/kwokctl/cmd/create/cluster.runE","file":"sigs.k8s.io/kwok/pkg/kwokctl/cmd/create/cluster/cluster.go","line":344},"msg":"Cluster is starting","cluster":"kwok"}
Indexes
https://apk.cgr.dev/wolfi-presubmit/64f8d1d8678247a220fa113a6e1448fa719db842
Packages
- ✅ k8sgpt (success | 1m4s | x86_64 logs | aarch64 logs)
Tests
- ✅ k8sgpt (success | 21s | x86_64 logs | aarch64 logs)
More Observability
Command
cg build log \
--build-id 39e422db-7894-4002-9639-c2a1c88786b5 \
--project prod-wolfi-os \
--cluster elastic-pre-a \
--namespace pre-wolfi \
--start 2025-12-22T06:03:31Z \
--end 2025-12-22T06:16:59Z
Loading