starship/1.21.1-r0: cve remediation #36235

Merged: 2 commits merged into main from cve-starship-fcef6f443148b461b264a975e7c5aa78 on Jan 5, 2025

Conversation

octo-sts bot (Contributor) commented Dec 10, 2024

octo-sts bot (Contributor, Author) commented Dec 10, 2024

Gen AI suggestions to solve the build error:

• Detected Error:

error: failed to select a version for the requirement `idna = "^0.5.0"`
candidate versions found which didn't match: 1.0.0
location searched: crates.io index
required by package `url v2.5.2`

• Error Category: Dependency/Version

• Failure Point: rust/cargobump step during dependency resolution

• Root Cause Analysis:
There's a version conflict in the Rust dependency chain. The package url v2.5.2 requires idna ^0.5.0, but only version 1.0.0 is available. This is a breaking change in the idna crate.

• Suggested Fix:
Add a cargo override in the pipeline to pin the specific version:

pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/starship/starship
      tag: v${{package.version}}
      expected-commit: 47ccc3603dc20edf4bb59e56b26d19f78a41e770

  - runs: |
      cargo update -p idna --precise 0.5.0

  - uses: rust/cargobump

  - runs: |
      cargo auditable build --release
      install -Dm755 target/release/starship "${{targets.destdir}}"/usr/bin/starship

• Explanation:
The cargo update -p idna --precise 0.5.0 command will explicitly pin the idna crate to version 0.5.0 before the cargobump step runs, resolving the version conflict.

• Additional Notes:

  • This is a common issue when upstream dependencies have breaking changes
  • The fix ensures compatibility while maintaining the required version constraints
  • Alternative approach would be to update url and its dependencies, but that could introduce more compatibility issues

• References:

@Dentrax Dentrax self-assigned this Jan 5, 2025
octo-sts bot (Contributor, Author) commented Jan 5, 2025

Gen AI suggestions to solve the build error:

Based on the build log provided, I can analyze the failure:

• Detected Error: No explicit error message is shown in the log, but the output stops after installing dependencies, suggesting the build fails during the Rust compilation phase.

• Error Category: Build Configuration

• Failure Point: After dependency installation, likely during cargo auditable build --release

• Root Cause Analysis:
The issue appears to be a mismatch between the installed Rust version (1.83.0) and the potential minimum required Rust version for Starship 1.21.1.

• Suggested Fix:
Modify the Melange YAML to specify the correct Rust version by adding:

environment:
  contents:
    packages:
      - build-base
      - busybox
      - ca-certificates-bundle
      - cargo-auditable
      - cmake
      - openssf-compiler-options
      - rust-1.70
      - rust # Change to latest compatible version

• Explanation:
Starship may require a specific minimum Rust version for compilation. The current build is using Rust 1.83.0 which could be incompatible. Looking at Starship's release history and rust-version requirements, ensuring we use a compatible Rust version should resolve the build failure.

• Additional Notes:

  • Starship has specific Rust version requirements in its Cargo.toml
  • The build environment is properly set up with all required dependencies
  • Consider adding rust-src component if needed for full compilation
  • Adding verbose flags to cargo build could provide more detailed error information

• References:

  • Starship Repo: https://github.com/starship/starship
  • Starship's minimum supported Rust version (MSRV) requirements are typically documented in their Cargo.toml
  • Wolfi's Rust package documentation and version availability

Would you like me to suggest any additional debugging steps or provide more specific version requirements?

@Dentrax Dentrax force-pushed the cve-starship-fcef6f443148b461b264a975e7c5aa78 branch from dbb90ee to 3271463 on January 5, 2025 14:17
Signed-off-by: Dentrax <[email protected]>
@Dentrax Dentrax force-pushed the cve-starship-fcef6f443148b461b264a975e7c5aa78 branch from 3271463 to 2496876 on January 5, 2025 14:19
@octo-sts octo-sts bot added the bincapz/pass label (Bincapz, aka. malcontent, scan didn't detect any CRITICALs on the scanned packages) Jan 5, 2025
@cpanato cpanato merged commit ec4b076 into main Jan 5, 2025
14 checks passed
@cpanato cpanato deleted the cve-starship-fcef6f443148b461b264a975e7c5aa78 branch January 5, 2025 16:26
Labels: automated pr, bincapz/pass (Bincapz, aka. malcontent, scan didn't detect any CRITICALs on the scanned packages), GHSA-h97m-ww89-6jmq, request-cve-remediation, rust/cargobump, starship/1.21.1-r0