
bat/0.24.0-r4: cve remediation #36334

Merged: 3 commits merged into main from cve-bat-fcef6f443148b461b264a975e7c5aa78 on Jan 6, 2025

Conversation

octo-sts[bot] (Contributor) commented Dec 11, 2024

octo-sts[bot] (Contributor, Author) commented Dec 11, 2024

Gen AI suggestions to solve the build error:

• Detected Error: No explicit error message shown in the log, but the build appears to stop after installing dependencies without completing the build process.

• Error Category: Build/Configuration

• Failure Point: After dependency installation, before cargo build process

• Root Cause Analysis: The issue appears to be related to Rust version compatibility. The package is using rust-1.83, but bat 0.24.0 may require a newer version of Rust.

• Suggested Fix:

  1. Update the environment section to specify a newer Rust version:

```yaml
environment:
  contents:
    packages:
      - build-base
      - busybox
      - ca-certificates-bundle
      - cargo-auditable
      - libgit2-dev
      - openssf-compiler-options
      - rust>=1.70.0
      - zlib-dev
```

  2. Alternatively, add RUSTFLAGS environment variable:

```yaml
environment:
  contents:
    packages:
      - build-base
      - busybox
      - ca-certificates-bundle
      - cargo-auditable
      - libgit2-dev
      - openssf-compiler-options
      - rust
      - zlib-dev
  environment:
    RUSTFLAGS: "-C target-feature=+crt-static"
```

• Explanation:

  • bat 0.24.0 may have minimum Rust version requirements that aren't met
  • The static linking flag helps avoid potential dynamic linking issues with glibc
  • These changes ensure compatibility with the build environment

• Additional Notes:

  • bat is a Rust project that typically requires recent Rust toolchain versions
  • The package uses cargo-auditable which needs proper Rust toolchain setup
  • Consider checking bat's Cargo.toml for minimum rust-version field

• References:

octo-sts[bot] (Contributor, Author) commented Jan 6, 2025

Gen AI suggestions to solve the build error:

• Detected Error: "solving 'so:libgit2.so.1.8' constraint: libgit2-1.8.0-r0.apk disqualified because libgit2-1.9.0-r0.apk already provides cmd:git2"

• Error Category: Dependency

• Failure Point: Package dependency resolution during build environment setup

• Root Cause Analysis: There's a version mismatch between the installed libgit2 (1.9.0) and the version required by rust (1.8.x). The rust package specifically requires libgit2 1.8.x, but a newer version (1.9.0) is being pulled in.

• Suggested Fix:

  1. Pin the libgit2-dev package version in the environment section:

```yaml
environment:
  contents:
    packages:
      - build-base
      - busybox
      - ca-certificates-bundle
      - cargo-auditable
      - libgit2-dev=1.8.4-r0
      - openssf-compiler-options
      - rust
      - zlib-dev
```

• Explanation: By explicitly pinning libgit2-dev to version 1.8.4-r0, we ensure compatibility with the rust package's requirements. This version satisfies the so:libgit2.so.1.8 dependency while avoiding conflicts with newer versions.

• Additional Notes:

  • This is a common issue when dependencies get updated independently
  • Once rust is updated to support libgit2 1.9.x, this pin can be removed
  • Consider filing an upstream issue to track rust's compatibility with newer libgit2 versions

• References:
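The two bot comments above recommend two checks a maintainer would make by hand: reading the crate's `rust-version` field from Cargo.toml against the toolchain in the build environment, and seeing which candidate versions of a package an apk-style constraint such as `libgit2-dev=1.8.4-r0` or `rust>=1.70.0` admits. The script below is an added example that is not part of the PR, of bat, or of the melange/apk tooling: the Cargo.toml excerpt, the package list and the version index are constructed, the manifest is read with a regex rather than a TOML parser, and the version comparator is a simplified one that only understands dotted numerics with an optional `-rN` release suffix (apk's real comparator handles more forms).

```python
import re
from typing import Optional

# Constructed Cargo.toml excerpt in the shape of a [package] table (not bat's real manifest).
SAMPLE_CARGO_TOML = """
[package]
name = "example-cli"
version = "0.24.0"
edition = "2021"
rust-version = "1.74"
"""

# Constructed melange-style environment package list, mirroring the shape of the snippets above.
SAMPLE_PACKAGES = [
    "build-base",
    "cargo-auditable",
    "libgit2-dev=1.8.4-r0",
    "rust>=1.70.0",
    "zlib-dev",
]

# Constructed index of candidate package versions, as a repository index would supply them.
SAMPLE_INDEX = {
    "libgit2-dev": ["1.8.4-r0", "1.9.0-r0"],
    "rust": ["1.83.0-r1"],
    "build-base": ["1-r8"],
    "cargo-auditable": ["0.6.4-r2"],
    "zlib-dev": ["1.3.1-r1"],
}


def parse_version(v: str) -> tuple:
    """Split '1.8.4-r0' into ((1, 8, 4), 0); a missing release suffix counts as r0."""
    base, _, rel = v.partition("-r")
    nums = tuple(int(p) for p in base.split("."))
    return nums, int(rel) if rel else 0


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b; shorter numeric tuples are zero-padded."""
    (na, ra), (nb, rb) = parse_version(a), parse_version(b)
    width = max(len(na), len(nb))
    na, nb = na + (0,) * (width - len(na)), nb + (0,) * (width - len(nb))
    return ((na > nb) - (na < nb)) or ((ra > rb) - (ra < rb))


# Operators in apk constraint syntax; each maps a compare() result to pass/fail.
OPS = {
    ">=": lambda c: c >= 0,
    "<=": lambda c: c <= 0,
    "=": lambda c: c == 0,
    ">": lambda c: c > 0,
    "<": lambda c: c < 0,
}


def parse_constraint(spec: str):
    """Split 'libgit2-dev=1.8.4-r0' into (name, operator, version); a bare name has no operator."""
    m = re.fullmatch(r"([^<>=]+)(>=|<=|=|<|>)?(.*)", spec)
    return m.group(1), m.group(2), m.group(3)


def resolve(spec: str, index: dict) -> Optional[str]:
    """Newest indexed version satisfying the constraint, or None when nothing qualifies."""
    name, op, ver = parse_constraint(spec)
    candidates = index.get(name, [])
    if op:
        candidates = [c for c in candidates if OPS[op](compare(c, ver))]
    return max(candidates, key=parse_version, default=None)


def check_environment(packages, index) -> dict:
    """Map each package spec to the version the constraint selects (None = unresolvable)."""
    return {spec: resolve(spec, index) for spec in packages}


def min_rust_version(cargo_toml: str) -> Optional[str]:
    """Read the crate's declared MSRV from the rust-version field, if present."""
    m = re.search(r'^rust-version\s*=\s*"([^"]+)"', cargo_toml, re.M)
    return m.group(1) if m else None


def toolchain_satisfies_msrv(cargo_toml: str, toolchain: str) -> bool:
    """True when the toolchain version is at least the crate's rust-version (or none is declared)."""
    msrv = min_rust_version(cargo_toml)
    return msrv is None or compare(toolchain, msrv) >= 0


if __name__ == "__main__":
    for spec, chosen in check_environment(SAMPLE_PACKAGES, SAMPLE_INDEX).items():
        print(f"{spec:28} -> {chosen}")
    print("msrv:", min_rust_version(SAMPLE_CARGO_TOML),
          "ok with 1.83.0:", toolchain_satisfies_msrv(SAMPLE_CARGO_TOML, "1.83.0"))
```

Without the pin, `libgit2-dev` resolves to the newest candidate (1.9.0-r0), which is the situation the second comment's error message describes; with `=1.8.4-r0` only that version qualifies. The MSRV check is the quick way to test the first comment's hypothesis before changing the toolchain constraint.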

@hbh7 self-assigned this Jan 6, 2025
@octo-sts[bot] added the bincapz/pass label (Bincapz, aka malcontent, scan didn't detect any CRITICALs on the scanned packages) Jan 6, 2025
@hbh7 requested a review from a team January 6, 2025 20:19
@powersj merged commit df2e83c into main Jan 6, 2025
14 checks passed
@powersj deleted the cve-bat-fcef6f443148b461b264a975e7c5aa78 branch January 6, 2025 22:55
Labels: automated pr, bat/0.24.0-r4, bincapz/pass, GHSA-h97m-ww89-6jmq, request-cve-remediation, rust/cargobump