jaeger/1.63.0-r0: cve remediation #36694

Closed
wants to merge 3 commits into from

@octo-sts octo-sts bot commented Dec 12, 2024

octo-sts bot commented Dec 12, 2024

Gen AI suggestions to solve the build error:

• Detected Error: error RangeError: Internal error. Icu error. during yarn install
• Error Category: Build/Configuration
• Failure Point: yarn install step in jaeger-all-in-one subpackage pipeline
• Root Cause Analysis: The error occurs due to an ICU (International Components for Unicode) compatibility issue between Node.js and the system's ICU libraries

• Suggested Fix:

  1. Add icu and icu-full to the environment packages:

      environment:
        contents:
          packages:
            - busybox
            - ca-certificates-bundle
            - nodejs-20
            - npm
            - yarn
            - icu
            - icu-full

  2. Set the ICU environment variable before yarn install:

      subpackages:
        - range: jaeger-components
          name: "${{package.name}}-${{range.key}}"
          pipeline:
            - runs: |
                if [[ "${{range.key}}" = "all-in-one" ]]; then
                  export NODE_ICU_DATA=/usr/share/icu
                  mkdir -p jaeger-ui/packages/jaeger-ui/build
                  rm -rf cmd/query/app/ui/actual/*
                  yarn install --frozen-lockfile --cwd jaeger-ui
                  cd jaeger-ui/packages/jaeger-ui/build
                  yarn build
                fi

• Explanation: The error occurs because Node.js requires proper ICU support for internationalization features, including string sorting used by yarn. Adding the ICU packages and setting NODE_ICU_DATA ensures proper locale handling.

• Additional Notes:

  • This is a known issue when building Node.js applications in containers without proper ICU support
  • The fix ensures proper internationalization support needed by yarn's dependency resolution
  • Consider using --ignore-scripts with yarn install if security is a concern

• References:

mamccorm force-pushed the cve-jaeger-24822774d1fcbfd4fb349645af912758 branch from 52d6652 to b2b1ec1 on December 12, 2024 23:45

octo-sts bot commented Dec 12, 2024

Gen AI suggestions to solve the build error:

• Detected Error: error RangeError: Internal error. Icu error. at String.localeCompare

• Error Category: Build/Configuration

• Failure Point: Yarn package installation during the jaeger-all-in-one subpackage build

• Root Cause Analysis: The error occurs due to an ICU (International Components for Unicode) localization issue when Yarn tries to sort packages. This is typically caused by missing or incompatible ICU data libraries.

• Suggested Fix:

  1. Add icu-libs and icu-data-full to the environment contents section:

      environment:
        contents:
          packages:
            - busybox
            - ca-certificates-bundle
            - nodejs-20
            - npm
            - yarn
            - icu-libs
            - icu-data-full

  2. Set the LANG environment variable:

      environment:
        contents:
          packages:
            # ... existing packages ...
        environment:
          LANG: "en_US.UTF-8"

• Explanation: The error occurs because Yarn's string sorting operations require proper ICU support. Adding the ICU libraries and setting the locale ensures proper internationalization support during the build process.

• Additional Notes:

  • This is a known issue with Yarn when running in environments with incomplete locale/ICU support
  • The fix ensures proper internationalization support for Node.js/Yarn operations
  • The error specifically appears during package dependency resolution and linking
  • Setting LANG ensures consistent locale behavior

• References:

hbh7 commented Dec 16, 2024

Looks to be suffering from https://chainguard-dev.slack.com/archives/C05CM0DM7RV/p1734381916719169, can't proceed until we have a fix.

hbh7 self-assigned this Dec 16, 2024

octo-sts bot commented Dec 16, 2024

Gen AI suggestions to solve the build error:

Based on the build error, here's my analysis and solution:

• Detected Error:

error during build:
src/components/common/LoadingIndicator.tsx (16:9): "LuLoader2" is not exported by "../../node_modules/react-icons/lu/index.mjs"

• Error Category: Dependency/Build

• Failure Point: React component build step in jaeger-ui frontend compilation

• Root Cause Analysis: The LoadingIndicator component is trying to import a non-existent icon (LuLoader2) from react-icons/lu package, likely due to a version mismatch or incorrect import path

• Suggested Fix:

  1. Add missing react-icons dependency first:

      environment:
        contents:
          packages:
            - busybox
            - ca-certificates-bundle
            - nodejs-20
            - npm
            - yarn
            # Add react-icons
            - react-icons

  2. Update the LoadingIndicator.tsx import to use a different loader icon that exists in react-icons:

      // Change from:
      import { LuLoader2 } from 'react-icons/lu';
      // To:
      import { CgSpinner } from 'react-icons/cg';
      // or
      import { AiOutlineLoading } from 'react-icons/ai';

• Explanation: The build is failing because it cannot find the specified icon in the react-icons package. This is likely because either:

  1. The react-icons version being used doesn't contain this specific icon
  2. The import path is incorrect
  3. The package is not properly installed

• Additional Notes:

  • The build system is using Node.js 20.x
  • This is a UI component build failure, not a backend service issue
  • The error is happening during the Vite build process
  • Consider adding a package.json check step to verify dependencies

• References:
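
The failure diagnosed above (a named import that the installed package version does not export) can be caught before the bundler runs. The following check is an added example, not part of this thread or of the jaeger-ui code base; the function names and both sample inputs are constructed for illustration.

```javascript
// Constructed sample source file (not copied from jaeger-ui).
const SAMPLE_SOURCE = `
import * as React from 'react';
import { LuLoader2 } from 'react-icons/lu';
import { IoAlert, IoCheckmark as Ok } from 'react-icons/io5';
`;
// Constructed stand-ins for the installed package's index.mjs files.
const SAMPLE_INSTALLED = {
  'react-icons/lu': 'export function LuLoader (props) {}\nexport function LuLoaderCircle (props) {}',
  'react-icons/io5': 'export function IoAlert (props) {}\nexport function IoCheckmark (props) {}',
};

// Collect every `import { A, B as C } from 'module'` binding in a source text.
function namedImports(source) {
  const found = [];
  const re = /import\s*(?:type\s+)?\{([^}]*)\}\s*from\s*['"]([^'"]+)['"]/g;
  for (const m of source.matchAll(re)) {
    for (const part of m[1].split(',')) {
      const name = part.trim().split(/\s+as\s+/)[0].trim(); // imported name, not the alias
      if (name) found.push({ module: m[2], name });
    }
  }
  return found;
}

// Collect the names an ES module text exports (declarations and `export { ... }` lists).
function exportedNames(moduleText) {
  const names = new Set();
  const decl = /export\s+(?:async\s+)?(?:function|const|let|var|class)\s+([A-Za-z_$][\w$]*)/g;
  for (const m of moduleText.matchAll(decl)) names.add(m[1]);
  for (const m of moduleText.matchAll(/export\s*\{([^}]*)\}/g)) {
    for (const part of m[1].split(',')) {
      const pieces = part.trim().split(/\s+as\s+/);
      const name = pieces[pieces.length - 1].trim(); // exported (public) name
      if (name) names.add(name);
    }
  }
  return names;
}

// Report imports that the installed module text does not export.
function missingExports(source, installed) {
  return namedImports(source)
    .filter(({ module }) => module in installed)
    .filter(({ module, name }) => !exportedNames(installed[module]).has(name))
    .map(({ module, name }) => `${name} is not exported by ${module}`);
}

console.log(missingExports(SAMPLE_SOURCE, SAMPLE_INSTALLED));
```

In a real pipeline the `installed` map would be filled by reading the resolved files under `node_modules` after `yarn install --frozen-lockfile`, so the check reflects exactly the versions the lockfile pins.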

hbh7 commented Dec 16, 2024

No idea how to fix this issue as it has nothing to do with any changes made here (1.63.0 doesn't build at all anymore) and I can't find any info online. Escalating in the interest of sustaining focus on CVEs this week.

hbh7 added the help wanted, blocked, interrupt and eng:ecosystems labels Dec 16, 2024

hbh7

hbh7 commented Dec 18, 2024

Reason for Escalation / Level of Urgency

Failing build blocking CVE remediation, somewhat urgent but not immediately critical.

If prospect/customer issue, please provide needed by date

N/A

Short Description (Context / Steps already done) / Error Messages / Logs

There's an error during build:
src/components/common/LoadingIndicator.tsx (16:9): "LuLoader2" is not exported by "../../node_modules/react-icons/lu/index.mjs"

Steps to Reproduce

  1. Run build before or after CVE remediation (doesn't matter)
  2. See error

Customers / Images / SLA affected

Unknown

Possible Solution

Unknown

@mamccorm

Out of date PR with conflicts. This has been fixed in v1.65, which is the latest in wolfi. See fixed events:

mamccorm closed this Jan 16, 2025
Labels: automated pr, blocked, GHSA-v778-237x-gjrc, go/bump, help wanted, interrupt, jaeger/1.63.0-r0, request-cve-remediation