
docker/28.0.1-r2: cve remediation #46982

Merged: 2 commits from cve-docker-5ea6d856a3231441d06e0f3f027ae16a into main, Mar 17, 2025

Conversation

@octo-sts octo-sts bot commented Mar 16, 2025

docker/28.0.1-r2: fix GHSA-qxp5-gwg8-xv66

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/docker.advisories.yaml

Source code for this service: https://go/cve-remedy-automation-source

Logs for this execution: https://go/cve-remedy-automation-logs

Docs for this service: (not provided yet)

octo-sts bot commented Mar 16, 2025

⚠️ EXPERIMENTAL

Please use 👍 or 👎 on this comment to indicate if you agree or disagree with the recommendation.

To provide more detailed feedback please comment on the recommendation prefixed with /ai-verify:

e.g. /ai-verify partially helpful but I also added bash to the build environment

Gen AI suggestions to solve the build error:

Based on the error message and the melange YAML file, I'll provide a specific analysis and solution:

• Detected Error:

failed to run 'go mod tidy': exit status 1 with output: go: go.mod file not found in current directory or any parent directory

• Error Category: Build Configuration

• Failure Point: The go/bump step in the pipeline attempting to update dependencies

• Root Cause Analysis:
The error occurs because moby/moby uses a custom vendoring system with vendor.mod instead of the standard Go modules system. The go/bump action assumes a standard go.mod file exists.

• Suggested Fix:
Remove the go/bump step and incorporate the dependency update directly in the sed commands:

pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/moby/moby
      tag: v${{package.version}}
      expected-commit: bbd0a17ccc67e48d4a69393287b7fcc4f0578683

  - runs: |
      # Update golang.org/x/net directly in vendor.mod
      sed -i 's|golang.org/x/net v0.33.0|golang.org/x/net v0.36.0|' vendor.mod
      # ... rest of your existing sed commands ...

• Explanation:
The Docker Engine (moby/moby) project intentionally uses a custom vendoring system with vendor.mod instead of go.mod. The go/bump action is incompatible with this approach. By removing it and handling the dependency update through direct modification of vendor.mod, we maintain the project's intended dependency management system.

• Additional Notes:

  • Docker's vendoring system is managed through hack/vendor.sh
  • All dependency updates should be done via vendor.mod modifications
  • The existing sed commands already handle the necessary security updates
  • This approach better aligns with upstream Docker's build system

• References:

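As an added example (not code from this PR or from wolfi-dev/os), the shell functions below apply the vendor.mod bump that the suggested runs: step performs and then check whether vendor/modules.txt still records the same version, which is the point a reviewer of this remediation would want to verify; the file contents are constructed fragments, not moby's real files, and the function names are assumptions.

```shell
# Added example: edit vendor.mod the way the suggested step does, then detect
# the case where vendor.mod was changed without re-vendoring (hack/vendor.sh),
# so the vendored source under vendor/ would still be the old release.
# Assumes GNU sed (sed -i without a suffix) and a POSIX sh.

# bump_vendor_mod DIR MODULE OLD NEW: exact-match replacement of the require
# line, the same sed the suggestion uses; fails if nothing would change.
bump_vendor_mod() {
    if ! grep -q "^[[:space:]]*$2 $3\$" "$1/vendor.mod"; then
        echo "no require line '$2 $3' in vendor.mod" >&2
        return 1
    fi
    sed -i "s|$2 $3|$2 $4|" "$1/vendor.mod"
}

# required_version DIR MODULE: version pinned in vendor.mod
required_version() {
    sed -n "s|^[[:space:]]*$2 \([^ ]*\).*|\1|p" "$1/vendor.mod"
}

# vendored_version DIR MODULE: version recorded in vendor/modules.txt
vendored_version() {
    sed -n "s|^# $2 \([^ ]*\).*|\1|p" "$1/vendor/modules.txt"
}

# check_vendor_consistency DIR MODULE: succeeds only when both files agree
check_vendor_consistency() {
    req=$(required_version "$1" "$2")
    ven=$(vendored_version "$1" "$2")
    [ -n "$req" ] && [ "$req" = "$ven" ]
}

# make_sample_tree: constructed vendor.mod and vendor/modules.txt fragments
# (hypothetical, not moby's files) with the versions named in the suggestion.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/vendor"
    printf 'module github.com/docker/docker\n\nrequire (\n\tgolang.org/x/net v0.33.0\n\tgolang.org/x/sys v0.30.0\n)\n' > "$d/vendor.mod"
    printf '# golang.org/x/net v0.33.0\n## explicit; go 1.18\ngolang.org/x/net/http2\n# golang.org/x/sys v0.30.0\n## explicit; go 1.18\ngolang.org/x/sys/unix\n' > "$d/vendor/modules.txt"
    echo "$d"
}

# Usage: the bump itself succeeds, but the tree is inconsistent until re-vendored.
d=$(make_sample_tree)
bump_vendor_mod "$d" golang.org/x/net v0.33.0 v0.36.0
check_vendor_consistency "$d" golang.org/x/net || echo "vendor/ is stale for golang.org/x/net: re-run hack/vendor.sh" >&2
rm -rf "$d"
```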
@octo-sts octo-sts bot added the ai/skip-comment (Stop AI from commenting on PR) label Mar 16, 2025
…deps

Signed-off-by: Mark McCormick <mark.mccormick@chainguard.dev>
@mamccorm mamccorm self-assigned this Mar 16, 2025
@octo-sts octo-sts bot added the bincapz/pass (Bincapz, aka malcontent, scan didn't detect any CRITICALs on the scanned packages) and manual/review-needed labels Mar 16, 2025
@mamccorm mamccorm requested a review from a team March 16, 2025 10:27
@mamccorm mamccorm enabled auto-merge (squash) March 16, 2025 10:27
@mamccorm mamccorm merged commit cfbc56f into main Mar 17, 2025
21 checks passed
@mamccorm mamccorm deleted the cve-docker-5ea6d856a3231441d06e0f3f027ae16a branch March 17, 2025 08:47
Labels: ai/skip-comment (Stop AI from commenting on PR), automated pr, bincapz/pass (Bincapz, aka malcontent, scan didn't detect any CRITICALs on the scanned packages), GHSA-qxp5-gwg8-xv66, go/bump, manual/review-needed, request-cve-remediation