[VULN-59766] Remove direct dependency on github.com/docker/docker v28#31
Closed
This change removes the following packages to reduce the size of the Trivy library:
- magefiles
- pkg/cloud
- pkg/compliance
- pkg/iac
- pkg/k8s
- pkg/misconf
- pkg/policy
Co-Authored-By: David du Colombier <djc@datadoghq.com>
This change has been imported from: https://github.com/kovacs-levent/trivy/tree/parse-binary-versions
This change reverts parts of the changes done in commit: Re-use existing `ErrorCallback` WalkOption in post-analysis fs walks. Reading the content of the /var/lib/dpkg/info directory is optional and the /var/lib/dpkg/status.d directory is particularly uncommon. We should not trigger errors when these directories do not exist.
In RHEL 9 for Edge, /var/lib/rpm is a symlink to /usr/share/rpm.
Instead of specifying the tagged reference, let's allow creating a container artifact with multiple repository tags.
This reverts commit 916430a.
…thub.com/moby/moby

Migrate all direct imports of github.com/docker/docker to the equivalent github.com/moby/moby sub-modules (client v0.2.2 and api v1.53.0), eliminating the vulnerable dependency from production and test code.

Production code:
- pkg/fanal/image/daemon: migrate Docker client, types, and API calls to moby/moby/client and moby/moby/api/types/image
- pkg/fanal/artifact/container: replace docker/docker/pkg/system with containerd/continuity/sysx for Lgetxattr

Test code:
- Replace HostConfigModifier callbacks with AutoRemove field on testcontainers.ContainerRequest in all integration tests
- Migrate all test imports from docker/docker to moby/moby equivalents
- Update test expected values for the new InspectResponse type

go.mod:
- Add direct dependencies on moby/moby/client and moby/moby/api
- docker/docker demoted to indirect (transitive only)
- Add replace directive redirecting docker/docker to patched moby/moby 27.x branch commit (v27.5.2-0.20250218170852-77446557b0f8)

Jira: VULN-59766, VULN-59767, VULN-59774, VULN-59775
Jira: CONTINT-5217, CONTINT-5218, CONTINT-5219, CONTINT-5220

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
github.com/docker/docker v28
sysx.LGetxattr (from containerd/continuity) returns an error for ENODATA (attribute not set), whereas the previous docker/docker system.Lgetxattr returned (nil, nil). Without this fix, the container layer walk would fail on every directory lacking the overlay opaque xattr — i.e. virtually all directories. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
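The ENODATA mapping that commit describes, written out as an added example (this is not the PR's or Trivy's code). The xattr reader is injected as a function with the shape of `sysx.LGetxattr`, so the logic runs offline against a constructed in-memory layer instead of real files; `lgetxattrOptional`, `isOpaqueDir`, `walkOpaqueDirs`, `fakeFS` and the sample paths are this example's own names. The `trusted.overlay.opaque` attribute and its `y` value are the overlayfs convention the layer walk checks for.

```go
package main

import (
	"errors"
	"fmt"
	"syscall"
)

// opaqueXattr is the overlayfs attribute that marks a directory as opaque
// (it hides the same directory from lower layers). Its value is "y".
const opaqueXattr = "trusted.overlay.opaque"

// getxattrFunc has the shape of sysx.LGetxattr from containerd/continuity
// (and of the old docker/docker system.Lgetxattr): raw value or error.
// It is injected so the logic can be exercised with the fake layer below.
type getxattrFunc func(path, attr string) ([]byte, error)

// lgetxattrOptional restores the docker/docker contract on top of an
// LGetxattr-style function: an attribute that is simply not set (ENODATA)
// yields (nil, nil) rather than an error. Every other error, e.g. EACCES
// or ENOENT, is still reported so "not set" stays distinct from "unreadable".
func lgetxattrOptional(get getxattrFunc, path, attr string) ([]byte, error) {
	v, err := get(path, attr)
	if err == nil {
		return v, nil
	}
	// The underlying call may return the bare errno or a wrapped error;
	// errors.Is handles both.
	if errors.Is(err, syscall.ENODATA) {
		return nil, nil
	}
	return nil, fmt.Errorf("lgetxattr %s %s: %w", attr, path, err)
}

// isOpaqueDir reports whether a layer directory carries trusted.overlay.opaque=y.
// Most directories do not, which is exactly the case that became a walk
// failure when ENODATA was surfaced as an error.
func isOpaqueDir(get getxattrFunc, path string) (bool, error) {
	v, err := lgetxattrOptional(get, path, opaqueXattr)
	if err != nil {
		return false, err
	}
	return string(v) == "y", nil
}

// fakeFS is a constructed stand-in for a layer: path -> xattrs, plus paths
// whose lookup fails outright. No real filesystem access happens.
type fakeFS struct {
	xattrs map[string]map[string][]byte
	fail   map[string]error
}

func (f fakeFS) LGetxattr(path, attr string) ([]byte, error) {
	if err, ok := f.fail[path]; ok {
		return nil, err
	}
	attrs, ok := f.xattrs[path]
	if !ok {
		return nil, syscall.ENOENT
	}
	v, ok := attrs[attr]
	if !ok {
		return nil, syscall.ENODATA // attribute not set: the common case
	}
	return v, nil
}

// walkOpaqueDirs mimics the relevant part of a layer walk: visit each
// directory, collect the opaque ones, fail only on real read errors.
func walkOpaqueDirs(get getxattrFunc, dirs []string) ([]string, error) {
	var opaque []string
	for _, d := range dirs {
		ok, err := isOpaqueDir(get, d)
		if err != nil {
			return nil, err
		}
		if ok {
			opaque = append(opaque, d)
		}
	}
	return opaque, nil
}

// sampleLayer builds the constructed layer used by main.
func sampleLayer() fakeFS {
	return fakeFS{
		xattrs: map[string]map[string][]byte{
			"/etc":           {},                         // no xattrs at all
			"/usr/lib":       {"user.note": []byte("x")},  // unrelated xattr only
			"/var/cache/apt": {opaqueXattr: []byte("y")}, // opaque: hides lower dir
		},
		fail: map[string]error{"/root/secret": syscall.EACCES},
	}
}

func main() {
	fs := sampleLayer()
	opaque, err := walkOpaqueDirs(fs.LGetxattr, []string{"/etc", "/usr/lib", "/var/cache/apt"})
	fmt.Println(opaque, err)
	_, err = walkOpaqueDirs(fs.LGetxattr, []string{"/etc", "/root/secret"})
	fmt.Println(err)
}
```

Without the ENODATA branch, the first walk would abort on `/etc`, the very first directory, which is the failure the commit describes; with it, only the genuinely unreadable `/root/secret` stops the second walk.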
Author (Member): Superseded by #32.
Summary
- Migrate all direct imports of `github.com/docker/docker` to the equivalent `github.com/moby/moby` sub-modules (`client` v0.2.2 and `api` v1.53.0)
- Replace `docker/docker/pkg/system.Lgetxattr` with `containerd/continuity/sysx.LGetxattr` (DataDog-specific container artifact)
- Replace `HostConfigModifier` callbacks with `AutoRemove` field on `testcontainers.ContainerRequest` in all integration tests
- Add `replace` directive redirecting the remaining indirect `docker/docker` to the patched `moby/moby` 27.x branch commit

Context

`github.com/docker/docker` v27 has known security vulnerabilities. This PR eliminates all direct usage so that `DataDog/datadog-agent` can consume this trivy version without pulling in the vulnerable package. Ports the upstream migration from aquasecurity/trivy#10202 (Docker client SDK v29) adapted to the v27-era codebase of this branch.
Jira: VULN-59766, VULN-59767, VULN-59774, VULN-59775, CONTINT-5217, CONTINT-5218, CONTINT-5219, CONTINT-5220
Related: DataDog/datadog-agent#48777
Test plan
- `go mod tidy` completes successfully
- `go build ./...` compiles without errors (pre-existing `internal/testutil/util.go` issue excluded)
- `go vet` passes on all modified packages
- `go test ./pkg/fanal/image/daemon/...` — all unit tests pass
- No `github.com/docker/docker` imports in Go source files
- `docker/docker` is now `// indirect` in `go.mod`, redirected via `replace` to patched moby/moby

🤖 Generated with Claude Code