Skip to content

[VULN-59766] Remove direct dependency on github.com/docker/docker v28#3

Closed
L3n41c wants to merge 3944 commits intofossabot:masterfrom
DataDog:lenaic/VULN-59766-remove-docker-docker-v28-dependency
Closed

[VULN-59766] Remove direct dependency on github.com/docker/docker v28#3
L3n41c wants to merge 3944 commits intofossabot:masterfrom
DataDog:lenaic/VULN-59766-remove-docker-docker-v28-dependency

Conversation

@L3n41c
Copy link
Copy Markdown

@L3n41c L3n41c commented Apr 2, 2026

Summary

  • Remove direct github.com/docker/docker imports by replacing HostConfigModifier callbacks with AutoRemove: true on testcontainers.ContainerRequest
  • Upgrade google/go-containerregistry from v0.20.7 to v0.21.3 (which migrated to moby/moby sub-modules)
  • Add replace directive for the remaining indirect dependency, redirecting to the patched 28.x branch of moby/moby (security fixes for authz body size limit and plugin privilege validation)

Context

Jira tickets: VULN-59766, VULN-59767, VULN-59774, VULN-59775, CONTINT-5217, CONTINT-5218, CONTINT-5219, CONTINT-5220

Related: DataDog/datadog-agent#48777

Note

After merging, run go mod tidy (with GOEXPERIMENT=jsonv2) to finalize go.sum cleanup. The indirect dependency on docker/docker cannot be fully removed from go.mod until testcontainers-go and other transitive dependencies migrate to moby/moby sub-modules upstream.

Test plan

  • go mod tidy completes successfully
  • go build ./... compiles without errors
  • Integration tests with //go:build integration still pass
  • Verify go.sum references moby/moby pseudo-version instead of docker/docker v28.5.2

🤖 Generated with Claude Code

DmitriyLewen and others added 30 commits September 15, 2025 07:21
@DmitriyLewen
fix(vuln): compare nuget package names in lower case (#9456)
1ff9ac7
@knqyf263 @nikpivkin
refactor: migrate from go-json-experiment to encoding/json/v2 (#9422)
788f6fa 
Co-authored-by: knqyf263 <knqyf263@users.noreply.github.com>
Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>
@knqyf263
ci(deps): add 3-day cooldown period for Dependabot updates (#9475)
8dce58c
@teddygood @DmitriyLewen
feat(redhat): add os-release detection for RHEL-based images (#9458)
cb25a07 
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
@matt-andersen
docs: Fix typo in terraform docs (#9492)
8b2575b
@knqyf263 @DmitriyLewen
feat(cyclonedx): preserve SBOM structure when scanning SBOM files wit…
aff03eb 
…h vulnerability updates (#9439)

Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
@nikpivkin
fix(misconf): strip build metadata suffixes from image history (#9498)
c938806 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
@amitverse @DmitriyLewen
feat(sbom): added support for CoreOS (#9448)
6d562a3 
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
@DmitriyLewen @knqyf263
docs: move info about detection priority into coverage section (#9469)
842ebdc 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
@nikpivkin @DmitriyLewen
fix(misconf): wrap legacy ENV values in quotes to preserve spaces (#9…
267a970 
…497)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
@dependabot @nikpivkin
chore(deps): bump the common group across 1 directory with 24 updates…
366910b 
… (#9507)

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>
@dependabot
chore(deps): bump the aws group with 6 updates (#9481)
331cf5d 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@knqyf263 @DmitriyLewen
refactor: remove google/wire dependency and implement manual DI (#9509)
d57b160 
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
@nikpivkin
refactor(fs): use underlyingPath to determine virtual files more reli…
352855e 
…ably (#9302)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
@DmitriyLewen
fix(nodejs): parse workspaces as objects for package-lock.json files …
404abb3 
…(#9518)
@knqyf263
feat(cli): change --list-all-pkgs default to true (#9510)
7b663d8
@nikpivkin
fix(misconf): unmark cty values before access (#9495)
8e40d27 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
@nikpivkin
feat(cloudformation): support default values and list results in Fn::…
42b3bf3 
…FindInMap (#9515)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
@tom1299 @DmitriyLewen
fix(db): Dowload database when missing but metadata still exists (#9393)
92ebc7e 
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
@knqyf263
feat: add documentation URL for database lock errors (#9531)
eba48af
@knqyf263
fix: close file descriptors and pipes on error paths (#9536)
a4cbd6a 
Co-authored-by: knqyf263 <knqyf263@users.noreply.github.com>
@nikpivkin
docs: fix modules path and update code example (#9539)
e149094 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
@DmitriyLewen
feat(seal): add seal support (#9370)
e4af279
@nikpivkin
fix(misconf): handle tofu files in module detection (#9486)
bfd2f6b 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
@afdesk
fix(k8s): disable parallel traversal with fs cache for k8s images (#9…
c0c7a6b 
…534)
@nikpivkin
docs: clarify inline ignore limitations for resource-less checks (#9537)
c446a5c 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
@nikpivkin @knqyf263
refactor(misconf): replace github.com/liamg/memoryfs with internal ma…
e7c16a7 
…pfs and testing/fstest (#9282)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
@DmitriyLewen
fix(aws): use BuildableClient insead of xhttp.Client (#9436)
fa6f1bf
@DmitriyLewen
fix(vex): don't suppress vulns for packages with infinity loop (#9465)
78f0d4a
@aqua-bot
release: v0.67.0 [main] (#9432)
adeb362
dependabot bot and others added 29 commits January 30, 2026 10:57
@dependabot
chore(deps): bump the aws group across 1 directory with 6 updates (#1…
cc64eeb 
…0068)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@sneaky-potato @DmitriyLewen
feat(python): add pylock.toml (PEP 751) parser (#9632)
1a72b32 
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
@knqyf263
refactor(rust): use txtar format for cargo analyzer test data (#10104)
65e151f
@eschcam
fix(java): Disable overwriting exclusions (#10088)
9a3e0a8
@aqua-bot @actions-user
ci(helm): bump Trivy version to 0.69.0 for Trivy Helm Chart 0.21.0 (#…
73c64af 
…10103)

Co-authored-by: GitHub Actions <actions@github.com>
@nikpivkin
refactor: unify scanner error limit and compiler limit (#10106)
fc5f139 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
@sastorsl
chore(deps): bump to alpine:3.23.3 and go-1.25.6 to fix CVEs (#10107)
7415661
@knqyf263
feat(server): include server version info in JSON output for client/s…
4c46d41 
…erver mode (#10075)
@carrodher
fix: update PhotonOS feed URL (#10122)
fa195b4 
Signed-off-by: Carlos Rodríguez Hernández <carlos.rodriguez-hernandez@broadcom.com>
@nikpivkin
docs(terraform): add limitation for data sources and computed resourc…
8d3d4ee 
…e attributes (#10128)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
@nikpivkin
fix(misconf): apply check aliases when filtering results via .trivyig…
b775a1b 
…nore (#10112)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
@knqyf263
ci: add composite action for Go setup (#10146)
5ffcdfc
@knqyf263
feat(vuln): skip third-party packages in common Detect function (#10129)
d6e6331
@Yamamoto-Ko-ki
docs: update version endpoint example in client/server documentation …
82019c3 
…(#10151)
@AndrewCharlesHay
feat(misconf): adapt ARM k8s clusters (#9696) (#10125)
66bdec4
@AndrewCharlesHay
refactor: reduce complexity of init in detect.go (#10163)
0b73503
@BrajamohanDas-afk
refactor: remove unused Insecure field from ServiceOption (#10113)
68c196f
@aqua-bot @actions-user
ci(helm): bump Trivy version to 0.69.1 for Trivy Helm Chart 0.21.1 (#…
580c4ac 
…10155)

Co-authored-by: GitHub Actions <actions@github.com>
@Dharma-09
feat(misconf): resolve Azure resources via resource_id (#10173)
823f363
@dependabot
chore(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 (…
8662089 
…#10179)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@valentinstn
docs: fix incorrect count of Python package managers (#10175)
42216b5
@DmitriyLewen
feat(ubuntu): add eol data for 25.10 (#10181)
2c1f65b
@nikpivkin
fix(misconf): initialize custom annotation field if empty (#10123)
0f0d6db 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
@DmitriyLewen
test: update Docker Engine integration tests for Docker API v0.29.0+ …
3a3d750 
…compatibility (#10199)
@DmitriyLewen
chore(deps): update Docker client SDK to v29 (#10202)
fb05196
@dependabot
chore(deps): bump the common group across 1 directory with 24 updates…
1c09181 
… (#10206)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@yusuke-koyoshi
docs: migrate private registry documentation from GCR to GAR (#10208)
5b54388 
Signed-off-by: yusuke.koyoshi <yusuke.koyoshi@assured.inc>
@knqyf263
feat(go): detect version from ELF symbol table for binaries built wit…
7acb5f6 
…h -trimpath (#10197)
@L3n41c @claude
[VULN-59766] chore(deps): remove direct dependency on github.com/dock…
65f6650 
…er/docker v28

Remove the direct dependency on github.com/docker/docker v28 which has
known security vulnerabilities in authz and plugin packages.

- Replace HostConfigModifier callbacks with the equivalent AutoRemove
  field on testcontainers.ContainerRequest in all integration tests
- Upgrade google/go-containerregistry from v0.20.7 to v0.21.3, which
  migrated from docker/docker to moby/moby sub-modules
- Bump transitive dependencies required by go-containerregistry v0.21.3
  (docker/cli, moby/moby/api, moby/moby/client, golang.org/x/*)
- Add replace directive redirecting the remaining indirect docker/docker
  dependency to moby/moby 28.x branch (commit 31a1689c) which contains
  the security fixes (authz body size limit, plugin privilege validation)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@L3n41c L3n41c closed this Apr 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.