Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🌱 bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible #10302

Merged
merged 1 commit into from
Mar 25, 2024
Merged

🌱 bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible #10302

merged 1 commit into from
Mar 25, 2024

Conversation

mboersma
Copy link
Contributor

What this PR does / why we need it:

Bumps github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible.

Dependabot will probably get around to this, but I wanted to update it because it's problematic for CAPZ incorporating CAPI v1.7.0-beta.0. Docker becomes an indirect import in CAPZ, and then our dependency checker fails:

image

Which issue(s) this PR fixes:

See GHSA-mq39-4gv4-mvpx
See kubernetes-sigs/cluster-api-provider-azure#4646

/area dependency
/area security

@k8s-ci-robot k8s-ci-robot added area/dependency Issues or PRs related to dependency changes area/security Issues or PRs related to security labels Mar 21, 2024
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Mar 21, 2024
@mboersma
Copy link
Contributor Author

/cc @nawazkh

@k8s-ci-robot k8s-ci-robot requested a review from nawazkh March 21, 2024 17:58
@nawazkh
Copy link
Member

nawazkh commented Mar 21, 2024
edited
Loading

Thank you for identifying this @mboersma
/cc @kubernetes-sigs/cluster-api-release-team This should have been fixed by dependabot, do we know why it was missed?

@nawazkh
Copy link
Member

nawazkh commented Mar 21, 2024

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 21, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: b5fda7c1f69f27af4cf3e4ff150a5be7d994ca5a

@killianmuldoon killianmuldoon changed the title 🌱 (deps): bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible 🌱 bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible Mar 21, 2024
killianmuldoon
killianmuldoon reviewed Mar 21, 2024
View reviewed changes
Copy link
Contributor

@killianmuldoon killianmuldoon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@nawazkh
Copy link
Member

nawazkh commented Mar 21, 2024

Thank you for identifying this @mboersma /cc @kubernetes-sigs/cluster-api-release-team This should have been fixed by dependabot, do we know why it was missed?

I did a high-level triage. I don't see anything blocking Dependabot on fixing this CVE(as per dependabot's config at the root/.github folder). As Matt said, dependabot would have come around this eventually to fix the CVE.

@kranurag7
Copy link
Contributor

@mboersma thank you for the patch, we had the same alert via dependabot on an infra provider repository. Is there a reason not to directly update to 26.0.0 in this case.

This should have been fixed by dependabot, do we know why it was missed?

I think this is a repository settings and maybe we don't have it enabled for this repository.

Details

image

@sbueringer
Copy link
Member

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sbueringer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 25, 2024
@k8s-ci-robot k8s-ci-robot merged commit 56e7074 into kubernetes-sigs:main Mar 25, 2024
28 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.7 milestone Mar 25, 2024
@cahillsf
Copy link
Member

cahillsf commented Mar 25, 2024
edited
Loading

@sbueringer 👋 you see any issues with backporting this to release-1.5 and release-1.6 branches to address the failing security scans? https://github.com/kubernetes-sigs/cluster-api/actions/runs/8419719374/job/23052938757

@sbueringer
Copy link
Member

sbueringer commented Mar 25, 2024
edited
Loading

No that's fine, might need manual cherry-picks though

@sbueringer
Copy link
Member

/cherry-pick release-1.6

@sbueringer
Copy link
Member

/cherry-pick release-1.5

@k8s-infra-cherrypick-robot
Copy link

@sbueringer: #10302 failed to apply on top of branch "release-1.6":

Applying: (deps): bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible
Using index info to reconstruct a base tree...
M	hack/tools/go.mod
M	hack/tools/go.sum
M	test/go.mod
M	test/go.sum
Falling back to patching base and 3-way merge...
Auto-merging test/go.sum
CONFLICT (content): Merge conflict in test/go.sum
Auto-merging test/go.mod
CONFLICT (content): Merge conflict in test/go.mod
Auto-merging hack/tools/go.sum
CONFLICT (content): Merge conflict in hack/tools/go.sum
Auto-merging hack/tools/go.mod
CONFLICT (content): Merge conflict in hack/tools/go.mod
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 (deps): bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-infra-cherrypick-robot
Copy link

@sbueringer: #10302 failed to apply on top of branch "release-1.5":

Applying: (deps): bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible
Using index info to reconstruct a base tree...
M	hack/tools/go.mod
M	hack/tools/go.sum
M	test/go.mod
M	test/go.sum
Falling back to patching base and 3-way merge...
Auto-merging test/go.sum
CONFLICT (content): Merge conflict in test/go.sum
Auto-merging test/go.mod
CONFLICT (content): Merge conflict in test/go.mod
Auto-merging hack/tools/go.sum
CONFLICT (content): Merge conflict in hack/tools/go.sum
Auto-merging hack/tools/go.mod
CONFLICT (content): Merge conflict in hack/tools/go.mod
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 (deps): bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.5

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@sbueringer
Copy link
Member

@cahillsf Let's try to stay on the same docker major version when we open PRs for 1.6 & 1.5

This was referenced Mar 25, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@killianmuldoon killianmuldoon killianmuldoon left review comments

@enxebre enxebre Awaiting requested review from enxebre

@jackfrancis jackfrancis Awaiting requested review from jackfrancis

@nawazkh nawazkh Awaiting requested review from nawazkh

Assignees

@nawazkh nawazkh

@killianmuldoon killianmuldoon

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/dependency Issues or PRs related to dependency changes area/security Issues or PRs related to security cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
v1.7
Development

Successfully merging this pull request may close these issues.
8 participants
@mboersma @nawazkh @k8s-ci-robot @kranurag7 @sbueringer @cahillsf @k8s-infra-cherrypick-robot @killianmuldoon