From d3991f22149a18dd2555bdaac3d68985720877ac Mon Sep 17 00:00:00 2001
From: Reynier Ortiz Vega
Date: Tue, 23 Jun 2026 15:15:44 -0400
Subject: [PATCH 1/2] bump docker cli

---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index e9162ad..5c4d94d 100644
--- a/go.mod
+++ b/go.mod
@@ -50,7 +50,7 @@ require (
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
 github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
-github.com/docker/cli v29.5.3+incompatible // indirect
+github.com/docker/cli v29.6.0+incompatible // indirect
 github.com/docker/docker-credential-helpers v0.9.3 // indirect
 github.com/go-logr/logr v1.4.3 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
diff --git a/go.sum b/go.sum
index 9ebf249..ade4ae1 100644
--- a/go.sum
+++ b/go.sum
@@ -102,8 +102,8 @@ github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 h1:ge14PCmCvPjpMQM
 github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc=
 github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 h1:lxmTCgmHE1GUYL7P0MlNa00M67axePTq+9nBSGddR8I=
 github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7/go.mod h1:GvWntX9qiTlOud0WkQ6ewFm0LPy5JUR1Xo0Ngbd1w6Y=
-github.com/docker/cli v29.5.3+incompatible h1:nbEFfz774vBwQ5KRYv7c/AghjReqnGISvrRhzjV0evs=
-github.com/docker/cli v29.5.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.6.0+incompatible h1:nw9himxMMZ7eIeherJNlKQq+acnlzGgHd+4uf10QRSc=
+github.com/docker/cli v29.6.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8=
 github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
From a4621e719e86654f62546aaa0f444ced99c5b938 Mon Sep 17 00:00:00 2001
From: Reynier Ortiz Vega
Date: Tue, 23 Jun 2026 15:22:40 -0400
Subject: [PATCH 2/2] chore: add grype ignore rule for GO-2026-4610 false positive

Grype incorrectly flags github.com/docker/cli v29.6.0+incompatible for GO-2026-4610 due to a semver comparison bug with the +incompatible suffix. The OSV record marks this fixed in 29.2.0+incompatible; we run 29.6.0 which is already past the fix. The vuln is also Windows-only.

Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 .grype.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 .grype.yaml

diff --git a/.grype.yaml b/.grype.yaml
new file mode 100644
index 0000000..00009ec
--- /dev/null
+++ b/.grype.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: Copyright 2026 Stacklok, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+ignore:
+ # GO-2026-4610: Windows-only local privilege escalation in docker/cli CLI plugins
+ # via uncontrolled search path. The OSV record marks this fixed in 29.2.0+incompatible;
+ # we run 29.6.0+incompatible which is past the fix. Grype incorrectly flags it due to
+ # semver comparison issues with the +incompatible suffix.
+ - vulnerability: GO-2026-4610
+ package:
+ name: github.com/docker/cli
+ type: go-module
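Review bot: The ignore entry at `- vulnerability: GO-2026-4610` matches github.com/docker/cli at every version, so if go.mod is later reverted or the module is downgraded below the release the comment calls fixed, the finding stays suppressed with nothing to flag it. Grype ignore rules accept a `version` key under `package:`; scoping the rule with `version: v29.6.0+incompatible` (confirm this against the version string grype actually reports for the module) turns the suppression into a tripwire that has to be re-evaluated on the next bump instead of carrying forward indefinitely. The comment attributes the match to a grype semver issue with the +incompatible suffix but gives the reader nothing to verify or track that against; adding a line such as `# tracked in <grype issue URL>` pointing at the upstream report, if one exists, lets the rule be removed once the comparison is fixed rather than becoming a permanent blind spot in the scan.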