
vendor: github.com/docker/docker 70e46f2c7c2d (v26.0.0-rc3-dev) #4944

Merged: 3 commits merged into docker:master from update_engine on Mar 19, 2024

thaJeztah

vendor: github.com/containerd/containerd v1.7.14

no changes in vendored files, but now requires go1.21

full diff: containerd/containerd@v1.7.13...v1.7.14

vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobuf v1.5.4

full diffs:

- protocolbuffers/protobuf-go@v1.31.0...v1.33.0
- golang/protobuf@v1.5.3...v1.5.4

From the Go security announcement list:

> Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
> the google.golang.org/protobuf/encoding/protojson package which could cause
> the Unmarshal function to enter an infinite loop when handling some invalid
> inputs.
>
> This condition could only occur when unmarshaling into a message which contains
> a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown
> option is set. Unmarshal now correctly returns an error when handling these
> inputs.
>
> This is CVE-2024-24786.

In a follow-up post:

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

govulncheck results in our code show that this does not affect the CLI:

    govulncheck ./...
    Scanning your code and 448 packages across 72 dependent modules for known vulnerabilities...

    === Symbol Results ===

    No vulnerabilities found.

    Your code is affected by 0 vulnerabilities.
    This scan also found 1 vulnerability in packages you import and 0
    vulnerabilities in modules you require, but your code doesn't appear to call
    these vulnerabilities.
    Use '-show verbose' for more details.

vendor: github.com/docker/docker 70e46f2c7c2d (v26.0.0-rc3-dev)

full diff: moby/moby@v26.0.0-rc2...70e46f2

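As an added example (not code from the docker/cli project or from this PR): a small Go check that reads the require block of a go.mod/vendor.mod and flags modules still below the fixed versions this PR vendors, google.golang.org/protobuf v1.33.0 and github.com/golang/protobuf v1.5.4 (the containerd floor is included only because the PR bumps it). The parsing, the version ordering and the function names are the example's own assumptions; govulncheck, as run above, stays the authoritative check because it reasons about which vulnerable symbols are actually called.

```go
package main

import "strconv"
import "strings"

// parseRequires maps module path -> version from a go.mod/vendor.mod "require ( ... )" block.
func parseRequires(mod string) map[string]string {
	out, inBlock := map[string]string{}, false
	for _, raw := range strings.Split(mod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // strip "// indirect" and other comments
		f := strings.Fields(line)
		if s := strings.Join(f, " "); s == "require (" || s == ")" {
			inBlock = s == "require ("
		} else if inBlock && len(f) == 2 {
			out[f[0]] = f[1]
		}
	}
	return out
}

// versionLess reports a < b for "vX.Y.Z[-pre]"; a -pre/pseudo-version sorts below its plain release.
func versionLess(a, b string) bool {
	ac, apre, _ := strings.Cut(strings.TrimPrefix(a, "v"), "-")
	bc, bpre, _ := strings.Cut(strings.TrimPrefix(b, "v"), "-")
	as, bs := strings.Split(ac, "."), strings.Split(bc, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		x, _ := strconv.Atoi(as[i])
		y, _ := strconv.Atoi(bs[i])
		if x != y {
			return x < y
		}
	}
	return apre != "" && bpre == ""
}

// outdated maps module -> required version for each module still below the floor this PR sets (using these floors as a CI gate is the example's assumption).
func outdated(mod string) map[string]string {
	floors := map[string]string{
		"google.golang.org/protobuf":       "v1.33.0", // CVE-2024-24786 fix
		"github.com/golang/protobuf":       "v1.5.4",  // compatible with v1.33.0
		"github.com/containerd/containerd": "v1.7.14",
	}
	reqs, bad := parseRequires(mod), map[string]string{}
	for m, floor := range floors {
		if v, ok := reqs[m]; ok && versionLess(v, floor) {
			bad[m] = v
		}
	}
	return bad
}
```

A floor check like this also catches the case govulncheck reports as found in an imported package but not called, which a later code change can silently turn into a reachable call.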

Review comment on vendor.mod, lines 7 to 9 (outdated):

    go 1.21

    toolchain go1.21.8

Hmm.. looks like the containerd update forces go 1.21 to be set here, and also inserts a toolchain. Not sure if we want/need that? Looks like it's possible to manually remove it (and it won't add it back).

thaJeztah force-pushed the update_engine branch 2 times, most recently from e008c9c to ffa2659 on March 16, 2024 15:49
@codecov-commenter

Codecov Report

Merging #4944 (38c3ff6) into master (38fcd1c) will increase coverage by 0.00%.
The diff coverage is n/a.

    @@           Coverage Diff           @@
    ##           master    #4944   +/-   ##
    =======================================
      Coverage   61.43%   61.44%           
    =======================================
      Files         289      289           
      Lines       20241    20241           
    =======================================
    + Hits        12435    12437    +2     
    + Misses       6904     6903    -1     
    + Partials      902      901    -1     


thaJeztah commented Mar 16, 2024

Hm.. CodeQL looks to be having a hard time;

    Attempting to automatically build go code
    /opt/hostedtoolcache/CodeQL/2.16.4/x64/codeql/go/tools/autobuild.sh
    2024/03/16 15:54:34 Autobuilder was built with go1.22.0, environment has go1.21.8
    2024/03/16 15:54:34 LGTM_SRC is /home/runner/work/cli/cli
    2024/03/16 15:54:34 Found no go.work files in the workspace; looking for go.mod files...
    2024/03/16 15:54:34 Found stray Go source file in cli/cobra.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/cobra_test.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/builder/client_test.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/builder/cmd.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/builder/prune.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/builder/prune_test.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/checkpoint/client_test.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/checkpoint/cmd.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/checkpoint/create.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/checkpoint/create_test.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/checkpoint/formatter.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/checkpoint/formatter_test.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/checkpoint/list.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/checkpoint/list_test.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/checkpoint/remove.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/checkpoint/remove_test.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/cli.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/cli_options.go.
    2024/03/16 15:54:34 Found stray Go source file in cli/command/cli_options_test.go.
    /opt/hostedtoolcache/CodeQL/2.16.4/x64/codeql/codeql version --format=json
    {
      "productName" : "CodeQL",
      "vendor" : "GitHub",
      "version" : "2.16.4",
      "sha" : "9727ba3cd3d5a26f8b9347bf3c3eb4f565ac077b",
      "branches" : [
        "codeql-cli-2.16.4"
      ],
      "copyright" : "Copyright (C) 2019-2024 GitHub, Inc.",
      "unpackedLocation" : "/opt/hostedtoolcache/CodeQL/2.16.4/x64/codeql",
      "configFileLocation" : "/home/runner/.config/codeql/config",
      "configFileFound" : false,
      "features" : {
        "analysisSummaryV2Option" : true,
        "buildModeOption" : true,
        "bundleSupportsIncludeDiagnostics" : true,
        "featuresInVersionResult" : true,
        "indirectTracingSupportsStaticBinaries" : false,
        "informsAboutUnsupportedPathFilters" : true,
        "supportsPython312" : true,
        "mrvaPackCreate" : true,
        "threatModelOption" : true,
        "traceCommandUseBuildMode" : true,
        "v2ramSizing" : true,
        "mrvaPackCreateMultipleQueries" : true,
        "setsCodeqlRunnerEnvVar" : true
      }
    }

@thaJeztah

Previous run on #4929 completed in 2 minutes, and shows this instead (looks to be a slightly older version; 2.16.3 vs 2.16.4), so maybe they broke something:

    /opt/hostedtoolcache/CodeQL/2.16.3/x64/codeql/codeql version --format=json
    {
      "productName" : "CodeQL",
      "vendor" : "GitHub",
      "version" : "2.16.3",
      "sha" : "89973abb6e1d3083dfb8426eb0e210df19ca36be",
      "branches" : [
        "codeql-cli-2.16.3"
      ],
      "copyright" : "Copyright (C) 2019-2024 GitHub, Inc.",
      "unpackedLocation" : "/opt/hostedtoolcache/CodeQL/2.16.3/x64/codeql",
      "configFileLocation" : "/home/runner/.config/codeql/config",
      "configFileFound" : false,
      "features" : {
        "analysisSummaryV2Option" : true,
        "buildModeOption" : true,
        "bundleSupportsIncludeDiagnostics" : true,
        "featuresInVersionResult" : true,
        "indirectTracingSupportsStaticBinaries" : false,
        "supportsPython312" : true,
        "mrvaPackCreate" : true,
        "threatModelOption" : true,
        "traceCommandUseBuildMode" : true,
        "v2ramSizing" : true,
        "mrvaPackCreateMultipleQueries" : true,
        "setsCodeqlRunnerEnvVar" : true
      }
    }

    /opt/hostedtoolcache/CodeQL/2.16.3/x64/codeql/go/tools/autobuild.sh
    2024/03/11 14:59:40 Autobuilder was built with go1.21.7, environment has go1.21.7
    2024/03/11 14:59:40 LGTM_SRC is /home/runner/work/cli/cli
    2024/03/11 14:59:40 Import path is 'github.com/docker/cli'
    2024/03/11 14:59:40 Temporary directory is /home/runner/work/cli/cli/scratch2256545796.
    2024/03/11 14:59:40 Moving /home/runner/work/cli/cli/templates to /home/runner/work/cli/cli/scratch2256545796/templates.
    2024/03/11 14:59:40 Moving /home/runner/work/cli/cli/cmd to /home/runner/work/cli/cli/scratch2256545796/cmd.
    2024/03/11 14:59:40 Moving /home/runner/work/cli/cli/.mailmap to /home/runner/work/cli/cli/scratch2256545796/.mailmap.
    2024/03/11 14:59:40 Moving /home/runner/work/cli/cli/CONTRIBUTING.md to /home/runner/work/cli/cli/scratch2256545796/CONTRIBUTING.md.
    2024/03/11 14:59:40 Moving /home/runner/work/cli/cli/LICENSE to /home/runner/work/cli/cli/scratch2256545796/LICENSE.
    2024/03/11 14:59:40 Moving /home/runner/work/cli/cli/Makefile to /home/runner/work/cli/cli/scratch2256545796/Makefile.

@thaJeztah

That one also used a different version of go;

    2024/03/11 14:59:40 Autobuilder was built with go1.21.7, environment has go1.21.7

vs

    2024/03/16 15:54:34 Autobuilder was built with go1.22.0, environment has go1.21.8

@thaJeztah

Looks like it somewhat completed after an hour and a half 😂


But not sure if it did the right thing (logs attached);

    2024-03-16T17:20:33.9317991Z WARNING: you are not in a container.
    2024-03-16T17:20:33.9318491Z 
    2024-03-16T17:20:33.9319023Z Use "make dev" to start an interactive development container,
    2024-03-16T17:20:33.9319951Z use "make -f docker.Makefile " to execute this target
    2024-03-16T17:20:33.9320572Z in a container, or set DISABLE_WARN_OUTSIDE_CONTAINER=1 to
    2024-03-16T17:20:33.9321027Z disable this warning.
    2024-03-16T17:20:33.9321355Z 
    2024-03-16T17:20:33.9321686Z Press Ctrl+C now to abort, or wait for the script to continue..
    2024-03-16T17:20:33.9322064Z 
    2024-03-16T17:20:38.9348585Z ./scripts/build/binary
    2024-03-16T17:20:38.9891712Z Building static docker-linux-amd64
    2024-03-16T17:20:38.9939792Z + go build -o build/docker-linux-amd64 -tags  osusergo pkcs11 -ldflags  -X "github.com/docker/cli/cli/version.GitCommit=38c3ff6" -X "github.com/docker/cli/cli/version.BuildTime=2024-03-16T17:20:38Z" -X "github.com/docker/cli/cli/version.Version=38c3ff6.m" -extldflags -static -buildmode=pie github.com/docker/cli/cmd/docker
    2024-03-16T17:20:38.9977613Z cannot find package "github.com/docker/cli/cmd/docker" in any of:
    2024-03-16T17:20:38.9978917Z 	/opt/hostedtoolcache/go/1.21.8/x64/src/github.com/docker/cli/cmd/docker (from $GOROOT)
    2024-03-16T17:20:38.9980247Z 	/home/runner/go/src/github.com/docker/cli/cmd/docker (from $GOPATH)
    2024-03-16T17:20:38.9986326Z make: *** [Makefile:62: binary] Error 1
    2024-03-16T17:20:38.9989981Z 2024/03/16 17:20:38 Running /usr/bin/make [make] failed, continuing anyway: exit status 2
    2024-03-16T17:20:38.9991126Z 2024/03/16 17:20:38 Build failed, continuing to install dependencies.
    2024-03-16T17:20:38.9992277Z 2024/03/16 17:20:38 The code in vendor/gotest.tools/v3/skip seems to be missing a go.mod file. Attempting to initialize one...
    2024-03-16T17:20:38.9993325Z 2024/03/16 17:20:38 Import path is 'github.com/docker/cli'

It's doing a lot of weird things, such as creating new modules for each and every package, including vendored dependencies 🙈

    The code in e2e/cli-plugins/plugins/nopersistentprerun seems to be missing a go.mod file. Attempting to initialize one...
    The code in e2e/cli-plugins/plugins/presocket seems to be missing a go.mod file. Attempting to initialize one...
    The code in e2e/container seems to be missing a go.mod file. Attempting to initialize one...
    The code in e2e/context seems to be missing a go.mod file. Attempting to initialize one...
    The code in e2e/global seems to be missing a go.mod file. Attempting to initialize one...
    The code in e2e/image seems to be missing a go.mod file. Attempting to initialize one...
    The code in e2e/internal seems to be missing a go.mod file. Attempting to initialize one...
    The code in e2e/plugin seems to be missing a go.mod file. Attempting to initialize one...
    The code in e2e/stack seems to be missing a go.mod file. Attempting to initialize one...
    The code in e2e/system seems to be missing a go.mod file. Attempting to initialize one...
    The code in e2e/trust seems to be missing a go.mod file. Attempting to initialize one...
    The code in internal seems to be missing a go.mod file. Attempting to initialize one...
    The code in internal/test seems to be missing a go.mod file. Attempting to initialize one...
    The code in internal/test/builders seems to be missing a go.mod file. Attempting to initialize one...
    The code in internal/test/environment seems to be missing a go.mod file. Attempting to initialize one...
    The code in internal/test/network seems to be missing a go.mod file. Attempting to initialize one...
    The code in internal/test/notary seems to be missing a go.mod file. Attempting to initialize one...
    The code in internal/test/output seems to be missing a go.mod file. Attempting to initialize one...
    The code in opts seems to be missing a go.mod file. Attempting to initialize one...
    The code in service seems to be missing a go.mod file. Attempting to initialize one...
    The code in service/logs seems to be missing a go.mod file. Attempting to initialize one...
    The code in templates seems to be missing a go.mod file. Attempting to initialize one...
    The code in vendor seems to be missing a go.mod file. Attempting to initialize one...
    The code in vendor/dario.cat seems to be missing a go.mod file. Attempting to initialize one...
    The code in vendor/dario.cat/mergo seems to be missing a go.mod file. Attempting to initialize one...
    The code in vendor/github.com seems to be missing a go.mod file. Attempting to initialize one...
    The code in vendor/github.com/Azure seems to be missing a go.mod file. Attempting to initialize one...
    The code in vendor/github.com/Azure/go-ansiterm seems to be missing a go.mod file. Attempting to initialize one...
    The code in vendor/github.com/Azure/go-ansiterm/winterm seems to be missing a go.mod file. Attempting to initialize one...
    The code in vendor/github.com/Microsoft seems to be missing a go.mod file. Attempting to initialize one...
    The code in vendor/github.com/Microsoft/go-winio seems to be missing a go.mod file. Attempting to initialize one...
    The code in vendor/github.com/Microsoft/go-winio/internal seems to be missing a go.mod file. Attempting to initialize one...
    The code in vendor/github.com/Microsoft/go-winio/internal/fs seems to be missing a go.mod file. Attempting to initialize one...


@vvoland vvoland merged commit 2356372 into docker:master Mar 19, 2024
88 checks passed
@thaJeztah thaJeztah deleted the update_engine branch March 19, 2024 10:43