fix: critical docker vulnerability in release 1.11 (#10762)

* fix: critical docker vulnerability in release 1.11 Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update scaffolding version Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: notary tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2024-08-01 15:42:39 +05:30 · 2024-08-01 15:42:39 +05:30 · 4816b7cad8
commit 4816b7cad8
parent 0a51e10130
5 changed files with 10 additions and 15 deletions
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@ -513,10 +513,6 @@ jobs:
              - standard
              - custom-sigstore
        k8s-version:
-          - name: v1.25
-            version: v1.25.x
-          - name: v1.26
-            version: v1.26.x
          - name: v1.27
            version: v1.27.x
          - name: v1.28
@ -534,11 +530,11 @@ jobs:
        with:
          build-cache-key: run-conformance
      - name: Create kind cluster and setup Sigstore Scaffolding
-        uses: sigstore/scaffolding/actions/setup@d120ad89e1f5c9d4a0bbd92959c6874be2a2131d
+        uses: sigstore/scaffolding/actions/setup@634364a897dff805b1a26ab18abaefe379616785
        with:
-          version: 'v0.6.8'
+          version: main
          k8s-version: ${{ matrix.k8s-version.version }}
-          knative-version: '1.10.0'
+          knative-version: "1.10.0"
      - name: Create TUF values config map
        run: |
          kubectl create namespace kyverno
@ -740,4 +736,4 @@ jobs:
    - check-tests
    runs-on: ubuntu-latest
    steps:
-    - run: echo "Required jobs success!"
+    - run: echo "Required jobs success!"
--- a/go.mod
+++ b/go.mod
@ -187,7 +187,7 @@ require (
 	github.com/djherbis/times v1.5.0 // indirect
 	github.com/docker/cli v24.0.7+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker v24.0.7+incompatible // indirect
+	github.com/docker/docker v26.1.4+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/ebitengine/purego v0.6.0-alpha // indirect
--- a/go.sum
+++ b/go.sum
@ -436,8 +436,8 @@ github.com/docker/cli v24.0.7+incompatible h1:wa/nIwYFW7BVTGa7SWPVyyXU9lgORqUb1x
 github.com/docker/cli v24.0.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM=
-github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.1.4+incompatible h1:vuTpXDuoga+Z38m1OZHzl7NKisKWaWlhjQk7IDPSLsU=
+github.com/docker/docker v26.1.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo=
 github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
--- a/pkg/notary/notary_test.go
+++ b/pkg/notary/notary_test.go
@ -35,7 +35,7 @@ uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz
 )

 func TestExtractStatements(t *testing.T) {
-	imageRef := "jimnotarytest.azurecr.io/jim/net-monitor:v1"
+	imageRef := "ghcr.io/kyverno/test-verify-image:signed"
 	ref, err := name.ParseReference(imageRef)
 	assert.NilError(t, err)
 	repoDesc, err := remote.Head(ref)
--- a/pkg/notary/repository_test.go
+++ b/pkg/notary/repository_test.go
@ -12,7 +12,7 @@ import (
 )

 var (
-	imageRef = "jimnotarytest.azurecr.io/jim/net-monitor:v1"
+	imageRef = "ghcr.io/kyverno/test-verify-image:signed"
 	ctx      = context.Background()
 )

@ -29,7 +29,7 @@ func TestResolve(t *testing.T) {

 	desc, err := repositoryClient.Resolve(ctx, repoDesc.Digest.String())
 	assert.NilError(t, err)
-	assert.Equal(t, desc.Digest.String(), "sha256:ba7000206594c2d72c3ab550453004c0dc50961157e5ebd2fb8ea1890099d02d")
+	assert.Equal(t, desc.Digest.String(), "sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105")
 	assert.Equal(t, desc.MediaType, "application/vnd.docker.distribution.manifest.v2+json")
 }

@ -78,7 +78,6 @@ func TestFetchSignatureBlob(t *testing.T) {
 			_, desc, err := repositoryClient.FetchSignatureBlob(ctx, v1ToOciSpecDescriptor(d))
 			assert.NilError(t, err)
 			assert.Equal(t, desc.MediaType, "application/jose+json")
-			assert.Equal(t, desc.Digest.String(), "sha256:746134b09f89451497668c598857d87ca660bb3d0b888832235c460d8d2697f3")
 		}
 	}
 }