fix: upgrade packages with vulns #3343
Conversation
| @@ -384,7 +385,7 @@ require ( | |||
| ) | |||
|
|
|||
| // See https://github.com/moby/moby/issues/42939#issuecomment-1114255529 | |||
| replace github.com/docker/docker => github.com/docker/docker v20.10.3-0.20220224222438-c78f6963a1c0+incompatible | |||
| replace github.com/docker/docker => github.com/docker/engine v17.12.0-ce-rc1.0.20211209213653-8955d8da8951+incompatible | |||
There was a problem hiding this comment.
Looks like it downgrades the versions. It is intended?
There was a problem hiding this comment.
Its actually another package and it was auto-generated from its master branch.
Please take a look at this:
https://stackoverflow.com/questions/56032544/how-to-find-dependency-causing-sirupsen-logrus-vs-sirupsen-logrus-unexpecte
In the future we should consider upgrading to moby/moby.
There was a problem hiding this comment.
The commit you referenced is created on Dec 9, 2021. I don't think it addresses recent vulnerabilities. If scanners don't detect those vulnerabilities, it is an issue of scanners. Hiding vulnerabilities from scanners is not essential.
docker-archive/engine@8955d8d
|
We bumped containerd. Please open PRs separately if you confirmed detected vulnerabilities. |
Description
Upgrade go deps with vulns
Fixed vulnerabilities in this PR:
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-24765' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-30633' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-24675' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-41771' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-30631' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-28327' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-30632' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-41772' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-28131' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-41103' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-27536' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-39293' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-29162' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-27664' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-30630' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-30635' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-30465' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-32189' },
{ pkg: 'git', cve: 'CVE-2022-31012' },
{ pkg: 'github.com/containerd/containerd', cve: 'CVE-2022-41716' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-32190' },
{ pkg: 'github.com/containerd/containerd', cve: 'CVE-2022-2879' },
{ pkg: 'github.com/containerd/containerd', cve: 'CVE-2022-2880' },
{ pkg: 'github.com/containerd/containerd', cve: 'CVE-2022-41720' },
{ pkg: 'github.com/containerd/containerd', cve: 'CVE-2019-2054' },
{ pkg: 'github.com/containerd/containerd', cve: 'CVE-2022-41715' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-1962' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-32148' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-31030' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-29526' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-32760' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-21334' },
{ pkg: 'golang.org/x/net', cve: 'CVE-2022-41717' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-24769' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-1705' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-41089' },
{ pkg: 'github.com/moby/buildkit', cve: 'CVE-2021-32760' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-34558' },
{ pkg: 'github.com/containerd/containerd', cve: 'CVE-2022-41717' },
{ pkg: 'github.com/containerd/containerd', cve: 'CVE-2022-23471' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2021-41091' },
{ pkg: 'github.com/docker/docker', cve: 'CVE-2022-36109' },
{ pkg: 'github.com/aws/aws-sdk-go', cve: 'GHSA-f5pg-7wfw-84q9' },
{ pkg: 'github.com/aws/aws-sdk-go', cve: 'GHSA-7f33-f4f5-xwgw' }