fix: address Docker and Prometheus CVEs (GHSA-x744-4wpc-v9h2, GHSA-pxq6-2prw-chj9, GHSA-vffh-x6r8-xx99) #864
Merged: karimra merged 5 commits (May 13, 2026)
Resolves GHSA-x744-4wpc-v9h2 (HIGH) and GHSA-pxq6-2prw-chj9 (MEDIUM), both of which require docker/docker v29.3.1+. Docker upstream moved the module to github.com/moby/moby/v2 with split submodules for the API (github.com/moby/moby/api) and the client (github.com/moby/moby/client), so the import-path swap is the only path to a fixed version.

The migration is API-breaking, not just an import rewrite:
- The filters package was removed: filters.NewArgs / filters.Args / filters.KeyValuePair are gone. Replaced by client.Filters (a map[string]map[string]bool with chainable Add).
- container.ListOptions and network.ListOptions moved into the client package as ContainerListOptions and NetworkListOptions.
- ContainerList and NetworkList now return result structs rather than slices; callers must use .Items to get the underlying list.
- Client.Ping requires a PingOptions argument.
- EndpointSettings.IPAddress / .GlobalIPv6Address and PortSummary.IP are now netip.Addr instead of string. String comparisons against "" / "0.0.0.0" / "::" become IsValid() / IsUnspecified() and a String() conversion at format-time.

Smoke tested against a real Docker 29.4.1 daemon: the loader discovered two labelled containers and resolved their published-port addresses (172.17.0.2:57400, 172.17.0.3:57401) correctly. After this change github.com/docker/docker is no longer in the module graph (verified via go mod why).
Resolves GHSA-vffh-x6r8-xx99 (MEDIUM) by upgrading github.com/prometheus/prometheus from v0.306.0 to v0.311.2. The straight bump alone causes go mod tidy to fail because of a broken transitive test dep:

k8s.io/kube-openapi -> github.com/go-openapi/swag -> github.com/go-openapi/swag/loading (test file) -> github.com/go-openapi/testify/enable/yaml/v2 v2.0.2 -> github.com/go-openapi/testify/v2/assert/yaml (does not exist)

go-openapi/testify already fixed this at enable/yaml/v2.5.0 by renaming the import to .../v2/enable/stubs/yaml. We pin both go-openapi/testify modules to v2.5.0 (// indirect) to push MVS past the broken floor. After this change tidy succeeds and the full build is clean.
The prometheus and otel/k8s/x/* deps in the previous commit raise the go.mod floor to go 1.25.0. CI and the Dockerfile still pinned 1.24.12, which means every CI run wasted time auto-downloading 1.25 to satisfy the directive. Bump them to 1.25.9 (the latest 1.25 patch as of writing) so CI and the published Docker image match the actual floor.
karimra requested changes (May 13, 2026):
When n.IPAddress is invalid and n.GlobalIPv6Address is also the zero netip.Addr, calling .String() on the zero Addr returns the literal "invalid IP" rather than "". That bogus value survived the downstream `tc.Address == ""` guard and would have propagated as a target address. Wrap the GlobalIPv6Address assignment in an IsValid() check, mirroring the guard already present on the IPAddress side. When neither is valid the loop exits with tc.Address unset and the existing `no address found` log path fires correctly.
Resolves go.mod / go.sum conflicts from the dependabot bumps that landed on main (openconfig#841, openconfig#844, openconfig#855) and the log2slog refactor (openconfig#866).

Resolution strategy: kept our side of go.mod (every direct dep we touched was already at a higher version than main, because the CVE-driven upgrades pulled the otel / x/* / k8s.io graph forward), then explicitly applied main's two security bumps:
- github.com/go-jose/go-jose/v4 v4.1.3 -> v4.1.4 (openconfig#844)
- github.com/nats-io/nats-server/v2 v2.12.4 -> v2.12.6 (openconfig#841)

main's otel 1.40 -> 1.41 bump (openconfig#855) was a no-op for us since our prometheus 0.311.2 bump had already pulled otel to 1.42. Reran go mod tidy to rebuild go.sum from the resolved go.mod. Confirmed github.com/docker/docker (v28.5.2 transitive only) is not consumed by any package via go mod why -m. Confirmed prometheus v0.311.2 and moby/moby/client v0.4.1 / moby/moby/api v1.54.2 survived the merge.

Verification: go build ./..., go vet ./..., go test -short ./... all clean across 40 packages.
Author (Contributor): Merge conflicts in go.mod, resolved them, re-generated the go.mod/go.sum and re-ran the unit tests to confirm no regressions.
karimra approved these changes (May 13, 2026)
Author (Contributor): Thanks @karimra, can we get a new release published that contains these fixes please?
Why

gnmic v0.45.0 carries three known CVEs in its dependency tree that downstream packagers cannot work around with `go get @latest`:
- GHSA-x744-4wpc-v9h2: `github.com/docker/docker` (fixed only under `github.com/moby/moby/v2`)
- GHSA-pxq6-2prw-chj9: `github.com/docker/docker`
- GHSA-vffh-x6r8-xx99: `github.com/prometheus/prometheus`

The Docker fixes can't land via the existing `github.com/docker/docker` import path because Docker's v29 source code only ships under the renamed `github.com/moby/moby/v2` module — there is no v29.x.y tag at the old path. The Prometheus bump fails `go mod tidy` because it pulls in `k8s.io/kube-openapi`, whose transitive `github.com/go-openapi/swag/loading` test imports a since-renamed package (`testify/v2/assert/yaml`) that no longer exists.

What

Three commits:

1. fix(docker_loader): migrate from docker/docker to moby/moby/v2

The migration is API-breaking, not just an import rewrite — `pkg/loaders/docker_loader/docker_loader.go` is the only consumer:
- `filters` package was removed entirely. `filters.NewArgs` / `filters.Args` / `filters.KeyValuePair` are gone, replaced by `client.Filters` (a `map[string]map[string]bool` with chainable `Add`).
- `container.ListOptions` and `network.ListOptions` moved into the `client` package as `ContainerListOptions` and `NetworkListOptions`.
- `ContainerList` and `NetworkList` now return result structs rather than slices; callers must use `.Items` to get the underlying list.
- `Client.Ping` requires a `PingOptions` argument.
- `EndpointSettings.IPAddress` / `.GlobalIPv6Address` and `PortSummary.IP` are now `netip.Addr` instead of `string`. String comparisons against `""` / `"0.0.0.0"` / `"::"` become `IsValid()` / `IsUnspecified()` and a `String()` conversion at format-time.

After this change `github.com/docker/docker` is no longer in the module graph (`go mod why` reports "main module does not need package"; `go list -m all | grep docker/docker` is empty).

2. chore(deps): bump prometheus to v0.311.2 to address GHSA-vffh-x6r8-xx99

Bumps `github.com/prometheus/prometheus` past the CVE-fixed bar and pins `github.com/go-openapi/testify/enable/yaml/v2` and `github.com/go-openapi/testify/v2` to v2.5.0 (`// indirect`) so MVS picks the version where the upstream maintainers already corrected the broken import (renamed `testify/v2/assert/yaml` to `testify/v2/enable/stubs/yaml`). After this commit `go mod tidy` succeeds.

3. chore(ci): bump Go toolchain to 1.25.9

The prometheus bump (and its transitive otel/k8s/x/* updates) raises the `go.mod` floor to `go 1.25.0`. CI workflows and the published Dockerfile still pinned `1.24.12`, which means every CI run wasted time auto-downloading 1.25 to satisfy the directive. This commit bumps:
- `.github/workflows/test.yml`: `GOVER: 1.24.12 → 1.25.9`
- `.github/workflows/lint.yml`: `GOVER: 1.24.12 → 1.25.9`
- `.github/workflows/release.yml`: `GOVER: 1.24.12 → 1.25.9`
- `Dockerfile`: `FROM golang:1.24.12 → golang:1.25.9`

Verification
- `go mod tidy` — clean
- `go build ./...` — clean
- `go vet ./...` — clean
- `docker_loader.RunOnce` with two labelled `nginx:alpine` containers and confirmed it discovered both with correct addresses derived from published ports + `gnmic-port` labels (172.17.0.2:57400, 172.17.0.3:57401).
- `netip.Addr` rewrites would benefit from a second set of eyes.

Risk / blast radius
- `gnmic` as a library at Go ≥ 1.25 (or with the default `GOTOOLCHAIN=auto`, which auto-downloads 1.25) is unaffected; the public API of `pkg/loaders/docker_loader` is unchanged.
- `GOTOOLCHAIN=local` on a Go 1.24 install will need to upgrade to Go 1.25 — but they would have hit the same wall the moment any of the bumped transitive deps (prometheus, otel, k8s.io/*, x/crypto, x/net, x/oauth2, etc.) reached their machine via MVS, regardless of gnmic's `go` directive. The bump is honest documentation of the floor that already exists.
- `docker` loader at runtime gets identical behavior — same target name, same address resolution rules.
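The `netip.Addr` rewrite described under "What" and the zero-Addr defect karimra raised in review, shown together as an added example (not gnmic's or moby's code): `endpoint`, `pickAddress` and `resolveTarget` are constructed stand-ins for the loader's per-network address walk, and the `guardIPv6` flag switches between the reviewed defect and the `IsValid()` fix.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strconv"
)

// endpoint is a constructed stand-in for moby EndpointSettings' two netip.Addr fields.
type endpoint struct {
	IPAddress         netip.Addr
	GlobalIPv6Address netip.Addr
}

// pickAddress returns the first usable address across a container's networks.
// With guardIPv6=false it reproduces the defect raised in review: a zero
// netip.Addr's String() is "invalid IP", not "", so it passes the addr == "" check.
func pickAddress(eps []endpoint, guardIPv6 bool) string {
	for _, n := range eps {
		var addr string
		switch {
		case n.IPAddress.IsValid():
			addr = n.IPAddress.String()
		case !guardIPv6 || n.GlobalIPv6Address.IsValid():
			addr = n.GlobalIPv6Address.String()
		}
		if addr != "" {
			return addr
		}
	}
	return ""
}

// resolveTarget mirrors the downstream guard: "" means the loader logs "no address
// found" and skips the container; otherwise net.JoinHostPort builds host:port.
func resolveTarget(eps []endpoint, port uint16, guardIPv6 bool) (string, bool) {
	addr := pickAddress(eps, guardIPv6)
	if addr == "" {
		return "", false
	}
	return net.JoinHostPort(addr, strconv.Itoa(int(port))), true
}

func main() {
	none := []endpoint{{}} // constructed: network that assigned no address
	fmt.Println(resolveTarget(none, 57400, false)) // invalid IP:57400 true (bogus)
	fmt.Println(resolveTarget(none, 57400, true))  // "" false (correctly skipped)
}
```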