chore: suppress unreachable docker daemon CVEs in grype config #2644
Merged
The grype scan against the pack binary still flagged six docker findings that our .grype.yaml intended to ignore. The existing ignore rules listed the GHSA aliases, but grype matches the printed primary ID and the go-module scan prints the GO-2026-* IDs, so the suppressions never fired.

All six are non-impactful for pack:

- docker/docker GO-2026-4887, GO-2026-4883, GHSA-x86f-5xw2-fm2r, GHSA-rg2x-37c3-w2rh, GHSA-vp62-88p7-qqf5 are daemon-side (AuthZ bypass, plugin-privilege off-by-one, docker cp races, decompression RCE). pack only uses docker as a client (api/types, client, volume/mounts, pkg/* helpers) and never runs the daemon paths. None are fixed in the github.com/docker/docker module; the fix exists only in the rewritten github.com/moby/moby/v2 module, which the ecosystem has not adopted.
- docker/cli GO-2026-4610 is already remediated: we ship v29.4.3, newer than the fixed v29.2.0; grype mis-orders the +incompatible version.

Listing every ID form (GO + GHSA) makes the suppressions apply across both the go-module binary scan and the released-image scan. With this, `grype out/pack` reports no vulnerabilities.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Signed-off-by: Juan Bustamante <[email protected]>
Summary
The grype scan against the pack binary (and the released image) still flagged six docker findings that .grype.yaml was meant to ignore. The existing rules listed the GHSA aliases, but grype matches the printed primary ID — and the go-module scan prints the GO-2026-* IDs — so the suppressions never fired.

All six are non-impactful for pack and none are fixable by a bump:

- docker/docker GO-2026-4887, GO-2026-4883, GHSA-x86f-5xw2-fm2r, GHSA-rg2x-37c3-w2rh, GHSA-vp62-88p7-qqf5 — all daemon-side (AuthZ bypass, plugin-privilege off-by-one, docker cp races, decompression RCE). pack only uses docker as a client (api/types, client, volume/mounts, pkg/* helpers) and never runs the daemon paths. There is no fixed version in the github.com/docker/docker module — the fix exists only in the rewritten github.com/moby/moby/v2 module, which the ecosystem (lifecycle, kaniko) has not adopted and which pack doesn't need.
- docker/cli GO-2026-4610 — already remediated: we ship v29.4.3, newer than the fixed v29.2.0; grype mis-orders the +incompatible pseudo-version.

Listing every ID form (GO + GHSA) makes the suppressions apply across both the go-module binary scan and the released-image scan.
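The following is an added example of what a grype ignore configuration that applies the approach described above looks like; it is not pack's actual .grype.yaml and was not taken from the PR diff. It uses grype's documented ignore-rule keys (`ignore`, `vulnerability`, `reason`, `package.name`) and only the vulnerability IDs and module paths named in this PR. Each ID form is listed as its own rule, because grype compares an ignore rule against the primary ID it prints for a match, and that ID differs between the go-module binary scan (GO-2026-*) and the image scan (GHSA aliases). Scoping every rule to the module path is a deliberate choice so that the same ID reported against a different package is not silently hidden.

```yaml
# Added example: grype ignore rules listing every ID form (GO + GHSA) for the
# six findings discussed in the PR. Not pack's real .grype.yaml.
ignore:
  # docker/docker: daemon-side issues (AuthZ bypass, plugin-privilege off-by-one,
  # docker cp races, decompression RCE). pack uses docker only as a client and
  # never runs the daemon code paths; github.com/docker/docker has no fixed version.
  - vulnerability: GO-2026-4887
    reason: "daemon-side code path; pack only uses the docker client; no fix in github.com/docker/docker"
    package:
      name: github.com/docker/docker
  - vulnerability: GO-2026-4883
    reason: "daemon-side code path; pack only uses the docker client; no fix in github.com/docker/docker"
    package:
      name: github.com/docker/docker
  # GHSA aliases for the same findings, as printed by the released-image scan.
  - vulnerability: GHSA-x86f-5xw2-fm2r
    reason: "daemon-side code path; pack only uses the docker client; no fix in github.com/docker/docker"
    package:
      name: github.com/docker/docker
  - vulnerability: GHSA-rg2x-37c3-w2rh
    reason: "daemon-side code path; pack only uses the docker client; no fix in github.com/docker/docker"
    package:
      name: github.com/docker/docker
  - vulnerability: GHSA-vp62-88p7-qqf5
    reason: "daemon-side code path; pack only uses the docker client; no fix in github.com/docker/docker"
    package:
      name: github.com/docker/docker

  # docker/cli: already remediated. pack ships v29.4.3, newer than the fixed
  # v29.2.0; grype mis-orders the +incompatible pseudo-version and reports it anyway.
  - vulnerability: GO-2026-4610
    reason: "false positive: shipped v29.4.3 is newer than fixed v29.2.0; grype mis-orders +incompatible versions"
    package:
      name: github.com/docker/cli
```

To confirm that a rule actually fired rather than the finding simply disappearing, run the scan with JSON output (`grype out/pack -o json`) and inspect the `ignoredMatches` array: each suppressed finding should appear there with the rule that matched it, while `matches` should be empty. A finding that is in neither list was not found at all, which is a different situation from a suppression that worked.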
Output
Before
After
Documentation
Related
Context: dependabot #2643 cannot fix these (it does not touch docker/docker, and docker/cli is already past its fix), while it reintroduces the moby/moby/client 0.5.0 + go-containerregistry 0.21.7 bumps that break daemon rebase and manifest annotate against the current imgutil. The long-term remediation is the upstream moby/moby/v2 migration.