
Address phase 2 docker-up critical CVE findings#21497

Merged: geropl merged 1 commit into main from ona/phase-2-docker-up-critical-cve-remediation on Jun 22, 2026

Conversation

@geropl geropl (Member) commented Jun 22, 2026

Summary

Implements Phase 2 of the CLC-2255 critical CVE remediation plan for components/docker-up:

  • Rebuilds Docker Compose v2.40.3 from source during go generate, preserving the current Compose version while overriding vulnerable modules:
    • golang.org/x/crypto@v0.52.0
    • golang.org/x/net@v0.55.0
    • google.golang.org/grpc@v1.79.3
  • Rebuilds runc from the existing v1.1.15 source line, preserving the major/minor/patch version while building with fixed golang.org/x/net@v0.55.0 and the current Go toolchain.
  • Keeps runc seccomp support enabled during the rebuild.
  • Removes the duplicate Docker Compose copy from the scratch image by copying only:
    • /usr/bin/docker-up
    • /usr/bin/runc-facade
    • /usr/local/bin/docker-compose
  • Drops upstream Compose release provenance/SBOM sidecar handling because the Compose binary is now locally rebuilt rather than downloaded as an upstream release asset.

Issues

Relates to CLC-2255

Validation

  • git diff --check
  • bash -n components/docker-up/dependencies.sh
  • leeway build components/docker-up:docker --dont-test -Dversion=dev -DimageRepoBase=localhost:5000/gitpod
  • leeway sbom scan components/docker-up:docker --with-dependencies --output-dir /tmp/docker-up-phase2-final-scan -Dversion=dev -DimageRepoBase=localhost:5000/gitpod
    • components/docker-up:bin-docker-up: critical=0 high=43 ignored=1
    • components/docker-up:app: critical=0 high=39 ignored=1
    • components/docker-up:docker: critical=0 high=39 ignored=1
    • components/docker-up:bin-runc-facade: critical=0 high=6 ignored=0
    • components/common-go:lib: critical=0 high=0 ignored=0
    • components/scrubber:lib: critical=0 high=0 ignored=0
  • docker run --rm 221a0d1b6b3551448cfca53f3a3d75b4b8ced8c3:latest /usr/local/bin/docker-compose version
    • Docker Compose version v2.40.3
  • Confirmed /usr/bin/docker-compose is absent from the scratch image; container exits 127 for that path.

Notes

Phase 1 was merged in #21496 before this PR was opened, so this draft targets main directly.

Co-authored-by: Codex <noreply@openai.com>
@geropl geropl marked this pull request as ready for review June 22, 2026 10:23
@geropl geropl requested a review from a team as a code owner June 22, 2026 10:23
@geropl geropl changed the title Draft: Address phase 2 docker-up critical CVE findings Address phase 2 docker-up critical CVE findings Jun 22, 2026
@geropl geropl enabled auto-merge (squash) June 22, 2026 10:23
@geropl geropl merged commit c88514b into main Jun 22, 2026
26 checks passed
@geropl geropl deleted the ona/phase-2-docker-up-critical-cve-remediation branch June 22, 2026 10:35
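One check worth adding next to the validation steps above, written here as an added example and not code from this PR or the Gitpod repository: it reads the output of `go version -m` for a rebuilt binary and reports any module whose effective version, after go.mod replace directives are applied, is still below the override the description names. The `MinVersions` map is constructed from the versions listed in the PR; `semverKey` and `CheckBuildInfo` are names assumed for this example.

```go
package main
import (
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"
)
// Minimum module versions to enforce, constructed here from the PR description; edit as needed.
var MinVersions = map[string]string{
	"golang.org/x/crypto":    "v0.52.0",
	"golang.org/x/net":       "v0.55.0",
	"google.golang.org/grpc": "v1.79.3",
}
// semverKey maps "vMAJOR.MINOR.PATCH" to a fixed-width string that sorts in version order; non-numeric parts count as 0 and so read as stale.
func semverKey(v string) string {
	key := ""
	for _, p := range append(strings.Split(strings.TrimPrefix(v, "v"), "."), "0", "0")[:3] {
		n, _ := strconv.Atoi(p)
		key += fmt.Sprintf("%08d", n)
	}
	return key
}

// CheckBuildInfo parses `go version -m <binary>` output and lists modules below their minimum.
// A "=>" (go.mod replace) line overrides the "dep" line above it; a module not linked into the binary is not listed.
func CheckBuildInfo(output string, minimums map[string]string) []string {
	found, last := map[string]string{}, ""
	for _, line := range strings.Split(output, "\n") {
		if f := strings.Fields(line); len(f) >= 3 && f[0] == "dep" {
			last, found[f[1]] = f[1], f[2]
		} else if len(f) >= 3 && f[0] == "=>" && last != "" {
			found[last] = f[2]
		}
	}
	var stale []string
	for mod, min := range minimums {
		if got, ok := found[mod]; ok && semverKey(got) < semverKey(min) {
			stale = append(stale, fmt.Sprintf("%s: have %s, need >= %s", mod, got, min))
		}
	}
	return stale
}
func main() { // usage: go version -m /usr/local/bin/docker-compose | go run check.go
	data, _ := io.ReadAll(os.Stdin)
	if stale := CheckBuildInfo(string(data), MinVersions); len(stale) > 0 {
		fmt.Println(strings.Join(stale, "\n"))
		os.Exit(1) // fail the build step; exit 0 with no output means all minimums are met
	}
}
```

Run it against each binary copied into the scratch image; the runc-facade binary will simply not list grpc, which is correct, since a module that is not linked in cannot carry the finding.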