rancher-agent-2.10/2.10.0-r0: cve remediation #36778

Closed

Conversation

octo-sts[bot] (Contributor) commented Dec 13, 2024

octo-sts bot (Contributor, Author) commented Dec 13, 2024

Gen AI suggestions to solve the build error:

• Detected Error: "Failed to running update. Error: package github.com/docker/docker with version 'v24.0.9' is already at version v25.0.6+incompatible"

• Error Category: Version/Dependency

• Failure Point: go/bump step in the pipeline attempting to update github.com/docker/docker dependency

• Root Cause Analysis: The go/bump step is trying to downgrade github.com/docker/docker from v25.0.6+incompatible to v24.0.9, which is not allowed by Go's module system

• Suggested Fix:

  1. Remove the github.com/docker/[email protected] from the go/bump step
  2. Update the go/bump step to:
  - uses: go/bump
    with:
      deps: github.com/golang-jwt/jwt/[email protected] github.com/go-jose/go-jose/[email protected] golang.org/x/[email protected]

• Explanation:

  • Go's module system prevents downgrading dependencies to older versions
  • The existing module already has a newer version (v25.0.6+incompatible)
  • Removing the explicit version constraint will allow the build to proceed with the existing compatible version

• Additional Notes:

  • If v24.0.9 is specifically required, you may need to use replace directives instead
  • Consider testing the build with the newer docker client version as it should maintain backwards compatibility
  • The +incompatible suffix indicates this is a v0/v1 module being used at a v2+ version

• References:

@hbh7 hbh7 self-assigned this Dec 13, 2024
hbh7 (Member) commented Dec 14, 2024

The docker CVE is going to take additional work to fix since it's got a weird replace setup (replaced and also required). I tried for a while to get it to work but I didn't get anywhere with it.

```go
replace (
	...
	github.com/docker/docker => github.com/docker/docker v20.10.27+incompatible // rancher-machine requires a replace is set
	...
)
...
require (
	...
	github.com/docker/docker v25.0.6+incompatible
	...
)
...
```
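The replace/require pair hbh7 quotes above is exactly the shape that misleads a require-only CVE bump, and the go/bump failure quoted in the bot comment is a plain version comparison. The following is an added example, not code from this issue, from rancher, or from the wolfi build tooling: a stdlib-only Go program that parses a constructed go.mod modelled on the snippet above, resolves each module's effective version with the replace directive taking precedence over the require entry, flags modules whose replace target is older than what require says, and compares versions so that the v24.0.9-below-v25.0.6+incompatible downgrade from the error message is visible. The go.mod text, the function names and the `local:` marker for filesystem replacements are this example's own conventions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// GoMod keys require and replace directives by module path; Replace is "vX.Y.Z" or "local:<dir>".
type GoMod struct{ Require, Replace map[string]string }

// Effective is the version the build compiles: a replace directive wins over the require entry.
func (g GoMod) Effective(path string) string {
	if r, ok := g.Replace[path]; ok {
		return r
	}
	return g.Require[path]
}

// parseGoMod extracts require and replace directives (block or single-line form)
// from go.mod text; comments and every other directive are ignored.
func parseGoMod(src string) GoMod {
	g := GoMod{Require: map[string]string{}, Replace: map[string]string{}}
	block := "" // "require" or "replace" while inside a parenthesised block
	for _, line := range strings.Split(src, "\n") {
		line, _, _ = strings.Cut(line, "//") // strip trailing comment
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		kind := block
		switch {
		case kind != "" && f[0] == ")":
			block = ""
			continue
		case kind == "" && len(f) >= 2 && (f[0] == "require" || f[0] == "replace"):
			if f[1] == "(" {
				block = f[0]
				continue
			}
			kind, f = f[0], f[1:] // single-line directive
		case kind == "":
			continue // module, go, exclude, retract, ...
		}
		if kind == "require" && len(f) >= 2 {
			g.Require[f[0]] = f[1]
			continue
		}
		if _, rhs, ok := strings.Cut(strings.Join(f, " "), " => "); ok { // old [vOld] => rhs
			if r := strings.Fields(rhs); len(r) == 2 { // rhs is "new vNew"
				g.Replace[f[0]] = r[1]
			} else if len(r) == 1 { // rhs is a directory
				g.Replace[f[0]] = "local:" + r[0]
			}
		}
	}
	return g
}

// IsOlder reports whether a's numeric core is strictly below b's. "+incompatible" build
// metadata never affects ordering; pre-release tags are ignored and unparsable input
// (such as "local:" targets) is never older, both simplifications of full semver.
func IsOlder(a, b string) bool {
	core := func(v string) (n [3]int, ok bool) {
		v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop build metadata
		v, _, _ = strings.Cut(v, "-")                          // drop pre-release tag
		_, err := fmt.Sscanf(v, "%d.%d.%d", &n[0], &n[1], &n[2])
		return n, err == nil
	}
	ca, oka := core(a)
	cb, okb := core(b)
	for i := 0; oka && okb && i < 3; i++ {
		if ca[i] != cb[i] {
			return ca[i] < cb[i]
		}
	}
	return false
}

// PinnedBelowRequire lists modules whose replace target is older than their
// require entry, so a CVE fix that only raises the require line never ships.
func PinnedBelowRequire(g GoMod) []string {
	var out []string
	for path, target := range g.Replace {
		if IsOlder(target, g.Require[path]) {
			out = append(out, path)
		}
	}
	sort.Strings(out)
	return out
}

// constructedGoMod is a made-up fragment modelled on the replace/require pair
// quoted in the issue; it is not the real rancher-agent go.mod.
const constructedGoMod = `require (
	github.com/docker/docker v25.0.6+incompatible
	golang.org/x/crypto v0.27.0
)
replace github.com/docker/docker => github.com/docker/docker v20.10.27+incompatible // kept for a dependency
replace golang.org/x/crypto => ../local/crypto
`
```

Feed a real go.mod's contents to `parseGoMod` and check `PinnedBelowRequire`: a non-empty list means a bump of the require line alone leaves the binary built from the older replace target, which is the situation in the snippet above. `IsOlder("v24.0.9", "v25.0.6+incompatible")` is true, which is the downgrade the go/bump error reports. Pre-release ordering is deliberately left out, so ties involving `-rc` versions need a manual look.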

@hbh7 hbh7 removed their assignment Dec 14, 2024
@hbh7 hbh7 added the help wanted Extra attention is needed label Dec 14, 2024
@octo-sts octo-sts bot added bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. manual/review-needed labels Dec 14, 2024
@cmwilson21 cmwilson21 removed the help wanted Extra attention is needed label Dec 17, 2024
cmwilson21 (Member) commented

Removing the help wanted label since @kbsteere picked it up. If you run into any issues, please feel free to re-add the label! 👍

kbsteere (Contributor) commented

@cmwilson21 @powersj @philroche can this be closed since we are addressing the issues in this cve-remediation? #35370

powersj (Contributor) commented Dec 17, 2024

@kbsteere I think so, but let's have @philroche confirm.

philroche (Member) commented

Yes. Closing. Looks like automation is creating duplicate remediations though.

@philroche philroche closed this Dec 18, 2024
5 participants