Conversation

@raharper
Contributor

What type of PR is this?

cleanup

Which issue does this PR fix:

#742
#734
#732
#730
#725
#724
#722
#708
#704

What does this PR do / Why do we need it:

Fix Critical/High/Medium CVEs against golang dependencies in stacker.

If an issue # is not available please add repro steps and logs showing the issue:

grype stacker

Testing done on this change:

make test priv and unpriv on amd64

Automation added to e2e:

none

Will this break upgrades or downgrades?

no

Does this PR introduce any user-facing change?:

Yes. Dropping stacker-bom support. The stacker-bom project is out-of-date with newer synk API which prevents updating it to newer go.mods which then keeps stacker down to be compatible with the stacker-bom go API.

Dropping stacker-bom support

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@codecov

codecov bot commented Dec 22, 2025

Codecov Report

❌ Patch coverage is 12.50000% with 28 lines in your changes missing coverage. Please review.
✅ Project coverage is 54.17%. Comparing base (ebb4855) to head (c20d613).

Files with missing lines Patch % Lines
pkg/container/idmap/idmap.go 0.00% 14 Missing ⚠️
pkg/container/userns.go 0.00% 14 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #751      +/-   ##
==========================================
+ Coverage   52.84%   54.17%   +1.32%     
==========================================
  Files          59       55       -4     
  Lines        6492     5855     -637     
==========================================
- Hits         3431     3172     -259     
+ Misses       2418     2108     -310     
+ Partials      643      575      -68     


@raharper raharper force-pushed the fix/dependabot-bumps branch from 23121cd to e82e7ce Compare January 6, 2026 17:06
@raharper
Contributor Author

raharper commented Jan 6, 2026

Need to look into the make lint failure; it complains about the containers/image/storage go module not being importable. However, stacker-dynamic and stacker build just fine.

/home/runner/work/stacker/stacker/hack/tools/golangci-lint/v2.7.2/golangci-lint run --build-tags "exclude_graphdriver_btrfs exclude_graphdriver_devicemapper containers_image_openpgp osusergo netgo skipembed"
Error: pkg/lib/containers_storage/lib.go:8:2: could not import github.com/containers/image/v5/storage (.build/gopath/pkg/mod/github.com/containers/image/[email protected]/storage/storage_dest.go:32:2: could not import github.com/containers/storage (-: # github.com/containers/storage
Error: .build/gopath/pkg/mod/github.com/containers/[email protected]/userns.go:334:29: undefined: securejoin.OpenInRoot
Error: .build/gopath/pkg/mod/github.com/containers/[email protected]/userns.go:340:20: undefined: securejoin.Reopen)) (typecheck)
	"github.com/containers/image/v5/storage"
	^
1 issues:
* typecheck: 1
make: *** [Makefile:130: lint] Error 1

This took way longer than I wanted. Two issues:

  1. Had to move filepath-securejoin to v0.4.1 which still had these functions
  2. Had to move containers/storage to v1.58.0 to deal with GetDiffer -> NewDiffer breaking API change (containers/storage@c9260b97)

@raharper raharper force-pushed the fix/dependabot-bumps branch 3 times, most recently from d0a12b8 to 1ae968f Compare January 6, 2026 23:42
raharper and others added 10 commits January 6, 2026 17:46
stacker-bom support is really far behind where it needs to be
to not keep stacker back in go dependencies.

Once stacker-bom is ported to recent syft go library we can
re-introduce support in stacker itself.

Signed-off-by: Ryan Harper <[email protected]>
Signed-off-by: Ryan Harper <[email protected]>
Signed-off-by: Ryan Harper <[email protected]>
Bump the major Critical CVE components. Once built, a grype scan
shows no Critical CVEs anymore, just Highs/Mediums

Signed-off-by: Ryan Harper <[email protected]>
Signed-off-by: Ryan Harper <[email protected]>
Signed-off-by: Ryan Harper <[email protected]>
Signed-off-by: Ryan Harper <[email protected]>
Pulls in new gotest v3 which appears to break our tests

Signed-off-by: Ryan Harper <[email protected]>
Signed-off-by: Ryan Harper <[email protected]>
fulcio bump requires:

- move to go 1.25.5
- latest grpc 1.77.0 had issues with some undefined header so
  drop replace to 1.76.0 release

Signed-off-by: Ryan Harper <[email protected]>
Signed-off-by: Ryan Harper <[email protected]>
Fix the remaining high CVE by bumping to modern incus v6
shared golang API for idmap support

  - reworked idmap struct member IDs and
  - umoci version bumped and updated calls with time.Now()
  - carefully bump to storage v1.58.0 as our containers/images
    release v5.34.0 requires a containers/storage release 1.58.0
    which is the last release before the API change of
    GetDiffer -> NewDiffer which breaks the storage_dest.go in
    the v5.34.0.  Note this is only detectable via `make lint` as
    the stacker binary does not utilize the pkg/lib code; but we have
    downstream tools which do import this which may be affected.

Signed-off-by: Ryan Harper <[email protected]>
Signed-off-by: Ryan Harper <[email protected]>
The various tar.gz tests fail when we move up; keep previous values:
  compress v1.18.0
  mtree v0.5.4

Signed-off-by: Ryan Harper <[email protected]>
@raharper raharper force-pushed the fix/dependabot-bumps branch from 1ae968f to c20d613 Compare January 6, 2026 23:47
@raharper
Contributor Author

raharper commented Jan 7, 2026

\o/

All these go deps are rather gnarly. A little surprised at the end here that not only were we dependent on umoci compress size (fixed since umoci 0.5.0) but it seems klauspost/compress and go-mtree affect our compressed blobs.

Will clean up these sets of commits tomorrow.

Stacker at this point is squeaky clean via grype:

ubuntu@build-stacker2:~/stacker$ grype --version
grype 0.104.3
ubuntu@build-stacker2:~/stacker$ grype stacker
 ✔ Indexed file system                                                                  stacker
 ✔ Cataloged contents          57747f80a24ceeb3f2e6499f0cde785761a752e4dbe4f0d7a6bd58e2ad42efb0
   ├── ✔ Packages                        [126 packages]
   ├── ✔ Executables                     [1 executables]
   ├── ✔ File digests                    [1 files]
   └── ✔ File metadata                   [1 locations]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
No vulnerabilities found
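As an added example (not code from this PR or from the stacker project), a Go check in the spirit of the `grype stacker` repro step above: it parses a grype JSON report and returns every match at Critical/High/Medium, the severities this PR set out to clear, so CI can fail while any remain. The JSON field names are an assumption about grype's `-o json` schema, and the sample report is constructed with placeholder IDs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// grypeMatch models the subset of `grype -o json` output this check reads.
// The field names are an assumption about grype's schema, not taken from the PR.
type grypeMatch struct {
	Vulnerability struct {
		ID       string `json:"id"`
		Severity string `json:"severity"`
	} `json:"vulnerability"`
	Artifact struct {
		Name    string `json:"name"`
		Version string `json:"version"`
	} `json:"artifact"`
}

// Gate parses a grype JSON report and returns one line per match whose
// severity is in failOn (case-insensitive). An empty result means the scan
// is clean at that threshold, as in the final `grype stacker` run above.
func Gate(reportJSON []byte, failOn []string) ([]string, error) {
	var r struct {
		Matches []grypeMatch `json:"matches"`
	}
	if err := json.Unmarshal(reportJSON, &r); err != nil {
		return nil, err
	}
	var failing []string
	for _, m := range r.Matches {
		for _, s := range failOn {
			if strings.EqualFold(m.Vulnerability.Severity, s) {
				failing = append(failing, fmt.Sprintf("%s: %s@%s [%s]",
					m.Vulnerability.ID, m.Artifact.Name, m.Artifact.Version, s))
			}
		}
	}
	return failing, nil
}

// SampleReport is a constructed report with placeholder CVE IDs and module
// names; it is not real grype output for stacker.
const SampleReport = `{"matches":[
 {"vulnerability":{"id":"CVE-0000-0001","severity":"Critical"},"artifact":{"name":"example.com/depA","version":"v1.0.0"}},
 {"vulnerability":{"id":"CVE-0000-0002","severity":"High"},"artifact":{"name":"example.com/depB","version":"v2.3.0"}},
 {"vulnerability":{"id":"CVE-0000-0003","severity":"Low"},"artifact":{"name":"example.com/depC","version":"v0.9.0"}}]}`
```

In a pipeline, feed the output of `grype <binary> -o json` to Gate and exit non-zero when the returned slice is non-empty.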
