Update module github.com/moby/buildkit to v0.11.4 [SECURITY] - abandoned

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
github.com/moby/buildkit	require	minor	v0.10.6 -> v0.11.4

---

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-26054

When the user sends a build request that contains a Git URL that contains credentials and the build creates a provenance attestation describing that build, these credentials could be visible from the provenance attestation.

Git URL can be passed in two ways:

1. Invoking build directly from a URL with credentials.

buildctl build --frontend dockerfile.v0 --context https://<credentials>@&#8203;url/repo.git

Equivalent in docker buildx would be

docker buildx build https://<credentials>@&#8203;url/repo.git

2. If the client sends additional VCS info hint parameters on builds from a local source. Usually, that would mean reading the origin URL from .git/config file.

Thanks to Oscar Alberto Tovar for discovering the issue.

Impact

When a build is performed under specific conditions where credentials were passed to BuildKit they may be visible to everyone who has access to provenance attestation.

Provenance attestations and VCS info hints were added in version v0.11.0. Previous versions are not vulnerable.

In v0.10, when building directly from Git URL, the same URL could be visible in BuildInfo structure that is a predecessor of Provenance attestations. Previous versions are not vulnerable.

Note: Docker Build-push Github action builds from Git URLs by default but is not affected by this issue even when working with private repositories because the credentials are passed with build secrets and not with URLs.

Patches

Bug is fixed in v0.11.4 .

Workarounds

It is recommended to pass credentials with build secrets when building directly from Git URL as a more secure alternative than modifying the URL.

In Docker Buildx, VCS info hint can be disabled by setting BUILDX_GIT_INFO=0. buildctl does not set VCS hints based on .git directory, and values would need to be passed manually with --opt.

References

• Inline credentials in URLs deprecated in RFC3986 https://www.rfc-editor.org/rfc/rfc3986#section-3.2.1

---

Release Notes

moby/buildkit

v0.11.4

Compare Source

https://hub.docker.com/r/moby/buildkit

Notable changes:

This release contains two security fixes.

• Fix the issue where credentials inlined to Git URLs could end up in provenance attestation GHSA-gc89-7gcr-jxqc

• Containerd has been updated to 1.6.18 , fixing issue with supplementary groups not being set up properly GHSA-hmfx-3pcx-653p #​3651

Other updates

• Fix possible panic with writing annotations #​3670
• Fix possible panic with passing nil frontend input #​3659
• Fix file capabilities in merged snapshots by changing chown order #​3671

v0.11.3

Compare Source

Welcome to the 0.11.3 release of buildkit!

Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.

Notable Changes

• Builtin Dockerfile frontend updated to v1.5.2
• Fix not mounting optional secrets missing from build requests #​3561
• Fix an issue with Github cache backend that could cause invalid range requests #​3618
• Fix possible cache loading error when loading local cache created by BuildKit releases older than v0.10 #​3605
• Fix issues with missing layer metadata in SBOMs in latest releases #​3594
• Fix possible "digest not found" error on exporting build results #​3566
• Make sure timezones are dropped on handling SOURCE_DATE_EPOCH #​3559

Dependency Changes

• github.com/containerd/containerd 1709cfe -> v1.6.16

Previous release can be found at v0.11.2

v0.11.2

Compare Source

Welcome to the 0.11.2 release of buildkit!

Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.

Notable changes

• Update containerd patches to fix regression in handling push errors #​3531
• Multiple fixes for History API #​3530
• Fix issue with parallel build requests using local cache imports #​3493

Dependency Changes

• github.com/containerd/containerd v1.6.14 -> 1709cfe
• github.com/pelletier/go-toml v1.9.4 -> v1.9.5

Previous release can be found at v0.11.1

v0.11.1

Compare Source

Welcome to the 0.11.1 release of buildkit!

Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.

Notable changes

• Builtin Dockerfile frontend has been updated to 1.5.1, fixing possible panic in certain warning condition #​3505
• Fix possible hang when closing down the SSH forwarding socket in v0.11.0 #​3506
• Fix typo in an environment variable used to configure OpenTelemetry endpoints #​3508

v0.11.0

Compare Source

Welcome to the 0.11.0 release of buildkit!

Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.

Notable Changes

• Builtin Dockerfile frontend has been updated to v1.5.0 https://github.com/moby/buildkit/releases/tag/dockerfile%2F1.5.0

• BuildKit and compatible frontends can now produce SBOM (Software Bill of Materials) attestations for the build results to show the dependencies of the build. These attestations can be added to images and locally exported files. Using Dockerfiles, SBOM information can be configured to be produced also based on files in intermediate build stages or build context, or run processes that manually define the SBOM dependencies. When exporting an image, layer mapping is also produced that allows tracing a SBOM package to a specific build step. #​3258 #​3290 #​3249 #​2983 #​3358 #​3312 #​3407 #​3408 #​3410 #​3414 #​3422 Read documentation

• BuildKit can now produce a Provenance attestation for the build result in SLSA format. Provenance attestations describe how a build was produced, and what sources/parameters were used. In addition to fields part of the SLSA specification, Buildkit's provenance also exports BuildKit-specific metadata like LLB steps with their source- and layer mapping. Provenance attestation will capture all the build sources visible to BuildKit, for example, not only the Git repository where the project's source is coming from but also the digests of all the container images used during the build. #​3240 #​3428 #​3428 #​3462 Read documentation

• BuildKit now supports reproducible builds by setting SOURCE_DATE_EPOCH build argument or source-date-epoch exporter attribute. This deterministic date will be used in image metadata instead of the current time. #​2918 #​3262 #​3152 Read documentation

• OCI annotations can now be set to build results exported as images or OCI layouts. Annotations can be set on both image manifests and indexes, as well as descriptors to them. #​3283 #​3061 #​2975 #​2879 Read documentation

• New Build History API allows listening to events about builds starting and completing, and streaming progress of active builds. New commands buildctl debug monitor, buildctl debug logs and buildctl debug get have been added to use this API. Build records also keep OpenTelemetry traces, provenance attestations, and image manifests if they were created by the build. #​3294 #​3339 #​3440

• Build results exported with image, local or tar exporters now support attestations. In addition to builtin SBOM and Provenance attestations, frontends can produce custom attestations in in-toto format #​3197 #​3070 #​3129 #​3073 #​3063 #​2935 #​3289 #​3389 #​3321 #​3342 #​3461 Read documentation

• New Source type oci-layout:// allows builds to import images from OCI directory structure on the client side. This allows using local versions of the image. #​3112 #​3300 #​3122 #​3034 #​2971 #​2827 #​3397

• Build requests now support sending a Source policy definition. A policy can be used to deny access to specific sources (e.g. images or URLs) or only allow access to specific image namespaces. Policies can also be used to modify sources when they are requested by the build, for example, pin a tag requested by the build to a specific digest even if it has already changed in the registry. #​3332

• New remote cache backend: Azure Blob Storage #​3010

• New remote cache backend: S3 #​2824 #​3065

• BuildKit now supports Nydus compression type #​2581

• OCI exporter now supports attribute tar=false to export OCI layout into a directory instead of downloading a tarball. #​3162

• Setting multiple cache exporters for a single build is now supported #​3024 #​3271

• Cache exporters can now be configured to ignore exporting errors #​3430

• Remote cache import/export to client-side local files now supports tag parameter for scoping cache #​3111

• CNI network namespaces are now provisioned from a pool for increased performance #​3107

• New Info service has been added to control API for asking BuildKit daemon's version #​2725

• Gateway API now has a new Evaluate method to control the lazy solve behavior #​3137

• Allow mounting secrets with empty contents #​3081

• New RemoveMountStubsRecursive option has been added to LLB ExecOp to control the cleanup behavior of mounts. By default, empty mount stubs are now cleaned up recursively in new frontends. #​3314

• LLB Image source now allows pulling partial layer chains from image #​2795

• Allow hostname to be set by network provider (K8S_POD_NAME) #​3044

• Improve handling and logging of API health checks #​2998

• RegistryToken auth from Docker config is now allowed as authentication input #​2868

• Image exporter with containerd worker now allows skipping adding image to containerd image store with store=false. If not set then images stored images are now guaranteed to be unlazied and unpacked. #​2800

• buildctl now loads Github runtime environment when using GHA remote cache #​2707

• Support for conflist when configuring CNI networking #​3029

• Platform info has been added to the build result descriptor metadata #​2993

• Allow sourcemaps to link single LLB vertex to multiple source locations #​2859

• Support for SSH connection helper #​2843

• Empty stub paths created by mount points when build container runs are now cleaned up and do not remain in the final image. #​3307 #​3149

• Improve performance on BoltDB commits #​3261

• Indentation of some of the image manifests has been fixed to use double spaces #​3259

• Fix caching checksum error on copying files with custom UID/GID #​3295

• Fix cases where copy operation left behind nondeterministic timestamps for better support for reproducible builds #​3298

• Fix SSH forwarding incompatibility with OpenSSH >= 8.9 #​3274

• Stargz has been updated to v0.13.0 #​3280

• Embedded QEMU emulators have been updated to v7.1.0 with new patches for path handling. #​3386

• Fix unpacking images with no layers #​3251

• Fix possible nil pointer exception in LLB bridge #​3233 #​3169 #​3066

• Fix cleanup of containerd tasks if a start fails #​3253

• Fix handling Windows paths in content checksums #​3227

• Fix possible missing newline in progress output #​3072

• Fix possible early EOF on SSH forwarding #​3431

• Fix possible panic in concurrent OpenTelemetry access #​3058

• Previously deprecated old cache options have been removed #​2982

• Daemonless script has been updated to handle already stopped process #​3005

• Fix closing session if shared by multiple clients #​2995

• buildctl du command now supports JSON formatting #​2992

• Registry push errors now show additional context #​2981

• Improve default description of FileOp vertexes #​2932

• Make sure progress from exporting is properly keyed on parallel requests #​2953

• Terminal colors are now configurable #​2954

• Build errors now always print stacktraces to daemon logs in debug mode #​2903

Contributors

• Tõnis Tiigi
• Justin Chadwell
• CrazyMax
• Akihiro Suda
• Erik Sipsma
• Sebastiaan van Stijn
• Yan Song
• Kohei Tokunaga
• Alex Suraci
• Jonny Stoten
• Aaron Lehmann
• Avi Deitcher
• Bertrand Paquet
• Brian Goff
• Corey Larson
• Cory Bennett
• Cory Snider
• David Gageot
• Eng Zer Jun
• Fiona Klute
• Gabriel Adrian Samfira
• Petr Fedchenkov
• Pierre Fenoll
• Pranav Pandit
• Sascha Schwarze
• Sean P. Kane
• Steve Lohr
• Tianon Gravi
• Alex Couture-Beil
• Ce Gao
• Daniel Duvall
• Fred Cox
• Frank Yang
• Gahl Saraf
• Guilhem C
• Jacob Gillespie
• Jitender Kumar
• Jordan Goasdoue
• Julian Goede
• Luca Visentin
• Manu Gupta
• Marcus Comstedt
• Morlay
• Nick Santos
• Omer Duchovne
• Tom C
• a-palchikov

Dependency Changes

• github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.0 new
• github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 new
• github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 new
• github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.4.1 new
• github.com/AzureAD/microsoft-authentication-library-for-go v0.6.0 new
• github.com/Microsoft/go-winio v0.5.1 -> v0.5.2
• github.com/Microsoft/hcsshim v0.9.2 -> v0.9.6
• github.com/aws/aws-sdk-go-v2 v1.16.3 new
• github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.1 new
• github.com/aws/aws-sdk-go-v2/config v1.15.5 new
• github.com/aws/aws-sdk-go-v2/credentials v1.12.0 new
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.4 new
• github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.10 new
• github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.10 new
• github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.4 new
• github.com/aws/aws-sdk-go-v2/internal/ini v1.3.11 new
• github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.1 new
• github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.1 new
• github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.5 new
• github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.4 new
• github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.4 new
• github.com/aws/aws-sdk-go-v2/service/s3 v1.26.9 new
• github.com/aws/aws-sdk-go-v2/service/sso v1.11.4 new
• github.com/aws/aws-sdk-go-v2/service/sts v1.16.4 new
• github.com/aws/smithy-go v1.11.2 new
• github.com/containerd/cgroups v1.0.3 -> v1.0.4
• github.com/containerd/containerd 5ff8fce -> v1.6.14
• github.com/containerd/continuity d132b28 -> v0.3.0
• github.com/containerd/go-cni v1.1.4 -> v1.1.6
• github.com/containerd/nydus-snapshotter v0.3.1 new
• github.com/containerd/stargz-snapshotter v0.11.3 -> v0.13.0
• github.com/containernetworking/cni v1.0.1 -> v1.1.1
• github.com/docker/cli v20.10.13 -> v23.0.0-rc.1
• github.com/docker/docker 61404de -> v23.0.0-rc.1
• github.com/docker/docker-credential-helpers v0.6.4 -> v0.7.0
• github.com/docker/go-units v0.4.0 -> v0.5.0
• github.com/go-logr/logr v1.2.2 -> v1.2.3
• github.com/gofrs/flock v0.7.3 -> v0.8.1
• github.com/google/go-cmp v0.5.7 -> v0.5.9
• github.com/hashicorp/go-retryablehttp v0.7.0 -> v0.7.1
• github.com/hashicorp/golang-lru v0.5.3 -> v0.5.4
• github.com/in-toto/in-toto-golang v0.5.0 new
• github.com/jmespath/go-jmespath v0.4.0 new
• github.com/klauspost/compress v1.15.1 -> v1.15.12
• github.com/kylelemons/godebug v1.1.0 new
• github.com/moby/patternmatcher v0.5.0 new
• github.com/moby/sys/sequential v0.5.0 new
• github.com/opencontainers/image-spec c5a74bc -> 02efb9a
• github.com/opencontainers/runc v1.1.1 -> v1.1.3
• github.com/opencontainers/selinux v1.10.0 -> v1.10.2
• github.com/package-url/packageurl-go 8907843 new
• github.com/pkg/browser ce105d0 new
• github.com/prometheus/client_golang v1.12.1 -> v1.14.0
• github.com/prometheus/client_model v0.2.0 -> v0.3.0
• github.com/prometheus/common v0.32.1 -> v0.37.0
• github.com/prometheus/procfs v0.7.3 -> v0.8.0
• github.com/secure-systems-lab/go-securesystemslib v0.4.0 new
• github.com/shibumi/go-pathspec v1.3.0 new
• github.com/sirupsen/logrus v1.8.1 -> v1.9.0
• github.com/spdx/tools-golang d6f5855 new
• github.com/stretchr/testify v1.7.0 -> v1.8.0
• github.com/tonistiigi/fsutil 9ed6126 -> fb43384
• golang.org/x/crypto 5770296 -> v0.2.0
• golang.org/x/net fe4d628 -> v0.4.0
• golang.org/x/sync 036812b -> v0.1.0
• golang.org/x/sys da31bd3 -> v0.3.0
• golang.org/x/time 1f47c86 -> v0.1.0
• google.golang.org/genproto 3a66f56 -> 7780775
• google.golang.org/grpc v1.45.0 -> v1.50.1
• gopkg.in/yaml.v3 v3.0.0 -> v3.0.1

Previous release can be found at v0.10.6

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: docker run --rm --name=renovate_sidecar --label=renovate_child -v "/tmp/worker/4fcd80/76683b/repos/github/acorn-io/acorn":"/tmp/worker/4fcd80/76683b/repos/github/acorn-io/acorn" -v "/tmp/worker/4fcd80/76683b/cache":"/tmp/worker/4fcd80/76683b/cache" -e GOPATH -e GOPROXY -e GOSUMDB -e GOFLAGS -e CGO_ENABLED -e GIT_CONFIG_KEY_0 -e GIT_CONFIG_VALUE_0 -e GIT_CONFIG_KEY_1 -e GIT_CONFIG_VALUE_1 -e GIT_CONFIG_KEY_2 -e GIT_CONFIG_VALUE_2 -e GIT_CONFIG_COUNT -e BUILDPACK_CACHE_DIR -e CONTAINERBASE_CACHE_DIR -w "/tmp/worker/4fcd80/76683b/repos/github/acorn-io/acorn" docker.io/renovate/sidecar bash -l -c "install-tool golang 1.20.2 && go get -d -t ./... && go mod tidy && go mod tidy"

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Pages

Latest commit:	3812f71
Status:	✅  Deploy successful!
Preview URL:	https://df89bae4.acorn.pages.dev
Branch Preview URL:	https://renovate-go-github-com-moby.acorn.pages.dev

View logs

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.

[jacobdonenfeld]

Ran go mod tidy and pushed a new commit to get other tests to pass

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.