
* Fix High CVE's in buildkit and rekor #17302

Closed
wants to merge 2 commits into from

Conversation

nshelke777

@nshelke777 nshelke777 commented May 25, 2023

(Screenshot attached to the PR, dated 2023-05-25.)

This PR fixes the CVEs below, present in the following packages/modules:

Module - github.com/moby/buildkit
CVE-2019-5736
CVE-2021-43565
CVE-2022-23648
CVE-2022-27191
CVE-2022-27664
CVE-2022-28948
CVE-2023-25173
Module - github.com/sigstore/rekor
CVE-2023-30551


Motivation

We need this to be deployed on Production, so wanted to get this fixed asap.

Additional Notes

Possible Drawbacks / Trade-offs

Describe how to test/QA your changes

Reviewer's Checklist

  • If known, an appropriate milestone has been selected; otherwise the Triage milestone is set.
  • Use the major_change label if your change either has a major impact on the code base, is impacting multiple teams or is changing important, well-established internals of the Agent. This label will be used during QA to make sure each team pays extra attention to the changed behavior. For any customer-facing change, use a releasenote.
  • A release note has been added or the changelog/no-changelog label has been applied.
  • Changed code has automated tests for its functionality.
  • Adequate QA/testing plan information is provided if the qa/skip-qa label is not applied.
  • At least one team/.. label has been applied, indicating the team(s) that should QA this change.
  • If applicable, docs team has been notified or an issue has been opened on the documentation repo.
  • If applicable, the need-change/operator and need-change/helm labels have been applied.
  • If applicable, the k8s/<min-version> label has been applied, indicating the lowest Kubernetes version compatible with this feature.
  • If applicable, the config template has been updated.

@bits-bot
Collaborator

bits-bot commented May 25, 2023

CLA assistant check
All committers have signed the CLA.

@nshelke777 nshelke777 changed the title * Fix High CVE's in docker, rekor and buildkit * Fix High CVE's in buildkit and rekor May 25, 2023
@vickenty
Contributor

vickenty commented Jun 6, 2023

Thank you for bringing this up.

I believe the vulnerabilities in dependencies of moby/buildkit are false positives, as we ship newer versions of the packages mentioned in those CVEs:

| CVE | Package | Vulnerable version | Agent 7.44.1 version | Agent 7.45.0 version |
|---|---|---|---|---|
| CVE-2019-5736 | github.com/opencontainers/runc | <1.0-rc6 | 1.1.3 | 1.1.5 |
| CVE-2021-43565 | golang.org/x/crypto | < 0.0.0-20211202192323-5770296d904e | 0.6.0 | 0.8.0 |
| CVE-2022-23648 | github.com/containerd/containerd | < 1.6.1 | 1.6.19 | 1.6.20 |
| CVE-2022-27191 | golang.org/x/crypto | < 0.0.0-20220314234659-1baeb1ce4c0b | 0.6.0 | 0.8.0 |
| CVE-2022-27664 | golang.org/x/net | < 0.0.0-20220906165146-f3363e06e74c | 0.7.0 | 0.10.0 |
| CVE-2022-28948 | gopkg.in/yaml.v3 | 3.0.0-20130425192426-8171f560dedc | 3.0.1 | 3.0.1 |
| CVE-2023-25173 | github.com/containerd/containerd | < 1.6.18 | 1.6.19 | 1.6.20 |

github.com/sigstore/rekor was updated in #17418, and the updated version should be included in the upcoming 7.46.0 release.
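The triage in the comment above (compare the version the build actually resolves against the vulnerable range the scanner reports) can be scripted. The following is an added example, not code from this thread or from the Agent repository: it parses the output of `go list -m all`, which lists the versions Go's minimum version selection picked for the whole build graph, and classifies each finding as `vulnerable`, `not affected` or `absent`. The module list is a constructed sample filled in with the Agent 7.44.1 column of the table; the advisory specs are transcribed from the table's "Vulnerable version" column as written (a `<bound` range, or one exact pseudo-version for yaml.v3). The version comparison is a deliberately small one written here, not `golang.org/x/mod/semver`, and treats any pre-release suffix (which covers Go pseudo-versions) as sorting below the same core version without one.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Advisory is one scanner finding: the CVE, the module it names and the
// vulnerable version spec as reported ("<bound", exclusive, or one exact
// version). Values below are transcribed from the table in the comment above.
type Advisory struct {
	CVE, Module, Vulnerable string
}

// parseVersion splits a Go module version ("v1.6.19", "1.0-rc6", or a
// pseudo-version such as "v0.0.0-20220906165146-f3363e06e74c") into up to
// three numeric core parts and a pre-release string. Build metadata after
// "+" is dropped, as semver precedence rules require.
func parseVersion(v string) (core [3]int, pre string, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) > 3 {
		return core, "", fmt.Errorf("malformed version %q", v)
	}
	for i, p := range parts {
		if core[i], err = strconv.Atoi(p); err != nil {
			return core, "", fmt.Errorf("malformed version %q", v)
		}
	}
	return core, pre, nil
}

// compareVersions returns -1, 0 or 1 as a is lower than, equal to or higher
// than b. A pre-release (including every pseudo-version) sorts below the same
// core version without one, so v3.0.0-20130425... < v3.0.0 < v3.0.1.
func compareVersions(a, b string) (int, error) {
	ca, pa, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	cb, pb, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		if ca[i] < cb[i] {
			return -1, nil
		} else if ca[i] > cb[i] {
			return 1, nil
		}
	}
	switch {
	case pa == pb:
		return 0, nil
	case pa == "":
		return 1, nil
	case pb == "" || pa < pb:
		return -1, nil
	}
	return 1, nil
}

// isVulnerable applies a scanner spec: "<bound" means strictly below bound,
// anything else is a single exact vulnerable version.
func isVulnerable(resolved, spec string) (bool, error) {
	spec = strings.TrimSpace(spec)
	if strings.HasPrefix(spec, "<") {
		cmp, err := compareVersions(resolved, spec[1:])
		return cmp < 0, err
	}
	cmp, err := compareVersions(resolved, spec)
	return cmp == 0, err
}

// parseModuleList reads `go list -m all` output (one "path version" pair per
// line; the main module on the first line has no version) into a map.
func parseModuleList(out string) map[string]string {
	resolved := map[string]string{}
	for _, line := range strings.Split(out, "\n") {
		if f := strings.Fields(line); len(f) >= 2 {
			resolved[f[0]] = f[1]
		}
	}
	return resolved
}

// Triage classifies each advisory against the resolved build graph.
func Triage(resolved map[string]string, advisories []Advisory) (map[string]string, error) {
	verdict := map[string]string{}
	for _, adv := range advisories {
		got, ok := resolved[adv.Module]
		if !ok {
			verdict[adv.CVE] = "absent"
			continue
		}
		vuln, err := isVulnerable(got, adv.Vulnerable)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", adv.CVE, err)
		}
		verdict[adv.CVE] = map[bool]string{true: "vulnerable", false: "not affected"}[vuln]
	}
	return verdict, nil
}

// Constructed sample in the shape of `go list -m all`, using the Agent 7.44.1
// column of the table above; this is not real Agent output.
const sampleModuleList = `example.com/agent
github.com/containerd/containerd v1.6.19
github.com/opencontainers/runc v1.1.3
golang.org/x/crypto v0.6.0
golang.org/x/net v0.7.0
gopkg.in/yaml.v3 v3.0.1
`

var advisories = []Advisory{
	{"CVE-2019-5736", "github.com/opencontainers/runc", "<1.0-rc6"},
	{"CVE-2021-43565", "golang.org/x/crypto", "< 0.0.0-20211202192323-5770296d904e"},
	{"CVE-2022-23648", "github.com/containerd/containerd", "< 1.6.1"},
	{"CVE-2022-27191", "golang.org/x/crypto", "< 0.0.0-20220314234659-1baeb1ce4c0b"},
	{"CVE-2022-27664", "golang.org/x/net", "< 0.0.0-20220906165146-f3363e06e74c"},
	{"CVE-2022-28948", "gopkg.in/yaml.v3", "3.0.0-20130425192426-8171f560dedc"},
	{"CVE-2023-25173", "github.com/containerd/containerd", "< 1.6.18"},
}

func main() {
	verdict, err := Triage(parseModuleList(sampleModuleList), advisories)
	if err != nil {
		panic(err)
	}
	for _, adv := range advisories {
		fmt.Printf("%-15s %-34s %s\n", adv.CVE, adv.Module, verdict[adv.CVE])
	}
}
```

In a real repository, replace the constant with the actual `go list -m all` output. The point of using that command rather than a dependency's own `go.mod` is that a `require` line in a dependency is only a minimum; the version that ships is the highest one required anywhere in the graph, which is what the table above reports and what a finding should be judged against.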

@vickenty vickenty closed this Jun 6, 2023
@AliDatadog
Contributor

Thank you for your contribution again.

Regarding rekor: this package is imported by Trivy for a feature that we do not use, so we are not impacted.
