Docker Scout flags v0.106.1 with CVE-2024-41110

[aheusser]

Component(s)

Multiple

What happened?

Docker Scout scan fails with a critical CVE.

Description

When I pull and build from the 106.1 opentelemetry-collector-contrib image, the Docker Scout scan flags a "9.9" critical issue (CVE-2024-41110) against usage of github.com/docker/docker v26.1.4

Searching the 106.1 codebase, it appears that github.com/docker/docker v26.1.4 version is referenced ~45 times across the codebase.

According to the scan, this CVE is addressed in github.com/docker/docker v26.1.5.

See:

• docker scout CVE-2024-4110 report
• snyk.io CVE-2024-41110 report
• Bump github.com/docker/docker from 26.1.4+incompatible to 26.1.5+incompatible in /exporter/splunkhecexporter #34584

Steps to Reproduce

Dockerfile

FROM otel/opentelemetry-collector-contrib:0.106.1
# ...

Expected Result

successful scan

Actual Result

Collector version

v0.106.1

Environment information

Scanning using Docker Desktop 4.33.1

OpenTelemetry Collector configuration

No response

Log output

No response

Additional context

No response

[mx-psi]

This was fixed by #34591 and will be released in v0.107.0 this week