Merge pull request wolfi-dev#1187 from hectorj2f/skaffold_adv

skaffold: pending-upstream-fix
sergio-chainguard · Feb 11, 2024 · e24e069 · e24e069
2 parents c07c57c + 8f6d811
commit e24e069
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/skaffold.advisories.yaml b/skaffold.advisories.yaml
@@ -101,6 +101,10 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/skaffold
             scanner: grype
+      - timestamp: 2024-02-11T12:48:47Z
+        type: pending-upstream-fix
+        data:
+          note: Upgrading runc to a non-vulnerable version creates conflicts with other old dependencies required by skaffold such as go.opentelemetry.io/otel which is using v1.15.0.
 
   - id: CVE-2024-23650
     aliases:
@@ -169,6 +173,10 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/skaffold
             scanner: grype
+      - timestamp: 2024-02-11T12:50:32Z
+        type: pending-upstream-fix
+        data:
+          note: Upgrading buildkit to a non-vulnerable version requires to bump github.com/docker/docker to v25.0.3 (currently using v24.0.7) and as a consequence needs multiple code changes to adapt the source code to this new version.
 
   - id: GHSA-7ww5-4wqc-m92c
     events: