Component(s)
opentelemetry-operator
What happened?
Description
The opentelemetry-operator has indirect dependency on github.com/docker/docker:
opentelemetry-operator/go.mod, line 93 at commit 97d1355:

    github.com/docker/docker v28.5.2+incompatible // indirect
and that version of docker has a couple of reported CVEs (one of them has severity: high):
Library                  | Vulnerability  | Severity | Status | Installed Version    | Fixed Version | Title
github.com/docker/docker | CVE-2026-34040 | HIGH     | fixed  | v28.5.2+incompatible | 29.3.1        | Moby has AuthZ plugin bypass when provided oversized request bodies (https://avd.aquasec.com/nvd/cve-2026-34040)
github.com/docker/docker | CVE-2026-33997 | MEDIUM   | fixed  | v28.5.2+incompatible | 29.3.1        | moby: docker: github.com/moby/moby: Moby: Privilege validation bypass during plugin installation (https://avd.aquasec.com/nvd/cve-2026-33997)
The CVEs are fixed in a newer version of docker, but it looks like the GitHub module has been changed to github.com/moby/moby and github.com/docker/docker is discontinued after v28.5.2.
Wanted to first check if this is already in the plans for the next release. Due to the switch in module name, tackling this in a custom Dockerfile isn't trivial either, hence raising this issue to fix this in the upstream dependency.
Steps to Reproduce
- Run a docker build of opentelemetry-operator from this repo
- Run trivy on the built image to find the above CVEs
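A go.mod check a maintainer could run alongside the trivy scan, as an added example that is not part of the issue or of the operator's code base. The go.mod excerpt is constructed to mirror the require line quoted above, and the advisory table hard-codes only the two CVEs from the trivy output; the check flags any github.com/docker/docker requirement below the fixed release and reports that the fix lives under the successor module path, which is why a plain version bump of the old path cannot reach it.

```python
import re
from typing import NamedTuple

# Constructed go.mod excerpt modelled on the require line quoted in the issue;
# it is not the operator's real go.mod.
SAMPLE_GO_MOD = """\
module github.com/open-telemetry/opentelemetry-operator

go 1.24

require (
	github.com/docker/docker v28.5.2+incompatible // indirect
	github.com/spf13/pflag v1.0.5
)
"""

# Advisory data taken from the trivy table in the issue. The fixed release is
# published under the successor module path, not under github.com/docker/docker.
ADVISORIES = {
    "github.com/docker/docker": {
        "fixed": (29, 3, 1),
        "successor": "github.com/moby/moby",
        "cves": ("CVE-2026-34040", "CVE-2026-33997"),
    },
}

# module path, semver core, optional suffix (+incompatible, -pre...), optional // indirect
REQUIRE_RE = re.compile(
    r"^\s*(?:require\s+)?(\S+)\s+v(\d+)\.(\d+)\.(\d+)([-+]\S*)?\s*(//\s*indirect)?\s*$"
)

class Finding(NamedTuple):
    module: str
    version: str
    indirect: bool
    cves: tuple
    successor: str

def parse_requires(go_mod: str):
    """Yield (module, (major, minor, patch), suffix, indirect) for each require entry."""
    in_block = False
    for line in go_mod.splitlines():
        stripped = line.strip()
        if stripped == "require (":
            in_block = True
            continue
        if in_block and stripped == ")":
            in_block = False
            continue
        if not (in_block or stripped.startswith("require ")):
            continue
        m = REQUIRE_RE.match(line)
        if m:
            path, major, minor, patch, suffix, indirect = m.groups()
            yield path, (int(major), int(minor), int(patch)), suffix or "", bool(indirect)

def scan(go_mod: str):
    """Return a Finding for every required module still below its advisory's fixed version."""
    findings = []
    for path, core, suffix, indirect in parse_requires(go_mod):
        adv = ADVISORIES.get(path)
        if adv and core < adv["fixed"]:
            version = "v%d.%d.%d%s" % (*core, suffix)
            findings.append(Finding(path, version, indirect, adv["cves"], adv["successor"]))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_GO_MOD):
        kind = "indirect" if f.indirect else "direct"
        print(f"{f.module} {f.version} ({kind}): {', '.join(f.cves)}; fix is under {f.successor}")
```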
Expected Result
Expecting to see no CVEs
Actual Result
Seeing two CVEs coming from github.com/docker/docker
Library                  | Vulnerability  | Severity | Status | Installed Version    | Fixed Version | Title
github.com/docker/docker | CVE-2026-34040 | HIGH     | fixed  | v28.5.2+incompatible | 29.3.1        | Moby has AuthZ plugin bypass when provided oversized request bodies (https://avd.aquasec.com/nvd/cve-2026-34040)
github.com/docker/docker | CVE-2026-33997 | MEDIUM   | fixed  | v28.5.2+incompatible | 29.3.1        | moby: docker: github.com/moby/moby: Moby: Privilege validation bypass during plugin installation (https://avd.aquasec.com/nvd/cve-2026-33997)
Kubernetes Version
1.33.8
Operator version
0.148.0
Collector version
not-relevant
Environment information
Environment
Applies to any environment
Log output
Additional context
No response