
[2.13] fix cves in docker client library + go-jwt + bump golang version + bump base image#371

Merged
thatmidwesterncoder merged 2 commits into rancher:release/v2.13 from thatmidwesterncoder:cve_remediations_213 on Jun 4, 2026

Conversation

@thatmidwesterncoder

@thatmidwesterncoder thatmidwesterncoder commented Jun 3, 2026

Issue: rancher/rancher#55285

Parent Issue: rancher/rancher#55280

Bumping a few things to lower the CVE count, notably:

  • docker/docker library
  • go-jwt library
  • golang version to latest minor
  • bci version

@thatmidwesterncoder thatmidwesterncoder marked this pull request as ready for review June 3, 2026 18:23
@thatmidwesterncoder thatmidwesterncoder requested review from a team and Copilot June 3, 2026 18:23

Copilot AI left a comment


Pull request overview

This PR is a maintenance/security update for the rancher/machine build and runtime artifacts, intended to reduce the reported CVE count by updating the base image and key Go dependencies (Docker client library, JWT), and by bumping the Go toolchain patch version.

Changes:

  • Bump SUSE BCI base image version used by package/Dockerfile from 15.6 to 15.7.
  • Update github.com/docker/docker dependency to v28.5.2+incompatible and adjust Docker client code to use the newer pull options type.
  • Update github.com/golang-jwt/jwt/v4 to v4.5.2 and bump the Go toolchain patch version (go1.24.7 -> go1.24.12).

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

File | Description
package/Dockerfile | Bumps the BCI base image version used for building/packaging.
libmachine/mcndockerclient/docker_client.go | Adjusts Docker ImagePull options type after Docker library bump.
go.mod | Updates Docker and JWT dependencies and bumps Go toolchain patch version; adds new indirect deps.
go.sum | Updates module checksums to match the dependency bumps.
Comments suppressed due to low confidence (1)

libmachine/mcndockerclient/docker_client.go:60

  • cli.ImagePull returns a streamed response body that should be fully consumed and closed. Currently the code discards the reader and immediately proceeds to ContainerCreate, which can both leak resources and race with the pull (container creation may happen before the image is actually present).
```go
	ctx := context.Background()

	_, err = cli.ImagePull(ctx, config.Image, image.PullOptions{})
	if err != nil {
		return fmt.Errorf("unable to pull image: %s", err)
	}

	resp, err := cli.ContainerCreate(ctx, config, hostConfig, nil, nil, name)
	if err != nil {
```
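The drain-and-close pattern the suppressed Copilot comment asks for, written out as an added example; this is not rancher/machine code and does not use the Docker client library. A hypothetical narrow imagePuller interface stands in for the Docker client so the example runs offline, and the pull streams are constructed, not captured from a daemon. It assumes what the Docker Engine API does on a pull: ImagePull returns as soon as the daemon accepts the request, layer downloads happen while the response body is read, and a layer that fails after that point is reported as a JSON-lines message with an "error" field on that body rather than as an error from ImagePull. Discarding the reader therefore both leaks the connection and lets ContainerCreate run before the image is actually present.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// pullMessage holds the fields we care about from the JSON-lines stream the
// daemon writes on the ImagePull response body. A failed layer download is
// reported as a message with "error" set, not as an error from ImagePull.
type pullMessage struct {
	Status string `json:"status,omitempty"`
	ID     string `json:"id,omitempty"`
	Error  string `json:"error,omitempty"`
}

// drainPull reads the pull stream to EOF and closes it, surfacing any
// in-stream error. Only after this returns nil is the image known to be
// present for a following ContainerCreate.
func drainPull(body io.ReadCloser) error {
	defer body.Close()
	dec := json.NewDecoder(body)
	for {
		var m pullMessage
		if err := dec.Decode(&m); err != nil {
			if errors.Is(err, io.EOF) {
				return nil
			}
			return fmt.Errorf("decoding pull stream: %w", err)
		}
		if m.Error != "" {
			return fmt.Errorf("image pull failed: %s", m.Error)
		}
	}
}

// imagePuller is a hypothetical narrow interface standing in for the Docker
// client's ImagePull (context and options dropped to keep the example offline).
type imagePuller interface {
	ImagePull(ref string) (io.ReadCloser, error)
}

// pullImage is the pattern the review asks for: request the pull, then drain
// and close the body before the caller moves on to container creation.
func pullImage(c imagePuller, ref string) error {
	body, err := c.ImagePull(ref)
	if err != nil {
		return fmt.Errorf("unable to pull image: %w", err)
	}
	return drainPull(body)
}

// trackedBody records whether the caller closed the stream.
type trackedBody struct {
	io.Reader
	Closed bool
}

func (t *trackedBody) Close() error { t.Closed = true; return nil }

// fakeDaemon serves constructed pull streams keyed by image reference and
// keeps the last body handed out so a caller can check it was closed.
type fakeDaemon struct {
	streams map[string]string
	Last    *trackedBody
}

func (d *fakeDaemon) ImagePull(ref string) (io.ReadCloser, error) {
	s, ok := d.streams[ref]
	if !ok {
		return nil, errors.New("manifest unknown") // the case ImagePull itself reports
	}
	d.Last = &trackedBody{Reader: strings.NewReader(s)}
	return d.Last, nil
}

// NewSampleDaemon returns a daemon with two constructed streams (not real
// daemon output): a clean pull and one whose layer download fails mid-stream.
func NewSampleDaemon() *fakeDaemon {
	return &fakeDaemon{streams: map[string]string{
		"busybox:latest": `{"status":"Pulling from library/busybox","id":"latest"}
{"status":"Pulling fs layer","id":"a1b2c3"}
{"status":"Pull complete","id":"a1b2c3"}
{"status":"Status: Downloaded newer image for busybox:latest"}
`,
		"busybox:broken": `{"status":"Pulling from library/busybox","id":"latest"}
{"status":"Pulling fs layer","id":"a1b2c3"}
{"error":"unexpected EOF","errorDetail":{"message":"unexpected EOF"}}
`,
	}}
}

func main() {
	d := NewSampleDaemon()
	for _, ref := range []string{"busybox:latest", "busybox:broken", "missing:1"} {
		err := pullImage(d, ref)
		fmt.Printf("%s: err=%v\n", ref, err)
	}
}
```

With the real client the same shape is `rc, err := cli.ImagePull(ctx, ref, image.PullOptions{})` followed by draining `rc` (for example with `io.Copy(io.Discard, rc)` or `jsonmessage.DisplayJSONMessagesStream`) and `rc.Close()` before `ContainerCreate`; the point is that the pull is not finished until the body hits EOF, and the body is where a mid-pull failure is reported.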

@HarrisonWAffel HarrisonWAffel requested a review from a team June 3, 2026 18:35
@HarrisonWAffel HarrisonWAffel requested a review from a team June 4, 2026 20:10
@thatmidwesterncoder thatmidwesterncoder merged commit 1a61c09 into rancher:release/v2.13 Jun 4, 2026
1 check passed
@thatmidwesterncoder thatmidwesterncoder deleted the cve_remediations_213 branch June 4, 2026 20:21