
Trivy triggers on go.mod dependency github.com/docker/cli

Open · HammerNL89 opened this issue 2 years ago · 1 comment

We scan our dev-container with Trivy; currently it triggers on a vulnerability regarding the docker-buildx binary / docker-cli:

(attached screenshot of the Trivy finding)

It triggers on docker-cli version v20.10.3-0.20220226190722-8667ccd1124c+incompatible in the go.mod file.

Is there a reason for having this dependency pinned on this old version, or could this be upgraded?

HammerNL89 avatar Apr 15 '22 09:04 HammerNL89

The version is newer than 20.10.9, but is a version from the master/main branch. Go modules do not support release branches, so the pseudo-version it generates is based on the last tag it finds in the master/main branch in docker/cli (v20.10.2), which it then increments with 1 minor version (v20.10.3), followed by the date of the commit and the commit SHA.

thaJeztah avatar Apr 15 '22 15:04 thaJeztah
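The reply above explains why a scanner that compares `v20.10.3-0.20220226190722-8667ccd1124c+incompatible` against a tagged release number gets the wrong answer: the leading `v20.10.3` is derived from the older tag `v20.10.2`, while the commit itself dates from February 2022. The program below is an added example written for this thread (it is not code from buildx, docker/cli or Trivy) that decodes a Go pseudo-version into its base tag, commit timestamp and commit hash, so a finding can be triaged by commit date rather than by the version prefix. The function names `ParsePseudoVersion`, `ParseRequireLine` and `CommitPostdates`, the second require line in the go.mod fragment and the release date used for comparison are all constructed for the example; substitute the real tag date of the release the scanner names as the fix. It goes a little beyond the string in the issue by handling all three documented pseudo-version shapes (no base tag, base release tag, base pre-release tag).

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// PseudoVersion is the decoded form of a Go module pseudo-version such as
// v20.10.3-0.20220226190722-8667ccd1124c+incompatible.
type PseudoVersion struct {
	Raw          string
	BaseTag      string    // tag the version was derived from; "" when the history had no tag
	CommitTime   time.Time // UTC commit timestamp embedded in the version string
	Commit       string    // 12-character commit hash prefix
	Incompatible bool      // "+incompatible": major version >= 2 without a /vN module path
}

// The three pseudo-version shapes documented for Go modules:
//   vX.0.0-yyyymmddhhmmss-abcdefabcdef          (no base tag)
//   vX.Y.(Z+1)-0.yyyymmddhhmmss-abcdefabcdef    (base tag vX.Y.Z)
//   vX.Y.Z-pre.0.yyyymmddhhmmss-abcdefabcdef    (base tag vX.Y.Z-pre)
var pseudoRe = regexp.MustCompile(
	`^v(\d+)\.(\d+)\.(\d+)-(?:(?:(.+)\.)?(0\.))?(\d{14})-([0-9a-f]{12})(\+incompatible)?$`)

// ParsePseudoVersion decodes v; tagged releases such as v20.10.9 return an error.
func ParsePseudoVersion(v string) (PseudoVersion, error) {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return PseudoVersion{}, fmt.Errorf("%q is not a pseudo-version", v)
	}
	major, minor, patch := m[1], m[2], m[3]
	pre, zeroDot, stamp, sha, incompat := m[4], m[5], m[6], m[7], m[8]

	// The 14-digit stamp is yyyymmddhhmmss in UTC.
	ts, err := time.Parse("20060102150405", stamp)
	if err != nil {
		return PseudoVersion{}, err
	}

	var base string
	switch {
	case zeroDot == "":
		base = "" // vX.0.0-<stamp>-<sha>: no tagged ancestor at all
	case pre != "":
		base = fmt.Sprintf("v%s.%s.%s-%s", major, minor, patch, pre) // base is the pre-release tag itself
	default:
		// vX.Y.(Z+1)-0.<stamp>-<sha>: Go bumped the last number past the tag, so undo the bump.
		p, err := strconv.Atoi(patch)
		if err != nil || p == 0 {
			return PseudoVersion{}, errors.New("pseudo-version patch number must be >= 1")
		}
		base = fmt.Sprintf("v%s.%s.%d", major, minor, p-1)
	}
	return PseudoVersion{Raw: v, BaseTag: base, CommitTime: ts, Commit: sha, Incompatible: incompat != ""}, nil
}

// ParseRequireLine extracts module path and version from one go.mod require line,
// tolerating leading tabs and a trailing "// indirect" comment.
func ParseRequireLine(line string) (modulePath, version string, err error) {
	if i := strings.Index(line, "//"); i >= 0 {
		line = line[:i]
	}
	f := strings.Fields(line)
	if len(f) != 2 || !strings.HasPrefix(f[1], "v") {
		return "", "", fmt.Errorf("not a require line: %q", line)
	}
	return f[0], f[1], nil
}

// CommitPostdates reports whether the commit the pseudo-version points at was made
// after t, e.g. the date of the release a scanner reports as the fixed version.
func CommitPostdates(pv PseudoVersion, t time.Time) bool {
	return pv.CommitTime.After(t)
}

func main() {
	// Constructed go.mod fragment: the docker/cli line is the one from the issue,
	// the second line is invented to show a plain tagged dependency.
	gomod := "require (\n" +
		"\tgithub.com/docker/cli v20.10.3-0.20220226190722-8667ccd1124c+incompatible\n" +
		"\tgithub.com/example/lib v1.4.0 // indirect\n" +
		")"
	// Placeholder date for the release the scanner compares against (hypothetical, not the real tag date).
	fixRelease := time.Date(2021, 10, 4, 0, 0, 0, 0, time.UTC)

	for _, line := range strings.Split(gomod, "\n") {
		path, ver, err := ParseRequireLine(line)
		if err != nil {
			continue // skips "require (" and ")"
		}
		pv, err := ParsePseudoVersion(ver)
		if err != nil {
			fmt.Printf("%s %s: tagged release, plain semver comparison applies\n", path, ver)
			continue
		}
		fmt.Printf("%s: base tag %q, commit %s at %s, commit postdates fix release: %v\n",
			path, pv.BaseTag, pv.Commit, pv.CommitTime.Format(time.RFC3339), CommitPostdates(pv, fixRelease))
	}
}
```

For the string from this issue the decoder reports base tag `v20.10.2`, commit `8667ccd1124c` at 2022-02-26T19:07:22Z; whether that commit actually contains the fix still has to be confirmed in the docker/cli history, but the commit date is the right thing to compare, not the `v20.10.3` prefix.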