
Updating docker dependency version to https://github.com/google/cadvisor:v28.0.2+incompatible (latest) to fix security vuln #3676


Closed
wants to merge 1 commit into from

Conversation

pbettadapura (Author)

We found vulnerabilities in Go Docker module v26.1.4:

cadvisor/cmd/go.mod, line 67 in f6e31a3:

```go
github.com/docker/docker v26.1.4+incompatible // indirect
```

More details: GO (Go) Security Update for github.com/docker/docker (GHSA-v23v-6jw2-98fq)

A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. This advisory outlines the issue, identifies the affected versions, and provides remediation steps for impacted users.

Refer to the GitHub security advisory GHSA-v23v-6jw2-98fq (https://github.com/advisories/GHSA-v23v-6jw2-98fq) for updates and patch information. Patch: the following link covers the patch for the vulnerability: https://github.com/advisories/GHSA-v23v-6jw2-98fq (github.com/docker/docker).

Fix for this vuln is to update github.com/docker/docker v26.1.4 to at least v26.1.5 (GHSA-v23v-6jw2-98fq).
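As an added example that is not part of this PR or of the cAdvisor project, the check below reads a go.mod require line like the one quoted above and reports whether the pinned github.com/docker/docker version is below the advisory's fixed version (v26.1.5). The go.mod excerpt is constructed, and the function names (versionKey, PinnedVersion, IsAffected) are my own; version ordering assumes each numeric component is below 10000.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed go.mod excerpt mirroring the require line quoted in this PR.
const sampleGoMod = "require (\n\tgithub.com/docker/docker v26.1.4+incompatible // indirect\n)"

// versionKey orders Go module versions like semver, ignoring "+incompatible" build metadata.
func versionKey(v string) (int64, error) {
	core, _, _ := strings.Cut(v, "+") // drop build metadata before looking for a pre-release
	var major, minor, patch int64
	if n, err := fmt.Sscanf(core, "v%d.%d.%d", &major, &minor, &patch); err != nil || n != 3 {
		return 0, fmt.Errorf("unparseable module version %q", v)
	}
	key := ((major*10000+minor)*10000 + patch) * 2 // assumes each component is below 10000
	if !strings.Contains(core, "-") {
		key++ // a final release sorts above its pre-releases (v26.1.5-rc1 < v26.1.5)
	}
	return key, nil
}

// PinnedVersion returns the version that go.mod requires for module, or "" if absent.
func PinnedVersion(gomod, module string) string {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module {
			return f[1]
		}
	}
	return ""
}

// IsAffected reports whether go.mod pins module below the advisory's fixed version.
func IsAffected(gomod, module, fixed string) (bool, error) {
	p, errP := versionKey(PinnedVersion(gomod, module))
	f, errF := versionKey(fixed)
	if err := errors.Join(errP, errF); err != nil {
		return false, err
	}
	return p < f, nil
}

func main() {
	affected, err := IsAffected(sampleGoMod, "github.com/docker/docker", "v26.1.5")
	fmt.Println(affected, err) // true <nil>
}
```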

pbettadapura (Author)

@dims @iwankgb Could you please help review this?

iwankgb (Collaborator) commented Apr 5, 2025

Is cAdvisor using this authorization code? I would rather say that it is server side of Docker, that makes use of them.

pbettadapura (Author) commented Apr 7, 2025

> Is cAdvisor using this authorization code? I would rather say that it is server side of Docker, that makes use of them.

@iwankgb In my opinion, we still need to update the dependency package version because the vulnerability exists in the binaries? Please let me know your thoughts.

pbettadapura (Author)

@iwankgb Gentle reminder to consider this fix again. As part of Microsoft's ongoing efforts to ensure the security and reliability of our cloud services, we have conducted a thorough vulnerability assessment in compliance with FEDRAMP requirements. The vulnerabilities were discovered during this assessment. I think it would help the entire user base to have the vulnerabilities fixed in cadvisor. Thanks!

thaJeztah (Contributor)

> Is cAdvisor using this authorization code? I would rather say that it is server side of Docker, that makes use of them.

No, the vulnerability should not impact cAdvisor, and would not impact 99.9999 percent of the docker installations; only installations that run the daemon with a custom "authz" plugin to limit access to the API (also see the related blog post).

Updating the dependency could still make sense to be on a version that's actively maintained though.

pbettadapura (Author)

@thaJeztah Hi, checking if you'd be able to approve these changes? Thanks!

thaJeztah (Contributor)

Generally looks good, but I'm not a maintainer on this project, so we'd need a maintainer to review 😅

pbettadapura (Author)

@iwankgb Hi, it would be great if you could review!

thaJeztah (Contributor)

Looks like some code changes are needed:

```text
Error: container/podman/podman.go:159:35: SA1019: dockertypes.ContainerJSON is deprecated: use [container.InspectResponse]. It will be removed in the next release. (staticcheck)
func InspectContainer(id string) (dockertypes.ContainerJSON, error) {
                                  ^
Error: container/podman/podman.go:160:11: SA1019: dockertypes.ContainerJSON is deprecated: use [container.InspectResponse]. It will be removed in the next release. (staticcheck)
	var data dockertypes.ContainerJSON
	         ^
make: *** [Makefile:89: lint] Error 1
Error: Process completed with exit code 2.
```

dims (Collaborator) commented Jun 5, 2025

Done in https://github.com/google/cadvisor/pull/3692/files

thanks!

dims closed this Jun 5, 2025