Merge lifecycle image fix & deps upgrade from release/0.16.1 into main (

#1049) * Ready release/0.16.1 (#1041) * Fix log message when run image not found (#1004) Before: "Previous image with name <run image name> not found" After: "Image with name <run image name> not found" Signed-off-by: Natalie Arellano <narellano@vmware.com> * Bump containerd (#1015) Signed-off-by: Natalie Arellano <narellano@vmware.com> * Replace print with logger in image_cache.go, fixes formatting (#1012) * Replace print with logger in image_cache.go, fixes formatting Signed-off-by: Harshal Mittal <harshalmittal4@gmail.com> * Add tests for image_cache logger Signed-off-by: Harshal Mittal <harshalmittal4@gmail.com> --------- Signed-off-by: Harshal Mittal <harshalmittal4@gmail.com> * Bump golang.org/x/net from 0.5.0 to 0.7.0 (#1017) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.5.0 to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](golang/net@v0.5.0...v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Merge pull request #1036 from benri/bl/archive-pax-global-header Ignore pax global header in tar extract * Bump golang.org/x/sys from 0.5.0 to 0.6.0 (#1029) Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.5.0 to 0.6.0. - [Release notes](https://github.com/golang/sys/releases) - [Commits](golang/sys@v0.5.0...v0.6.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/containerd/containerd from 1.6.18 to 1.6.19 (#1040) * Bump github.com/containerd/containerd from 1.6.18 to 1.7.0 Signed-off-by: Natalie Arellano <narellano@vmware.com> * Only bump to 1.6.19 instead of 1.7.x until we can upgrade docker/docker docker/docker 20.10.23 is incompatible with containerd 1.7.x+ due to the removal of sys/userns_deprecated.go (upgrading containerd results in lifecycle compile errors like go/pkg/mod/github.com/docker/docker@v20.10.23+incompatible/pkg/archive/archive_unix.go:96:42: undefined: sys.RunningInUserNS) Signed-off-by: Natalie Arellano <narellano@vmware.com> --------- Signed-off-by: Natalie Arellano <narellano@vmware.com> --------- Signed-off-by: Natalie Arellano <narellano@vmware.com> Signed-off-by: Harshal Mittal <harshalmittal4@gmail.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Harshal Mittal <harshalmittal4@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jesse Brown <jabrown85@gmail.com> * Add sleep to "publish images" workflow (#1042) It takes a few seconds for the image to be available Signed-off-by: Natalie Arellano <narellano@vmware.com> * Fix buildpacksio/lifecycle manifest create (#1043) * Force lifecycle images to have docker media types Signed-off-by: Natalie Arellano <narellano@vmware.com> * Update go.mod to use latest imgutil Signed-off-by: Natalie Arellano <narellano@vmware.com> --------- Signed-off-by: Natalie Arellano <narellano@vmware.com> * Bump kaniko & docker and unpin deps (#1045) * Update kaniko & docker, unpin deps Signed-off-by: Natalie Arellano <narellano@vmware.com> * Update containerd Signed-off-by: Natalie Arellano <narellano@vmware.com> * Remove CVE ignores now that runc is unpinned Signed-off-by: Natalie Arellano <narellano@vmware.com> * Update to released kaniko Signed-off-by: Natalie Arellano <narellano@vmware.com> --------- Signed-off-by: Natalie Arellano <narellano@vmware.com> * Ignore non-impactful runc CVE (#1047) Signed-off-by: Natalie Arellano <narellano@vmware.com> * Fix unit Signed-off-by: Natalie Arellano <narellano@vmware.com> --------- Signed-off-by: Natalie Arellano <narellano@vmware.com> Signed-off-by: Harshal Mittal <harshalmittal4@gmail.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Harshal Mittal <harshalmittal4@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jesse Brown <jabrown85@gmail.com>
buildpacks · Mar 29, 2023 · b7f652a · b7f652a
1 parent 2b6ddbb
commit b7f652a
Show file tree

Hide file tree

Showing 5 changed files with 91 additions and 1,211 deletions.
diff --git a/.grype.yaml b/.grype.yaml
@@ -1,5 +1,4 @@
 ignore:
   - vulnerability: CVE-2015-5237 # false positive, see https://github.com/anchore/grype/issues/558
   - vulnerability: CVE-2021-22570 # false positive, see https://github.com/anchore/grype/issues/558
-  - vulnerability: GHSA-f3fp-gc8g-vw66 # can't update github.com/opencontainers/runc until it is updated in github.com/docker/docker
-  - vulnerability: GHSA-v95c-p5hm-xq8f # can't update github.com/opencontainers/runc until it is updated in github.com/docker/docker
+  - vulnerability: GHSA-vpvm-3wq2-2wvm # unpatched as of 3/28/23, non-impactful as the lifecycle doesn't create containers
diff --git a/buildpack/generate_test.go b/buildpack/generate_test.go
@@ -286,7 +286,7 @@ func testGenerate(t *testing.T, when spec.G, it spec.S) {
 									filepath.Join(appDir, "run.Dockerfile-A-v1"),
 								)
 								_, err := executor.Generate(descriptor, inputs, logger)
-								h.AssertError(t, err, "failed to parse run.Dockerfile for extension A: dockerfile parse error line 1: unknown instruction: SOME-INVALID-CONTENT")
+								h.AssertError(t, err, "failed to parse run.Dockerfile for extension A: dockerfile parse error on line 1: unknown instruction: SOME-INVALID-CONTENT")
 							})
 
 							when("switching the runtime base image", func() {
@@ -330,7 +330,7 @@ func testGenerate(t *testing.T, when spec.G, it spec.S) {
 								)
 
 								_, err := executor.Generate(descriptor, inputs, logger)
-								h.AssertError(t, err, "failed to parse build.Dockerfile for extension A: dockerfile parse error line 1: unknown instruction: SOME-INVALID-CONTENT")
+								h.AssertError(t, err, "failed to parse build.Dockerfile for extension A: dockerfile parse error on line 1: unknown instruction: SOME-INVALID-CONTENT")
 							})
 						})
 					})

diff --git a/go.mod b/go.mod
@@ -2,19 +2,19 @@ module github.com/buildpacks/lifecycle
 
 require (
 	github.com/BurntSushi/toml v1.2.1
-	github.com/GoogleContainerTools/kaniko v1.9.2-0.20220928141902-4d077e2a4084
+	github.com/GoogleContainerTools/kaniko v1.9.2
 	github.com/apex/log v1.9.0
 	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20230110223219-40efa3093a22
 	github.com/buildpacks/imgutil v0.0.0-20230324153732-a6c0ed910692
-	github.com/chrismellard/docker-credential-acr-env v0.0.0-20221129204813-6a4d6ed5d396
-	github.com/containerd/containerd v1.6.15
-	github.com/docker/docker v20.10.23+incompatible
+	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589
+	github.com/containerd/containerd v1.7.0
+	github.com/docker/docker v23.0.1+incompatible
 	github.com/golang/mock v1.6.0
 	github.com/google/go-cmp v0.5.9
-	github.com/google/go-containerregistry v0.13.0
+	github.com/google/go-containerregistry v0.14.0
 	github.com/google/uuid v1.3.0
 	github.com/heroku/color v0.0.6
-	github.com/moby/buildkit v0.11.1
+	github.com/moby/buildkit v0.11.4
 	github.com/pkg/errors v0.9.1
 	github.com/sclevine/spec v1.4.0
 	golang.org/x/sync v0.1.0
@@ -35,7 +35,7 @@ require (
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/Microsoft/go-winio v0.6.0 // indirect
-	github.com/Microsoft/hcsshim v0.10.0-rc.7 // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.17.3 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.18.9 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.13.9 // indirect
@@ -56,27 +56,22 @@ require (
 	github.com/containerd/cgroups v1.1.0 // indirect
 	github.com/containerd/continuity v0.3.0 // indirect
 	github.com/containerd/fifo v1.1.0 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.13.0 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
 	github.com/containerd/typeurl v1.0.2 // indirect
-	github.com/coreos/etcd v3.3.27+incompatible // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
-	github.com/docker/cli v20.10.23+incompatible // indirect
+	github.com/docker/cli v23.0.1+incompatible // indirect
 	github.com/docker/distribution v2.8.1+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/docker/swarmkit v1.12.1-0.20180726190244-7567d47988d8 // indirect
 	github.com/ePirat/docker-credential-gitlabci v1.0.0 // indirect
-	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.4.3 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-memdb v1.3.4 // indirect
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
@@ -89,8 +84,12 @@ require (
 	github.com/minio/highwayhash v1.0.2 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/moby/locker v1.0.1 // indirect
+	github.com/moby/patternmatcher v0.5.0 // indirect
+	github.com/moby/swarmkit/v2 v2.0.0-20230315203717-e28e8ba9bc83 // indirect
 	github.com/moby/sys/mount v0.3.3 // indirect
 	github.com/moby/sys/mountinfo v0.6.2 // indirect
+	github.com/moby/sys/sequential v0.5.0 // indirect
+	github.com/moby/sys/signal v0.7.0 // indirect
 	github.com/moby/sys/symlink v0.2.0 // indirect
 	github.com/moby/term v0.0.0-20221205130635-1aeaba878587 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
@@ -104,23 +103,23 @@ require (
 	github.com/prometheus/client_model v0.3.0 // indirect
 	github.com/prometheus/common v0.39.0 // indirect
 	github.com/prometheus/procfs v0.9.0 // indirect
+	github.com/rootless-containers/rootlesskit v1.1.0 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/spf13/afero v1.9.3 // indirect
-	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
 	github.com/tonistiigi/fsutil v0.0.0-20230105215944-fb433841cbfa // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
-	go.opencensus.io v0.24.0 // indirect
+	go.etcd.io/etcd/raft/v3 v3.5.6 // indirect
 	golang.org/x/crypto v0.5.0 // indirect
-	golang.org/x/mod v0.7.0 // indirect
-	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/oauth2 v0.5.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/mod v0.9.0 // indirect
+	golang.org/x/net v0.8.0 // indirect
+	golang.org/x/oauth2 v0.6.0 // indirect
+	golang.org/x/text v0.8.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.5.0 // indirect
+	golang.org/x/tools v0.7.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect
 	google.golang.org/grpc v1.53.0 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
+	google.golang.org/protobuf v1.29.0 // indirect
 )
 
 go 1.19
@@ -129,12 +128,4 @@ go 1.19
 replace github.com/BurntSushi/toml => github.com/BurntSushi/toml v1.1.0
 
 // Ensure we only pull in the latest version of containerd
-replace github.com/containerd/containerd => github.com/containerd/containerd v1.6.19
-
-// Ensure compatibility with kaniko; match dependencies configured in:
-// https://github.com/GoogleContainerTools/kaniko/blob/f9aaa9fca7bf4077778ed527c1a8a6e09e60c53c/go.mod (v1.9.1)
-replace (
-	github.com/moby/buildkit => github.com/moby/buildkit v0.8.3
-	github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.0-rc95
-	github.com/tonistiigi/fsutil => github.com/tonistiigi/fsutil v0.0.0-20201103201449-0834f99b7b85
-)
+replace github.com/containerd/containerd => github.com/containerd/containerd v1.7.0