Open BRONSOLO opened 1 month ago

An upgrade of the Docker Golang package is needed to address: https://github.com/advisories/GHSA-v23v-6jw2-98fq

This was fixed in lifecycle v0.20.1 (kpack currently uses v0.17.2), but they noted that it is "Non-impactful as the lifecycle uses only the docker client library": https://github.com/buildpacks/lifecycle/issues/1391#issuecomment-2286941393

Thanks @diarmuidie! Is the lifecycle dependency the only source of the github.com/docker/docker import? In other words, could we safely assume all images built for the kpack project that report this vulnerability are not impacted because the reported vulnerability is stemming from the lifecycle dependency, which uses only the docker client library?

Yeah, this appears to only affect Docker Engine itself, so we should be okay.

Thanks @tomkennedy513. I suspect we can close this ticket out in that case (or leave it open until the lifecycle upgrade is applied).
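The thread's question is whether a scanner hit on the github.com/docker/docker module is reachable in a binary that only imports the client library. Module-level scanners match on the module version, not on which packages are linked, so the practical check is to look at the actual package dependency set. Below is an added example (not code from kpack, lifecycle or Docker) that takes the output of `go list -deps ./...` and separates client-side packages from daemon-side ones. The daemon-side prefixes (`daemon`, `pkg/authorization`) reflect the assumption that the advisory concerns the engine's AuthZ plugin handling; that assumption and the two sample dependency lists are constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

const dockerModule = "github.com/docker/docker"

// daemonSidePrefixes lists package paths inside github.com/docker/docker that
// belong to the engine (daemon) rather than the client library. Assumption for
// this example: the advisory's flaw lives on the daemon side, so a binary that
// links none of these packages cannot reach the vulnerable code.
var daemonSidePrefixes = []string{
	dockerModule + "/daemon",
	dockerModule + "/pkg/authorization",
}

// Report summarises which docker packages a binary links.
type Report struct {
	DockerPackages []string // every package under github.com/docker/docker
	DaemonSide     []string // the subset that matches daemonSidePrefixes
}

// ClientOnly is true when the binary links the docker module but no daemon-side package.
func (r Report) ClientOnly() bool {
	return len(r.DockerPackages) > 0 && len(r.DaemonSide) == 0
}

// ParseGoList splits the one-path-per-line output of `go list -deps ./...`.
func ParseGoList(out string) []string {
	var deps []string
	for _, line := range strings.Split(out, "\n") {
		if l := strings.TrimSpace(line); l != "" {
			deps = append(deps, l)
		}
	}
	return deps
}

// ClassifyDeps walks the dependency list and buckets docker packages.
func ClassifyDeps(deps []string) Report {
	var r Report
	seen := map[string]bool{}
	for _, d := range deps {
		if seen[d] {
			continue
		}
		seen[d] = true
		if d != dockerModule && !strings.HasPrefix(d, dockerModule+"/") {
			continue // not part of the docker module at all
		}
		r.DockerPackages = append(r.DockerPackages, d)
		for _, p := range daemonSidePrefixes {
			if d == p || strings.HasPrefix(d, p+"/") {
				r.DaemonSide = append(r.DaemonSide, d)
				break
			}
		}
	}
	sort.Strings(r.DockerPackages)
	sort.Strings(r.DaemonSide)
	return r
}

// ClientOnlyDeps is a constructed `go list -deps` excerpt for a binary that,
// like the lifecycle, only talks to the engine through the client library.
const ClientOnlyDeps = `
context
net/http
github.com/docker/docker/api/types
github.com/docker/docker/api/types/container
github.com/docker/docker/client
github.com/docker/docker/pkg/jsonmessage
github.com/docker/go-connections/nat
`

// DaemonDeps is a constructed excerpt for a binary that embeds engine code,
// where the same module finding would be reachable.
const DaemonDeps = `
context
github.com/docker/docker/client
github.com/docker/docker/pkg/authorization
github.com/docker/docker/daemon/config
`

func main() {
	for name, out := range map[string]string{"client-only": ClientOnlyDeps, "embeds-daemon": DaemonDeps} {
		r := ClassifyDeps(ParseGoList(out))
		fmt.Printf("%s: %d docker packages, %d daemon-side, client-only=%v\n",
			name, len(r.DockerPackages), len(r.DaemonSide), r.ClientOnly())
		for _, p := range r.DaemonSide {
			fmt.Println("  reachable daemon-side package:", p)
		}
	}
}
```

A client-only verdict supports the "non-impactful" reasoning in the thread; a daemon-side hit means the finding must be treated as real regardless of what the scanner's module match says. Tools that do call-graph analysis (govulncheck, for instance) reach the same conclusion with more precision, but the package-level view is quick to produce in a CI step and is enough to justify the decision recorded here.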