fix(deps): update module github.com/docker/docker to v24 [security] - autoclosed

[renovate[bot]]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/docker/docker	v23.0.12+incompatible -> v24.0.9+incompatible

---

[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-24557

The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss.

An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps.

For example, an attacker could create an image that is considered as a valid cache candidate for:

FROM scratch
MAINTAINER Pawel

when in fact the malicious image used as a cache would be an image built from a different Dockerfile.

In the second case, the attacker could for example substitute a different HEALTCHECK command.

Impact

23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint (which uses the classic builder by default).

All users on versions older than 23.0 could be impacted. An example could be a CI with a shared cache, or just a regular Docker user pulling a malicious image due to misspelling/typosquatting.

Image build API endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the uses classic builder by default.

Patches

Patches are included in Moby releases:

• v25.0.2
• v24.0.9
• v23.0.10

Workarounds

• Use --no-cache or use Buildkit if possible (DOCKER_BUILDKIT=1, it's default on 23.0+ assuming that the buildx plugin is installed).
• Use Version = types.BuilderBuildKit or NoCache = true in ImageBuildOptions for ImageBuild call.

---

Release Notes

docker/docker (github.com/docker/docker)

### [`v24.0.9+incompatible`](https://togithub.com/docker/docker/compare/v24.0.8...v24.0.9) [Compare Source](https://togithub.com/docker/docker/compare/v24.0.8...v24.0.9) ### [`v24.0.8+incompatible`](https://togithub.com/docker/docker/compare/v24.0.7...v24.0.8) [Compare Source](https://togithub.com/docker/docker/compare/v24.0.7...v24.0.8) ### [`v24.0.7+incompatible`](https://togithub.com/docker/docker/compare/v24.0.6...v24.0.7) [Compare Source](https://togithub.com/docker/docker/compare/v24.0.6...v24.0.7) ### [`v24.0.6+incompatible`](https://togithub.com/docker/docker/compare/v24.0.5...v24.0.6) [Compare Source](https://togithub.com/docker/docker/compare/v24.0.5...v24.0.6) ### [`v24.0.5+incompatible`](https://togithub.com/docker/docker/compare/v24.0.4...v24.0.5) [Compare Source](https://togithub.com/docker/docker/compare/v24.0.4...v24.0.5) ### [`v24.0.4+incompatible`](https://togithub.com/docker/docker/compare/v24.0.3...v24.0.4) [Compare Source](https://togithub.com/docker/docker/compare/v24.0.3...v24.0.4) ### [`v24.0.3+incompatible`](https://togithub.com/docker/docker/compare/v24.0.2...v24.0.3) [Compare Source](https://togithub.com/docker/docker/compare/v24.0.2...v24.0.3) ### [`v24.0.2+incompatible`](https://togithub.com/docker/docker/compare/v24.0.1...v24.0.2) [Compare Source](https://togithub.com/docker/docker/compare/v24.0.1...v24.0.2) ### [`v24.0.1+incompatible`](https://togithub.com/docker/docker/compare/v24.0.0...v24.0.1) [Compare Source](https://togithub.com/docker/docker/compare/v24.0.0...v24.0.1) ### [`v24.0.0+incompatible`](https://togithub.com/docker/docker/compare/v23.0.9...v24.0.0) [Compare Source](https://togithub.com/docker/docker/compare/v23.0.12...v24.0.0)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[coveralls]

Pull Request Test Coverage Report for Build 9424966425

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 33.838%

---

Totals
Change from base Build 9424963144:	0.0%
Covered Lines:	1967
Relevant Lines:	5813

---

💛 - Coveralls

[coveralls]

Pull Request Test Coverage Report for Build 9457534142

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall first build on renovate/go-github.com/docker/docker-vulnerability at 33.838%

---

Totals
Change from base Build 9457527930:	33.8%
Covered Lines:	1967
Relevant Lines:	5813

---

💛 - Coveralls

[coveralls]

Pull Request Test Coverage Report for Build 9475299856

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 33.838%

---

Totals
Change from base Build 9475293993:	0.0%
Covered Lines:	1967
Relevant Lines:	5813

---

💛 - Coveralls

[coveralls]

Pull Request Test Coverage Report for Build 9491724306

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 33.838%

---

Totals
Change from base Build 9491714671:	0.0%
Covered Lines:	1967
Relevant Lines:	5813

---

💛 - Coveralls

[coveralls]

Pull Request Test Coverage Report for Build 9508188507

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 33.838%

---

Totals
Change from base Build 9508182972:	0.0%
Covered Lines:	1967
Relevant Lines:	5813

---

💛 - Coveralls