zabio3 / godolint

Dockerfile linter, written in Golang 🐳

Update module github.com/moby/buildkit to v0.11.4 [SECURITY] #26

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/moby/buildkit | require | minor | v0.10.3 -> v0.11.4 |

GitHub Vulnerability Alerts

CVE-2023-26054

When the user sends a build request that contains a Git URL that contains credentials and the build creates a provenance attestation describing that build, these credentials could be visible from the provenance attestation.

Git URL can be passed in two ways:

1) Invoking build directly from a URL with credentials.

buildctl build --frontend dockerfile.v0 --context https://<credentials>@url/repo.git

Equivalent in docker buildx would be

docker buildx build https://<credentials>@url/repo.git

2) If the client sends additional VCS info hint parameters on builds from a local source. Usually, that would mean reading the origin URL from .git/config file.

Thanks to Oscar Alberto Tovar for discovering the issue.

Impact

When a build is performed under specific conditions where credentials were passed to BuildKit they may be visible to everyone who has access to provenance attestation.

Provenance attestations and VCS info hints were added in version v0.11.0. Previous versions are not vulnerable.

In v0.10, when building directly from Git URL, the same URL could be visible in BuildInfo structure that is a predecessor of Provenance attestations. Previous versions are not vulnerable.

Note: Docker Build-push Github action builds from Git URLs by default but is not affected by this issue even when working with private repositories because the credentials are passed with build secrets and not with URLs.

Patches

Bug is fixed in v0.11.4.

Workarounds

It is recommended to pass credentials with build secrets when building directly from Git URL as a more secure alternative than modifying the URL.

In Docker Buildx, VCS info hint can be disabled by setting BUILDX_GIT_INFO=0. buildctl does not set VCS hints based on .git directory, and values would need to be passed manually with --opt.

Release Notes

moby/buildkit (github.com/moby/buildkit)

### [`v0.11.4`](https://togithub.com/moby/buildkit/releases/tag/v0.11.4)

[Compare Source](https://togithub.com/moby/buildkit/compare/v0.11.3...v0.11.4)

https://hub.docker.com/r/moby/buildkit

##### Notable changes:

##### This release contains two security fixes.

- Fix the issue where credentials inlined to Git URLs could end up in provenance attestation https://github.com/moby/buildkit/security/advisories/GHSA-gc89-7gcr-jxqc
- Containerd has been updated to 1.6.18, fixing issue with supplementary groups not being set up properly https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p [#3651](https://togithub.com/moby/buildkit/issues/3651)

##### Other updates

- Fix possible panic with writing annotations [#3670](https://togithub.com/moby/buildkit/issues/3670)
- Fix possible panic with passing nil frontend input [#3659](https://togithub.com/moby/buildkit/issues/3659)
- Fix file capabilities in merged snapshots by changing chown order [#3671](https://togithub.com/moby/buildkit/issues/3671)

### [`v0.11.3`](https://togithub.com/moby/buildkit/releases/tag/v0.11.3)

[Compare Source](https://togithub.com/moby/buildkit/compare/v0.11.2...v0.11.3)

Welcome to the 0.11.3 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

##### Notable Changes

- Builtin Dockerfile frontend updated to v1.5.2
- Fix not mounting optional secrets missing from build requests [#3561](https://togithub.com/moby/buildkit/issues/3561)
- Fix an issue with Github cache backend that could cause invalid range requests [#3618](https://togithub.com/moby/buildkit/issues/3618)
- Fix possible cache loading error when loading local cache created by BuildKit releases older than v0.10 [#3605](https://togithub.com/moby/buildkit/issues/3605)
- Fix issues with missing layer metadata in SBOMs in latest releases [#3594](https://togithub.com/moby/buildkit/issues/3594)
- Fix possible "digest not found" error on exporting build results [#3566](https://togithub.com/moby/buildkit/issues/3566)
- Make sure timezones are dropped on handling `SOURCE_DATE_EPOCH` [#3559](https://togithub.com/moby/buildkit/issues/3559)

##### Dependency Changes

- **github.com/containerd/containerd** [`1709cfe`](https://togithub.com/moby/buildkit/commit/1709cfe273d9) -> v1.6.16

Previous release can be found at [v0.11.2](https://togithub.com/moby/buildkit/releases/tag/v0.11.2)

### [`v0.11.2`](https://togithub.com/moby/buildkit/releases/tag/v0.11.2)

[Compare Source](https://togithub.com/moby/buildkit/compare/v0.11.1...v0.11.2)

Welcome to the 0.11.2 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

##### Notable changes

- Update containerd patches to fix regression in handling push errors [#3531](https://togithub.com/moby/buildkit/issues/3531)
- Multiple fixes for History API [#3530](https://togithub.com/moby/buildkit/issues/3530)
- Fix issue with parallel build requests using local cache imports [#3493](https://togithub.com/moby/buildkit/issues/3493)

##### Dependency Changes

- **github.com/containerd/containerd** v1.6.14 -> [`1709cfe`](https://togithub.com/moby/buildkit/commit/1709cfe273d9)
- **github.com/pelletier/go-toml** v1.9.4 -> v1.9.5

Previous release can be found at [v0.11.1](https://togithub.com/moby/buildkit/releases/tag/v0.11.1)

### [`v0.11.1`](https://togithub.com/moby/buildkit/releases/tag/v0.11.1)

[Compare Source](https://togithub.com/moby/buildkit/compare/v0.11.0...v0.11.1)

Welcome to the 0.11.1 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

##### Notable changes

- Builtin Dockerfile frontend has been updated to [1.5.1](https://togithub.com/moby/buildkit/releases/tag/dockerfile%2F1.5.1), fixing possible panic in certain warning condition [#3505](https://togithub.com/moby/buildkit/issues/3505)
- Fix possible hang when closing down the SSH forwarding socket in v0.11.0 [#3506](https://togithub.com/moby/buildkit/issues/3506)
- Fix typo in an environment variable used to configure OpenTelemetry endpoints [#3508](https://togithub.com/moby/buildkit/issues/3508)

### [`v0.11.0`](https://togithub.com/moby/buildkit/releases/tag/v0.11.0)

[Compare Source](https://togithub.com/moby/buildkit/compare/v0.10.6...v0.11.0)

Welcome to the 0.11.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

##### Notable Changes

- Builtin Dockerfile frontend has been updated to v1.5.0 https://github.com/moby/buildkit/releases/tag/dockerfile%2F1.5.0
- BuildKit and compatible frontends can now produce SBOM (Software Bill of Materials) attestations for the build results to show the dependencies of the build. These attestations can be added to images and locally exported files. Using Dockerfiles, SBOM information can be configured to be produced also based on files in intermediate build stages or build context, or run processes that manually define the SBOM dependencies. When exporting an image, layer mapping is also produced that allows tracing a SBOM package to a specific build step. [#3258](https://togithub.com/moby/buildkit/issues/3258) [#3290](https://togithub.com/moby/buildkit/issues/3290) [#3249](https://togithub.com/moby/buildkit/issues/3249) [#2983](https://togithub.com/moby/buildkit/issues/2983) [#3358](https://togithub.com/moby/buildkit/issues/3358) [#3312](https://togithub.com/moby/buildkit/issues/3312) [#3407](https://togithub.com/moby/buildkit/issues/3407) [#3408](https://togithub.com/moby/buildkit/issues/3408) [#3410](https://togithub.com/moby/buildkit/issues/3410) [#3414](https://togithub.com/moby/buildkit/issues/3414) [#3422](https://togithub.com/moby/buildkit/issues/3422) [Read documentation](https://togithub.com/moby/buildkit/blob/v0.11.0/docs/attestations/sbom.md)
- BuildKit can now produce a Provenance attestation for the build result in [SLSA](https://slsa.dev/provenance/v0.2) format. Provenance attestations describe how a build was produced, and what sources/parameters were used. In addition to fields part of the SLSA specification, Buildkit's provenance also exports BuildKit-specific metadata like LLB steps with their source- and layer mapping. Provenance attestation will capture all the build sources visible to BuildKit, for example, not only the Git repository where the project's source is coming from but also the digests of all the container images used during the build. [#3240](https://togithub.com/moby/buildkit/issues/3240) [#3428](https://togithub.com/moby/buildkit/issues/3428) [#3428](https://togithub.com/moby/buildkit/issues/3428) [#3462](https://togithub.com/moby/buildkit/issues/3462) [Read documentation](https://togithub.com/moby/buildkit/blob/v0.11.0/docs/attestations/slsa-definitions.md)
- BuildKit now supports reproducible builds by setting `SOURCE_DATE_EPOCH` build argument or `source-date-epoch` exporter attribute. This deterministic date will be used in image metadata instead of the current time. [#2918](https://togithub.com/moby/buildkit/issues/2918) [#3262](https://togithub.com/moby/buildkit/issues/3262) [#3152](https://togithub.com/moby/buildkit/issues/3152) [Read documentation](https://togithub.com/moby/buildkit/blob/918b19a77f985676ffa2390e14dc0c001fd70f0c/docs/build-repro.md#source_date_epoch)
- OCI annotations can now be set to build results exported as images or OCI layouts. Annotations can be set on both image manifests and indexes, as well as descriptors to them. [#3283](https://togithub.com/moby/buildkit/issues/3283) [#3061](https://togithub.com/moby/buildkit/issues/3061) [#2975](https://togithub.com/moby/buildkit/issues/2975) [#2879](https://togithub.com/moby/buildkit/issues/2879) [Read documentation](https://togithub.com/moby/buildkit/blob/v0.11.0/docs/annotations.md)
- New Build History API allows listening to events about builds starting and completing, and streaming progress of active builds. New commands `buildctl debug monitor`, `buildctl debug logs` and `buildctl debug get` have been added to use this API. Build records also keep OpenTelemetry traces, provenance attestations, and image manifests if they were created by the build. [#3294](https://togithub.com/moby/buildkit/issues/3294) [#3339](https://togithub.com/moby/buildkit/issues/3339) [#3440](https://togithub.com/moby/buildkit/issues/3440)
- Build results exported with image, local or tar exporters now support attestations. In addition to builtin SBOM and Provenance attestations, frontends can produce custom attestations in in-toto format [#3197](https://togithub.com/moby/buildkit/issues/3197) [#3070](https://togithub.com/moby/buildkit/issues/3070) [#3129](https://togithub.com/moby/buildkit/issues/3129) [#3073](https://togithub.com/moby/buildkit/issues/3073) [#3063](https://togithub.com/moby/buildkit/issues/3063) [#2935](https://togithub.com/moby/buildkit/issues/2935) [#3289](https://togithub.com/moby/buildkit/issues/3289) [#3389](https://togithub.com/moby/buildkit/issues/3389) [#3321](https://togithub.com/moby/buildkit/issues/3321) [#3342](https://togithub.com/moby/buildkit/issues/3342) [#3461](https://togithub.com/moby/buildkit/issues/3461) [Read documentation](https://togithub.com/moby/buildkit/blob/v0.11.0/docs/attestations/attestation-storage.md)
- New Source type `oci-layout://` allows builds to import images from OCI directory structure on the client side. This allows using local versions of the image. [#3112](https://togithub.com/moby/buildkit/issues/3112) [#3300](https://togithub.com/moby/buildkit/issues/3300) [#3122](https://togithub.com/moby/buildkit/issues/3122) [#3034](https://togithub.com/moby/buildkit/issues/3034) [#2971](https://togithub.com/moby/buildkit/issues/2971) [#2827](https://togithub.com/moby/buildkit/issues/2827) [#3397](https://togithub.com/moby/buildkit/issues/3397)
- Build requests now support sending a Source policy definition. A policy can be used to deny access to specific sources (e.g. images or URLs) or only allow access to specific image namespaces. Policies can also be used to modify sources when they are requested by the build, for example, pin a tag requested by the build to a specific digest even if it has already changed in the registry. [#3332](https://togithub.com/moby/buildkit/issues/3332)
- New remote cache backend: Azure Blob Storage [#3010](https://togithub.com/moby/buildkit/issues/3010)
- New remote cache backend: S3 [#2824](https://togithub.com/moby/buildkit/issues/2824) [#3065](https://togithub.com/moby/buildkit/issues/3065)
- BuildKit now supports Nydus compression type [#2581](https://togithub.com/moby/buildkit/issues/2581)
- OCI exporter now supports attribute `tar=false` to export OCI layout into a directory instead of downloading a tarball. [#3162](https://togithub.com/moby/buildkit/issues/3162)
- Setting multiple cache exporters for a single build is now supported [#3024](https://togithub.com/moby/buildkit/issues/3024) [#3271](https://togithub.com/moby/buildkit/issues/3271)
- Cache exporters can now be configured to ignore exporting errors [#3430](https://togithub.com/moby/buildkit/issues/3430)
- Remote cache import/export to client-side local files now supports tag parameter for scoping cache [#3111](https://togithub.com/moby/buildkit/issues/3111)
- CNI network namespaces are now provisioned from a pool for increased performance [#3107](https://togithub.com/moby/buildkit/issues/3107)
- New Info service has been added to control API for asking BuildKit daemon's version [#2725](https://togithub.com/moby/buildkit/issues/2725)
- Gateway API now has a new `Evaluate` method to control the lazy solve behavior [#3137](https://togithub.com/moby/buildkit/issues/3137)
- Allow mounting secrets with empty contents [#3081](https://togithub.com/moby/buildkit/issues/3081)
- New RemoveMountStubsRecursive option has been added to LLB ExecOp to control the cleanup behavior of mounts. By default, empty mount stubs are now cleaned up recursively in new frontends. [#3314](https://togithub.com/moby/buildkit/issues/3314)
- LLB Image source now allows pulling partial layer chains from image [#2795](https://togithub.com/moby/buildkit/issues/2795)
- Allow hostname to be set by network provider (K8S_POD_NAME) [#3044](https://togithub.com/moby/buildkit/issues/3044)
- Improve handling and logging of API health checks [#2998](https://togithub.com/moby/buildkit/issues/2998)
- RegistryToken auth from Docker config is now allowed as authentication input [#2868](https://togithub.com/moby/buildkit/issues/2868)
- Image exporter with containerd worker now allows skipping adding image to containerd image store with `store=false`. If not set then stored images are now guaranteed to be unlazied and unpacked. [#2800](https://togithub.com/moby/buildkit/issues/2800)
- `buildctl` now loads Github runtime environment when using GHA remote cache [#2707](https://togithub.com/moby/buildkit/issues/2707)
- Support for `conflist` when configuring CNI networking [#3029](https://togithub.com/moby/buildkit/issues/3029)
- Platform info has been added to the build result descriptor metadata [#2993](https://togithub.com/moby/buildkit/issues/2993)
- Allow sourcemaps to link single LLB vertex to multiple source locations [#2859](https://togithub.com/moby/buildkit/issues/2859)
- Support for SSH connection helper [#2843](https://togithub.com/moby/buildkit/issues/2843)
- Empty stub paths created by mount points when build container runs are now cleaned up and do not remain in the final image. [#3307](https://togithub.com/moby/buildkit/issues/3307) [#3149](https://togithub.com/moby/buildkit/issues/3149)
- Improve performance on BoltDB commits [#3261](https://togithub.com/moby/buildkit/issues/3261)
- Indentation of some of the image manifests has been fixed to use double spaces [#3259](https://togithub.com/moby/buildkit/issues/3259)
- Fix caching checksum error on copying files with custom UID/GID [#3295](https://togithub.com/moby/buildkit/issues/3295)
- Fix cases where copy operation left behind nondeterministic timestamps for better support for reproducible builds [#3298](https://togithub.com/moby/buildkit/issues/3298)
- Fix SSH forwarding incompatibility with OpenSSH >= 8.9 [#3274](https://togithub.com/moby/buildkit/issues/3274)
- Stargz has been updated to v0.13.0 [#3280](https://togithub.com/moby/buildkit/issues/3280)
- Embedded QEMU emulators have been updated to v7.1.0 with new patches for path handling. [#3386](https://togithub.com/moby/buildkit/issues/3386)
- Fix unpacking images with no layers [#3251](https://togithub.com/moby/buildkit/issues/3251)
- Fix possible nil pointer exception in LLB bridge [#3233](https://togithub.com/moby/buildkit/issues/3233) [#3169](https://togithub.com/moby/buildkit/issues/3169) [#3066](https://togithub.com/moby/buildkit/issues/3066)
- Fix cleanup of containerd tasks if a start fails [#3253](https://togithub.com/moby/buildkit/issues/3253)
- Fix handling Windows paths in content checksums [#3227](https://togithub.com/moby/buildkit/issues/3227)
- Fix possible missing newline in progress output [#3072](https://togithub.com/moby/buildkit/issues/3072)
- Fix possible early EOF on SSH forwarding [#3431](https://togithub.com/moby/buildkit/issues/3431)
- Fix possible panic in concurrent OpenTelemetry access [#3058](https://togithub.com/moby/buildkit/issues/3058)
- Previously deprecated old cache options have been removed [#2982](https://togithub.com/moby/buildkit/issues/2982)
- Daemonless script has been updated to handle already stopped process [#3005](https://togithub.com/moby/buildkit/issues/3005)
- Fix closing session if shared by multiple clients [#2995](https://togithub.com/moby/buildkit/issues/2995)
- `buildctl du` command now supports JSON formatting [#2992](https://togithub.com/moby/buildkit/issues/2992)
- Registry push errors now show additional context [#2981](https://togithub.com/moby/buildkit/issues/2981)
- Improve default description of FileOp vertexes [#2932](https://togithub.com/moby/buildkit/issues/2932)
- Make sure progress from exporting is properly keyed on parallel requests [#2953](https://togithub.com/moby/buildkit/issues/2953)
- Terminal colors are now configurable [#2954](https://togithub.com/moby/buildkit/issues/2954)
- Build errors now always print stacktraces to daemon logs in debug mode [#2903](https://togithub.com/moby/buildkit/issues/2903)

##### Contributors

- Tõnis Tiigi
- Justin Chadwell
- CrazyMax
- Akihiro Suda
- Erik Sipsma
- Sebastiaan van Stijn
- Yan Song
- Kohei Tokunaga
- Alex Suraci
- Jonny Stoten
- Aaron Lehmann
- Avi Deitcher
- Bertrand Paquet
- Brian Goff
- Corey Larson
- Cory Bennett
- Cory Snider
- David Gageot
- Eng Zer Jun
- Fiona Klute
- Gabriel Adrian Samfira
- Petr Fedchenkov
- Pierre Fenoll
- Pranav Pandit
- Sascha Schwarze
- Sean P. Kane
- Steve Lohr
- Tianon Gravi
- Alex Couture-Beil
- Ce Gao
- Daniel Duvall
- Fred Cox
- Frank Yang
- Gahl Saraf
- Guilhem C
- Jacob Gillespie
- Jitender Kumar
- Jordan Goasdoue
- Julian Goede
- Luca Visentin
- Manu Gupta
- Marcus Comstedt
- Morlay
- Nick Santos
- Omer Duchovne
- Tom C
- a-palchikov

##### Dependency Changes

- **github.com/Azure/azure-sdk-for-go/sdk/azcore** v1.1.0 ***new***
- **github.com/Azure/azure-sdk-for-go/sdk/azidentity** v1.1.0 ***new***
- **github.com/Azure/azure-sdk-for-go/sdk/internal** v1.0.0 ***new***
- **github.com/Azure/azure-sdk-for-go/sdk/storage/azblob** v0.4.1 ***new***
- **github.com/AzureAD/microsoft-authentication-library-for-go** v0.6.0 ***new***
- **github.com/Microsoft/go-winio** v0.5.1 -> v0.5.2
- **github.com/Microsoft/hcsshim** v0.9.2 -> v0.9.6
- **github.com/aws/aws-sdk-go-v2** v1.16.3 ***new***
- **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.4.1 ***new***
- **github.com/aws/aws-sdk-go-v2/config** v1.15.5 ***new***
- **github.com/aws/aws-sdk-go-v2/credentials** v1.12.0 ***new***
- **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.12.4 ***new***
- **github.com/aws/aws-sdk-go-v2/feature/s3/manager** v1.11.10 ***new***
- **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.1.10 ***new***
- **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.4.4 ***new***
- **github.com/aws/aws-sdk-go-v2/internal/ini** v1.3.11 ***new***
- **github.com/aws/aws-sdk-go-v2/internal/v4a** v1.0.1 ***new***
- **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.9.1 ***new***
- **github.com/aws/aws-sdk-go-v2/service/internal/checksum** v1.1.5 ***new***
- **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.9.4 ***new***
- **github.com/aws/aws-sdk-go-v2/service/internal/s3shared** v1.13.4 ***new***
- **github.com/aws/aws-sdk-go-v2/service/s3** v1.26.9 ***new***
- **github.com/aws/aws-sdk-go-v2/service/sso** v1.11.4 ***new***
- **github.com/aws/aws-sdk-go-v2/service/sts** v1.16.4 ***new***
- **github.com/aws/smithy-go** v1.11.2 ***new***
- **github.com/containerd/cgroups** v1.0.3 -> v1.0.4
- **github.com/containerd/containerd** [`5ff8fce`](https://togithub.com/moby/buildkit/commit/5ff8fce1fcc6) -> v1.6.14
- **github.com/containerd/continuity** [`d132b28`](https://togithub.com/moby/buildkit/commit/d132b287edc8) -> v0.3.0
- **github.com/containerd/go-cni** v1.1.4 -> v1.1.6
- **github.com/containerd/nydus-snapshotter** v0.3.1 ***new***
- **github.com/containerd/stargz-snapshotter** v0.11.3 -> v0.13.0
- **github.com/containernetworking/cni** v1.0.1 -> v1.1.1
- **github.com/docker/cli** v20.10.13 -> v23.0.0-rc.1
- **github.com/docker/docker** [`61404de`](https://togithub.com/moby/buildkit/commit/61404de7df1a) -> v23.0.0-rc.1
- **github.com/docker/docker-credential-helpers** v0.6.4 -> v0.7.0
- **github.com/docker/go-units** v0.4.0 -> v0.5.0
- **github.com/go-logr/logr** v1.2.2 -> v1.2.3
- **github.com/gofrs/flock** v0.7.3 -> v0.8.1
- **github.com/google/go-cmp** v0.5.7 -> v0.5.9
- **github.com/hashicorp/go-retryablehttp** v0.7.0 -> v0.7.1
- **github.com/hashicorp/golang-lru** v0.5.3 -> v0.5.4
- **github.com/in-toto/in-toto-golang** v0.5.0 ***new***
- **github.com/jmespath/go-jmespath** v0.4.0 ***new***
- **github.com/klauspost/compress** v1.15.1 -> v1.15.12
- **github.com/kylelemons/godebug** v1.1.0 ***new***
- **github.com/moby/patternmatcher** v0.5.0 ***new***
- **github.com/moby/sys/sequential** v0.5.0 ***new***
- **github.com/opencontainers/image-spec** [`c5a74bc`](https://togithub.com/moby/buildkit/commit/c5a74bcca799) -> [`02efb9a`](https://togithub.com/moby/buildkit/commit/02efb9a75ee1)
- **github.com/opencontainers/runc** v1.1.1 -> v1.1.3
- **github.com/opencontainers/selinux** v1.10.0 -> v1.10.2
- **github.com/package-url/packageurl-go** [`8907843`](https://togithub.com/moby/buildkit/commit/89078438f170) ***new***
- **github.com/pkg/browser** [`ce105d0`](https://togithub.com/moby/buildkit/commit/ce105d075bb4) ***new***
- **github.com/prometheus/client_golang** v1.12.1 -> v1.14.0
- **github.com/prometheus/client_model** v0.2.0 -> v0.3.0
- **github.com/prometheus/common** v0.32.1 -> v0.37.0
- **github.com/prometheus/procfs** v0.7.3 -> v0.8.0
- **github.com/secure-systems-lab/go-securesystemslib** v0.4.0 ***new***
- **github.com/shibumi/go-pathspec** v1.3.0 ***new***
- **github.com/sirupsen/logrus** v1.8.1 -> v1.9.0
- **github.com/spdx/tools-golang** [`d6f5855`](https://togithub.com/moby/buildkit/commit/d6f58551be3f) ***new***
- **github.com/stretchr/testify** v1.7.0 -> v1.8.0
- **github.com/tonistiigi/fsutil** [`9ed6126`](https://togithub.com/moby/buildkit/commit/9ed612626da3) -> [`fb43384`](https://togithub.com/moby/buildkit/commit/fb433841cbfa)
- **golang.org/x/crypto** [`5770296`](https://togithub.com/moby/buildkit/commit/5770296d904e) -> v0.2.0
- **golang.org/x/net** [`fe4d628`](https://togithub.com/moby/buildkit/commit/fe4d6282115f) -> v0.4.0
- **golang.org/x/sync** [`036812b`](https://togithub.com/moby/buildkit/commit/036812b2e83c) -> v0.1.0
- **golang.org/x/sys** [`da31bd3`](https://togithub.com/moby/buildkit/commit/da31bd327af9) -> v0.3.0
- **golang.org/x/time** [`1f47c86`](https://togithub.com/moby/buildkit/commit/1f47c861a9ac) -> v0.1.0
- **google.golang.org/genproto** [`3a66f56`](https://togithub.com/moby/buildkit/commit/3a66f561d7aa) -> [`7780775`](https://togithub.com/moby/buildkit/commit/7780775163c4)
- **google.golang.org/grpc** v1.45.0 -> v1.50.1
- **gopkg.in/yaml.v3** v3.0.0 -> v3.0.1

Previous release can be found at [v0.10.6](https://togithub.com/moby/buildkit/releases/tag/v0.10.6)

### [`v0.10.6`](https://togithub.com/moby/buildkit/releases/tag/v0.10.6)

[Compare Source](https://togithub.com/moby/buildkit/compare/v0.10.5...v0.10.6)

https://hub.docker.com/r/moby/buildkit

##### Notable changes:

- Fix possible panic on scanning files from local filesystem [https://github.com/tonistiigi/fsutil/pull/122](https://togithub.com/tonistiigi/fsutil/pull/122)
- Make SELinux opt-in for OCI worker so it can be disabled on certain hosts [https://github.com/moby/buildkit/pull/3255](https://togithub.com/moby/buildkit/pull/3255)

### [`v0.10.5`](https://togithub.com/moby/buildkit/releases/tag/v0.10.5)

[Compare Source](https://togithub.com/moby/buildkit/compare/v0.10.4...v0.10.5)

https://hub.docker.com/r/moby/buildkit

##### Notable changes:

##### This release contains two security fixes.

- Provide mitigation for Git vulnerability [CVE-2022-39253](https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253). In systems with Git version lower than 2.38.1 invoking a build of a maliciously crafted Git repository with `BUILDKIT_CONTEXT_KEEP_GIT_DIR=1` build-arg could lead to copying arbitrary file system paths into resulting containers/images.
- Add additional validation when loading content for `image@digest` references from the local build cache. The new validation makes sure that the same repository name populated the local data and invalid name and digest combinations are detected.

### [`v0.10.4`](https://togithub.com/moby/buildkit/releases/tag/v0.10.4)

[Compare Source](https://togithub.com/moby/buildkit/compare/v0.10.3...v0.10.4)

https://hub.docker.com/r/moby/buildkit

##### Notable changes:

- Default Dockerfile frontend has been updated to v1.4.3 with fixes to handling platforms and timestamps for named image contexts. [changelog](https://togithub.com/moby/buildkit/releases/tag/dockerfile%2F1.4.3)
- Fix cancellation error not being detected and erroneously cached [#2926](https://togithub.com/moby/buildkit/issues/2926)
- Fix interactive containers not releasing resources when client doesn't gracefully disconnect them [https://github.com/moby/buildkit/pull/3025](https://togithub.com/moby/buildkit/pull/3025)
- Fix possible panic on handling nil results [https://github.com/moby/buildkit/pull/3043](https://togithub.com/moby/buildkit/pull/3043)
- Add logging to healthcheck monitoring and mitigate possibility of healthcheck failing under load #2998
- Add fallback when rootless buildkitd cannot access containerd socket [#2968](https://togithub.com/moby/buildkit/issues/2968)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

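For the CVE-2023-26054 advisory quoted in this PR, a check for attestations already produced by BuildKit v0.11.0 through v0.11.3: this is an added example, not code from Renovate, BuildKit or godolint. It walks every string in a provenance JSON document and reports URLs that carry userinfo; `ScanAttestation`, `Finding`, `redactURL` and the sample document (constructed, in the SLSA v0.2 statement shape) are all names and data assumed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Finding is one string value in the attestation that carries URL credentials.
type Finding struct {
	Path     string // JSON path of the offending value
	Redacted string // same URL with the userinfo part removed
}

// redactURL reports whether s is an http(s)/git/ssh URL with embedded
// credentials and returns it with the userinfo stripped.
func redactURL(s string) (string, bool) {
	u, err := url.Parse(strings.TrimSpace(s))
	if err != nil || u.User == nil || u.Host == "" {
		return "", false
	}
	switch u.Scheme {
	case "http", "https", "git", "ssh":
	default:
		return "", false
	}
	// Assumption: a bare ssh login name (ssh://git@host/...) is not a secret;
	// over https the user part alone is often the token, so it is flagged.
	if _, hasPw := u.User.Password(); u.Scheme == "ssh" && !hasPw {
		return "", false
	}
	u.User = nil
	return u.String(), true
}

// walk visits every string in the decoded JSON, whatever field it sits in.
func walk(v any, path string, out *[]Finding) {
	switch t := v.(type) {
	case map[string]any:
		for k, c := range t {
			walk(c, path+"."+k, out)
		}
	case []any:
		for i, c := range t {
			walk(c, fmt.Sprintf("%s[%d]", path, i), out)
		}
	case string:
		if r, ok := redactURL(t); ok {
			*out = append(*out, Finding{Path: path, Redacted: r})
		}
	}
}

// ScanAttestation returns all credential-bearing URLs, sorted by JSON path.
func ScanAttestation(doc []byte) ([]Finding, error) {
	var v any
	if err := json.Unmarshal(doc, &v); err != nil {
		return nil, err
	}
	var out []Finding
	walk(v, "$", &out)
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out, nil
}

// sample is a constructed document; the token and hosts are placeholders.
const sample = `{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "predicate": {
    "invocation": {"configSource": {
      "uri": "https://x-access-token:CONSTRUCTED-TOKEN@git.example.com/org/repo.git#main"}},
    "materials": [
      {"uri": "pkg:docker/alpine@3.17"},
      {"uri": "https://git.example.com/org/lib.git"},
      {"uri": "ssh://git@git.example.com/org/tool.git"}
    ]
  }
}`

func main() {
	findings, err := ScanAttestation([]byte(sample))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("credential-bearing URL at %s (redacted: %s)\n", f.Path, f.Redacted)
	}
}
```

The scan only matches values that are a URL in their entirety; a credential found this way should be treated as exposed to anyone who can read the attestation and rotated.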