Skip to content

Drop docker/docker by bumping toolhive v0.29.0#809

Merged
rdimitrov merged 4 commits into
mainfrom
rdimitrov/bump-toolhive-drop-docker
Jun 3, 2026
Merged

Drop docker/docker by bumping toolhive v0.29.0#809
rdimitrov merged 4 commits into
mainfrom
rdimitrov/bump-toolhive-drop-docker

Conversation

@rdimitrov
Copy link
Copy Markdown
Member

@rdimitrov rdimitrov commented Jun 3, 2026

Summary

Bumps github.com/stacklok/toolhive v0.28.3 → v0.29.0, which removes github.com/docker/docker from this project's build.

v0.29.0 migrates toolhive's container runtime off the deprecated, frozen docker/docker module onto the maintained github.com/moby/moby/{client,api} modules (stacklok/toolhive#5420). With that, nothing in registry-server's import graph pulls docker/docker anymore, so it drops out of the production build and go.mod entirely (it remains only as an indirect go.sum checksum via the module graph).

This completes the remediation that #805 set up: #805 removed the GO-2026-4883 / GO-2026-4887 (CVE-2026-33997 / CVE-2026-34040) docker daemon-advisory suppressions ahead of this bump (with a note that the scans were expected to fail until it landed). This is that bump.

Verification (local)

  • go build ./... ✓, go vet ./... ✓ — no breaking changes from the minor bump
  • docker/docker in production build: 0 packages; go mod why → "main module does not need package"; gone from go.mod
  • Grype (--only-fixed --fail-on high, matching CI): no docker/docker / high+fixed findings → exit 0 — the Grype Repository Scan will pass
  • govulncheck: no docker/docker findings (the advisories are off the build)
  • Refreshed the now-satisfied "until the bump lands" notes in security-scan.yml and .grype.yaml

Note on the Go Vulnerability Check job

It will likely stay red on the pre-existing stdlib batch GO-2026-5037/5038/5039 (crypto/x509, mime, net/textproto; fixed in Go 1.26.4), reached via this project's own code. That's unrelated to this bump — it's red on main for the same reason, pending CI's Go toolchain reaching 1.26.4 (the Actions go-versions manifest still tops out at 1.26.3). This PR only removes the docker advisories from the reported set.

🤖 Generated with Claude Code

rdimitrov and others added 2 commits June 3, 2026 14:45
@rdimitrov @claude
Drop docker/docker by bumping toolhive v0.29.0
0761a4b 
`toolhive` v0.29.0 migrates its container runtime off the deprecated,
frozen `github.com/docker/docker` module onto the maintained
`github.com/moby/moby/{client,api}` modules (stacklok/toolhive#5420).

Bumping to it removes `github.com/docker/docker` from this project's
build entirely: it is no longer a production import and drops out of
`go.mod` (it lingers only as an indirect `go.sum` checksum via the
module graph). That resolves the `GO-2026-4883` / `GO-2026-4887`
(`CVE-2026-33997` / `CVE-2026-34040`) Docker daemon advisories whose
suppressions were already removed ahead of this bump, so both the
govulncheck and Grype scans stop reporting them.

Refresh the now-satisfied "until the bump lands" notes in
`.github/workflows/security-scan.yml` and `.grype.yaml`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@rdimitrov @claude
Temporarily ignore stdlib vulns pending Go 1.26.4
bc36a13 
govulncheck reports `GO-2026-5037`, `GO-2026-5038` and `GO-2026-5039`
— Go standard library advisories in `crypto/x509`, `mime` and
`net/textproto`, fixed in Go 1.26.4. CI installs Go via `stable`,
which currently resolves 1.26.3 because the actions/go-versions
manifest has not published 1.26.4 yet, so these fire on every run.

Ignore the three temporarily so the security scan reflects only
actionable findings. Remove the entries once `stable` picks up 1.26.4
and we have confirmed govulncheck is clean against it.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Jun 3, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@2ecc724). Learn more about missing BASE report.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #809   +/-   ##
=======================================
  Coverage        ?   61.77%           
=======================================
  Files           ?      109           
  Lines           ?    10555           
  Branches        ?        0           
=======================================
  Hits            ?     6520           
  Misses          ?     3454           
  Partials        ?      581

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

JAORMX
JAORMX previously approved these changes Jun 3, 2026
View reviewed changes
@rdimitrov @claude
Pin Grype to skip docker/docker go.sum match
22640fe 
`anchore/scan-action` v7.4.0 bundles grype 0.110.0, whose syft
catalogs Go modules from `go.sum`. After the toolhive v0.29.0 bump
removed `github.com/docker/docker` from `go.mod` and the build, it
remains only as a `go.sum` checksum (module graph via indirect
deps), and 0.110.0 still flags it for `CVE-2026-34040`
(`GHSA-x744-4wpc-v9h2`, high).

Pin `grype-version: v0.112.0`, whose syft catalogs from `go.mod`
only, so the Grype Repository Scan reflects the actual build —
verified locally to return zero matches. govulncheck already confirms
the advisory is not reachable. Drop the pin once scan-action ships a
release bundling grype >= 0.112.0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@rdimitrov @claude
Ignore go.sum-only docker/docker in Grype scan
631bbc6 
The earlier `grype-version` pin did not help: CI's Grype repository
scan catalogs Go modules from `go.sum`, so it flags
`github.com/docker/docker` (`GHSA-x744-4wpc-v9h2` / `CVE-2026-34040`,
high) regardless of the grype version — confirmed by the code-scanning
alert. The toolhive v0.29.0 bump removed the module from `go.mod` and
the build (govulncheck is clean), but it persists as a `go.sum`
checksum via `golang-migrate` and `ory/x`.

Revert the ineffective pin and add a temporary, scoped `.grype.yaml`
ignore for the advisory, documented as a go.sum-only false positive to
be removed once `docker/docker` leaves `go.sum`. govulncheck needs no
matching entry — it is build/reachability based.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@rdimitrov rdimitrov requested a review from JAORMX June 3, 2026 12:27
@rdimitrov rdimitrov enabled auto-merge (squash) June 3, 2026 12:38
@rdimitrov rdimitrov merged commit 3af6bb2 into main Jun 3, 2026
14 checks passed
@rdimitrov rdimitrov deleted the rdimitrov/bump-toolhive-drop-docker branch June 3, 2026 12:39
@claude claude Bot mentioned this pull request Jun 3, 2026
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JAORMX JAORMX JAORMX approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rdimitrov @codecov-commenter @JAORMX