From 9c9ae8aeda28f591fbe5ee693deac0be3ad795bb Mon Sep 17 00:00:00 2001
From: Louis Lotter
Date: Mon, 22 Jun 2026 08:56:37 +0200
Subject: [PATCH] STAC-25094-vex sts-toolbox docker cli finding

---
 index.json | 92 +++++++++++++-
 pkg/oci/sts-toolbox/scan.openvex.json | 169 ++++++++++++++++++++++++++
 2 files changed, 260 insertions(+), 1 deletion(-)
 create mode 100644 pkg/oci/sts-toolbox/scan.openvex.json

diff --git a/index.json b/index.json
index 422ba74..7d0ea2f 100644
--- a/index.json
+++ b/index.json
@@ -1,11 +1,26 @@
 {
- "updated_at": "2026-06-18T14:55:20Z",
+ "updated_at": "2026-06-22T06:55:28Z",
 "packages": [
 {
 "id": "pkg:maven/org.eclipse.jetty/jetty-http",
 "location": "pkg/maven/org.eclipse.jetty/jetty-http/scan.openvex.json",
 "format": "openvex"
 },
+ {
+ "id": "pkg:oci/container-tools",
+ "location": "pkg/oci/sts-toolbox/scan.openvex.json",
+ "format": "openvex"
+ },
+ {
+ "id": "pkg:oci/container-tools?repository_url=quay.io%2Fstackstate%2Fcontainer-tools",
+ "location": "pkg/oci/sts-toolbox/scan.openvex.json",
+ "format": "openvex"
+ },
+ {
+ "id": "pkg:oci/container-tools?repository_url=registry.rancher.com%2Fsuse-observability%2Fcontainer-tools",
+ "location": "pkg/oci/sts-toolbox/scan.openvex.json",
+ "format": "openvex"
+ },
 {
 "id": "pkg:oci/opentelemetry-target-allocator",
 "location": "pkg/oci/opentelemetry-target-allocator/scan.openvex.json",
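Review bot: The ids added to the index percent-encode the repository_url qualifier (`"id": "pkg:oci/container-tools?repository_url=quay.io%2Fstackstate%2Fcontainer-tools"`), but the product `@id`s in the new pkg/oci/sts-toolbox/scan.openvex.json hunk write the same qualifier with literal slashes (`"@id": "pkg:oci/container-tools?repository_url=quay.io/stackstate/container-tools"`). Unless the consumer canonicalizes purls before comparing, a lookup through the encoded index id lands on a document whose products never match that id, and the not_affected status silently fails to apply. The encoded form agrees with the existing stackstate-k8s-agent entries, so the index side looks right; the VEX document's product ids should be written in the same form, e.g. `"@id": "pkg:oci/container-tools?repository_url=quay.io%2Fstackstate%2Fcontainer-tools"`, or the repository should state which form is canonical. The same mismatch applies to the entries added in the two following index.json hunks.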
@@ -21,6 +36,21 @@
 "location": "pkg/oci/opentelemetry-target-allocator/scan.openvex.json",
 "format": "openvex"
 },
+ {
+ "id": "pkg:oci/stackstate-correlate",
+ "location": "pkg/oci/sts-toolbox/scan.openvex.json",
+ "format": "openvex"
+ },
+ {
+ "id": "pkg:oci/stackstate-correlate?repository_url=quay.io%2Fstackstate%2Fstackstate-correlate",
+ "location": "pkg/oci/sts-toolbox/scan.openvex.json",
+ "format": "openvex"
+ },
+ {
+ "id": "pkg:oci/stackstate-correlate?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-correlate",
+ "location": "pkg/oci/sts-toolbox/scan.openvex.json",
+ "format": "openvex"
+ },
 {
 "id": "pkg:oci/stackstate-k8s-agent",
 "location": "pkg/oci/stackstate-k8s-agent/scan.openvex.json",
@@ -35,6 +65,66 @@
 "id": "pkg:oci/stackstate-k8s-agent?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-k8s-agent",
 "location": "pkg/oci/stackstate-k8s-agent/scan.openvex.json",
 "format": "openvex"
+ },
+ {
+ "id": "pkg:oci/stackstate-kafka-to-es",
+ "location": "pkg/oci/sts-toolbox/scan.openvex.json",
+ "format": "openvex"
+ },
+ {
+ "id": "pkg:oci/stackstate-kafka-to-es?repository_url=quay.io%2Fstackstate%2Fstackstate-kafka-to-es",
+ "location": "pkg/oci/sts-toolbox/scan.openvex.json",
+ "format": "openvex"
+ },
+ {
+ "id": "pkg:oci/stackstate-kafka-to-es?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-kafka-to-es",
+ "location": "pkg/oci/sts-toolbox/scan.openvex.json",
+ "format": "openvex"
+ },
+ {
+ "id": "pkg:oci/stackstate-receiver",
+ "location": "pkg/oci/sts-toolbox/scan.openvex.json",
+ "format": "openvex"
+ },
+ {
+ "id": "pkg:oci/stackstate-receiver?repository_url=quay.io%2Fstackstate%2Fstackstate-receiver",
+ "location": "pkg/oci/sts-toolbox/scan.openvex.json",
+ "format": "openvex"
+ },
+ {
+ "id": "pkg:oci/stackstate-receiver?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-receiver",
+ "location": "pkg/oci/sts-toolbox/scan.openvex.json",
+ "format": "openvex"
+ },
+ {
+ "id": "pkg:oci/stackstate-server",
+ "location": "pkg/oci/sts-toolbox/scan.openvex.json",
+ "format": "openvex"
+ },
+ {
+ "id": "pkg:oci/stackstate-server?repository_url=quay.io%2Fstackstate%2Fstackstate-server",
+ "location": "pkg/oci/sts-toolbox/scan.openvex.json",
+ "format": "openvex"
+ },
+ {
+ "id": "pkg:oci/stackstate-server?repository_url=registry.rancher.com%2Fsuse-observability%2Fstackstate-server",
+ "location": "pkg/oci/sts-toolbox/scan.openvex.json",
+ "format": "openvex"
+ },
+ {
+ "id": "pkg:oci/vmbackup",
+ "location": "pkg/oci/sts-toolbox/scan.openvex.json",
+ "format": "openvex"
+ },
+ {
+ "id": "pkg:oci/vmbackup?repository_url=quay.io%2Fstackstate%2Fvmbackup",
+ "location": "pkg/oci/sts-toolbox/scan.openvex.json",
+ "format": "openvex"
+ },
+ {
+ "id": "pkg:oci/vmbackup?repository_url=registry.rancher.com%2Fsuse-observability%2Fvmbackup",
+ "location": "pkg/oci/sts-toolbox/scan.openvex.json",
+ "format": "openvex"
 }
 ]
 }
diff --git a/pkg/oci/sts-toolbox/scan.openvex.json b/pkg/oci/sts-toolbox/scan.openvex.json
new file mode 100644
index 0000000..8b4e0bc
--- /dev/null
+++ b/pkg/oci/sts-toolbox/scan.openvex.json
@@ -0,0 +1,169 @@
+{
+ "@context": "https://openvex.dev/ns/v0.2.0",
+ "@id": "https://github.com/StackVista/vexhub/pkg/oci/sts-toolbox/GO-2026-4610",
+ "author": "SUSE Observability Security Team",
+ "version": 1,
+ "statements": [
+ {
+ "vulnerability": {
+ "name": "GO-2026-4610",
+ "aliases": [
+ "CVE-2025-15558",
+ "GHSA-p436-gjf2-799p"
+ ]
+ },
+ "products": [
+ {
+ "@id": "pkg:oci/container-tools?repository_url=quay.io/stackstate/container-tools",
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/github.com/docker/cli@v29.4.1+incompatible"
+ }
+ ]
+ },
+ {
+ "@id": "pkg:oci/container-tools?repository_url=registry.rancher.com/suse-observability/container-tools",
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/github.com/docker/cli@v29.4.1+incompatible"
+ }
+ ]
+ },
+ {
+ "@id": "pkg:oci/container-tools",
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/github.com/docker/cli@v29.4.1+incompatible"
+ }
+ ]
+ },
+ {
+ "@id": "pkg:oci/stackstate-correlate?repository_url=quay.io/stackstate/stackstate-correlate",
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/github.com/docker/cli@v29.4.1+incompatible"
+ }
+ ]
+ },
+ {
+ "@id": "pkg:oci/stackstate-correlate?repository_url=registry.rancher.com/suse-observability/stackstate-correlate",
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/github.com/docker/cli@v29.4.1+incompatible"
+ }
+ ]
+ },
+ {
+ "@id": "pkg:oci/stackstate-correlate",
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/github.com/docker/cli@v29.4.1+incompatible"
+ }
+ ]
+ },
+ {
+ "@id": "pkg:oci/stackstate-kafka-to-es?repository_url=quay.io/stackstate/stackstate-kafka-to-es",
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/github.com/docker/cli@v29.4.1+incompatible"
+ }
+ ]
+ },
+ {
+ "@id": "pkg:oci/stackstate-kafka-to-es?repository_url=registry.rancher.com/suse-observability/stackstate-kafka-to-es",
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/github.com/docker/cli@v29.4.1+incompatible"
+ }
+ ]
+ },
+ {
+ "@id": "pkg:oci/stackstate-kafka-to-es",
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/github.com/docker/cli@v29.4.1+incompatible"
+ }
+ ]
+ },
+ {
+ "@id": "pkg:oci/stackstate-receiver?repository_url=quay.io/stackstate/stackstate-receiver",
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/github.com/docker/cli@v29.4.1+incompatible"
+ }
+ ]
+ },
+ {
+ "@id": "pkg:oci/stackstate-receiver?repository_url=registry.rancher.com/suse-observability/stackstate-receiver",
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/github.com/docker/cli@v29.4.1+incompatible"
+ }
+ ]
+ },
+ {
+ "@id": "pkg:oci/stackstate-receiver",
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/github.com/docker/cli@v29.4.1+incompatible"
+ }
+ ]
+ },
+ {
+ "@id": "pkg:oci/stackstate-server?repository_url=quay.io/stackstate/stackstate-server",
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/github.com/docker/cli@v29.4.1+incompatible"
+ }
+ ]
+ },
+ {
+ "@id": "pkg:oci/stackstate-server?repository_url=registry.rancher.com/suse-observability/stackstate-server",
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/github.com/docker/cli@v29.4.1+incompatible"
+ }
+ ]
+ },
+ {
+ "@id": "pkg:oci/stackstate-server",
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/github.com/docker/cli@v29.4.1+incompatible"
+ }
+ ]
+ },
+ {
+ "@id": "pkg:oci/vmbackup?repository_url=quay.io/stackstate/vmbackup",
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/github.com/docker/cli@v29.4.1+incompatible"
+ }
+ ]
+ },
+ {
+ "@id": "pkg:oci/vmbackup?repository_url=registry.rancher.com/suse-observability/vmbackup",
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/github.com/docker/cli@v29.4.1+incompatible"
+ }
+ ]
+ },
+ {
+ "@id": "pkg:oci/vmbackup",
+ "subcomponents": [
+ {
+ "@id": "pkg:golang/github.com/docker/cli@v29.4.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "status": "not_affected",
+ "justification": "vulnerable_code_not_present",
+ "status_notes": "Reviewed sts-toolbox at StackVista/sts-toolbox acff6743d669 on 2026-06-22. The latest master build embeds github.com/docker/cli v29.4.1+incompatible through kops/go-containerregistry Docker config handling. GO-2026-4610 is fixed upstream starting with github.com/docker/cli v29.2.0 and only affects Windows binaries acting as a Docker CLI plugin manager.",
+ "impact_statement": "The vulnerable Docker CLI plugin-manager code is not present in the sts-toolbox binaries bundled into these images. Source and module review showed the dependency path is github.com/StackVista/sts-toolbox/internal/kops -> k8s.io/kops/upup/pkg/fi/cloudup -> k8s.io/kops/pkg/assets -> github.com/google/go-containerregistry/pkg/authn -> github.com/docker/cli/cli/config. A package-level dependency listing for the built sts-toolbox binary includes only github.com/docker/cli/cli/config, cli/config/configfile, cli/config/credentials, cli/config/memorystore, and cli/config/types; it does not include github.com/docker/cli/cli-plugins/manager or other cli-plugins packages. The sts-toolbox GoReleaser configuration builds darwin_amd64, darwin_arm64, linux_amd64, and linux_arm64 binaries, with windows_amd64 explicitly commented out, and the container images consume the linux binaries. The upstream advisory for CVE-2025-15558 / GHSA-p436-gjf2-799p states that non-Windows binaries and projects not using the Docker CLI plugin-manager code are not impacted. Grype 0.112.0 continues to report GO-2026-4610 for v29.4.1, v29.6.0, and even the exact patched v29.2.0 version because its govulndb match details use the incorrect disjunctive constraint '<29.2.0+incompatible||>=19.03.0+incompatible'; this VEX documents the product-specific non-affected state for the sts-toolbox copies in SUSE Observability images.",
+ "timestamp": "2026-06-22T06:54:50Z"
+ }
+ ],
+ "timestamp": "2026-06-22T06:54:50Z"
+}
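Review bot: Every product `@id` in the statement is unversioned (`"@id": "pkg:oci/vmbackup"`, `"@id": "pkg:oci/stackstate-server?repository_url=quay.io/stackstate/stackstate-server"`, with no version or digest), so the not_affected status applies to every past and future tag of these six images, while the justification rests on one reviewed commit (acff6743d669 in status_notes) and on windows_amd64 staying commented out in the GoReleaser configuration (impact_statement). If a later sts-toolbox build re-enables the Windows target or starts importing github.com/docker/cli/cli-plugins packages, this document would keep suppressing the finding without any re-review. Consider pinning the products to the image digests that were actually reviewed, or, if unversioned products are this repository's convention, appending a re-review trigger to status_notes, e.g. `"... Re-evaluate if sts-toolbox re-enables the windows_amd64 build or imports github.com/docker/cli/cli-plugins packages."`.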