Skip to content

fix: [CI-23216]: bump docker:dind to 29.6.0 and buildx to v0.35.0#110

Draft
vinayakharness2026 wants to merge 1 commit into
drone-plugins:masterfrom
vinayakharness2026:fix/vuln-remediation-CI-23216-1782275634
Draft

fix: [CI-23216]: bump docker:dind to 29.6.0 and buildx to v0.35.0#110
vinayakharness2026 wants to merge 1 commit into
drone-plugins:masterfrom
vinayakharness2026:fix/vuln-remediation-CI-23216-1782275634

Conversation

@vinayakharness2026

@vinayakharness2026 vinayakharness2026 commented Jun 24, 2026

Copy link
Copy Markdown

Vulnerability Remediation: harnesssecure/buildx-ecr

Team: ci (Harness CI Platform)
Tickets: CI-23216 — Security Vulnerability Fixes - harnesssecure/buildx-ecr (P2, parent EPIC CI-23213)
Test image: vinayakharness/buildx-ecr-test:buildx-ecr-1.6--debug

Why is this PR in drone-buildx instead of drone-buildx-ecr?
harnesssecure/buildx-ecr:1.5 is a RapidFort-hardened mirror of plugins/buildx-ecr:1.5. The
drone-buildx-ecr image is a thin wrapper (FROM plugins/buildx:linux-amd64 + a 4 MB Go binary).
100% of the reported CVEs come from the parent plugins/buildx image — Alpine OS packages and
Go binaries (containerd, dockerd, runc, ctr, docker, docker-compose, docker-buildx) bundled by
the docker:N.N.N-dind base. Edits in drone-buildx-ecr would have zero effect on the scan.
Fixing drone-buildx here cascades to every buildx-* plugin (ecr, gcr, gar, acr) in one shot.

OnDemand scanner runs (Harness https://harness0.harness.io/):


Summary

The reported image (harnesssecure/buildx-ecr:1.5) inherits its CVEs almost entirely from
docker:28.5.2-dind (Alpine 3.22.2) plus a stale buildx v0.23.0 binary. Bumping the docker:dind
base to 29.6.0-dind and buildx to v0.35.0 cuts Trivy-reported CVEs from 626 → 176
(-72%)
, and CRITICAL findings from 17 → 3 (-82%). The OnDemand (Prisma Cloud / Snyk) scanners
report the same direction: deduplicated issue counts drop by 64% (Prisma 53→19) and 31%
(Snyk 55→38).

The remaining residual HIGH/CRITICAL findings are upstream-pending in
docker:29.6.0-dind's vendored Go modules (google.golang.org/grpc, containerd/v2, golang.org/x/net)
— the next moby/dockerd point release will roll these forward.

Recommendation: REVIEW (draft). Significant net reduction with one major version bump
(28.x→29.x docker:dind, REQUIRED — no fixes backported into the 28.x line by upstream).


CVE Delta — Trivy (local scan)

Severity Before After Change
Critical 17 3 -14
High 306 118 -188
Medium 232 51 -181
Low 71 4 -67
Total 626 176 -450

CVE Delta — Harness OnDemand

Severity-by-severity counts were not retrievable: the STO REST API was returning 5xx during
this run when paginating issues. The per-scan deduplicated totals are below (more reliable than
totals across the v2/issues endpoint, which returned identical 24 371 across all severity filters
in this account, suggesting filter handling is broken upstream).

Scanner Before (1.5) After (1.6--debug) Change
PrismaCloud (Twistlock), deduplicated 53 19 -34 (-64%)
Snyk Container, deduplicated 55 38 -17 (-31%)
PrismaCloud, normalized 137 36 -101 (-74%)
Snyk, normalized 135 67 -68 (-50%)

Per-Ticket CVE Status

CI-23216 reports aggregate counts only (Crit:2 High:28 Med:31 Low:3 Unique:64), not specific CVE
IDs, so the table below summarises the most-impactful CVE classes that Trivy actually identifies
in harnesssecure/buildx-ecr:1.5 and how this change moves them.

CI-23216 — P2: Security Vulnerability Fixes - harnesssecure/buildx-ecr

CVE class Vulnerable component (baseline) Fixed in Required Status Reason
CVE-2026-31789 (Critical x3) openssl 3.5.4-r0 / libcrypto3 / libssl3 Alpine 3.22.5 (docker:29.6.0-dind) >= 3.5.6-r0 ✅ OK Fixed by base image bump
CVE-2025-68121 (Critical, Go stdlib) dockerd, containerd, runc, ctr, docker, docker-buildx, docker-compose all on go1.24.7–1.24.9 docker:29.6.0-dind ships toolchain go1.26 >= 1.24.13 / 1.25.7 ✅ OK Fixed by docker:dind 29.6 toolchain bump
CVE-2026-33186 (Critical, grpc) dockerd, buildx, compose on grpc v1.69.4–v1.74.2 grpc v1.79.3 >= 1.79.3 ⚠️ PARTIAL docker:29.6.0-dind ships grpc v1.78.0; upstream moby/dockerd not yet on 1.79.3
CVE-2024-25621 et al. (High, containerd) containerd v2.0.4 docker:29.6.0-dind ships containerd v2.2.4 >= 2.0.10 / 2.1.9 / 2.2.5 ⚠️ PARTIAL 2.2.4 in base; 2.2.5 not yet vendored upstream
CVE-2026-33747/33748 (High, buildkit) buildx-bundled buildkit 0.21.0 buildx v0.35.0 ships buildkit v0.31.0 >= 0.28.1 ✅ OK Fixed by buildx bump
CVE-2026-24051 / CVE-2026-39883 (High, otel/sdk) otel/sdk v1.31.0 buildx v0.35.0 / docker:29.6.0-dind on otel/sdk v1.38.0–v1.44.0 >= 1.40.0 ✅ OK in buildx; ⚠️ PARTIAL in dockerd (v1.38 still vendored)
CVE-2025-15558 (High, docker/cli) docker/cli v28.0.4 docker:29.6.0-dind on docker/cli v29 >= 29.2.0 ✅ OK Fixed by docker:dind bump
CVE-2026-34040 / 41567 / 42306 (High, docker/docker) github.com/docker/docker v28.0.4 docker:29.6.0-dind on docker/docker v29 >= 29.3.1 ✅ OK Fixed by docker:dind bump
CVE-2025-15467 / 26-28387/28388/28389/28390/45447 / 25-69421 (High, libcrypto3/libssl3/openssl) 3.5.4-r0 Alpine 3.22.5 in docker:29.6.0-dind >= 3.5.5-r0 ✅ OK Fixed
CVE-2026-25210 / 45186 (High, libexpat) 2.7.3-r0 docker:29.6.0-dind >= 2.7.4-r0 ✅ OK Fixed
CVE-2026-40200 (High, musl) 1.2.5-r10 docker:29.6.0-dind >= 1.2.5-r12 ✅ OK Fixed
CVE-2026-22184 (High, zlib) 1.3.1-r2 docker:29.6.0-dind >= 1.3.2-r0 ✅ OK Fixed
Many CVE-2025-61726/61729/26-25679/27145/32280/… (High, Go stdlib) binaries on go1.23.8–1.24.9 docker:29.6.0-dind toolchain go1.26 >= 1.24.11 / 1.25.5 ✅ OK Fixed
CVE-2025-22868 (High, golang.org/x/oauth2 v0.23.0) dockerd docker:29.6.0-dind base updated >= 0.27.0 ✅ OK Fixed
CVE-2026-25680/25681/27136/33814/39821/42502/42506 (High, golang.org/x/net v0.39.0) many bundled binaries docker:29.6.0-dind on x/net v0.47/v0.51 >= 0.53.0 ⚠️ PARTIAL Several still on v0.45–v0.51 in dockerd; full fix at >= 0.55.0
CVE-2025-47913 / 26-39827–39835/42508/46595/46597 (High, golang.org/x/crypto v0.37.0) many bundled binaries docker:29.6.0-dind on x/crypto v0.45–v0.50 >= 0.43.0 ⚠️ PARTIAL Mostly fixed; some still below v0.52.0
CVE-2025-52881 (High, opencontainers/selinux 1.12.0) runc docker:29.6.0-dind on selinux 1.13+ >= 1.13.0 ✅ OK Fixed
CVE-2026-35469 (High, moby/spdystream 0.4.0) dockerd docker:29.6.0-dind on spdystream 0.5+ >= 0.5.1 ✅ OK Fixed
CVE-2026-27135 (High, nghttp2-libs 1.65.0-r0) Alpine pkg docker:29.6.0-dind >= 1.68.1 ✅ OK Fixed

Changes Made

File Change
docker/docker/Dockerfile.linux.amd64 FROM docker:28.5.2-dindFROM docker:29.6.0-dind
docker/docker/Dockerfile.linux.amd64 BUILDX_URL v0.23.0 → v0.35.0 (linux-amd64)
docker/docker/Dockerfile.linux.arm64 FROM arm64v8/docker:28.5.2-dindFROM arm64v8/docker:29.6.0-dind
docker/docker/Dockerfile.linux.arm64 BUILDX_URL v0.23.0 → v0.35.0 (linux-arm64)

Version selection rationale:

  • docker:dind: chose 29.6.0-dind because the docker/docker Go module fix is >= 29.3.1
    and no 28.x backport is published. Among 29.x tags, the latest stable (29.6.0-dind) ships the
    most recent vendored containerd, runc, openssl, musl, libexpat, zlib, otel and Go toolchain —
    taking it gets the maximum CVE drop in one bump. Minimum-safe is 29.3.1; we picked 29.6.0 for
    the broader cleanup.
  • buildx: chose v0.35.0 because the moby/buildkit fix is >= 0.28.1, otel/sdk fix is
    >= 1.40.0, grpc fix is >= 1.79.3, and golang.org/x/net fix is >= 0.53.0 — only v0.34.0+
    satisfies all four. v0.35.0 also ships x/net v0.55.0 and x/crypto v0.52.0, fully resolving
    several HIGH groups that v0.34.x leaves on the residual list.

Breaking-Change Warnings

The following components crossed a major version boundary:

  • docker:dind: 28.5.2 → 29.6.0 (MAJOR)
  • docker/buildx: 0.23.0 → 0.35.0 (12 minor versions; no major-bump but a wide gap)

Before merging, please:

  1. Deploy to QA / staging
  2. Run the full pipeline sanity suite for the buildx, buildx-ecr, buildx-gcr,
    buildx-gar, buildx-acr plugins against representative pipelines.
  3. Verify dind boot, build cache reuse, and authentication flows are unchanged
    (Docker 29 changed default builders, build daemon flags, and a few CLI behaviours).
  4. Check moby/moby and docker/buildx changelogs for breaking notes since 28.5.2 / v0.23.0.

Newly Introduced CVEs

CVE Package Severity Source
CVE-2025-22870 golang.org/x/net@v0.35.0 MEDIUM docker:29.6.0-dind / usr/local/bin/runc
CVE-2025-22872 golang.org/x/net@v0.35.0 MEDIUM docker:29.6.0-dind / usr/local/bin/runc
CVE-2026-27137 stdlib@v1.26rc3 HIGH test-image only — /bin/buildx-ecr compiled with golang:1.26-rc to satisfy go.mod's go 1.26 requirement
CVE-2026-33810 stdlib@v1.26rc3 HIGH test-image only — same as above
CVE-2026-27138 stdlib@v1.26rc3 LOW test-image only — same as above

The two MEDIUM x/net@v0.35.0 findings are upstream in runc shipped with docker:29.6.0-dind
and will be resolved when moby publishes a runc rebuild. The three stdlib@v1.26rc3 findings
are an artefact of the test image onlydrone-buildx-ecr/go.mod declares go 1.26, so the
test build had to use golang:1.26-rc (the only available 1.26 image at this time). The
production CI uses golang:1.24.11, so the released image will not carry the rc3 stdlib CVEs.


Test Plan

  • CI tests pass on this branch
  • Build and tag-push the linux-amd64 + linux-arm64 multi-arch manifest
  • Pull the published plugins/buildx:linux-amd64 and run a sample build
  • Verify pipelines using plugins/buildx-ecr, plugins/buildx-gcr, plugins/buildx-gar,
    plugins/buildx-acr continue to authenticate and push
  • Re-run Harness OnDemand scanner on the published image to confirm CVE counts match
    the test-image after-scan
  • Close JIRA CI-23216 once SCS dashboard reflects the new counts

🤖 Auto-generated by Harness vuln-remediation skill (run via Claude Code agent).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant