Skip to content

syft v1.42.x bump blocked: transitive moby/moby vs moby/moby/client ambiguity #45

Description

@entlein

Summary

Bumping syft from v1.32.0 to v1.42.4 (the lowest version with the CVE-2026-33481 fix per CodeRabbit upstream PR kubescape#810 finding) is blocked by an irreconcilable Go modules ambiguity between two transitive dependency paths.

What happens

Bumping syft pulls forward stereoscope v0.1.9 → v0.1.22. stereoscope v0.1.22 imports github.com/moby/moby/client (the new separately-versioned submodule, v0.4.1). Meanwhile inspektor-gadget (transitive via pkg/container-collection) imports github.com/moby/moby/pkg/stringid from the umbrella github.com/moby/moby v28.5.2+incompatible module — which ALSO contains a client subpackage at the OLD API.

Result:

go: github.com/moby/moby/client: ambiguous import: found package github.com/moby/moby/client in multiple modules:
    github.com/moby/moby v28.5.2+incompatible (/.../moby/moby@v28.5.2+incompatible/client)
    github.com/moby/moby/client v0.4.1         (/.../moby/moby/client@v0.4.1)

Standard fixes don't work:

  • require github.com/moby/moby/client v0.4.1 explicit — Go picks umbrella anyway
  • replace github.com/moby/moby/client => github.com/moby/moby/client v0.4.1 — same
  • exclude github.com/moby/moby v28.5.2+incompatible — all moby/moby tags ≤ v28.5.2 still ship /client subpackage; nothing newer exists
  • Forking stereoscope to revert to docker/docker/client — invasive

Real fix paths

  1. Upstream inspektor-gadget migrates off moby/moby umbrella to only depend on the split submodules (e.g. moby/moby/pkg/stringid if such a submodule is published, or vendoring the 100-LOC stringid). Tracking issue in inspektor-gadget would be the right next step.

  2. Anchore reverts stereoscope to docker/docker/client — unlikely; the moby/moby/client split is upstream Docker's direction.

  3. kubescape/syft fork backports CVE-2026-33481 to the v1.32.0 branch — keeps storage and node-agent on the same syft major, but requires a fork maintainer to mint a new tag.

Workarounds in the meantime

  • Storage bumps cleanly (it doesn't transitively pull inspektor-gadget). Done on release/sbob-rc1 (PR release/sbob-rc1: TDD fixes for upstream PR #326 rabbit findings storage#33, commit bf7ce36c).
  • Node-agent stays on syft v1.32.0 via the existing replace github.com/anchore/syft => github.com/kubescape/syft v1.32.0-ks.2.
  • Exposure assessment: node-agent imports syft ONLY for ApplicationProfile schema types (syft/license, syft/pkg, syft/sbom, syft/source, syft/file). It never invokes the vulnerable temporary-storage cleanup path. Practical CVE risk is essentially zero, but the dependency declaration is still wrong-version and would surface in any SBOM scan of the node-agent binary.

Recommendation

Open an issue against inspektor-gadget/inspektor-gadget requesting migration off moby/moby umbrella for pkg/container-collection. Once that lands and a new IG tag is published, this bump becomes a single go get.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions