kaniko/1.23.2-r1: cve remediation

[octo-sts]

kaniko/1.23.2-r1: fix GHSA-v23v-6jw2-98fq

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/kaniko.advisories.yaml

[octo-sts]

Open AI suggestions to solve the build error:

The error message is: "ERROR: failed to build package. the build environment has been preserved:
INFO   workspace dir: /temp/melange-workspace-2684831625
INFO   guest dir: /temp/melange-guest-1526121953
ERRO failed to build package: unable to run package kaniko pipeline: unable to run pipeline: unable to run pipeline: exit status 1
make[1]: *** [Makefile:111: packages/aarch64/kaniko-1.23.2-r2.apk] Error 1
make: *** [Makefile:101: package/kaniko] Error 2
make[1]: Leaving directory '/github/home'
##[error]Process completed with exit code 2."

1. Verify Kaniko version and dependencies in Makefile.
2. Check build logs in `/temp/melange-workspace-2684831625` and `/temp/melange-guest-1526121953`.
3. Ensure Docker is running and accessible.
4. Validate Kaniko configuration and pipeline scripts.
5. Re-run build with increased verbosity.
6. Check for recent changes in the repository.

[octo-sts]

Open AI suggestions to solve the build error:

The error message is: "ERROR: failed to build package. the build environment has been preserved:
INFO   workspace dir: /temp/melange-workspace-1143949804
INFO   guest dir: /temp/melange-guest-2498349089
ERRO failed to build package: unable to run package kaniko pipeline: unable to run pipeline: unable to run pipeline: exit status 1
make[1]: *** [Makefile:111: packages/aarch64/kaniko-1.23.2-r2.apk] Error 1
make[1]: Leaving directory '/github/home'
make: *** [Makefile:101: package/kaniko] Error 2
##[error]Process completed with exit code 2."

Steps to fix:
1. Ensure all dependencies are correctly specified in the `go.mod` file.
2. Run `go get github.com/containerd/platforms` to add the missing module.
3. Re-run the build process.

[octo-sts]

Open AI suggestions to solve the build error:

The error message is: "fatal: detected dubious ownership in repository at '/github/home'
To add an exception for this directory, call:

git config --global --add safe.directory /github/home
WARN # github.com/docker/docker/builder/dockerfile
WARN vendor/github.com/docker/docker/builder/dockerfile/dispatchers.go:227:47: undefined: shell.EnvsFromSlice
WARN vendor/github.com/docker/docker/builder/dockerfile/dispatchers.go:511:103: undefined: shell.EnvGetter
WARN vendor/github.com/docker/docker/builder/dockerfile/builder.go:231:16: undefined: shell.EnvsFromSlice
WARN vendor/github.com/docker/docker/builder/dockerfile/evaluator.go:46:16: undefined: shell.EnvsFromSlice
WARN make: *** [Makefile:51: out/executor] Error 1
ERRO ERROR: failed to build package. the build environment has been preserved:
INFO   workspace dir: /temp/melange-workspace-416820034
INFO   guest dir: /temp/melange-guest-2585891872
ERRO failed to build package: unable to run package kaniko pipeline: unable to run pipeline: exit status 2
make[1]: *** [Makefile:111: packages/aarch64/kaniko-1.23.2-r2.apk] Error 1
make[1]: Leaving directory '/github/home'
make: *** [Makefile:101: package/kaniko] Error 2
##[error]Process completed with exit code 2."

1. Run `git config --global --add safe.directory /github/home`.
2. Ensure the `shell` package is correctly imported in the files with undefined references.
3. Verify the `shell` package version compatibility.
4. Rebuild the project using `make package/kaniko`.

[octo-sts]

Open AI suggestions to solve the build error:

The error message is: "fatal: detected dubious ownership in repository at '/github/home'
To add an exception for this directory, call:

git config --global --add safe.directory /github/home
WARN # github.com/docker/docker/builder/dockerfile
WARN vendor/github.com/docker/docker/builder/dockerfile/dispatchers.go:227:47: undefined: shell.EnvsFromSlice
WARN vendor/github.com/docker/docker/builder/dockerfile/dispatchers.go:511:103: undefined: shell.EnvGetter
WARN vendor/github.com/docker/docker/builder/dockerfile/builder.go:231:16: undefined: shell.EnvsFromSlice
WARN vendor/github.com/docker/docker/builder/dockerfile/evaluator.go:46:16: undefined: shell.EnvsFromSlice
WARN make: *** [Makefile:51: out/executor] Error 1
ERRO ERROR: failed to build package. the build environment has been preserved:
INFO   workspace dir: /temp/melange-workspace-3648040223
INFO   guest dir: /temp/melange-guest-3068896032
ERRO failed to build package: unable to run package kaniko pipeline: unable to run pipeline: exit status 2
make[1]: *** [Makefile:111: packages/aarch64/kaniko-1.23.2-r2.apk] Error 1
make[1]: Leaving directory '/github/home'
make: *** [Makefile:101: package/kaniko] Error 2
##[error]Process completed with exit code 2."

To fix this error:
1. Run `git config --global --add safe.directory /github/home` to resolve the ownership issue.
2. Ensure the `shell` package is correctly imported in the Dockerfile-related Go files.
3. Verify the `shell` package provides `EnvsFromSlice` and `EnvGetter` functions.
4. Rebuild the project.

[octo-sts]

Open AI suggestions to solve the build error:

The error message is: "fatal: detected dubious ownership in repository at '/github/home'
To add an exception for this directory, call:

git config --global --add safe.directory /github/home
make[1]: *** [Makefile:111: packages/aarch64/kaniko-1.23.2-r2.apk] Error 1
make[1]: Leaving directory '/github/home'
make: *** [Makefile:101: package/kaniko] Error 2
##[error]Process completed with exit code 2."

To fix this error:
1. Run: `git config --global --add safe.directory /github/home`
2. Retry: `make package/kaniko`

[philroche]

There has been two attempts at remediating this CVE upstream wit attempted docker upgrades @ GoogleContainerTools/kaniko#3278 and GoogleContainerTools/kaniko#3270. Both attempts failed with failing tests. As such I will create pending-upstream-fix advisory for this CVE.

[philroche]

Advisory PR created @ wolfi-dev/advisories#7202

This remediation PR can be close once wolfi-dev/advisories#7202 is merged

[philroche]

wolfi-dev/advisories#7202 has now been approved and merged. Closing this PR