Bumping syft from v1.32.0 to v1.42.4 (the lowest version carrying the CVE-2026-33481 fix, per the CodeRabbit finding on upstream PR kubescape#810) is blocked by an irreconcilable Go modules ambiguity between two transitive dependency paths.
What happens
Bumping syft pulls stereoscope forward from v0.1.9 to v0.1.22. stereoscope v0.1.22 imports github.com/moby/moby/client (the new separately-versioned submodule, v0.4.1). Meanwhile inspektor-gadget (transitive via pkg/container-collection) imports github.com/moby/moby/pkg/stringid from the umbrella github.com/moby/moby v28.5.2+incompatible module, which ALSO contains a client subpackage at the OLD API.
Result:
```
go: github.com/moby/moby/client: ambiguous import: found package github.com/moby/moby/client in multiple modules:
	github.com/moby/moby v28.5.2+incompatible (/.../moby/moby@v28.5.2+incompatible/client)
	github.com/moby/moby/client v0.4.1 (/.../moby/moby/client@v0.4.1)
```
Standard fixes don't work:
- require github.com/moby/moby/client v0.4.1 explicitly: Go picks the umbrella anyway.
- replace github.com/moby/moby/client => github.com/moby/moby/client v0.4.1: same result.
- exclude github.com/moby/moby v28.5.2+incompatible: every moby/moby tag ≤ v28.5.2 still ships the /client subpackage, and nothing newer exists.
- Forking stereoscope to revert to docker/docker/client: invasive.
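To make the two competing requirement chains above explicit, here is an added Go helper (not code from this issue or from kubescape) that parses `go mod graph` output and lists every chain leading to a given module. The graph text is a constructed sample, and the inspektor-gadget version in it is a placeholder.

```go
package main
import (
	"bufio"
	"slices"
	"strings"
)

// Constructed sample of `go mod graph` output, not taken from the real repo;
// the inspektor-gadget version is a placeholder. The main module has no @version.
const sampleGraph = `github.com/kubescape/node-agent github.com/anchore/syft@v1.42.4
github.com/kubescape/node-agent github.com/inspektor-gadget/inspektor-gadget@v0.0.0-placeholder
github.com/anchore/syft@v1.42.4 github.com/anchore/stereoscope@v0.1.22
github.com/anchore/stereoscope@v0.1.22 github.com/moby/moby/client@v0.4.1
github.com/inspektor-gadget/inspektor-gadget@v0.0.0-placeholder github.com/moby/moby@v28.5.2+incompatible`

// Graph maps a module (path@version) to the modules it requires.
type Graph map[string][]string

// ParseModGraph reads one "requirer requirement" pair per line.
func ParseModGraph(text string) Graph {
	g := Graph{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 2 {
			g[f[0]] = append(g[f[0]], f[1])
		}
	}
	return g
}

// PathsTo returns every requirement chain from root to target by DFS.
func (g Graph) PathsTo(root, target string) (out [][]string) {
	var walk func(node string, path []string)
	walk = func(node string, path []string) {
		if slices.Contains(path, node) {
			return // module graphs may contain cycles
		}
		path = append(path, node)
		if node == target {
			out = append(out, append([]string(nil), path...))
			return
		}
		for _, dep := range g[node] {
			walk(dep, path)
		}
	}
	walk(root, nil)
	return out
}
```

Feed it the real output of `go mod graph` and query both github.com/moby/moby@v28.5.2+incompatible and github.com/moby/moby/client@v0.4.1 to see which direct dependency drags each one in.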
Real fix paths
- Upstream inspektor-gadget migrates off the moby/moby umbrella and depends only on the split submodules (e.g. moby/moby/pkg/stringid if such a submodule is published, or vendors the 100-LOC stringid). A tracking issue in inspektor-gadget would be the right next step.
- Anchore reverts stereoscope to docker/docker/client: unlikely; the moby/moby/client split is upstream Docker's direction.
- The kubescape/syft fork backports CVE-2026-33481 to the v1.32.0 branch: keeps storage and node-agent on the same syft major, but requires a fork maintainer to mint a new tag.
Workarounds in the meantime
- Storage: release/sbob-rc1 (PR "release/sbob-rc1: TDD fixes for upstream PR #326 rabbit findings", storage#33, commit bf7ce36c).
- Node-agent stays on syft v1.32.0 via the existing replace github.com/anchore/syft => github.com/kubescape/syft v1.32.0-ks.2.
Exposure assessment: node-agent imports syft ONLY for ApplicationProfile schema types (syft/license, syft/pkg, syft/sbom, syft/source, syft/file). It never invokes the vulnerable temporary-storage cleanup path. The practical CVE risk is essentially zero, but the dependency declaration still names the wrong version and would surface in any SBOM scan of the node-agent binary.
Recommendation
Open an issue against inspektor-gadget/inspektor-gadget requesting that pkg/container-collection migrate off the moby/moby umbrella. Once that lands and a new IG tag is published, this bump becomes a single go get.