Dockerfile: update base image to alpine3.21 and enable trivy scan (#7863)

## Describe the pull request Link to the issue: fixes https://github.com/gogs/gogs/issues/6674
2024-12-20 22:33:46 -05:00 · 2024-12-20 22:33:46 -05:00 · 7adac94f1e
parent c5dff8cdad
commit 7adac94f1e
7 changed files with 42 additions and 16 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -66,6 +66,11 @@ jobs:
            gogs/gogs:latest
            ghcr.io/gogs/gogs:latest
            registry.digitalocean.com/gogs/gogs:latest
+      - name: Scan for container vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: gogs/gogs:latest
+          exit-code: '1'
      - name: Send email on failure
        uses: dawidd6/action-send-mail@v3
        if: ${{ failure() }}
@ -116,6 +121,11 @@ jobs:
          push: true
          tags: |
            ttl.sh/gogs/gogs-${{ steps.short-sha.outputs.sha }}:1d
+      - name: Scan for container vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ttl.sh/gogs/gogs-${{ steps.short-sha.outputs.sha }}:1d
+          exit-code: '1'

  # Updates to the following section needs to be synced to all release branches within their lifecycles.
  buildx-release:
--- a/4
+++ b/4
@ -1,4 +1,4 @@
-FROM golang:alpine3.17 AS binarybuilder
+FROM golang:alpine3.21 AS binarybuilder
 RUN apk --no-cache --no-progress add --virtual \
  build-deps \
  build-base \
@ -11,7 +11,7 @@ COPY . .
 RUN ./docker/build/install-task.sh
 RUN TAGS="cert pam" task build

-FROM alpine:3.17
+FROM alpine:3.21
 RUN apk --no-cache --no-progress add \
  bash \
  ca-certificates \
--- a/docker/build/finalize.sh
+++ b/docker/build/finalize.sh
@ -5,16 +5,16 @@ set -xe
 # Install gosu
 if [ "$(uname -m)" = "aarch64" ]; then
  export arch='arm64'
-  export checksum='73244a858f5514a927a0f2510d533b4b57169b64d2aa3f9d98d92a7a7df80cea'
+  export checksum='c3805a85d17f4454c23d7059bcb97e1ec1af272b90126e79ed002342de08389b'
 elif [ "$(uname -m)" = "armv7l" ]; then
  export arch='armhf'
-  export checksum='abb1489357358b443789571d52b5410258ddaca525ee7ac3ba0dd91d34484589'
+  export checksum='e5866286277ff2a2159fb9196fea13e0a59d3f1091ea46ddb985160b94b6841b'
 else
  export arch='amd64'
-  export checksum='bd8be776e97ec2b911190a82d9ab3fa6c013ae6d3121eea3d0bfd5c82a0eaf8c'
+  export checksum='bbc4136d03ab138b1ad66fa4fc051bafc6cc7ffae632b069a53657279a450de3'
 fi

-wget --quiet https://github.com/tianon/gosu/releases/download/1.14/gosu-${arch} -O /usr/sbin/gosu
+wget --quiet https://github.com/tianon/gosu/releases/download/1.17/gosu-${arch} -O /usr/sbin/gosu
 echo "${checksum}  /usr/sbin/gosu" | sha256sum -cs
 chmod +x /usr/sbin/gosu

--- a/docker/build/install-task.sh
+++ b/docker/build/install-task.sh
@ -4,16 +4,16 @@ set -xe

 if [ "$(uname -m)" = "aarch64" ]; then
  export arch='arm64'
-  export checksum='44fad3d61ad39d0abff33f90fdbb99a666524dbeab08dc9d138d5d3a532ff68a'
+  export checksum='17f325293d08f6f964e0530842e9ef1410dd5f83ee6475b493087391032b0cfd'
 elif [ "$(uname -m)" = "armv7l" ]; then
  export arch='arm'
-  export checksum='b10ae7d85749025740097b0c349b946fbabd417c7ee4d2df8ccc5604750accd9'
+  export checksum='e5b0261e9f6563ce3ace9e038520eb59d2c77c8d85f2b47ab41e1fe7cf321528'
 else
  export arch='amd64'
-  export checksum='b9c5986f33a53094751b5e22ccc33e050b4a0a485658442121331cbb724e631e'
+  export checksum='a35462ec71410cccfc428072de830e4478bc57a919d0131ef7897759270dff8f'
 fi

-wget --quiet https://github.com/go-task/task/releases/download/v3.12.1/task_linux_${arch}.tar.gz -O task_linux_${arch}.tar.gz
+wget --quiet https://github.com/go-task/task/releases/download/v3.40.1/task_linux_${arch}.tar.gz -O task_linux_${arch}.tar.gz
 echo "${checksum}  task_linux_${arch}.tar.gz" | sha256sum -cs

 tar -xzf task_linux_${arch}.tar.gz
--- a/go.mod
+++ b/go.mod
@ -44,7 +44,7 @@ require (
 	github.com/unknwon/paginater v0.0.0-20170405233947-45e5d631308e
 	github.com/urfave/cli v1.22.16
 	golang.org/x/crypto v0.31.0
-	golang.org/x/net v0.31.0
+	golang.org/x/net v0.33.0
 	golang.org/x/text v0.21.0
 	gopkg.in/DATA-DOG/go-sqlmock.v2 v2.0.0-20180914054222-c19298f520d0
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
@ -103,7 +103,7 @@ require (
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
-	github.com/mattn/go-sqlite3 v2.0.3+incompatible // indirect
+	github.com/mattn/go-sqlite3 v1.14.24 // indirect
 	github.com/mcuadros/go-version v0.0.0-20190830083331-035f6764e8d2 // indirect
 	github.com/microsoft/go-mssqldb v0.17.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
--- a/go.sum
+++ b/go.sum
@ -289,8 +289,8 @@ github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh
 github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
-github.com/mattn/go-sqlite3 v2.0.3+incompatible h1:gXHsfypPkaMZrKbD5209QV9jbUTJKjyR5WD3HYQSd+U=
-github.com/mattn/go-sqlite3 v2.0.3+incompatible/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
+github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
+github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mcuadros/go-version v0.0.0-20190308113854-92cdf37c5b75/go.mod h1:76rfSfYPWj01Z85hUf/ituArm797mNKcvINh1OlsZKo=
 github.com/mcuadros/go-version v0.0.0-20190830083331-035f6764e8d2 h1:YocNLcTBdEdvY3iDK6jfWXvEaM5OCKkjxPKoJRdB3Gg=
@ -499,8 +499,8 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
-golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
--- a/trivy.yaml
+++ b/trivy.yaml
@ -0,0 +1,16 @@
+scan:
+  skip-files:
+    # CVE patching of the following things is far behind and out of our control.
+    - "usr/sbin/gosu"
+
+severity:
+  - CRITICAL
+  - HIGH
+
+vulnerability:
+  ignore-unfixed: true
+  type:
+    - os
+    - library
+
+format: "table"