From 7adac94f1e93cc5c3545ea31688662dcef9cd737 Mon Sep 17 00:00:00 2001 From: Joe Chen Date: Fri, 20 Dec 2024 22:33:46 -0500 Subject: [PATCH] Dockerfile: update base image to alpine3.21 and enable trivy scan (#7863) ## Describe the pull request Link to the issue: fixes https://github.com/gogs/gogs/issues/6674 --- .github/workflows/docker.yml | 10 ++++++++++ Dockerfile | 4 ++-- docker/build/finalize.sh | 8 ++++---- docker/build/install-task.sh | 8 ++++---- go.mod | 4 ++-- go.sum | 8 ++++---- trivy.yaml | 16 ++++++++++++++++ 7 files changed, 42 insertions(+), 16 deletions(-) create mode 100644 trivy.yaml diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index d7c2a45db..2a61779dd 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -66,6 +66,11 @@ jobs: gogs/gogs:latest ghcr.io/gogs/gogs:latest registry.digitalocean.com/gogs/gogs:latest + - name: Scan for container vulnerabilities + uses: aquasecurity/trivy-action@master + with: + image-ref: gogs/gogs:latest + exit-code: '1' - name: Send email on failure uses: dawidd6/action-send-mail@v3 if: ${{ failure() }} @@ -116,6 +121,11 @@ jobs: push: true tags: | ttl.sh/gogs/gogs-${{ steps.short-sha.outputs.sha }}:1d + - name: Scan for container vulnerabilities + uses: aquasecurity/trivy-action@master + with: + image-ref: ttl.sh/gogs/gogs-${{ steps.short-sha.outputs.sha }}:1d + exit-code: '1' # Updates to the following section needs to be synced to all release branches within their lifecycles. buildx-release: diff --git a/Dockerfile b/Dockerfile index cb883d769..1f034c51a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:alpine3.17 AS binarybuilder +FROM golang:alpine3.21 AS binarybuilder RUN apk --no-cache --no-progress add --virtual \ build-deps \ build-base \ @@ -11,7 +11,7 @@ COPY . . RUN ./docker/build/install-task.sh RUN TAGS="cert pam" task build -FROM alpine:3.17 +FROM alpine:3.21 RUN apk --no-cache --no-progress add \ bash \ ca-certificates \ 
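Review bot: `uses: aquasecurity/trivy-action@master` in the new scan step (same in both docker.yml hunks, at -66 and -116) resolves a mutable branch at run time, so the code executed inside a job that already holds registry push credentials is whatever that branch points to on the day; pin it to a release tag or, better, a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # <release-tag>` (placeholders). The step is also placed after the push steps that appear as context (`push: true` in the second hunk, the `gogs/gogs:latest` tag list in the first), so `exit-code: '1'` fails the job only after the image has already been published; if the intent is to gate publication, scan the locally built image before the push step, or make clear in the step name that this is a post-publication alert. The second hunk's `image-ref` points at the ephemeral ttl.sh tag, which appears appropriate for non-release builds.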
diff --git a/docker/build/finalize.sh b/docker/build/finalize.sh index 41eb28011..cd9d9a9ee 100755 --- a/docker/build/finalize.sh +++ b/docker/build/finalize.sh @@ -5,16 +5,16 @@ set -xe # Install gosu if [ "$(uname -m)" = "aarch64" ]; then export arch='arm64' - export checksum='73244a858f5514a927a0f2510d533b4b57169b64d2aa3f9d98d92a7a7df80cea' + export checksum='c3805a85d17f4454c23d7059bcb97e1ec1af272b90126e79ed002342de08389b' elif [ "$(uname -m)" = "armv7l" ]; then export arch='armhf' - export checksum='abb1489357358b443789571d52b5410258ddaca525ee7ac3ba0dd91d34484589' + export checksum='e5866286277ff2a2159fb9196fea13e0a59d3f1091ea46ddb985160b94b6841b' else export arch='amd64' - export checksum='bd8be776e97ec2b911190a82d9ab3fa6c013ae6d3121eea3d0bfd5c82a0eaf8c' + export checksum='bbc4136d03ab138b1ad66fa4fc051bafc6cc7ffae632b069a53657279a450de3' fi -wget --quiet https://github.com/tianon/gosu/releases/download/1.14/gosu-${arch} -O /usr/sbin/gosu +wget --quiet https://github.com/tianon/gosu/releases/download/1.17/gosu-${arch} -O /usr/sbin/gosu echo "${checksum} /usr/sbin/gosu" | sha256sum -cs chmod +x /usr/sbin/gosu diff --git a/docker/build/install-task.sh b/docker/build/install-task.sh index 677b6c413..d4a9bf96a 100755 --- a/docker/build/install-task.sh +++ b/docker/build/install-task.sh 
@@ -4,16 +4,16 @@ set -xe if [ "$(uname -m)" = "aarch64" ]; then export arch='arm64' - export checksum='44fad3d61ad39d0abff33f90fdbb99a666524dbeab08dc9d138d5d3a532ff68a' + export checksum='17f325293d08f6f964e0530842e9ef1410dd5f83ee6475b493087391032b0cfd' elif [ "$(uname -m)" = "armv7l" ]; then export arch='arm' - export checksum='b10ae7d85749025740097b0c349b946fbabd417c7ee4d2df8ccc5604750accd9' + export checksum='e5b0261e9f6563ce3ace9e038520eb59d2c77c8d85f2b47ab41e1fe7cf321528' else export arch='amd64' - export checksum='b9c5986f33a53094751b5e22ccc33e050b4a0a485658442121331cbb724e631e' + export checksum='a35462ec71410cccfc428072de830e4478bc57a919d0131ef7897759270dff8f' fi -wget --quiet https://github.com/go-task/task/releases/download/v3.12.1/task_linux_${arch}.tar.gz -O task_linux_${arch}.tar.gz +wget --quiet https://github.com/go-task/task/releases/download/v3.40.1/task_linux_${arch}.tar.gz -O task_linux_${arch}.tar.gz echo "${checksum} task_linux_${arch}.tar.gz" | sha256sum -cs tar -xzf task_linux_${arch}.tar.gz diff --git a/go.mod b/go.mod index 8dbd88495..0c1b8ad3c 100644 --- a/go.mod +++ b/go.mod @@ -44,7 +44,7 @@ require ( github.com/unknwon/paginater v0.0.0-20170405233947-45e5d631308e github.com/urfave/cli v1.22.16 golang.org/x/crypto v0.31.0 - golang.org/x/net v0.31.0 + golang.org/x/net v0.33.0 golang.org/x/text v0.21.0 gopkg.in/DATA-DOG/go-sqlmock.v2 v2.0.0-20180914054222-c19298f520d0 gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df @@ -103,7 +103,7 @@ require ( github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-runewidth v0.0.14 // indirect - github.com/mattn/go-sqlite3 v2.0.3+incompatible // indirect + github.com/mattn/go-sqlite3 v1.14.24 // indirect github.com/mcuadros/go-version v0.0.0-20190830083331-035f6764e8d2 // indirect github.com/microsoft/go-mssqldb v0.17.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect 
diff --git a/go.sum b/go.sum
index 336f4bdc9..a44dd8fb2 100644
--- a/go.sum
+++ b/go.sum
@@ -289,8 +289,8 @@ github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh
 github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
-github.com/mattn/go-sqlite3 v2.0.3+incompatible h1:gXHsfypPkaMZrKbD5209QV9jbUTJKjyR5WD3HYQSd+U=
-github.com/mattn/go-sqlite3 v2.0.3+incompatible/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
+github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
+github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mcuadros/go-version v0.0.0-20190308113854-92cdf37c5b75/go.mod h1:76rfSfYPWj01Z85hUf/ituArm797mNKcvINh1OlsZKo=
 github.com/mcuadros/go-version v0.0.0-20190830083331-035f6764e8d2 h1:YocNLcTBdEdvY3iDK6jfWXvEaM5OCKkjxPKoJRdB3Gg=
@@ -499,8 +499,8 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
-golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 000000000..c4ed20ff0
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,16 @@
+scan:
+ skip-files:
+ # CVE patching of the following things is far behind and out of our control.
+ - "usr/sbin/gosu"
+
+severity:
+ - CRITICAL
+ - HIGH
+
+vulnerability:
+ ignore-unfixed: true
+ type:
+ - os
+ - library
+
+format: "table"
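Review bot: The `skip-files: "usr/sbin/gosu"` entry in the new trivy.yaml removes the privilege-dropping helper from the scan entirely, and the comment above it only says that patching is out of the project's control; since this same commit bumps gosu to 1.17 in docker/build/finalize.sh, the exemption should record the accepted risk and when it is to be revisited, e.g. `# gosu is a prebuilt upstream binary; its findings are accepted as of <date>, revisit on the next gosu bump (see docker/build/finalize.sh)`. Combined with `ignore-unfixed: true`, a finding is now reported only when it is both fixable and outside gosu, which is a reasonable gate but should be stated in the same comment so the scan's coverage is not overstated to readers of the workflow output. The severity and type filters look consistent with a CI gate.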