status-im
/
consul
mirror of https://github.com/status-im/consul.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

security: update alpine base image to 3.20 (#21729) 

* security: update alpine base image to 3.20

* security: update scan config to remove old triage exceptions
This commit is contained in:
Michael Zalimeni 2024-09-13 15:02:11 -04:00 committed by GitHub
parent de281cbfb7
commit c40eecf8f9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 8 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.changelog/21729.txt Normal file
View File

@ -0,0 +1,4 @@
```release-notes:security
Bump Dockerfile base image to `alpine:3.20`.
This resolves CVE-2024-7264 and CVE-2024-8096 (curl).
```

5
.release/security-scan.hcl
View File

@ -38,11 +38,6 @@ container {
suppress { suppress {
# N.b. `vulnerabilites` is the correct spelling for this tool. # N.b. `vulnerabilites` is the correct spelling for this tool.
vulnerabilites = [ vulnerabilites = [
"CVE-2023-46218", # curl@8.4.0-r0
"CVE-2023-46219", # curl@8.4.0-r0
"CVE-2023-5678", # openssl@3.1.4-r0
"CVE-2024-7264", # curl@8.9.0
"CVE-2024-8096", # curl@8.9.1-r0
] ]
paths = [ paths = [
"internal/tools/proto-gen-rpc-glue/e2e/consul/*", "internal/tools/proto-gen-rpc-glue/e2e/consul/*",

4
Dockerfile
View File

@ -16,7 +16,7 @@
# Official docker image that includes binaries from releases.hashicorp.com. This # Official docker image that includes binaries from releases.hashicorp.com. This
# downloads the release from releases.hashicorp.com and therefore requires that # downloads the release from releases.hashicorp.com and therefore requires that
# the release is published before building the Docker image. # the release is published before building the Docker image.
FROM docker.mirror.hashicorp.services/alpine:3.19 as official FROM docker.mirror.hashicorp.services/alpine:3.20 as official
# This is the release of Consul to pull in. # This is the release of Consul to pull in.
ARG VERSION ARG VERSION
@ -112,7 +112,7 @@ CMD ["agent", "-dev", "-client", "0.0.0.0"]
# Production docker image that uses CI built binaries. # Production docker image that uses CI built binaries.
# Remember, this image cannot be built locally. # Remember, this image cannot be built locally.
FROM docker.mirror.hashicorp.services/alpine:3.19 as default FROM docker.mirror.hashicorp.services/alpine:3.20 as default
ARG PRODUCT_VERSION ARG PRODUCT_VERSION
ARG BIN_NAME ARG BIN_NAME

2
test/integration/connect/envoy/Dockerfile-tcpdump
View File

@ -1,4 +1,4 @@
FROM alpine:3.17 FROM alpine:3.20
RUN apk add --no-cache tcpdump RUN apk add --no-cache tcpdump
VOLUME [ "/data" ] VOLUME [ "/data" ]

2
test/integration/connect/envoy/helpers.bash
View File

@ -652,7 +652,7 @@ function docker_consul_for_proxy_bootstrap {
function docker_wget { function docker_wget {
local DC=$1 local DC=$1
shift 1 shift 1
docker run --rm --network container:envoy_consul-${DC}_1 docker.mirror.hashicorp.services/alpine:3.17 wget "$@" docker run --rm --network container:envoy_consul-${DC}_1 docker.mirror.hashicorp.services/alpine:3.20 wget "$@"
} }
function docker_curl { function docker_curl {