From 0f35c05eee6b70514d33bc884fbe2eaefc8c51d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Thu, 16 Feb 2023 14:16:32 +0100
Subject: [PATCH] Ignore multiple CVEs due to missing deps in python:3.11-alpine
---
 .github/workflows/dev.yml | 8 ++++----
 .trivyignore | 4 ++++
 src/autoconf/Dockerfile | 2 +-
 src/bw/Dockerfile | 10 +++++-----
 src/scheduler/Dockerfile | 2 +-
 src/ui/Dockerfile | 2 +-
 6 files changed, 16 insertions(+), 12 deletions(-)
 create mode 100644 .trivyignore
diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
index 9bcc01329..e9f65d7b3 100644
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@@ -47,7 +47,7 @@ jobs:
 exit-code: 1
 ignore-unfixed: false
 severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
- #trivyignores: .trivyignore
+ trivyignores: .trivyignore
 # BW scheduler tests
 scheduler:
@@ -91,7 +91,7 @@ jobs:
 exit-code: 1
 ignore-unfixed: false
 severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
- #trivyignores: .trivyignore
+ trivyignores: .trivyignore
 # BW autoconf tests
 autoconf:
@@ -135,7 +135,7 @@ jobs:
 exit-code: 1
 ignore-unfixed: false
 severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
- #trivyignores: .trivyignore
+ trivyignores: .trivyignore
 # BW UI tests
 ui:
@@ -180,7 +180,7 @@ jobs:
 exit-code: 1
 ignore-unfixed: false
 severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
- #trivyignores: .trivyignore
+ trivyignores: .trivyignore
 # Python code security
 code-security:
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 000000000..4be368d62
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,4 @@
+# libcurl 7.87.0-r2 and curl 7.87.0-r2 are not yet available in python:3.11-alpine
+CVE-2023-23916
+CVE-2023-23914
+CVE-2023-23915
\ No newline at end of file
diff --git a/src/autoconf/Dockerfile b/src/autoconf/Dockerfile
index 0ae619b64..dd3a139cb 100644
--- a/src/autoconf/Dockerfile
+++ b/src/autoconf/Dockerfile
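Review bot: The same `.trivyignore` is now wired into all four scan jobs (this hunk and the ones at -91, -135 and -180), so the three curl CVEs it lists are suppressed for every image, including the one whose Dockerfile in this commit (src/bw, built on nginx:1.22.1-alpine) actually receives a curl fix and could be verified by the scanner. A suppression written for the python:3.11-alpine images therefore also mutes a fixable finding elsewhere. If the job before `# BW scheduler tests` is the bw image scan, as the layout suggests, consider leaving its `#trivyignores: .trivyignore` line commented out, or pointing that job at a separate ignore file, so the ignore stays scoped to the images that cannot take the fix yet.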
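Review bot: The three ignore entries carry no expiry, so the suppression persists silently after python:3.11-alpine ships libcurl 7.87.0-r2, and the pins dropped elsewhere in this commit will never be re-checked by CI. Newer Trivy releases accept an expiration suffix on each line (`CVE-2023-23916 exp:YYYY-MM-DD`, date to be chosen by the team), which makes the finding reappear automatically; if the action's pinned Trivy version supports it, add one per entry, otherwise record a review date in the header comment. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing before further IDs are appended.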
@@ -54,7 +54,7 @@ RUN apk add --no-cache bash && \
 chmod 770 /var/log/letsencrypt /var/lib/letsencrypt
 # Fix CVEs
-RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2" "git>=2.36.5-r0"
+RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0"
 VOLUME /data /etc/nginx
diff --git a/src/bw/Dockerfile b/src/bw/Dockerfile
index 9f56d5358..8cf383dc8 100644
--- a/src/bw/Dockerfile
+++ b/src/bw/Dockerfile
@@ -4,22 +4,22 @@ FROM nginx:1.22.1-alpine AS builder
 COPY src/deps /tmp/bunkerweb/deps
 # Compile and install dependencies
-RUN apk add --no-cache --virtual build bash build autoconf libtool automake geoip-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers musl-dev gd-dev gnupg brotli-dev openssl-dev patch readline-dev && \
+RUN apk add --no-cache --virtual .build-deps bash autoconf libtool automake geoip-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers musl-dev gd-dev gnupg brotli-dev openssl-dev patch readline-dev && \
 mkdir -p /usr/share/bunkerweb/deps && \
 chmod +x /tmp/bunkerweb/deps/install.sh && \
 bash /tmp/bunkerweb/deps/install.sh && \
- apk del build
+ apk del .build-deps
 # Copy python requirements
 COPY src/common/gen/requirements.txt /usr/share/bunkerweb/deps/requirements.txt
 # Install python requirements
-RUN apk add --no-cache --virtual build py3-pip && \
+RUN apk add --no-cache --virtual .build-deps py3-pip && \
 pip install --no-cache-dir --upgrade pip && \
 pip install wheel && \
 mkdir -p /usr/share/bunkerweb/deps/python && \
 pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt && \
- apk del build
+ apk del .build-deps
 FROM nginx:1.22.1-alpine
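Review bot: Dropping the `"curl>=7.87.0-r2" "libcurl>=7.87.0-r2"` constraints leaves nothing in this image that will pull in the fixed curl once python:3.11-alpine ships it, and the new `.trivyignore` keeps the finding hidden, so the `# Fix CVEs` comment should now record what is outstanding: `# Fix CVEs - curl/libcurl CVE-2023-23914/23915/23916 are ignored in .trivyignore until python:3.11-alpine ships 7.87.0-r2; re-add the pin then`. The same applies to the src/scheduler and src/ui hunks, which make the identical change. Separately, this `apk add` runs without `--no-cache`, unlike the `RUN apk add --no-cache bash` shown in the hunk header, so the fetched package index can stay in the layer; `RUN apk add --no-cache "libssl1.1>=1.1.1q-r0" …` keeps it out. The `>=` constraints also remain floating rather than pinned, which is acceptable as a security floor but means this layer is not reproducible.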
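Review bot: `pip install wheel` in the second RUN of this hunk is the one install that is neither pinned nor run with `--no-cache-dir`, in contrast to its neighbours and to the `--require-hashes` install that follows; it is unchanged by this commit but sits between the lines you touched. Pinning it, `pip install --no-cache-dir wheel==<version>`, keeps the builder stage's tooling as reproducible as the hashed requirements. The renamed `.build-deps` virtual package is created and deleted twice in the hunk, which works because `apk del .build-deps` empties it before the second `--virtual` reuses the name; a one-line comment saying so above the second RUN would save the next reader checking.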
@@ -75,7 +75,7 @@ RUN apk add --no-cache pcre bash python3 && \
 chmod 660 /usr/share/bunkerweb/INTEGRATION
 # Fix CVEs
-RUN apk add "openssl>=1.1.1q-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2" "git>=2.36.5-r0"
+RUN apk add "openssl>=1.1.1q-r0" "curl>=7.83.1-r6" "libcurl>=7.83.1-r6" "git>=2.36.5-r0"
 VOLUME /data /etc/nginx
diff --git a/src/scheduler/Dockerfile b/src/scheduler/Dockerfile
index d1f9ddc2a..ba7e7852c 100644
--- a/src/scheduler/Dockerfile
+++ b/src/scheduler/Dockerfile
@@ -64,7 +64,7 @@ RUN apk add --no-cache bash libgcc libstdc++ openssl && \
 chmod 660 /usr/share/bunkerweb/INTEGRATION
 # Fix CVEs
-RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2" "git>=2.36.5-r0"
+RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0"
 VOLUME /data /etc/nginx
diff --git a/src/ui/Dockerfile b/src/ui/Dockerfile
index e3e268a2a..d7bdbae61 100755
--- a/src/ui/Dockerfile
+++ b/src/ui/Dockerfile
@@ -50,7 +50,7 @@ RUN apk add --no-cache bash && \
 chmod 660 /usr/share/bunkerweb/INTEGRATION
 # Fix CVEs
-RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2" "git>=2.36.5-r0"
+RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0"
 VOLUME /data /etc/nginx
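Review bot: The new floor `"curl>=7.83.1-r6" "libcurl>=7.83.1-r6"` differs from the `7.87.0-r2` used for the other images and the `# Fix CVEs` comment does not say why, so a reader cannot tell which advisories this line closes or when it can be dropped. Presumably it is the fixed build available on the nginx:1.22.1-alpine base; if that is the case, say so: `# Fix CVEs: curl/libcurl >=7.83.1-r6 closes CVE-2023-23914/23915/23916 on the nginx:1.22.1-alpine base`. As in the autoconf, scheduler and ui hunks, `apk add` here lacks the `--no-cache` that the surrounding `RUN apk add --no-cache pcre bash python3` uses, so `RUN apk add --no-cache "openssl>=1.1.1q-r0" …` would avoid leaving the package index in the layer.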