From 7a8a75901f7b0a86b165af4f92386ce03ec03cd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Wed, 22 Feb 2023 10:13:34 +0100
Subject: [PATCH] Fix multiple CVEs (see comment) (finally)

---
 .github/workflows/dev.yml | 8 ++++----
 .trivyignore | 4 ----
 src/autoconf/Dockerfile | 2 +-
 src/scheduler/Dockerfile | 2 +-
 src/ui/Dockerfile | 2 +-
 5 files changed, 7 insertions(+), 11 deletions(-)
 delete mode 100644 .trivyignore

diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
index e9f65d7b3..73aa2f302 100644
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@@ -47,7 +47,7 @@ jobs:
 exit-code: 1
 ignore-unfixed: false
 severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
- trivyignores: .trivyignore
+ # trivyignores: .trivyignore
 # BW scheduler tests
 scheduler:
@@ -91,7 +91,7 @@ jobs:
 exit-code: 1
 ignore-unfixed: false
 severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
- trivyignores: .trivyignore
+ # trivyignores: .trivyignore
 # BW autoconf tests
 autoconf:
@@ -135,7 +135,7 @@ jobs:
 exit-code: 1
 ignore-unfixed: false
 severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
- trivyignores: .trivyignore
+ # trivyignores: .trivyignore
 # BW UI tests
 ui:
@@ -180,7 +180,7 @@ jobs:
 exit-code: 1
 ignore-unfixed: false
 severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
- trivyignores: .trivyignore
+ # trivyignores: .trivyignore
 # Python code security
 code-security:
diff --git a/.trivyignore b/.trivyignore
deleted file mode 100644
index 4be368d62..000000000
--- a/.trivyignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# libcurl 7.87.0-r2 and curl 7.87.0-r2 are not yet available in python:3.11-alpine
-CVE-2023-23916
-CVE-2023-23914
-CVE-2023-23915
\ No newline at end of file
diff --git a/src/autoconf/Dockerfile b/src/autoconf/Dockerfile
index dd3a139cb..1d0db2727 100644
--- a/src/autoconf/Dockerfile
+++ b/src/autoconf/Dockerfile
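Review bot: The `+ # trivyignores: .trivyignore` line added in each of the four dev.yml hunks leaves commented-out configuration pointing at a file this same commit deletes, so the job definitions now carry a dangling reference rather than a decision. Delete the key outright, or replace it with a comment that records the intent, e.g. `# no trivyignores file: every finding fails the job; pin fixed packages in the Dockerfiles instead`, so the next maintainer whose build goes red does not re-add an ignore list as the first reaction. With `ignore-unfixed: false` and the full `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` list left in the context lines, that strict fail-closed posture appears to be what is intended, which is worth saying once in the file. The `jobs:` mapping these hunks belong to starts outside the hunks.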
@@ -54,7 +54,7 @@ RUN apk add --no-cache bash && \
 chmod 770 /var/log/letsencrypt /var/lib/letsencrypt
 # Fix CVEs
-RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0"
+RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2"
 VOLUME /data /etc/nginx
diff --git a/src/scheduler/Dockerfile b/src/scheduler/Dockerfile
index ba7e7852c..d8b375bab 100644
--- a/src/scheduler/Dockerfile
+++ b/src/scheduler/Dockerfile
@@ -64,7 +64,7 @@ RUN apk add --no-cache bash libgcc libstdc++ openssl && \
 chmod 660 /usr/share/bunkerweb/INTEGRATION
 # Fix CVEs
-RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0"
+RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2"
 VOLUME /data /etc/nginx
diff --git a/src/ui/Dockerfile b/src/ui/Dockerfile
index d7bdbae61..66d995109 100755
--- a/src/ui/Dockerfile
+++ b/src/ui/Dockerfile
@@ -50,7 +50,7 @@ RUN apk add --no-cache bash && \
 chmod 660 /usr/share/bunkerweb/INTEGRATION
 # Fix CVEs
-RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0"
+RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2"
 VOLUME /data /etc/nginx
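Review bot: The extended `RUN apk add` on the `+` line of this hunk (and the identical lines in the src/scheduler/Dockerfile and src/ui/Dockerfile hunks) still omits `--no-cache`, unlike the `apk add --no-cache bash` shown in the hunk header, so the downloaded package index is typically left under `/var/cache/apk` in the image layer; change it to `RUN apk add --no-cache "libssl1.1>=1.1.1q-r0" … "curl>=7.87.0-r2" "libcurl>=7.87.0-r2"`. The larger gap is that a hand-maintained list of `>=` floors only closes the CVEs someone has already noticed, and the deleted `.trivyignore` comment shows the fixed curl build was not yet in the base image's repository, so every future advisory means another edit here. Adding `RUN apk upgrade --no-cache` ahead of this line should pull every patched package from the pinned Alpine branch, leaving the explicit floors as a fail-closed check rather than the only fix. A comment naming what each floor addresses, e.g. `# curl/libcurl >= 7.87.0-r2: CVE-2023-23914, CVE-2023-23915, CVE-2023-23916`, would also let the pins be retired once the base image catches up. The preceding `RUN` instruction starts outside the hunk.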