Update fleetdm/fleetctl, fleetdm/wix and fleetdm/bomutils docker images (#21063)

#20571

## Summary of changes

We have a few moving parts in fleetctl land (`fleetdm/wix` is used to
build `msi`s and `fleetdm/bomutils` is used to build `pkg`s, and
`fleetdm/fleetctl` can be used to build packages using docker, no need
for fleetctl executable):
```mermaid
graph LR

fleetctl_exec[fleetctl<br>executable];
wix_image[fleetdm/wix<br>docker image];
bomutils_image[fleetdm/bomutils<br>docker image];
fleetctl_image[fleetdm/fleetctl<br>docker image];

fleetctl_exec -- uses --> wix_image;

fleetctl_image -- COPY dependencies<br>FROM --> wix_image;

fleetctl_exec -- uses --> bomutils_image;

fleetctl_image -- COPY dependencies<br>FROM --> bomutils_image;
```
So, we'll need to update the three images: `fleetdm/bomutils`,
`fleetdm/wix` & `fleetdm/fleetctl`.

- `tools/bomutils-docker/Dockerfile`, `tools/wix-docker/Dockerfile` and
`tools/fleetctl-docker/Dockerfile`: Updating the base image to fix the
CRITICAL vulnerabilities.
- Modified existing+unused
`.github/workflows/build-and-check-fleetctl-docker-and-deps.yml` to run
every day to check for CRITICAL vulnerabilities in `fleetdm/wix`,
`fleetdm/bomutils` and `fleetdm/fleetctl`.
- `.github/workflows/goreleaser-fleetctl-docker-deps.yaml`:
`fleetdm/bomutils` and `fleetdm/wix` were pushed manually a few years
ago (most likely by Zach), so I've added a new action to release them
when we have changes to release (like now). It will basically release
`fleetctl/bomutils` and `fleetdm/wix` when pushing a tag of the form
`fleetctl-docker-deps-*` (we'll need to protect such tag prefix).
- Changes in `.github/workflows/test-native-tooling-packaging.yml` to
build `fleetdm/bomutils` and `fleetdm/wix` for `fleetdm/fleetctl` to use
them instead of the ones in docker hub.

--

Build before upgrading `debian:stable-slim`:

https://github.com/fleetdm/fleet/actions/runs/10255391418/job/28372231837
![Screenshot 2024-08-05 at 5 24
25 PM](https://github.com/user-attachments/assets/8a7d3576-3eb6-474f-989a-079873fca4fa)

Build after upgrading `debian:stable-slim`:
https://github.com/fleetdm/fleet/actions/runs/10255550034

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] Manual QA for all new/changed functionality

.github/workflows/build-and-check-fleetctl-docker-and-deps.yml

@@ -1,13 +1,14 @@
-name: Build and push fleetdm/fleetctl Docker image
+name: Build fleetctl docker dependencies and check vulnerabilities
 
-# Manually trigger this workflow for now
 on:
   workflow_dispatch:
     inputs:
       image_tag:
-        description: 'Docker image tag'
+        description: "Docker image tag"
         required: true
         type: string
+  schedule:
+    - cron: "0 6 * * *"
 
 # This allows a subsequently queued workflow run to interrupt previous runs
 concurrency:
@@ -23,7 +24,7 @@ permissions:
   contents: read
 
 jobs:
-  docker-push:
+  build-and-check:
     runs-on: ubuntu-latest
     environment: Docker Hub
     permissions:
@@ -51,20 +52,41 @@ jobs:
       - name: Install Go Dependencies
         run: make deps-go
 
+      - name: Build fleetdm/wix
+        run: make wix-docker
+
+      - name: Build fleetdm/bomutils
+        run: make bomutils-docker
+
       - name: Build fleetdm/fleetctl
         run: make fleetctl-docker
 
-      - name: Push to Docker
-        run: |
-          docker tag fleetdm/fleetctl fleetdm/fleetctl:${{ inputs.image_tag }}
-          docker push fleetdm/fleetctl:${{ inputs.image_tag }}
-
-      - name: Push To quay.io
-        id: push-to-quay
-        uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1
+      - name: Run Trivy vulnerability scanner on fleetdm/wix
+        uses: aquasecurity/trivy-action@0.20.0
         with:
-          image: fleetdm/fleetctl
-          tags: ${{ inputs.image_tag }}
-          registry: quay.io/
-          username: fleetdm+fleetreleaser
-          password: ${{ secrets.QUAY_REGISTRY_PASSWORD }}
+          image-ref: "fleetdm/wix"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL"
+
+      - name: Run Trivy vulnerability scanner on fleetdm/bomutils
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          image-ref: "fleetdm/bomutils"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL"
+
+      - name: Run Trivy vulnerability scanner on fleetdm/fleetctl
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          image-ref: "fleetdm/fleetctl"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL"

.github/workflows/release-fleetctl-docker-deps.yaml

@@ -0,0 +1,84 @@
+# Builds and releases to production the fleetdm/bomutils:latest and fleetdm/wix:latest
+# docker images, which are the docker image dependencies of the fleetctl command.
+#
+# This is separate from Fleet releases because we only release
+# fleetdm/bomutils and fleetdm/wix only if we add new dependencies
+# or for security updates.
+name: Release fleetctl docker dependencies
+
+on:
+  push:
+    tags:
+      - "fleetctl-docker-deps-*"
+
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  push_latest:
+    runs-on: ubuntu-latest
+    environment: Docker Hub
+    permissions:
+      contents: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - name: Install Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version: ${{ vars.GO_VERSION }}
+
+      - name: Checkout Code
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
+
+      - name: Build fleetdm/wix
+        run: make wix-docker
+
+      - name: Build fleetdm/bomutils
+        run: make bomutils-docker
+
+      #
+      # After fleetdm/wix and fleetdm/bomutils are built,
+      # let's smoke test pkg/msi generation before pushing.
+      #
+
+      - name: Install Go Dependencies
+        run: make deps-go
+
+      - name: Build fleetctl
+        run: make fleetctl
+
+      - name: Build MSI
+        run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080
+
+      - name: Build PKG
+        run: ./build/fleetctl package --type pkg --enroll-secret=foo --fleet-url=https://localhost:8080
+
+      #
+      # Now push to production
+      #
+
+      - name: Push fleetdm/bomutils to docker hub
+        run: docker push fleetdm/bomutils:latest
+
+      - name: Push fleetdm/wix to docker hub
+        run: docker push fleetdm/wix:latest

.github/workflows/test-native-tooling-packaging.yml

@@ -1,4 +1,4 @@
-# This workflow tests packaging of Fleet-osquery with the
+# This workflow tests generation of fleetd packages with the
 # `fleetdm/fleetctl` Docker image.
 name: Test native tooling packaging
 
@@ -61,6 +61,12 @@ jobs:
     - name: Install Go Dependencies
       run: make deps-go
 
+    - name: Build fleetdm/wix
+      run: make wix-docker
+
+    - name: Build fleetdm/bomutils
+      run: make bomutils-docker
+
     - name: Build fleetdm/fleetctl
       run: make fleetctl-docker
 

.github/workflows/test-packaging.yml

@@ -61,9 +61,13 @@ jobs:
       # Run in background while other steps complete to speed up the workflow
       run: docker pull fleetdm/wix:latest &
 
+    - name: Pull fleetdm/bomutils
+      # Run in background while other steps complete to speed up the workflow
+      run: docker pull fleetdm/bomutils:latest &
+
     - name: Run Colima
       if: startsWith(matrix.os, 'macos')
-      timeout-minutes: 10
+      timeout-minutes: 15
       # notes:
       # - docker to install the docker CLI and interact with the Colima
       #   container runtime

Makefile

@@ -221,6 +221,12 @@ docker-push-release: docker-build-release
 fleetctl-docker: xp-fleetctl
 	docker build -t fleetdm/fleetctl --platform=linux/amd64 -f tools/fleetctl-docker/Dockerfile .
 
+bomutils-docker:
+	cd tools/bomutils-docker && docker build -t fleetdm/bomutils --platform=linux/amd64 -f Dockerfile .
+
+wix-docker:
+	cd tools/wix-docker && docker build -t fleetdm/wix --platform=linux/amd64 -f Dockerfile .
+
 .pre-binary-bundle:
 	rm -rf build/binary-bundle
 	mkdir -p build/binary-bundle/linux

changes/20571-update-fleetctl-docker-debian-slim

@@ -0,0 +1 @@
+* Update base images of `fleetdm/fleetctl`, `fleetdm/bomutils` and `fleetdm/wix` to fix CRITICAL vulnerabilities found by trivy.

tools/bomutils-docker/Dockerfile

@@ -1,13 +1,14 @@
-FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8 AS builder
+FROM debian:stable-slim@sha256:90128f59a7c6f6fdcb6493f587ea352d5c7507f52a6ddfba66fc56cd3d99dc2b AS builder
 
 RUN apt-get update
-RUN apt-get install -y build-essential autoconf libxml2-dev libssl-dev zlib1g-dev curl
+RUN apt-get install -y build-essential autoconf libxml2-dev libssl-dev zlib1g-dev curl git
 
-# Install bomutils
-RUN curl -L https://github.com/hogliux/bomutils/archive/0.2.tar.gz > bomutils.tar.gz && \
-    echo "fb1f4ae37045eaa034ddd921ef6e16fb961e95f0364e5d76c9867bc8b92eb8a4  bomutils.tar.gz" | sha256sum --check && \
-    tar -xzf bomutils.tar.gz
-RUN cd bomutils-0.2 && make && make install
+# Build bomutils
+RUN git clone -b master \
+    --depth=1 --no-tags --progress \
+    --no-recurse-submodules https://github.com/hogliux/bomutils.git && \
+    cd bomutils && git reset --hard c41ad8b67d82a0071245ce8a5069023d39a885b8 && \
+    make && make install
 
 # Install xar
 RUN curl -L https://github.com/mackyle/xar/archive/refs/tags/xar-1.6.1.tar.gz > xar.tar.gz && \
@@ -19,9 +20,9 @@ COPY patch.txt .
 RUN cd xar-xar-1.6.1/xar && patch < ../../patch.txt && autoconf && ./configure && make && make install
 
 
-FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8
+FROM debian:stable-slim@sha256:90128f59a7c6f6fdcb6493f587ea352d5c7507f52a6ddfba66fc56cd3d99dc2b
 
-RUN apt-get update && apt-get install -y --no-install-recommends libxml2  && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y --no-install-recommends libxml2 && rm -rf /var/lib/apt/lists/*
 COPY --from=builder /usr/bin /usr/bin/
 COPY --from=builder /usr/local/bin /usr/local/bin/
 COPY --from=builder /usr/local/lib /usr/local/lib/

tools/fleetctl-docker/Dockerfile

@@ -6,7 +6,7 @@ RUN cargo install --version 0.16.0 apple-codesign \
   && curl -sSf $transporter_url -o transporter_install.sh \
   && sh transporter_install.sh --target transporter --accept --noexec
 
-FROM debian:stable-slim@sha256:0f116858482fd8222b4f7e9b4cdc9a054051e67fbb8a57bc22651f0d56b45ad8
+FROM debian:stable-slim@sha256:e5365b94db65754594422a8a101c873728711c6a4df029677f4a7f7200d6e1c3
 
 ARG binpath=build/binary-bundle/linux/fleetctl
 

tools/wix-docker/Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:bullseye-slim@sha256:cc4cc29b4ba8182fca324920f64ff68a3b24acefd4c7ba8a2e5bd4e81ac3bacf
+FROM debian:stable-slim@sha256:90128f59a7c6f6fdcb6493f587ea352d5c7507f52a6ddfba66fc56cd3d99dc2b
 
 RUN true \
     && dpkg --add-architecture i386 \