Merge pull request #87 from andyzhangx/fix-CVE-2021-3997

k8s-ci-robot · web-flow · commit 8594fb87b1f4 · 2022-01-13T18:58:27.000-08:00
fix: CVE-2021-3997 in image build
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -21,8 +21,7 @@ jobs:
           export REGISTRY=test
           export IMAGE_VERSION=latest
           export DOCKER_CLI_EXPERIMENTAL=enabled
-          make
-          make container-build
+          make container
       
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
diff --git a/Dockerfile b/Dockerfile
@@ -12,7 +12,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM ubuntu
+FROM k8s.gcr.io/build-image/debian-base:bullseye-v1.0.0
+
+RUN apt update && apt-mark unhold libcap2
+RUN clean-install ca-certificates mount
+# install updated packages to fix CVE issues
+RUN clean-install libssl1.1 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0 libgmp10
 
 # Copy iscsiplugin.sh
 COPY iscsiplugin.sh /iscsiplugin.sh
diff --git a/Makefile b/Makefile
@@ -29,8 +29,9 @@ OUTPUT_TYPE ?= docker
 ARCH ?= amd64
 IMAGE_TAG = $(REGISTRY)/$(IMAGENAME):$(IMAGE_VERSION)
 
-.PHONY: container-build
-container-build:
+.PHONY: container
+container:
+	make
 	docker buildx build --pull --output=type=$(OUTPUT_TYPE) --platform="linux/$(ARCH)" \
 		-t $(IMAGE_TAG) --build-arg ARCH=$(ARCH) .
 
