
Commit 7b34621

fix: update dependencies to resolve vulns
1 parent e68e524 commit 7b34621


8 files changed

+840
-782
lines changed


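--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -486,7 +486,9 @@ workflows:
 MERGE_TO_STAGING:
 jobs:
 - build_image:
-context: analysis_test-enrichment
+context:
+- analysis_test-enrichment
+- go-private-modules
 filters:
 branches:
 only:
@@ -543,7 +545,9 @@ workflows:
 - staging
 - master
 - build_image:
-context: analysis_test-enrichment
+context:
+- analysis_test-enrichment
+- go-private-modules
 requires:
 - Scan repository for secrets
 - Security Scans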

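--- a/.snyk
+++ b/.snyk
@@ -4,20 +4,26 @@ version: v1.25.0
 ignore:
 SNYK-JS-BRACES-6838727:
 - '*':
-reason: >-
-Waiting for a patch: https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727
-expires: 2024-12-19T12:00:00.000Z
-created: 2024-05-16T12:00:00.000Z
-SNYK-JS-MICROMATCH-6838728:
+reason: devDependency
+expires: 2025-12-01T12:00:00.000Z
+created: 2024-10-23T12:00:00.000Z
+SNYK-JS-INFLIGHT-6095116:
+- '*':
+reason: Waiting for upstream fix
+expires: 2025-01-10T12:00:00.000Z
+created: 2024-10-23T12:00:00.000Z
+SNYK-JS-REQUEST-3361831:
 - '*':
 reason: >-
-Waiting for a patch: https://security.snyk.io/vuln/SNYK-JS-MICROMATCH-6838728
-expires: 2024-12-19T12:00:00.000Z
-created: 2024-05-16T12:00:00.000Z
-SNYK-JS-JSONPATHPLUS-7945884:
+Waiting for @kubernetes/client-node fetch migration
+https://github.com/kubernetes-client/javascript/blob/master/FETCH_MIGRATION.md
+expires: 2025-01-10T12:00:00.000Z
+created: 2024-10-23T12:00:00.000Z
+SNYK-JS-TOUGHCOOKIE-5672873:
 - '*':
 reason: >-
-Waiting for transient dependency to update
-expires: 2024-12-19T12:00:00.000Z
+Waiting for @kubernetes/client-node fetch migration
+https://github.com/kubernetes-client/javascript/blob/master/FETCH_MIGRATION.md
+expires: 2025-01-10T12:00:00.000Z
 created: 2024-10-23T12:00:00.000Z
 patch: {}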
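Review bot: The SNYK-JS-BRACES-6838727 ignore (new lines 7–9) rewrites its `created` date from 2024-05-16 to 2024-10-23 while pushing `expires` out by a further year; resetting `created` hides how long this finding has already been carried, so keep `created: 2024-05-16T12:00:00.000Z` and change only `expires`. The new `reason: devDependency` is also much thinner than the URL-bearing reasons elsewhere in the file — Snyk's own dev-dependency handling is normally the way to keep dev-only findings out of a scan, so if a policy ignore is still needed the reason should say which package path pulls it in and why it cannot be excluded that way. The SNYK-JS-INFLIGHT-6095116 entry (new lines 10–14) says `Waiting for upstream fix` without naming the upstream package or issue; a link like the REQUEST and TOUGHCOOKIE entries carry would make its 2025-01-10 expiry reviewable.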

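--- a/Dockerfile
+++ b/Dockerfile
@@ -1,19 +1,19 @@
 #---------------------------------------------------------------------
 # STAGE 1: Build credential helpers inside a temporary container
 #---------------------------------------------------------------------
-FROM golang:alpine AS cred-helpers-build
-
-RUN apk update
-RUN apk upgrade
-RUN apk --no-cache add git
+FROM --platform=linux/amd64 golang:1.23 AS cred-helpers-build
 
 RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login@bef5bd9384b752e5c645659165746d5af23a098a
-RUN go install github.com/chrismellard/docker-credential-acr-env@82a0ddb2758901b711d9d1614755b77e401598a1
+RUN --mount=type=secret,id=gh_token,required=true \
+git config --global url."https://$(cat /run/secrets/gh_token):[email protected]/snyk".insteadOf "https://github.com/snyk" && \
+go env -w GOPRIVATE=github.com/snyk && \
+go install github.com/snyk/docker-credential-acr-env@8fa416c5b20b174e9032df1899843b4ebe2adda8 && \
+git config --global --unset url."https://$(cat /run/secrets/gh_token):[email protected]/snyk".insteadOf
 
 #---------------------------------------------------------------------
-# STAGE 2: Build the kubernetes-monitor
+# STAGE 2: Build kubernetes-monitor application
 #---------------------------------------------------------------------
-FROM node:18-alpine3.20
+FROM --platform=linux/amd64 node:18-alpine3.20
 
 LABEL name="Snyk Controller" \
 maintainer="[email protected]" \
@@ -23,7 +23,7 @@ LABEL name="Snyk Controller" \
 
 COPY LICENSE /licenses/LICENSE
 
-ENV NODE_ENV production
+ENV NODE_ENV=production
 
 RUN apk update
 RUN apk upgrade
@@ -34,7 +34,8 @@ RUN adduser -S -G snyk -h /srv/app -u 10001 snyk
 
 # Install gcloud
 RUN curl -sL https://sdk.cloud.google.com > /install.sh
-RUN bash /install.sh --disable-prompts --install-dir=/ && rm -rf /google-cloud-sdk/platform
+RUN bash /install.sh --disable-prompts --install-dir=/ && \
+rm -rf /google-cloud-sdk/platform /google-cloud-sdk/bin/anthoscli /google-cloud-sdk/bin/gcloud-crc32c
 ENV PATH=/google-cloud-sdk/bin:$PATH
 RUN rm /install.sh
 RUN apk del curl bash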
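Review bot: The closing `git config --global --unset url."https://$(cat /run/secrets/gh_token):…/snyk".insteadOf` in the new RUN of the first hunk (new lines 7–11) removes only the `insteadOf` key; in my experience git keeps the now-empty `[url "https://<token>:…@github.com/snyk"]` section header, so the token string is still written into /root/.gitconfig in the cred-helpers-build layer, which is exactly what the secret mount was meant to prevent — Dockerfile.ubi9 carries the same RUN and has the same issue. The one-line fix is to end the chain with `git config --global --remove-section url."https://$(cat /run/secrets/gh_token):…/snyk"` instead of `--unset`; the cleaner fix is to pass the rewrite through git's environment configuration (git ≥ 2.31), which never touches a file and needs no cleanup step, as sketched below (the rendered page has obfuscated the user part of the URL, shown as a placeholder). Either way, a failed `go install` aborts the `&&` chain and the layer is not committed, so no cleanup trap is needed.
```dockerfile
RUN --mount=type=secret,id=gh_token,required=true \
    GIT_CONFIG_COUNT=1 \
    GIT_CONFIG_KEY_0="url.https://$(cat /run/secrets/gh_token):<USER_FROM_ORIGINAL>@github.com/snyk.insteadOf" \
    GIT_CONFIG_VALUE_0="https://github.com/snyk" \
    GOPRIVATE=github.com/snyk \
    go install github.com/snyk/docker-credential-acr-env@8fa416c5b20b174e9032df1899843b4ebe2adda8
```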

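--- a/Dockerfile.ubi9
+++ b/Dockerfile.ubi9
@@ -1,16 +1,19 @@
-# syntax=docker/dockerfile:1
 #---------------------------------------------------------------------
-# PRE-BUILD STAGE: Build the acr credential helper binary
-# This is due to the fact that the acr credential helper is not being actively released
+# STAGE 1: Build credential helpers inside a temporary container
 #---------------------------------------------------------------------
-FROM --platform=linux/amd64 golang:1.16 as cred-helpers-build
+FROM --platform=linux/amd64 golang:1.23 as cred-helpers-build
 
-RUN go install github.com/chrismellard/docker-credential-acr-env@82a0ddb2758901b711d9d1614755b77e401598a1
+RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login@bef5bd9384b752e5c645659165746d5af23a098a
+RUN --mount=type=secret,id=gh_token,required=true \
+git config --global url."https://$(cat /run/secrets/gh_token):[email protected]/snyk".insteadOf "https://github.com/snyk" && \
+go env -w GOPRIVATE=github.com/snyk && \
+go install github.com/snyk/docker-credential-acr-env@8fa416c5b20b174e9032df1899843b4ebe2adda8 && \
+git config --global --unset url."https://$(cat /run/secrets/gh_token):[email protected]/snyk".insteadOf
 
 #---------------------------------------------------------------------
-# STAGE 1: Build kubernetes-monitor application
+# STAGE 2: Build kubernetes-monitor application
 #---------------------------------------------------------------------
-FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/nodejs-18:1-84 AS build
+FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/nodejs-18:1-123 AS build
 
 ENV NODE_ENV production
 
@@ -26,14 +29,14 @@ COPY --chown=1001:1001 . ./
 RUN npm run build
 
 #---------------------------------------------------------------------
-# STAGE 2: Install containers-common to obtain configuration files
+# STAGE 3: Install containers-common to obtain configuration files
 #---------------------------------------------------------------------
 FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi:9.4 AS containers-common
 
 RUN dnf install -y containers-common
 
 #---------------------------------------------------------------------
-# STAGE 3: Build the kubernetes-monitor final image
+# STAGE 4: Build the kubernetes-monitor final image
 #---------------------------------------------------------------------
 FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi:9.4
 
@@ -43,14 +46,8 @@ ARG NODE_18_LATEST_VERSION_TAR_GZ_FILE_SHASUM256
 ARG DUMB_INIT_VERSION=1.2.5
 ARG DUMB_INIT_BINARY_FILE_SHASUM256=e874b55f3279ca41415d290c512a7ba9d08f98041b28ae7c2acb19a545f1c4df
 # https://github.com/lework/skopeo-binary/releases
-ARG SKOPEO_VERSION=1.13.2
-ARG SKOPEO_BINARY_FILE_SHASUM256=2f00be6ee1c4cbfa7f2452be90a1a2ce88fd92a6d0f6a2e9d901bd2087bd9092
-# https://github.com/awslabs/amazon-ecr-credential-helper/releases
-# for sha: download SHA256 for the linux-amd64/docker-credential-ecr-login, then `cat docker-credential-ecr-login.sha256`
-ARG ECR_CREDENTIAL_HELPER_VERSION=0.9.0
-ARG ECR_CREDENTIAL_HELPER_BINARY_FILE_SHASUM256=dd6bd933e439ddb33b9f005ad5575705a243d4e1e3d286b6c82928bcb70e949a
-# since this is built from a commit, you will need to build it locally to get the sha
-ARG ACR_CREDENTIAL_HELPER_BINARY_SHASUM256=598bbd4ad2741ae2e68ac55e938a4542e71952e418e6278a74baf6213ef8ce76
+ARG SKOPEO_VERSION=1.16.1
+ARG SKOPEO_BINARY_FILE_SHASUM256=8813fb7fcd7a723196ac287683dd929d280f6fe7f0782eace452fe1e3ff2b7eb
 
 LABEL name="Snyk Controller" \
 maintainer="[email protected]" \
@@ -60,7 +57,7 @@ LABEL name="Snyk Controller" \
 
 COPY LICENSE /licenses/LICENSE
 
-ENV NODE_ENV production
+ENV NODE_ENV=production
 
 RUN yum upgrade -y
 
@@ -83,17 +80,12 @@ COPY --chown=snyk:snyk --from=containers-common /etc/containers/registries.d/def
 COPY --chown=snyk:snyk --from=containers-common /etc/containers/policy.json /etc/containers/policy.json
 
 # Install credential helpers
-RUN curl -sSfLo /usr/local/bin/docker-credential-ecr-login "https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${ECR_CREDENTIAL_HELPER_VERSION}/linux-amd64/docker-credential-ecr-login" && \
-chmod 755 /usr/local/bin/docker-credential-ecr-login && \
-echo "${ECR_CREDENTIAL_HELPER_BINARY_FILE_SHASUM256} /usr/local/bin/docker-credential-ecr-login" | sha256sum --check --status
+COPY --chown=snyk:snyk --from=cred-helpers-build /go/bin/docker-credential-ecr-login /usr/bin/docker-credential-ecr-login
 COPY --chown=snyk:snyk --from=cred-helpers-build /go/bin/docker-credential-acr-env /usr/local/bin/docker-credential-acr-env
-RUN echo "${ACR_CREDENTIAL_HELPER_BINARY_SHASUM256} /usr/local/bin/docker-credential-acr-env" | sha256sum --check --status
-
 
 # Install gcloud
 RUN curl -sSfL https://sdk.cloud.google.com | bash -s -- --disable-prompts --install-dir=/ && \
-rm -f /google-cloud-sdk/bin/anthoscli && \
-rm -rf /google-cloud-sdk/platform
+rm -rf /google-cloud-sdk/platform /google-cloud-sdk/bin/anthoscli /google-cloud-sdk/bin/gcloud-crc32c
 ENV PATH=/google-cloud-sdk/bin:$PATH
 
 # Install node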
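Review bot: The first hunk deletes the `# syntax=docker/dockerfile:1` directive at the same time as it introduces `RUN --mount=type=secret`, which only a BuildKit frontend understands; without the directive the build silently depends on whatever frontend the builder defaults to, so keep `# syntax=docker/dockerfile:1` as line 1. In the last hunk docker-credential-ecr-login is now copied to `/usr/bin/` while docker-credential-acr-env on the next line (and the old download it replaces) lives in `/usr/local/bin/`; one directory for both, e.g. `COPY --chown=snyk:snyk --from=cred-helpers-build /go/bin/docker-credential-ecr-login /usr/local/bin/docker-credential-ecr-login`, keeps the `docker-credential-<name>` lookup and any PATH assumptions uniform. That hunk also drops the `sha256sum --check` of both helper binaries; the commit-pinned `go install` in stage 1 is a reasonable replacement, but a one-line comment above the COPYs saying that provenance now comes from the pinned commits would stop the next reader from re-adding downloads. Minor style: `as cred-helpers-build` in the stage-1 FROM is lower-case while the other stages use `AS`, which BuildKit's FromAsCasing check flags.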
