fix Dockerfile & CVE issues (#31)

* enable pipeline * enable on branch * wrong version * fix all hadolint & bump golang version to resolve CVEs * add trivyignore * remove bloat * add changelog
babylonlabs-io · Nov 21, 2024 · e008751 · e008751
1 parent 1717509
commit e008751
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 8 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -22,9 +22,15 @@ jobs:
 
   docker_pipeline:
     needs: ["lint_test"]
-    uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.7.0
+    uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.10.2
     secrets: inherit
     with:
       publish: true
       dockerfile: ./Dockerfile
       repoName: covenant-emulator
+      docker_scan: true
+    permissions:
+      # required for all workflows
+      security-events: write
+      # required to fetch internal or private CodeQL packs
+      packages: read
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,5 @@
+# LND < 0.17.0 issue, not fixing
+CVE-2024-27304
+GHSA-7jwh-3vrq-q3m8
+CVE-2024-27289
+CVE-2024-38359
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -39,6 +39,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 
 * [#33](https://github.com/babylonlabs-io/covenant-emulator/pull/33) Add remote
 signer sub module
+* [#31](https://github.com/babylonlabs-io/covenant-emulator/pull/31/) Bump docker workflow
+version, fix some Dockerfile issue
 
 ## v0.8.0
 

diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,7 @@
-FROM golang:1.23.1 AS builder
+FROM golang:1.23 AS builder
 
-RUN apt-get update && apt-get install -y make git bash gcc curl jq
+# hadolint ignore=DL3008
+RUN apt-get update && apt-get install --no-install-recommends -y ca-certificates make git bash gcc curl jq && rm -rf /var/lib/apt/lists/*
 
 # Build
 WORKDIR /go/src/github.com/babylonlabs-io/covenant-emulator
@@ -19,15 +20,17 @@ FROM debian:bookworm-slim AS run
 
 RUN addgroup --gid 1138 --system covenant-emulator && adduser --uid 1138 --system --home /home/covenant-emulator covenant-emulator
 
-RUN apt-get update && apt-get install -y bash curl jq wget
+# hadolint ignore=DL3008
+RUN apt-get update && apt-get install --no-install-recommends -y ca-certificates bash curl jq wget && rm -rf /var/lib/apt/lists/*
 
 COPY --from=builder /go/src/github.com/babylonlabs-io/covenant-emulator/go.mod /tmp
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN WASMVM_VERSION=$(grep github.com/CosmWasm/wasmvm /tmp/go.mod | cut -d' ' -f2) && \
-    wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm.$(uname -m).so \
-        -O /lib/libwasmvm.$(uname -m).so && \
+    wget -q https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm."$(uname -m)".so \
+        -O /lib/libwasmvm."$(uname -m)".so && \
     # verify checksum
-    wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/checksums.txt -O /tmp/checksums.txt && \
-    sha256sum /lib/libwasmvm.$(uname -m).so | grep $(cat /tmp/checksums.txt | grep libwasmvm.$(uname -m) | cut -d ' ' -f 1)
+    wget -q https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/checksums.txt -O /tmp/checksums.txt && \
+    sha256sum /lib/libwasmvm."$(uname -m)".so | grep $(cat /tmp/checksums.txt | grep libwasmvm."$(uname -m)" | cut -d ' ' -f 1)
 RUN rm -f /tmp/go.mod
 
 COPY --from=builder /go/src/github.com/babylonlabs-io/covenant-emulator/build/covd /bin/covd