From e008751f786ed97dd70b9cd3fc80e91a92e81390 Mon Sep 17 00:00:00 2001 From: huynaism <77400732+huynaism@users.noreply.github.com> Date: Thu, 21 Nov 2024 15:32:28 +0700 Subject: [PATCH] fix Dockerfile & CVE issues (#31) * enable pipeline * enable on branch * wrong version * fix all hadolint & bump golang version to resolve CVEs * add trivyignore * remove bloat * add changelog --- .github/workflows/publish.yml | 8 +++++++- .trivyignore | 5 +++++ CHANGELOG.md | 2 ++ Dockerfile | 17 ++++++++++------- 4 files changed, 24 insertions(+), 8 deletions(-) create mode 100644 .trivyignore diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index e3dc3ba..e72f5d2 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -22,9 +22,15 @@ jobs: docker_pipeline: needs: ["lint_test"] - uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.7.0 + uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.10.2 secrets: inherit with: publish: true dockerfile: ./Dockerfile repoName: covenant-emulator + docker_scan: true + permissions: + # required for all workflows + security-events: write + # required to fetch internal or private CodeQL packs + packages: read \ No newline at end of file diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 0000000..63355fc --- /dev/null +++ b/.trivyignore @@ -0,0 +1,5 @@ +# LND < 0.17.0 issue, not fixing +CVE-2024-27304 +GHSA-7jwh-3vrq-q3m8 +CVE-2024-27289 +CVE-2024-38359 \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index 522342e..7f4df32 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -39,6 +39,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) * [#33](https://github.com/babylonlabs-io/covenant-emulator/pull/33) Add remote signer sub module +* [#31](https://github.com/babylonlabs-io/covenant-emulator/pull/31/) Bump docker workflow +version, fix some Dockerfile issue ## v0.8.0 
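Review bot: The reusable workflow is still referenced by a mutable tag, `uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.10.2`, while the job passes `secrets: inherit` and `publish: true`, so whoever can move that tag in the `.github` repository can run steps with this repo's publishing secrets. The exposure is limited to the same org, but the usual control is to pin the full commit SHA and keep the tag as a comment, `uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@<commit-sha> # v0.10.2`. The `# required to fetch internal or private CodeQL packs` comment on `packages: read` reads as copied from CodeQL documentation; if the pipeline's `docker_scan` is Trivy, as the new .trivyignore suggests, reword it to say why this job needs `packages: read` or drop the permission. The file also ends without a trailing newline.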
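Review bot: The four suppressed IDs share one justification, `# LND < 0.17.0 issue, not fixing`, with no per-ID rationale and no expiry, so they stay silenced even if a later dependency change makes one of them reachable through a different package or path. Trivy's ignore file accepts an expiration suffix that forces a re-review when it lapses, e.g. `CVE-2024-27304 exp:2025-05-31`; add one to each line and a comment naming the package and path each ID was reported in and why it is not exploitable in this binary. If the GHSA entry is an alias of one of the CVEs, say so in the comment so a reader does not count it as a separate finding. The file also lacks a trailing newline.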
diff --git a/Dockerfile b/Dockerfile index 35c05c1..ac4fc06 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,7 @@ -FROM golang:1.23.1 AS builder +FROM golang:1.23 AS builder -RUN apt-get update && apt-get install -y make git bash gcc curl jq +# hadolint ignore=DL3008 +RUN apt-get update && apt-get install --no-install-recommends -y ca-certificates make git bash gcc curl jq && rm -rf /var/lib/apt/lists/* # Build WORKDIR /go/src/github.com/babylonlabs-io/covenant-emulator 
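Review bot: `FROM golang:1.23 AS builder` replaces a patch-pinned tag with a floating minor tag, so which 1.23.x toolchain (and which set of CVE fixes) the builder gets now depends on when the image is pulled, and two builds of the same commit can differ. Since the commit's intent is to build with a Go version that clears the scanner, pin the exact patch and its digest instead, `FROM golang:1.23.<patch>@sha256:<digest> AS builder`, and bump it deliberately; an `ARG GO_VERSION=1.23.<patch>` above `FROM` keeps that bump a one-line change. The `# hadolint ignore=DL3008` leaves the builder's apt packages unpinned, which is a common trade-off on a Debian base, but the comment should say that this is deliberate so the suppression is not mistaken for an oversight.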
@@ -19,15 +20,17 @@ FROM debian:bookworm-slim AS run RUN addgroup --gid 1138 --system covenant-emulator && adduser --uid 1138 --system --home /home/covenant-emulator covenant-emulator -RUN apt-get update && apt-get install -y bash curl jq wget +# hadolint ignore=DL3008 +RUN apt-get update && apt-get install --no-install-recommends -y ca-certificates bash curl jq wget && rm -rf /var/lib/apt/lists/* COPY --from=builder /go/src/github.com/babylonlabs-io/covenant-emulator/go.mod /tmp +SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN WASMVM_VERSION=$(grep github.com/CosmWasm/wasmvm /tmp/go.mod | cut -d' ' -f2) && \ - wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm.$(uname -m).so \ - -O /lib/libwasmvm.$(uname -m).so && \ + wget -q https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm."$(uname -m)".so \ + -O /lib/libwasmvm."$(uname -m)".so && \ # verify checksum - wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/checksums.txt -O /tmp/checksums.txt && \ - sha256sum /lib/libwasmvm.$(uname -m).so | grep $(cat /tmp/checksums.txt | grep libwasmvm.$(uname -m) | cut -d ' ' -f 1) + wget -q https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/checksums.txt -O /tmp/checksums.txt && \ + sha256sum /lib/libwasmvm."$(uname -m)".so | grep $(cat /tmp/checksums.txt | grep libwasmvm."$(uname -m)" | cut -d ' ' -f 1) RUN rm -f /tmp/go.mod COPY --from=builder /go/src/github.com/babylonlabs-io/covenant-emulator/build/covd /bin/covd
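Review bot: The checksum step still compares by substring, `sha256sum /lib/libwasmvm."$(uname -m)".so | grep $(cat /tmp/checksums.txt | grep libwasmvm."$(uname -m)" | cut -d ' ' -f 1)`: the expected hash is unquoted and used as a grep regex, and if checksums.txt has no entry for the running arch the substitution expands to nothing, so grep exits with a usage error rather than a clear checksum mismatch. Assuming checksums.txt is in sha256sum's `hash  filename` layout, which the existing `cut -d ' ' -f 1` suggests, let `sha256sum -c` do an exact comparison and fail on a missing entry, and remove the checksum file in the same layer since only go.mod is cleaned up afterwards. Capturing `uname -m` once also avoids repeating the substitution four times. The rest of the stage (apt install, SHELL, user creation) is unchanged by this suggestion.

```dockerfile
RUN WASMVM_VERSION=$(grep github.com/CosmWasm/wasmvm /tmp/go.mod | cut -d' ' -f2) && \
    ARCH="$(uname -m)" && \
    wget -q "https://github.com/CosmWasm/wasmvm/releases/download/${WASMVM_VERSION}/libwasmvm.${ARCH}.so" \
      -O "/lib/libwasmvm.${ARCH}.so" && \
    wget -q "https://github.com/CosmWasm/wasmvm/releases/download/${WASMVM_VERSION}/checksums.txt" -O /tmp/checksums.txt && \
    # verify checksum: exact hash match, fails if the arch entry is absent
    (cd /lib && grep -F "libwasmvm.${ARCH}.so" /tmp/checksums.txt | sha256sum -c -) && \
    rm -f /tmp/checksums.txt
# … unchanged: RUN rm -f /tmp/go.mod and COPY of /bin/covd …
```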