github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

security: update alpine base image to 3.20 (#21729) 

* security: update alpine base image to 3.20

* security: update scan config to remove old triage exceptions
pull/21731/head
Michael Zalimeni 2 months ago committed by GitHub
parent
de281cbfb7
commit
c40eecf8f9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 8 additions and 9 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 4
      .changelog/21729.txt
  2. 5
      .release/security-scan.hcl
  3. 4
      Dockerfile
  4. 2
      test/integration/connect/envoy/Dockerfile-tcpdump
  5. 2
      test/integration/connect/envoy/helpers.bash

4
.changelog/21729.txt
Unescape View File

@ -0,0 +1,4 @@
```release-notes:security
Bump Dockerfile base image to `alpine:3.20`.
This resolves CVE-2024-7264 and CVE-2024-8096 (curl).
```

5
.release/security-scan.hcl
Unescape View File

@ -38,11 +38,6 @@ container {
suppress {
# N.b. `vulnerabilites` is the correct spelling for this tool.
vulnerabilites = [
"CVE-2023-46218", # curl@8.4.0-r0
"CVE-2023-46219", # curl@8.4.0-r0
"CVE-2023-5678", # openssl@3.1.4-r0
"CVE-2024-7264", # curl@8.9.0
"CVE-2024-8096", # curl@8.9.1-r0
]
paths = [
"internal/tools/proto-gen-rpc-glue/e2e/consul/*",

4
Dockerfile
Unescape View File

@ -16,7 +16,7 @@
# Official docker image that includes binaries from releases.hashicorp.com. This
# downloads the release from releases.hashicorp.com and therefore requires that
# the release is published before building the Docker image.
FROM docker.mirror.hashicorp.services/alpine:3.19 as official
FROM docker.mirror.hashicorp.services/alpine:3.20 as official
# This is the release of Consul to pull in.
ARG VERSION
@ -112,7 +112,7 @@ CMD ["agent", "-dev", "-client", "0.0.0.0"]
# Production docker image that uses CI built binaries.
# Remember, this image cannot be built locally.
FROM docker.mirror.hashicorp.services/alpine:3.19 as default
FROM docker.mirror.hashicorp.services/alpine:3.20 as default
ARG PRODUCT_VERSION
ARG BIN_NAME

2
test/integration/connect/envoy/Dockerfile-tcpdump
Unescape View File

@ -1,4 +1,4 @@
FROM alpine:3.17
FROM alpine:3.20
RUN apk add --no-cache tcpdump
VOLUME [ "/data" ]

2
test/integration/connect/envoy/helpers.bash
Unescape View File

@ -652,7 +652,7 @@ function docker_consul_for_proxy_bootstrap {
function docker_wget {
local DC=$1
shift 1
docker run --rm --network container:envoy_consul-${DC}_1 docker.mirror.hashicorp.services/alpine:3.17 wget "$@"
docker run --rm --network container:envoy_consul-${DC}_1 docker.mirror.hashicorp.services/alpine:3.20 wget "$@"
}
function docker_curl {

Write Preview
Loading…
Cancel
Save