From c40eecf8f9c9f767aac23979f56c4ec158a3f31d Mon Sep 17 00:00:00 2001 From: Michael Zalimeni Date: Fri, 13 Sep 2024 15:02:11 -0400 Subject: [PATCH] security: update alpine base image to 3.20 (#21729) * security: update alpine base image to 3.20 * security: update scan config to remove old triage exceptions --- .changelog/21729.txt | 4 ++++ .release/security-scan.hcl | 5 ----- Dockerfile | 4 ++-- test/integration/connect/envoy/Dockerfile-tcpdump | 2 +- test/integration/connect/envoy/helpers.bash | 2 +- 5 files changed, 8 insertions(+), 9 deletions(-) create mode 100644 .changelog/21729.txt diff --git a/.changelog/21729.txt b/.changelog/21729.txt new file mode 100644 index 0000000000..ce334fdfe9 --- /dev/null +++ b/.changelog/21729.txt @@ -0,0 +1,4 @@ +```release-notes:security +Bump Dockerfile base image to `alpine:3.20`. +This resolves CVE-2024-7264 and CVE-2024-8096 (curl). +``` diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl index 33300a154c..54b96cdb94 100644 --- a/.release/security-scan.hcl +++ b/.release/security-scan.hcl @@ -38,11 +38,6 @@ container { suppress { # N.b. `vulnerabilites` is the correct spelling for this tool. vulnerabilites = [ - "CVE-2023-46218", # curl@8.4.0-r0 - "CVE-2023-46219", # curl@8.4.0-r0 - "CVE-2023-5678", # openssl@3.1.4-r0 - "CVE-2024-7264", # curl@8.9.0 - "CVE-2024-8096", # curl@8.9.1-r0 ] paths = [ "internal/tools/proto-gen-rpc-glue/e2e/consul/*", diff --git a/Dockerfile b/Dockerfile index 24c9583f91..55e5972bd9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ # Official docker image that includes binaries from releases.hashicorp.com. This # downloads the release from releases.hashicorp.com and therefore requires that # the release is published before building the Docker image. -FROM docker.mirror.hashicorp.services/alpine:3.19 as official +FROM docker.mirror.hashicorp.services/alpine:3.20 as official # This is the release of Consul to pull in. ARG VERSION 
@@ -112,7 +112,7 @@ CMD ["agent", "-dev", "-client", "0.0.0.0"] # Production docker image that uses CI built binaries. # Remember, this image cannot be built locally. -FROM docker.mirror.hashicorp.services/alpine:3.19 as default +FROM docker.mirror.hashicorp.services/alpine:3.20 as default ARG PRODUCT_VERSION ARG BIN_NAME diff --git a/test/integration/connect/envoy/Dockerfile-tcpdump b/test/integration/connect/envoy/Dockerfile-tcpdump index 658cd30a23..ea076961cf 100644 --- a/test/integration/connect/envoy/Dockerfile-tcpdump +++ b/test/integration/connect/envoy/Dockerfile-tcpdump @@ -1,4 +1,4 @@ -FROM alpine:3.17 +FROM alpine:3.20 RUN apk add --no-cache tcpdump VOLUME [ "/data" ] diff --git a/test/integration/connect/envoy/helpers.bash b/test/integration/connect/envoy/helpers.bash index 3efcd38e82..1173101716 100755 --- a/test/integration/connect/envoy/helpers.bash +++ b/test/integration/connect/envoy/helpers.bash @@ -652,7 +652,7 @@ function docker_consul_for_proxy_bootstrap { function docker_wget { local DC=$1 shift 1 - docker run --rm --network container:envoy_consul-${DC}_1 docker.mirror.hashicorp.services/alpine:3.17 wget "$@" + docker run --rm --network container:envoy_consul-${DC}_1 docker.mirror.hashicorp.services/alpine:3.20 wget "$@" } function docker_curl {
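Review bot: `FROM docker.mirror.hashicorp.services/alpine:3.20 as default` pins only a floating minor tag, so whether the built image actually carries the curl fixes the changelog claims (CVE-2024-7264, CVE-2024-8096) depends on which 3.20.x point release the mirror serves at build time; the removed suppressions show `curl@8.9.1-r0` was still flagged for CVE-2024-8096, so only a later package revision clears it. Pinning the digest, e.g. `FROM docker.mirror.hashicorp.services/alpine:3.20@sha256:<digest> as default`, makes the fixed package set reproducible and lets the scanner result be tied to a specific base rather than to whatever the tag resolved to on release day. The same applies to the `official` stage hunk earlier in this patch. I cannot see from this hunk whether curl is installed into this stage, so the exposure should be confirmed against the `RUN apk add` lines in the rest of the Dockerfile before treating the CVEs as resolved. While touching these lines, `AS default` (uppercase) would also satisfy BuildKit's `FromAsCasing` check.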