From eb3c5b81e3fb1ba71183d5b4b98de1840677f52c Mon Sep 17 00:00:00 2001
From: huynaism
Date: Fri, 15 Nov 2024 15:20:16 +0700
Subject: [PATCH 1/4] bump pipeline version & enable scanning
---
 .github/workflows/publish.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5f899fa..d90c180 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -17,7 +17,11 @@ jobs:
 docker_pipeline:
 needs: ["lint_test"]
- uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.6.0
+ uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.10.2
 secrets: inherit
 with:
 publish: true
+ docker_scan: true
+ permissions:
+ security-events: write
+ packages: read
From 6e6dc3a66919efd6df45707bf63926eae9686924 Mon Sep 17 00:00:00 2001
From: huynaism
Date: Fri, 15 Nov 2024 15:22:25 +0700
Subject: [PATCH 2/4] resolve hadolint issue
---
 Dockerfile | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 6c42171..336c3dd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.22.3-alpine as builder
+FROM golang:1.22.7-alpine as builder
 # Version to build. Default is the Git HEAD.
 ARG VERSION="HEAD"
@@ -6,10 +6,11 @@ ARG VERSION="HEAD"
 # Use muslc for static libs
 ARG BUILD_TAGS="muslc"
-
+# hadolint ignore=DL3018
 RUN apk add --no-cache --update openssh git make build-base linux-headers libc-dev \
 pkgconfig zeromq-dev musl-dev alpine-sdk libsodium-dev \
- libzmq-static libsodium-static gcc
+ libzmq-static libsodium-static gcc \
+ && rm -rf /var/cache/apk/*
 # Build
 WORKDIR /go/src/github.com/babylonlabs-io/cli-tools
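Review bot: The `uses:` line still references the reusable workflow by a mutable tag (`@v0.10.2`) while `secrets: inherit` on the next line hands every repository secret to whatever that tag resolves to; pinning to the tag's full commit SHA (`uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@<commit-sha> # v0.10.2`) keeps the code that receives those secrets fixed even if the tag is later moved. The added `permissions` block grants only `security-events: write` and `packages: read`; with `publish: true` it is not visible here whether the image push authenticates with the job token under that grant or with an inherited secret, so the push path should be confirmed before merging. A short comment on the new `docker_scan: true` line, such as `# scan findings are uploaded to code scanning; needs security-events: write`, would tie the permission to the option that requires it.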
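Review bot: The `&& rm -rf /var/cache/apk/*` appended to the builder's `RUN apk add` is dead work, because `--no-cache` on the same line already keeps apk from populating `/var/cache/apk`, and the `--update` flag there is superseded by `--no-cache` for the same reason (this is exactly what hadolint DL3019 describes); the same redundant `rm -rf` appears again in the FINAL IMAGE hunk of this patch. Dropping the new continuation and clean-up lines, i.e. ending the instruction at `libzmq-static libsodium-static gcc` and removing `--update`, leaves behaviour unchanged and the layer simpler. The `# hadolint ignore=DL3018` suppression silences the unpinned-package warning instead of pinning (`pkg=version-rN`), so the builder toolchain can differ between two builds of the same commit; if pinning this many packages is judged too brittle, a comment beside the ignore stating that trade-off, e.g. `# hadolint ignore=DL3018  -- builder only; packages left unpinned to track alpine security updates`, records the decision for the next reader.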
@@ -26,11 +27,11 @@ RUN CGO_LDFLAGS="$CGO_LDFLAGS -lstdc++ -lm -lsodium" \
 make build
 # FINAL IMAGE
-FROM alpine:3.16 AS run
-
-RUN addgroup --gid 1138 -S cli-tools && adduser --uid 1138 -S cli-tools -G cli-tools
+FROM alpine:3.20 AS run
-RUN apk add bash curl jq
+# hadolint ignore=DL3018
+RUN addgroup --gid 1138 -S cli-tools && adduser --uid 1138 -S cli-tools -G cli-tools \
+ && apk --no-cache add bash curl jq && rm -rf /var/cache/apk/*
 COPY --from=builder /go/src/github.com/babylonlabs-io/cli-tools/build/cli-tools /bin/cli-tools
From 4b972e01bee21d73f6b6e293c216531fc6d127c0 Mon Sep 17 00:00:00 2001
From: Huy Nguyen
Date: Fri, 22 Nov 2024 03:40:21 +0000
Subject: [PATCH 3/4] bump cors to v1.11.0
---
 go.mod | 2 +-
 go.sum | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index c59271c..b1e710b 100644
--- a/go.mod
+++ b/go.mod
@@ -258,7 +258,7 @@ require (
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
 github.com/rogpeppe/go-internal v1.12.0 // indirect
- github.com/rs/cors v1.8.3 // indirect
+ github.com/rs/cors v1.11.0 // indirect
 github.com/rs/zerolog v1.32.0 // indirect
 github.com/sasha-s/go-deadlock v0.3.1 // indirect
 github.com/sirupsen/logrus v1.9.0 // indirect
diff --git a/go.sum b/go.sum
index 610d58e..1d9948d 100644
--- a/go.sum
+++ b/go.sum
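Review bot: The merged `RUN addgroup ... adduser ...` line creates uid/gid 1138, but no `USER cli-tools` instruction is visible in this hunk and the `run` stage continues past the `COPY --from=builder` line, so whether the final image actually drops root cannot be confirmed from the patch; if the stage has none, `USER cli-tools` placed after the `COPY` is the one-line fix. As in the builder hunk, the `&& rm -rf /var/cache/apk/*` after `apk --no-cache add` is a no-op and can be removed. Here the `# hadolint ignore=DL3018` suppression applies to the runtime image, where unpinned `bash curl jq` means two builds of the same commit can produce different package sets and therefore different results from the `docker_scan` this series enables; pinning those three packages (`bash=<version>`) or pinning `alpine:3.20` by digest would make the scan output reproducible. It is also worth a comment noting whether `curl` is needed by the tool at runtime or only for a health probe, since it widens the runtime image's attack surface.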
@@ -1186,6 +1186,8 @@ github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99
 github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
 github.com/rs/cors v1.8.3 h1:O+qNyWn7Z+F9M0ILBHgMVPuB1xTOucVd5gtaYyXBpRo=
 github.com/rs/cors v1.8.3/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
+github.com/rs/cors v1.11.0 h1:0B9GE/r9Bc2UxRMMtymBkHTenPkHDv0CW4Y98GBY+po=
+github.com/rs/cors v1.11.0/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
From abe7d00715eaca630e8cda572686e59ac36a6d99 Mon Sep 17 00:00:00 2001
From: Huy Nguyen
Date: Fri, 22 Nov 2024 03:42:41 +0000
Subject: [PATCH 4/4] add trivyignore for lnd issue
---
 .trivyignore | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .trivyignore
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..d926b19
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,5 @@
+# LND < 0.17.0 issue, not fixing
+CVE-2024-27304
+GHSA-7jwh-3vrq-q3m8
+CVE-2024-27289
+CVE-2024-38359
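Review bot: The four ignore entries carry no expiry, and the single comment `# LND < 0.17.0 issue, not fixing` records neither which module each ID is reported against nor why the affected code is not reachable from this binary, so the suppression will silently outlive the reason for it once lnd is upgraded. Trivy's ignore file accepts a per-entry expiry in the form `CVE-2024-27304 exp:<YYYY-MM-DD>`, and a comment line above each ID can carry the justification, e.g. `# reported via <module> pulled in by lnd; not exercised by cli-tools -- TODO confirm on next lnd bump`. Tying each expiry to the planned lnd upgrade forces the list to be revisited rather than becoming a permanent blind spot in the `docker_scan` this series enables.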