fix dockerfile & CVEs issues (#127)

Remaining CVEs that fires alarms: | Lib | CVE | Current version | Fixed version | Indirect | | -------- | ------------------------------------------------------------------------ | ---------------- | ------------- | -------- | | CometBFT | [GHSA-p7mv-53f2-4cwj](GHSA-p7mv-53f2-4cwj) | 0.38.9 | 0.38.15 | | | CometBFT | [GHSA-g5xx-c4hv-9ccc](GHSA-g5xx-c4hv-9ccc) | 0.38.9 | 0.38.12 | | | wasmd | [GHSA-g8w7-7vgg-x7xg](GHSA-g8w7-7vgg-x7xg) | 0.52.0 | 0.53.0 | | | wasmd | [GHSA-fpgj-cr28-fvpx](GHSA-fpgj-cr28-fvpx) | 0.52.0 | 0.53.0 | | | lnd | [CVE-2024-38359](https://avd.aquasec.com/nvd/cve-2024-38359) | v0.16.4-beta.rc1 | 0.17.0-beta | |
babylonlabs-io · Nov 21, 2024 · fd05973 · fd05973
1 parent 81531dc
commit fd05973
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 10 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -23,9 +23,15 @@ jobs:
 
   docker_pipeline:
     needs: ["lint_test"]
-    uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.7.0
+    uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.10.2
     secrets: inherit
     with:
       publish: true
       dockerfile: ./Dockerfile
       repoName: finality-provider
+      docker_scan: true
+    permissions:
+      # required for all workflows
+      security-events: write
+      # required to fetch internal or private CodeQL packs
+      packages: read
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,5 @@
+# LND < 0.17.0 issue, not fixing
+CVE-2024-27304
+GHSA-7jwh-3vrq-q3m8
+CVE-2024-27289
+CVE-2024-38359
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -43,6 +43,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 
 ### Improvements
 
+* [#127](https://github.com/babylonlabs-io/finality-provider/pull/127) Bump docker workflow version and fix some dockerfile issue
 * [#132](https://github.com/babylonlabs-io/finality-provider/pull/132) Replace fast sync with batch processing
 
 ### Documentation

diff --git a/Dockerfile b/Dockerfile
@@ -1,15 +1,15 @@
-FROM golang:1.23.1-alpine as builder
+FROM golang:1.23-alpine as builder
 
 # Version to build. Default is the Git HEAD.
 ARG VERSION="HEAD"
 
 # Use muslc for static libs
 ARG BUILD_TAGS="muslc"
 
-
+# hadolint ignore=DL3018
 RUN apk add --no-cache --update openssh git make build-base linux-headers libc-dev \
                                 pkgconfig zeromq-dev musl-dev alpine-sdk libsodium-dev \
-                                libzmq-static libsodium-static gcc
+                                libzmq-static libsodium-static gcc && rm -rf /var/cache/apk/*
 
 
 # Build
@@ -21,12 +21,13 @@ RUN go mod download
 COPY ./ /go/src/github.com/babylonlabs-io/finality-provider/
 
 # Cosmwasm - Download correct libwasmvm version
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 RUN WASMVM_VERSION=$(grep github.com/CosmWasm/wasmvm go.mod | cut -d' ' -f2) && \
-    wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm_muslc.$(uname -m).a \
-        -O /lib/libwasmvm_muslc.$(uname -m).a && \
+    wget -q https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm_muslc."$(uname -m)".a \
+        -O /lib/libwasmvm_muslc."$(uname -m)".a && \
     # verify checksum
-    wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/checksums.txt -O /tmp/checksums.txt && \
-    sha256sum /lib/libwasmvm_muslc.$(uname -m).a | grep $(cat /tmp/checksums.txt | grep libwasmvm_muslc.$(uname -m) | cut -d ' ' -f 1)
+    wget -q https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/checksums.txt -O /tmp/checksums.txt && \
+    sha256sum /lib/libwasmvm_muslc."$(uname -m)."a | grep $(cat /tmp/checksums.txt | grep libwasmvm_muslc."$(uname -m)" | cut -d ' ' -f 1)
 
 RUN CGO_LDFLAGS="$CGO_LDFLAGS -lstdc++ -lm -lsodium" \
     CGO_ENABLED=1 \
@@ -35,11 +36,12 @@ RUN CGO_LDFLAGS="$CGO_LDFLAGS -lstdc++ -lm -lsodium" \
     make build
 
 # FINAL IMAGE
-FROM alpine:3.16 AS run
+FROM alpine:3.20 AS run
 
 RUN addgroup --gid 1138 -S finality-provider && adduser --uid 1138 -S finality-provider -G finality-provider
 
-RUN apk add bash curl jq
+# hadolint ignore=DL3018
+RUN apk add --no-cache bash curl jq && rm -rf /var/cache/apk/*
 
 COPY --from=builder /go/src/github.com/babylonlabs-io/finality-provider/build/fpd /bin/fpd
 COPY --from=builder /go/src/github.com/babylonlabs-io/finality-provider/build/eotsd /bin/eotsd