From fd05973a6926d833b51b9b9ef6625de562aeee41 Mon Sep 17 00:00:00 2001
From: huynaism <77400732+huynaism@users.noreply.github.com>
Date: Thu, 21 Nov 2024 15:23:37 +0700
Subject: [PATCH] fix dockerfile & CVEs issues (#127)
Remaining CVEs that fires alarms:
| Lib | CVE | Current version | Fixed version | Indirect |
| -------- | ------------------------------------------------------------------------ | ---------------- | ------------- | -------- |
| CometBFT | [GHSA-p7mv-53f2-4cwj](https://github.com/advisories/GHSA-p7mv-53f2-4cwj) | 0.38.9 | 0.38.15 | |
| CometBFT | [GHSA-g5xx-c4hv-9ccc](https://github.com/advisories/GHSA-g5xx-c4hv-9ccc) | 0.38.9 | 0.38.12 | |
| wasmd | [GHSA-g8w7-7vgg-x7xg](https://github.com/advisories/GHSA-g8w7-7vgg-x7xg) | 0.52.0 | 0.53.0 | |
| wasmd | [GHSA-fpgj-cr28-fvpx](https://github.com/advisories/GHSA-fpgj-cr28-fvpx) | 0.52.0 | 0.53.0 | |
| lnd | [CVE-2024-38359](https://avd.aquasec.com/nvd/cve-2024-38359) | v0.16.4-beta.rc1 | 0.17.0-beta | |
---
.github/workflows/publish.yml | 8 +++++++-
.trivyignore | 5 +++++
CHANGELOG.md | 1 +
Dockerfile | 20 +++++++++++---------
4 files changed, 24 insertions(+), 10 deletions(-)
create mode 100644 .trivyignore
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 7b014261..28cb228e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -23,9 +23,15 @@ jobs:
 docker_pipeline:
 needs: ["lint_test"]
- uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.7.0
+ uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.10.2
 secrets: inherit
 with:
 publish: true
 dockerfile: ./Dockerfile
 repoName: finality-provider
+ docker_scan: true
+ permissions:
+ # required for all workflows
+ security-events: write
+ # required to fetch internal or private CodeQL packs
+ packages: read
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 00000000..63355fc1
--- /dev/null
+++ b/.trivyignore
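Review bot: The reusable workflow reference on the `uses:` line is pinned to the mutable tag `@v0.10.2` while the job now runs with `secrets: inherit` and `security-events: write`; pinning to the tag's full commit SHA and keeping the tag as a trailing comment makes the checked-in reference immutable, e.g. `uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@<commit-sha-of-v0.10.2> # v0.10.2`. The two `# required …` comments read as copied from the GitHub CodeQL starter template; `packages: read` is presumably what the scan step inside the reusable workflow needs, so a comment naming that consumer (`# required by the docker_scan step of reusable_docker_pipeline.yml`) would say more than the CodeQL wording. The reusable workflow itself is not visible here, so whether `docker_scan` is an accepted input of v0.10.2 is unverified from this hunk.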
@@ -0,0 +1,5 @@
+# LND < 0.17.0 issue, not fixing
+CVE-2024-27304
+GHSA-7jwh-3vrq-q3m8
+CVE-2024-27289
+CVE-2024-38359
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7554c0c2..8b00e603 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -43,6 +43,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 ### Improvements
+* [#127](https://github.com/babylonlabs-io/finality-provider/pull/127) Bump docker workflow version and fix some dockerfile issue
 * [#132](https://github.com/babylonlabs-io/finality-provider/pull/132) Replace fast sync with batch processing
 ### Documentation
diff --git a/Dockerfile b/Dockerfile
index d37b922e..4b577eb9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.23.1-alpine as builder
+FROM golang:1.23-alpine as builder
 # Version to build. Default is the Git HEAD.
 ARG VERSION="HEAD"
@@ -6,10 +6,10 @@ ARG VERSION="HEAD"
 # Use muslc for static libs
 ARG BUILD_TAGS="muslc"
-
+# hadolint ignore=DL3018
 RUN apk add --no-cache --update openssh git make build-base linux-headers libc-dev \
 pkgconfig zeromq-dev musl-dev alpine-sdk libsodium-dev \
- libzmq-static libsodium-static gcc
+ libzmq-static libsodium-static gcc && rm -rf /var/cache/apk/*
 # Build
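Review bot: The comment `# LND < 0.17.0 issue, not fixing` attributes all four suppressed identifiers to lnd, but the PR description's table lists only CVE-2024-38359 against lnd; the other three entries have no rationale recorded anywhere in the change, so a reader cannot tell why they are ignored or when the suppression can be lifted. Each entry should carry its own reason, and since Trivy's ignore file accepts an expiry suffix (`CVE-2024-38359 exp:<YYYY-MM-DD>`, subject to the Trivy version the pipeline runs), dating the entries would force a re-review instead of leaving the suppressions permanent after the lnd dependency is eventually bumped. The file is also missing its trailing newline, as the `\ No newline at end of file` marker shows.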
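Review bot: Changing the builder base from `golang:1.23.1-alpine` to `golang:1.23-alpine` trades a patch-level pin for a floating minor tag, so two builds of the same commit can resolve to different toolchains and base layers; if the intent is to keep receiving Go patch releases, pin the resolved image by digest and bump it deliberately, `FROM golang:1.23-alpine@sha256:<digest-of-resolved-image> AS builder`. The lowercase `as` also differs from `AS run` in the final stage and triggers BuildKit's FromAsCasing check. The same pinning question applies to the `# hadolint ignore=DL3018` lines added in the next two hunks of this file, which silence the unpinned-apk-package warning rather than pinning the packages.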
@@ -21,12 +21,13 @@ RUN go mod download
 COPY ./ /go/src/github.com/babylonlabs-io/finality-provider/
 # Cosmwasm - Download correct libwasmvm version
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 RUN WASMVM_VERSION=$(grep github.com/CosmWasm/wasmvm go.mod | cut -d' ' -f2) && \
- wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm_muslc.$(uname -m).a \
- -O /lib/libwasmvm_muslc.$(uname -m).a && \
+ wget -q https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm_muslc."$(uname -m)".a \
+ -O /lib/libwasmvm_muslc."$(uname -m)".a && \
 # verify checksum
- wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/checksums.txt -O /tmp/checksums.txt && \
- sha256sum /lib/libwasmvm_muslc.$(uname -m).a | grep $(cat /tmp/checksums.txt | grep libwasmvm_muslc.$(uname -m) | cut -d ' ' -f 1)
+ wget -q https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/checksums.txt -O /tmp/checksums.txt && \
+ sha256sum /lib/libwasmvm_muslc."$(uname -m)."a | grep $(cat /tmp/checksums.txt | grep libwasmvm_muslc."$(uname -m)" | cut -d ' ' -f 1)
 RUN CGO_LDFLAGS="$CGO_LDFLAGS -lstdc++ -lm -lsodium" \
 CGO_ENABLED=1 \
@@ -35,11 +36,12 @@ RUN CGO_LDFLAGS="$CGO_LDFLAGS -lstdc++ -lm -lsodium" \
 make build
 # FINAL IMAGE
-FROM alpine:3.16 AS run
+FROM alpine:3.20 AS run
 RUN addgroup --gid 1138 -S finality-provider && adduser --uid 1138 -S finality-provider -G finality-provider
-RUN apk add bash curl jq
+# hadolint ignore=DL3018
+RUN apk add --no-cache bash curl jq && rm -rf /var/cache/apk/*
 COPY --from=builder /go/src/github.com/babylonlabs-io/finality-provider/build/fpd /bin/fpd
 COPY --from=builder /go/src/github.com/babylonlabs-io/finality-provider/build/eotsd /bin/eotsd
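Review bot: The checksum step on the last `+` line of the `RUN WASMVM_VERSION` block still passes vacuously when the expected hash cannot be found: if the inner `grep libwasmvm_muslc."$(uname -m)"` matches no line of checksums.txt (for instance on an architecture the release does not ship), the outer `grep` receives an empty pattern and matches the `sha256sum` output unconditionally, and the new `-eo pipefail` shell does not catch it because the failure sits inside a command substitution. Replacing that line with an explicit `sha256sum -c` turns a missing or mismatched entry into a hard build failure: `expected=$(grep -F "libwasmvm_muslc.$(uname -m).a" /tmp/checksums.txt | cut -d ' ' -f 1) && \`, `[ -n "$expected" ] && \`, `echo "$expected  /lib/libwasmvm_muslc.$(uname -m).a" | sha256sum -c -`. The quoting on that same line, `"$(uname -m)."a`, puts the dot inside the quotes unlike the three earlier `"$(uname -m)".a` occurrences; it expands to the same file name but should match them for readability. Since checksums.txt is fetched from the same release as the archive, this check verifies download integrity rather than publisher identity, which is worth a one-line comment next to `# verify checksum`.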