Ignore multiple CVEs due to missing deps in python:3.11-alpine

DitZii · Feb 16, 2023 · 0f35c05 · 0f35c05
1 parent 846e26e
commit 0f35c05
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 12 deletions.
diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
@@ -47,7 +47,7 @@ jobs:
           exit-code: 1
           ignore-unfixed: false
           severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-          #trivyignores: .trivyignore
+          trivyignores: .trivyignore
 
   # BW scheduler tests
   scheduler:
@@ -91,7 +91,7 @@ jobs:
           exit-code: 1
           ignore-unfixed: false
           severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-          #trivyignores: .trivyignore
+          trivyignores: .trivyignore
 
   # BW autoconf tests
   autoconf:
@@ -135,7 +135,7 @@ jobs:
           exit-code: 1
           ignore-unfixed: false
           severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-          #trivyignores: .trivyignore
+          trivyignores: .trivyignore
 
   # BW UI tests
   ui:
@@ -180,7 +180,7 @@ jobs:
           exit-code: 1
           ignore-unfixed: false
           severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-          #trivyignores: .trivyignore
+          trivyignores: .trivyignore
 
   # Python code security
   code-security:

diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,4 @@
+# libcurl 7.87.0-r2 and curl 7.87.0-r2 are not yet available in python:3.11-alpine
+CVE-2023-23916
+CVE-2023-23914
+CVE-2023-23915
diff --git a/src/autoconf/Dockerfile b/src/autoconf/Dockerfile
@@ -54,7 +54,7 @@ RUN apk add --no-cache bash && \
     chmod 770 /var/log/letsencrypt /var/lib/letsencrypt
 
 # Fix CVEs
-RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2" "git>=2.36.5-r0"
+RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0"
 
 VOLUME /data /etc/nginx
 

diff --git a/src/bw/Dockerfile b/src/bw/Dockerfile
@@ -4,22 +4,22 @@ FROM nginx:1.22.1-alpine AS builder
 COPY src/deps /tmp/bunkerweb/deps
 
 # Compile and install dependencies
-RUN apk add --no-cache --virtual build bash build autoconf libtool automake geoip-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers musl-dev gd-dev gnupg brotli-dev openssl-dev patch readline-dev && \
+RUN apk add --no-cache --virtual .build-deps bash autoconf libtool automake geoip-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers musl-dev gd-dev gnupg brotli-dev openssl-dev patch readline-dev && \
 	mkdir -p /usr/share/bunkerweb/deps && \
 	chmod +x /tmp/bunkerweb/deps/install.sh && \
 	bash /tmp/bunkerweb/deps/install.sh && \
-	apk del build
+	apk del .build-deps
 
 # Copy python requirements
 COPY src/common/gen/requirements.txt /usr/share/bunkerweb/deps/requirements.txt
 
 # Install python requirements
-RUN apk add --no-cache --virtual build py3-pip && \
+RUN apk add --no-cache --virtual .build-deps py3-pip && \
 	pip install --no-cache-dir --upgrade pip && \
 	pip install wheel && \
 	mkdir -p /usr/share/bunkerweb/deps/python && \
 	pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt && \
-	apk del build
+	apk del .build-deps
 
 FROM nginx:1.22.1-alpine
 
@@ -75,7 +75,7 @@ RUN apk add --no-cache pcre bash python3 && \
 	chmod 660 /usr/share/bunkerweb/INTEGRATION
 
 # Fix CVEs
-RUN apk add "openssl>=1.1.1q-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2" "git>=2.36.5-r0"
+RUN apk add "openssl>=1.1.1q-r0" "curl>=7.83.1-r6" "libcurl>=7.83.1-r6" "git>=2.36.5-r0"
 
 VOLUME /data /etc/nginx
 

diff --git a/src/scheduler/Dockerfile b/src/scheduler/Dockerfile
@@ -64,7 +64,7 @@ RUN apk add --no-cache bash libgcc libstdc++ openssl && \
   chmod 660 /usr/share/bunkerweb/INTEGRATION
 
 # Fix CVEs
-RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2" "git>=2.36.5-r0"
+RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0"
 
 VOLUME /data /etc/nginx
 

diff --git a/src/ui/Dockerfile b/src/ui/Dockerfile
@@ -50,7 +50,7 @@ RUN apk add --no-cache bash && \
     chmod 660 /usr/share/bunkerweb/INTEGRATION
 
 # Fix CVEs
-RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2" "git>=2.36.5-r0"
+RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0"
 
 VOLUME /data /etc/nginx