Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): bump nginx image from 1.27.0 to 1.27.2 #10161

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

chore(deps): bump nginx image from 1.27.0 to 1.27.2 #10161

wants to merge 3 commits into from

Conversation

navalBhagat
Copy link

@navalBhagat navalBhagat commented Oct 4, 2024
edited
Loading

Description

  • This change upgrades the Dockerfile to use nginx:1.27.2-alpine.
  • RUN apk upgrade --no-cache was added to make sure all the patched packages used by alpine are pulled in.

Motivation and Context

This change upgrades the base nginx image since it uses the newer version of alpine with security vulnerability fixes.
This was reported in issue #10151.

How Has This Been Tested?

I updated the workflow action: Security Scan for docker image to build the image in the CI pipeline and run trivy on this locally-built image. The failing build (see old screenshot below) was fixed with no vulnerabilities.

I undid the workflow changes. But here is the workflow I used to verify that this upgrades fixes the security vulnerability.

name: Security scan for docker image

on:
  workflow_dispatch:
  schedule:
    - cron:  '30 4 * * *'

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code 
        uses: actions/checkout@v4
      - name: Build docker image 
        run: docker build -t swagger-ui:unstable .
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'swagger-ui:unstable'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

The new screenshot below shows the fixed version of the security scan using this new image. (Upgrade to alpine 3.20)

Screenshots (if appropriate):

Old:
image

New:
image

Checklist

My PR contains...

  • No code changes (src/ is unmodified: changes to documentation, CI, metadata, etc.)
  • Dependency changes (any modification to dependencies in package.json)
  • Bug fixes (non-breaking change which fixes an issue)
  • Improvements (misc. changes to existing features)
  • Features (non-breaking change which adds functionality)

My changes...

  • are breaking changes to a public API (config options, System API, major UI change, etc).
  • are breaking changes to a private API (Redux, component props, utility functions, etc.).
  • are breaking changes to a developer API (npm script behavior changes, new dev system dependencies, etc).
  • are not breaking changes.

Documentation

  • My changes do not require a change to the project documentation.
  • My changes require a change to the project documentation.
  • If yes to above: I have updated the documentation accordingly.

Automated tests

  • My changes can not or do not need to be tested.
  • My changes can and should be tested by unit and/or integration tests.
  • If yes to above: I have added tests to cover my changes.
  • If yes to above: I have taken care to cover edge cases in my tests.
  • All new and existing tests passed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@navalBhagat