Bump alpine base image to 3.19.1 #35

Merged
merged 1 commit into from
Feb 14, 2024

Conversation

matheusfm
Contributor

@matheusfm matheusfm commented Feb 14, 2024

Description

Bump alpine base image to 3.19.1

Before:

trivy image ghcr.io/undistro/marvin:v0.2.1
2024-02-14T11:48:57.483-0300	INFO	Vulnerability scanning is enabled
2024-02-14T11:48:57.483-0300	INFO	Secret scanning is enabled
2024-02-14T11:48:57.483-0300	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-14T11:48:57.483-0300	INFO	Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-02-14T11:48:58.664-0300	INFO	Detected OS: alpine
2024-02-14T11:48:58.664-0300	WARN	This OS version is not on the EOL list: alpine 3.19
2024-02-14T11:48:58.664-0300	INFO	Detecting Alpine vulnerabilities...
2024-02-14T11:48:58.669-0300	INFO	Number of language-specific files: 1
2024-02-14T11:48:58.669-0300	INFO	Detecting gobinary vulnerabilities...

ghcr.io/undistro/marvin:v0.2.1 (alpine 3.19.0)

Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 0, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-6129 │ MEDIUM   │ fixed  │ 3.1.4-r2          │ 3.1.4-r3      │ openssl: POLY1305 MAC implementation corrupts vector      │
│            │               │          │        │                   │               │ registers on PowerPC                                      │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6129                 │
│            ├───────────────┤          │        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│            │ CVE-2023-6237 │          │        │                   │ 3.1.4-r4      │ openssl: Excessive time spent checking invalid RSA public │
│            │               │          │        │                   │               │ keys                                                      │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6237                 │
│            ├───────────────┤          │        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│            │ CVE-2024-0727 │          │        │                   │ 3.1.4-r5      │ openssl: denial of service via null dereference           │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-0727                 │
├────────────┼───────────────┤          │        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│ libssl3    │ CVE-2023-6129 │          │        │                   │ 3.1.4-r3      │ openssl: POLY1305 MAC implementation corrupts vector      │
│            │               │          │        │                   │               │ registers on PowerPC                                      │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6129                 │
│            ├───────────────┤          │        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│            │ CVE-2023-6237 │          │        │                   │ 3.1.4-r4      │ openssl: Excessive time spent checking invalid RSA public │
│            │               │          │        │                   │               │ keys                                                      │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6237                 │
│            ├───────────────┤          │        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│            │ CVE-2024-0727 │          │        │                   │ 3.1.4-r5      │ openssl: denial of service via null dereference           │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-0727                 │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

Now:

trivy image ghcr.io/undistro/marvin:latest
2024-02-14T11:51:49.760-0300	INFO	Vulnerability scanning is enabled
2024-02-14T11:51:49.760-0300	INFO	Secret scanning is enabled
2024-02-14T11:51:49.760-0300	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-14T11:51:49.760-0300	INFO	Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-02-14T11:51:50.583-0300	INFO	Detected OS: alpine
2024-02-14T11:51:50.583-0300	WARN	This OS version is not on the EOL list: alpine 3.19
2024-02-14T11:51:50.583-0300	INFO	Detecting Alpine vulnerabilities...
2024-02-14T11:51:50.594-0300	INFO	Number of language-specific files: 1
2024-02-14T11:51:50.595-0300	INFO	Detecting gobinary vulnerabilities...

ghcr.io/undistro/marvin:latest (alpine 3.19.1)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Checklist

  • I have labeled this PR with the relevant Type labels
  • I have documented my code (if applicable)
  • My changes are covered by tests

@matheusfm matheusfm added the enhancement New feature or request label Feb 14, 2024
@matheusfm matheusfm requested a review from knrc February 14, 2024 14:45
@matheusfm matheusfm self-assigned this Feb 14, 2024
@matheusfm matheusfm merged commit c5c8035 into main Feb 14, 2024
4 checks passed
@matheusfm matheusfm deleted the bump-alpine-base branch February 14, 2024 15:35
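
The "Before" table in the description lists a different Fixed Version for each CVE, so the package revision that clears all of them is the highest one per library. The sketch below is an added example, not code from this PR or from the marvin project; it works that out from the table's rows. The function names are hypothetical, and the version comparison is a simplification that only handles apk versions of the form `X.Y.Z-rN`.

```python
import re

# Rows transcribed from the "Before" Trivy table in the PR description:
# (package, CVE, installed version, fixed version).
FINDINGS = [
    ("libcrypto3", "CVE-2023-6129", "3.1.4-r2", "3.1.4-r3"),
    ("libcrypto3", "CVE-2023-6237", "3.1.4-r2", "3.1.4-r4"),
    ("libcrypto3", "CVE-2024-0727", "3.1.4-r2", "3.1.4-r5"),
    ("libssl3", "CVE-2023-6129", "3.1.4-r2", "3.1.4-r3"),
    ("libssl3", "CVE-2023-6237", "3.1.4-r2", "3.1.4-r4"),
    ("libssl3", "CVE-2024-0727", "3.1.4-r2", "3.1.4-r5"),
]

_SIMPLE_APK = re.compile(r"^(\d+(?:\.\d+)*)-r(\d+)$")


def apk_key(version):
    """Sort key for simple apk versions such as '3.1.4-r2'.

    Simplification (assumption of this example): versions with suffixes
    like _rc1 or _p2, or letter components, are rejected, not ordered.
    """
    m = _SIMPLE_APK.match(version)
    if not m:
        raise ValueError(f"unsupported apk version format: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))


def upgrade_targets(findings):
    """Per package, the lowest version that clears every listed CVE."""
    targets = {}
    for pkg, _cve, _installed, fixed in findings:
        if pkg not in targets or apk_key(fixed) > apk_key(targets[pkg]):
            targets[pkg] = fixed
    return targets


def still_open(findings, installed):
    """(package, CVE) pairs not cleared by the given installed versions."""
    return sorted(
        (pkg, cve)
        for pkg, cve, _old, fixed in findings
        if apk_key(installed[pkg]) < apk_key(fixed)
    )
```

A rebuild that only picks up `3.1.4-r4` would still report CVE-2024-0727 for both libraries, which is why the check compares against the highest Fixed Version rather than the first one listed.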