hound
Update alpine to 3.16, switch from bzr to breezy, resolve all vulnerabilities
What kind of change does this PR introduce? (check at least one)
- [ ] Bugfix
- [ ] Feature
- [ ] Code style update
- [ ] Refactor
- [x] Build-related changes
- [ ] Other, please describe:
The PR fulfills these requirements:
- [x] All tests are passing?
- [ ] New/updated tests are included?
- [ ] If any static assets have been updated, has ui/bindata.go been regenerated?
- [ ] Are there doc blocks for functions that I updated/created?
If adding a new feature, the PR's description includes:
- [ ] A convincing reason for adding this feature (to avoid wasting your time, it's best to open a suggestion issue first and wait for approval before working on it)
Vulnerabilities: The current image has lots of vulnerabilities:
`docker scan` before upgrade (20 vulnerabilities)
Testing hound...
✗ Low severity vulnerability found in openssl/libcrypto1.1
Description: Inadequate Encryption Strength
Info: https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1075739
Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], apr-util/[email protected], libtls-standalone/[email protected], python2/[email protected], ca-certificates/ca-certificates@20191127-r2, curl/[email protected], python3/[email protected], openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, serf/[email protected]
From: openssl/[email protected]
From: openssl/[email protected] > openssl/[email protected]
From: apk-tools/[email protected] > openssl/[email protected]
and 19 more...
Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
Fixed in: 1.1.1j-r0
✗ Medium severity vulnerability found in openssl/libcrypto1.1
Description: NULL Pointer Dereference
Info: https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1075737
Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], apr-util/[email protected], libtls-standalone/[email protected], python2/[email protected], ca-certificates/ca-certificates@20191127-r2, curl/[email protected], python3/[email protected], openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, serf/[email protected]
From: openssl/[email protected]
From: openssl/[email protected] > openssl/[email protected]
From: apk-tools/[email protected] > openssl/[email protected]
and 19 more...
Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
Fixed in: 1.1.1j-r0
✗ Medium severity vulnerability found in openssl/libcrypto1.1
Description: NULL Pointer Dereference
Info: https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1089241
Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], apr-util/[email protected], libtls-standalone/[email protected], python2/[email protected], ca-certificates/ca-certificates@20191127-r2, curl/[email protected], python3/[email protected], openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, serf/[email protected]
From: openssl/[email protected]
From: openssl/[email protected] > openssl/[email protected]
From: apk-tools/[email protected] > openssl/[email protected]
and 19 more...
Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
Fixed in: 1.1.1k-r0
✗ Medium severity vulnerability found in busybox/busybox
Description: Out-of-bounds Read
Info: https://snyk.io/vuln/SNYK-ALPINE311-BUSYBOX-1920721
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], ca-certificates/ca-certificates@20191127-r2, subversion/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: ca-certificates/ca-certificates@20191127-r2 > busybox/[email protected]
and 2 more...
Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
Fixed in: 1.31.1-r11
✗ High severity vulnerability found in openssl/libcrypto1.1
Description: Integer Overflow or Wraparound
Info: https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1075738
Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], apr-util/[email protected], libtls-standalone/[email protected], python2/[email protected], ca-certificates/ca-certificates@20191127-r2, curl/[email protected], python3/[email protected], openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, serf/[email protected]
From: openssl/[email protected]
From: openssl/[email protected] > openssl/[email protected]
From: apk-tools/[email protected] > openssl/[email protected]
and 19 more...
Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
Fixed in: 1.1.1j-r0
✗ High severity vulnerability found in openssl/libcrypto1.1
Description: Improper Certificate Validation
Info: https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1089242
Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], apr-util/[email protected], libtls-standalone/[email protected], python2/[email protected], ca-certificates/ca-certificates@20191127-r2, curl/[email protected], python3/[email protected], openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, serf/[email protected]
From: openssl/[email protected]
From: openssl/[email protected] > openssl/[email protected]
From: apk-tools/[email protected] > openssl/[email protected]
and 19 more...
Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
Fixed in: 1.1.1k-r0
✗ High severity vulnerability found in openssl/libcrypto1.1
Description: Out-of-bounds Read
Info: https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1569447
Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], apr-util/[email protected], libtls-standalone/[email protected], python2/[email protected], ca-certificates/ca-certificates@20191127-r2, curl/[email protected], python3/[email protected], openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, serf/[email protected]
From: openssl/[email protected]
From: openssl/[email protected] > openssl/[email protected]
From: apk-tools/[email protected] > openssl/[email protected]
and 19 more...
Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
Fixed in: 1.1.1l-r0
✗ High severity vulnerability found in busybox/busybox
Description: Improper Handling of Exceptional Conditions
Info: https://snyk.io/vuln/SNYK-ALPINE311-BUSYBOX-1090152
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], ca-certificates/ca-certificates@20191127-r2, subversion/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: ca-certificates/ca-certificates@20191127-r2 > busybox/[email protected]
and 2 more...
Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
Fixed in: 1.31.1-r10
✗ High severity vulnerability found in busybox/busybox
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-ALPINE311-BUSYBOX-1920714
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], ca-certificates/ca-certificates@20191127-r2, subversion/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: ca-certificates/ca-certificates@20191127-r2 > busybox/[email protected]
and 2 more...
Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
Fixed in: 1.31.1-r11
✗ High severity vulnerability found in busybox/busybox
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-ALPINE311-BUSYBOX-1920716
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], ca-certificates/ca-certificates@20191127-r2, subversion/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: ca-certificates/ca-certificates@20191127-r2 > busybox/[email protected]
and 2 more...
Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
Fixed in: 1.31.1-r11
✗ High severity vulnerability found in busybox/busybox
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-ALPINE311-BUSYBOX-1920723
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], ca-certificates/ca-certificates@20191127-r2, subversion/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: ca-certificates/ca-certificates@20191127-r2 > busybox/[email protected]
and 2 more...
Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
Fixed in: 1.31.1-r11
✗ High severity vulnerability found in busybox/busybox
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-ALPINE311-BUSYBOX-1920724
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], ca-certificates/ca-certificates@20191127-r2, subversion/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: ca-certificates/ca-certificates@20191127-r2 > busybox/[email protected]
and 2 more...
Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
Fixed in: 1.31.1-r11
✗ High severity vulnerability found in busybox/busybox
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-ALPINE311-BUSYBOX-1920740
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], ca-certificates/ca-certificates@20191127-r2, subversion/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: ca-certificates/ca-certificates@20191127-r2 > busybox/[email protected]
and 2 more...
Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
Fixed in: 1.31.1-r11
✗ High severity vulnerability found in busybox/busybox
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-ALPINE311-BUSYBOX-1920741
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], ca-certificates/ca-certificates@20191127-r2, subversion/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: ca-certificates/ca-certificates@20191127-r2 > busybox/[email protected]
and 2 more...
Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
Fixed in: 1.31.1-r11
✗ High severity vulnerability found in busybox/busybox
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-ALPINE311-BUSYBOX-1920749
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], ca-certificates/ca-certificates@20191127-r2, subversion/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: ca-certificates/ca-certificates@20191127-r2 > busybox/[email protected]
and 2 more...
Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
Fixed in: 1.31.1-r11
✗ High severity vulnerability found in busybox/busybox
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-ALPINE311-BUSYBOX-1920753
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], ca-certificates/ca-certificates@20191127-r2, subversion/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: ca-certificates/ca-certificates@20191127-r2 > busybox/[email protected]
and 2 more...
Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
Fixed in: 1.31.1-r11
✗ High severity vulnerability found in busybox/busybox
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-ALPINE311-BUSYBOX-1920756
Introduced through: busybox/[email protected], alpine-baselayout/[email protected], ca-certificates/ca-certificates@20191127-r2, subversion/[email protected], busybox/[email protected]
From: busybox/[email protected]
From: alpine-baselayout/[email protected] > busybox/[email protected]
From: ca-certificates/ca-certificates@20191127-r2 > busybox/[email protected]
and 2 more...
Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
Fixed in: 1.31.1-r11
✗ High severity vulnerability found in apk-tools/apk-tools
Description: Out-of-bounds Read
Info: https://snyk.io/vuln/SNYK-ALPINE311-APKTOOLS-1246343
Introduced through: apk-tools/[email protected]
From: apk-tools/[email protected]
Image layer: Introduced by your base image (alpine:3.11.7)
Fixed in: 2.10.6-r0
✗ Critical severity vulnerability found in openssl/libcrypto1.1
Description: Buffer Overflow
Info: https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1569451
Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], apr-util/[email protected], libtls-standalone/[email protected], python2/[email protected], ca-certificates/ca-certificates@20191127-r2, curl/[email protected], python3/[email protected], openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, openssh/[email protected]_p1-r1, serf/[email protected]
From: openssl/[email protected]
From: openssl/[email protected] > openssl/[email protected]
From: apk-tools/[email protected] > openssl/[email protected]
and 19 more...
Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
Fixed in: 1.1.1l-r0
✗ Critical severity vulnerability found in apk-tools/apk-tools
Description: Out-of-bounds Read
Info: https://snyk.io/vuln/SNYK-ALPINE311-APKTOOLS-1534687
Introduced through: apk-tools/[email protected]
From: apk-tools/[email protected]
Image layer: Introduced by your base image (alpine:3.11.7)
Fixed in: 2.10.7-r0
Package manager: apk
Project name: docker-image|hound
Docker image: hound
Platform: linux/amd64
Base image: alpine:3.11.7
Tested 52 dependencies for known vulnerabilities, found 20 vulnerabilities.
Base Image Vulnerabilities Severity
alpine:3.11.7 20 2 critical, 14 high, 3 medium, 1 low
Recommendations for base image upgrade:
Minor upgrades
Base Image Vulnerabilities Severity
alpine:3.12.12 0 0 critical, 0 high, 0 medium, 0 low
Alpine 3.11.7 is no longer supported by the Alpine maintainers. Vulnerability detection may be affected by a lack of security updates.
For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp
-------------------------------------------------------
Testing hound...
Package manager: npm
Target file: /go/src/github.com/hound-search/hound/package.json
Project name: hound
Docker image: hound
✔ Tested hound for known vulnerabilities, no vulnerable paths found.
For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp
Tested 2 projects, 1 contained vulnerable paths.
This upgrade handles all vulnerabilities found by Snyk in the container:
`docker scan` after upgrade (0 vulnerabilities)
Testing hound...
Package manager: apk
Project name: docker-image|hound
Docker image: hound
Platform: linux/amd64
Base image: alpine:3.16.0
✔ Tested 61 dependencies for known vulnerabilities, no vulnerable paths found.
According to our scan, you are currently using the most secure version of the selected base image
For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp
-------------------------------------------------------
Testing hound...
Package manager: npm
Target file: /go/src/github.com/hound-search/hound/package.json
Project name: hound
Docker image: hound
✔ Tested hound for known vulnerabilities, no vulnerable paths found.
For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp
Tested 2 projects, no vulnerable paths were found.
Overview: This updates the container to a supported version of Alpine. It also drops the hard-coded patch version from the Alpine tag so that non-breaking security fixes get built in automatically without risking breaking changes.
Switching from the bzr package to breezy is a drop-in replacement and is required by the upgrade. The command path and usage do not change between packages.
There is an added benefit: currently, if you try to build the Docker image on arm64, you get a gcc error. This PR also fixes that.
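The scan output pasted above is the evidence for this upgrade. As an added example that is not part of the PR or of the hound project, here is a small Python parser for the text format `docker scan` (Snyk) prints: it turns each finding block into a record, checks that the number of blocks agrees with the tool's own "found N vulnerabilities" summary line, picks the highest "Fixed in" version per package as the minimal upgrade target, and applies a severity gate of the kind a CI job would enforce. The embedded sample scan is constructed to mirror the findings above (the package versions in its "Introduced through" lines are placeholders, not the real ones), and `apk_version_key` is a simplified version ordering, not apk's full algorithm.

```python
"""Parse Snyk `docker scan` text output into findings and summarise them."""
import re
from collections import Counter

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# One finding block starts with a line like "✗ High severity vulnerability found in busybox/busybox"
FINDING_RE = re.compile(r"^✗ (Low|Medium|High|Critical) severity vulnerability found in (\S+)$")
FIELD_RE = re.compile(r"^(Description|Info|Introduced through|Image layer|Fixed in): (.*)$")
SUMMARY_RE = re.compile(r"found (\d+) vulnerabilit(?:y|ies)\.")

# Constructed sample modelled on the scan in the PR above; versions marked
# VERSION are placeholders, the "Fixed in" values are the ones the scan reported.
SAMPLE_SCAN = """\
Testing hound...

✗ Low severity vulnerability found in openssl/libcrypto1.1
  Description: Inadequate Encryption Strength
  Info: https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1075739
  Introduced through: openssl/libcrypto1.1@VERSION, apk-tools/apk-tools@VERSION
  Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
  Fixed in: 1.1.1j-r0

✗ Medium severity vulnerability found in openssl/libcrypto1.1
  Description: NULL Pointer Dereference
  Info: https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1089241
  Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
  Fixed in: 1.1.1k-r0

✗ High severity vulnerability found in openssl/libcrypto1.1
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1569447
  Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
  Fixed in: 1.1.1l-r0

✗ High severity vulnerability found in busybox/busybox
  Description: Improper Handling of Exceptional Conditions
  Info: https://snyk.io/vuln/SNYK-ALPINE311-BUSYBOX-1090152
  Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
  Fixed in: 1.31.1-r10

✗ High severity vulnerability found in busybox/busybox
  Description: Use After Free
  Info: https://snyk.io/vuln/SNYK-ALPINE311-BUSYBOX-1920714
  Image layer: 'apk add go git subversion libc-dev mercurial bzr openssh tini'
  Fixed in: 1.31.1-r11

✗ Critical severity vulnerability found in apk-tools/apk-tools
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-ALPINE311-APKTOOLS-1534687
  Image layer: Introduced by your base image (alpine:3.11.7)
  Fixed in: 2.10.7-r0

Base image: alpine:3.11.7
Tested 52 dependencies for known vulnerabilities, found 6 vulnerabilities.
"""


def parse_scan(text):
    """Return one dict per finding block: severity, package and the key/value fields."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = FINDING_RE.match(line)
        if m:
            current = {"severity": m.group(1), "package": m.group(2)}
            findings.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower().replace(" ", "_")] = m.group(2)
    return findings


def reported_total(text):
    """Count from the tool's summary line; 0 for a clean scan, None if absent."""
    m = SUMMARY_RE.search(text)
    if m:
        return int(m.group(1))
    return 0 if "no vulnerable paths found" in text else None


def summary_matches(text):
    """True when the finding blocks agree with the summary line (catches truncated output)."""
    return reported_total(text) == len(parse_scan(text))


def apk_version_key(version):
    """Simplified sort key for Alpine versions such as '1.1.1k-r0' (assumption: numeric
    runs compare as integers, letter runs as strings, '-rN' release last; apk suffix
    rules like _p1 are not implemented, which the 'Fixed in' values here do not need)."""
    base, _, rel = version.partition("-r")
    parts = tuple((0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[A-Za-z]+", base))
    return parts, (int(rel) if rel.isdigit() else -1)


def upgrade_targets(findings):
    """Highest 'Fixed in' version per package: the smallest upgrade that closes every finding."""
    targets = {}
    for f in findings:
        fixed, pkg = f.get("fixed_in"), f["package"]
        if fixed and (pkg not in targets or apk_version_key(fixed) > apk_version_key(targets[pkg])):
            targets[pkg] = fixed
    return targets


def severity_counts(findings):
    return dict(Counter(f["severity"] for f in findings))


def at_or_above(findings, threshold):
    """Findings that would fail a CI gate set at `threshold`, e.g. 'High'."""
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold]]


if __name__ == "__main__":
    found = parse_scan(SAMPLE_SCAN)
    print("severity counts:", severity_counts(found))
    print("summary consistent:", summary_matches(SAMPLE_SCAN))
    print("upgrade targets:", upgrade_targets(found))
    for f in at_or_above(found, "High"):
        print(f"GATE FAIL {f['severity']:<8} {f['package']} -> fix in {f['fixed_in']}")
```

Run against the real scan text, the "upgrade targets" output is what to compare with the versions the new base image actually ships, and a non-empty gate list is the condition under which a build should fail rather than be published.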