swagger-api
chore(deps): bump nginx image from 1.27.0 to 1.27.2
Description
- This change upgrades the Dockerfile to use
nginx:1.27.2-alpine. RUN apk upgrade --no-cachewas added to make sure all the patched packages used byalpineare pulled in.
Motivation and Context
This change upgrades the base nginx image since it uses the newer version of alpine with security vulnerability fixes.
This was reported in issue #10151.
How Has This Been Tested?
I updated the workflow action: Security Scan for docker image to build the image in the CI pipeline and run trivy on this locally-built image. The failing build (see old screenshot below) was fixed with no vulnerabilities.
I undid the workflow changes. But here is the workflow I used to verify that this upgrades fixes the security vulnerability.
name: Security scan for docker image
on:
workflow_dispatch:
schedule:
- cron: '30 4 * * *'
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Build docker image
run: docker build -t swagger-ui:unstable .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'swagger-ui:unstable'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
The new screenshot below shows the fixed version of the security scan using this new image. (Upgrade to alpine 3.20)
Screenshots (if appropriate):
Old:
New:
Checklist
My PR contains...
- [x] No code changes (
src/is unmodified: changes to documentation, CI, metadata, etc.) - [ ] Dependency changes (any modification to dependencies in
package.json) - [ ] Bug fixes (non-breaking change which fixes an issue)
- [ ] Improvements (misc. changes to existing features)
- [ ] Features (non-breaking change which adds functionality)
My changes...
- [ ] are breaking changes to a public API (config options, System API, major UI change, etc).
- [ ] are breaking changes to a private API (Redux, component props, utility functions, etc.).
- [ ] are breaking changes to a developer API (npm script behavior changes, new dev system dependencies, etc).
- [x] are not breaking changes.
Documentation
- [x] My changes do not require a change to the project documentation.
- [ ] My changes require a change to the project documentation.
- [ ] If yes to above: I have updated the documentation accordingly.
Automated tests
- [x] My changes can not or do not need to be tested.
- [ ] My changes can and should be tested by unit and/or integration tests.
- [ ] If yes to above: I have added tests to cover my changes.
- [ ] If yes to above: I have taken care to cover edge cases in my tests.
- [x] All new and existing tests passed.
Hey @navalBhagat, kind of confused because @swagger-bot merged this PR #10163, last week, but I couldn't find the newer image in the docker hub, is the newer image created and pushed to docker or the image is not pushed yet?
Hi @sahilpatil2997
Sorry for the delay.
I think it needs to be force upgraded, and I only think the issue will be fixed once the latest version of swagger's image is pushed to docker hub because the current check is done based on the image pulled from docker hub.
If you approve this, I'll merge it, but I'm not sure how the pushing of the image to Docker Hub works?
I'm unable to merge. I still see this:
I think one of the maintainer should approve this PR
Closing this in favor of https://github.com/swagger-api/swagger-ui/pull/10192.
The base image is already updated on master branch. Unfortunately we'll also not going to go for full apk upgrade --no-cache change. Adding apk upgrade is generally avoided for the sake of stability and reproducibility.
Thank you for your effort here!
Hey @char0n, I did pull the latest image from the docker hub but still the image is using an older version of NGINX image, can you please look into it?
@sahilpatil2997 https://hub.docker.com/layers/swaggerapi/swagger-ui/v5.18.1/images/sha256-ae37cdb99e6440c29c693a39770b6e87dffb6651c7766565f2922ef06b549e93?context=explore