Contributor

@DevanshMathur19 commented Jun 11, 2025

🔒 Summary of Improvements

✅ Go Runtime Security

🧱 Dependency Updates

  • All vulnerable Go module dependencies upgraded to secure versions:
    • golang.org/x/net → v0.38.0
    • google.golang.org/grpc → v1.59.0
    • google.golang.org/protobuf → v1.33.0
    • containerd → v1.6.38

🐳 Container Security Enhancements

  • Base Image Upgrade: Alpine 3.12 → 3.19
  • Security Best Practice: Introduced non-root user
  • Critical Package Updates:
    • zlib → 1.3.1+
    • openssl → 3.x / 1.1.1x+
    • busybox → 1.35+

🔍 Security Scan Results

✅ Resolved Vulnerabilities

🧠 Go Runtime Vulnerabilities

  • Critical: GO-2024-2887 (CVE-2024-24790)

    • Fixed in Go 1.22.4+
    • Affected net/netip standard library
    • Misclassification of IPv4-mapped IPv6 addresses
  • Medium: CVE-2023-45288

    • Fixed in Go 1.22.2+
    • DoS vulnerability in HTTP/2 implementation
    • Unbounded header parsing issue
  • Medium: CVE-2023-44487 ("HTTP/2 Rapid Reset")

    • Fixed in Go 1.22.0+
    • DoS vulnerability allowing attackers to overwhelm HTTP/2 servers
    • Exploitable by rapidly canceling streams
  • Medium: CVE-2024-40635

    • Fixed in Go 1.22.2+
    • Containers launched with specific configurations had security issues
  • Medium: CVE-2024-45336

    • Fixed in Go 1.23.5+
    • Issue in standard library's HTTP client
    • Handling of sensitive headers after cross-domain redirects
  • Unassigned: CVE-2025-22871

    • Fixed in Go 1.23.8+
    • Vulnerability in net/http/internal package
    • Improperly accepts bare LF as line terminator
  • Unassigned: CVE-2025-22866

    • Fixed in Go 1.22.12+
    • Issue in crypto/internal/nistec
    • Variable time instruction in assembly implementation
  • Unassigned: CVE-2024-45341

    • Fixed in Go 1.22.11+
    • Vulnerability in crypto/x509
    • Certificate with IPv6 address URI issue

📦 Dependency Vulnerabilities

  • High: CVE-2023-39325

    • Fixed in golang.org/x/net v0.36.0+
    • Resolved by updating to v0.38.0
  • High: GHSA-m425-mq94-257g

    • Fixed in google.golang.org/grpc v1.56.3+
    • Resolved by updating to v1.59.0
  • Medium: CVE-2024-24786

    • Fixed in google.golang.org/protobuf v1.31.0+
    • Resolved by updating to v1.33.0
  • Medium: CVE-2024-40635

    • Fixed in containerd v1.6.38+
    • Resolved by updating from v1.6.18 → v1.6.38
  • Medium: CVE-2025-22872

    • Fixed in golang.org/x/net v0.38.0
    • Resolved by updating from v0.36.0 → v0.38.0

🐳 Container Base Image Vulnerabilities

  • Critical: CVE-2023-45853

    • Fixed in zlib 1.3.1+
    • Integer overflow and heap-based buffer overflow in MiniZip
  • Critical: CVE-2022-48174

    • Fixed in busybox 1.35+
    • Stack overflow vulnerability in ash.c
  • Critical: CVE-2022-37434

    • Fixed in zlib 1.2.12-r2+
    • Heap-based buffer over-read or buffer overflow
  • Critical: CVE-2022-2068

    • Fixed in openssl 3.0.4, 1.1.1p, 1.0.2zf+
    • Shell command injection vulnerability
  • High: CVE-2023-4807

    • Fixed in openssl 3.1.3, 3.0.11, 1.1.1w+
    • POLY1305 MAC implementation bug
  • High: CVE-2023-0464

    • Fixed in openssl 3.1.1, 3.0.9, 1.1.1u+
    • X.509 certificate chain verification vulnerability
  • High: CVE-2023-0215

    • Fixed in openssl 3.0.8, 1.1.1t, 1.0.2zg+
    • Vulnerability in BIO_new_NDEF function
  • High: CVE-2022-4450

    • Fixed in openssl 3.0.8, 1.1.1t+
    • Vulnerability in PEM_read_bio_ex() function
  • High: CVE-2023-0286

    • Fixed in openssl 3.0.8, 1.1.1t, 1.0.2zg+
    • Type confusion vulnerability in X.400 address processing
  • Multiple Medium/Low vulnerabilities

    • Affected openssl, zlib, busybox
    • Resolved by upgrading Alpine from 3.12 → 3.19

🧾 Compliance Issues

  • High: CIS Docker Benchmark 4.1
    • "Image should be created with a non-root user"
    • Resolved by:
      • Adding non-root user via USER directive
      • Ensuring proper file ownership and permissions
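The CIS Docker Benchmark 4.1 fix described above (a USER directive plus correct file ownership on an Alpine 3.19 base), as an added Dockerfile example that is not the PR's own Dockerfile; the `drone` user/group name, UID/GID 10001 and the `/var/lib/drone` state directory are assumptions, while the binary path is the one `.drone.sh` produces for linux/amd64.

```dockerfile
# Added example, not the project's Dockerfile. Base image matches the PR's
# upgrade target (Alpine 3.12 -> 3.19).
FROM alpine:3.19

# Refresh the base packages (zlib, openssl, busybox ship with Alpine) so the
# image carries the latest 3.19 builds, and add CA roots for TLS.
RUN apk --no-cache upgrade && apk --no-cache add ca-certificates

# Unprivileged system user/group with a fixed UID/GID, no home directory and
# no login shell (assumed names and ids).
RUN addgroup -S -g 10001 drone && \
    adduser -S -u 10001 -G drone -H -s /sbin/nologin drone

# The binary stays root-owned and is only readable/executable by the service
# group, so the running process cannot rewrite its own executable.
COPY --chown=root:drone release/linux/amd64/drone /bin/drone
RUN chmod 0550 /bin/drone

# Writable state lives in a directory the service user owns (assumed path).
RUN mkdir -p /var/lib/drone && chown drone:drone /var/lib/drone

# USER before ENTRYPOINT: this is what populates Config.User in the image
# metadata that CIS 4.1 checks inspect.
USER drone:drone
WORKDIR /var/lib/drone

ENTRYPOINT ["/bin/drone"]
```

After building, `docker inspect --format '{{.Config.User}}' <image>` should print `drone:drone`; an empty value means the image still runs as root.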

@Ompragash
Contributor

Testing details from local with the updated changes:

Building the binary from PR branch `./.drone.sh`:

```
+ export CGO_ENABLED=0
+ CGO_ENABLED=0
+ GOOS=linux
+ GOARCH=amd64
+ go build -ldflags '-X main.version=' -o release/linux/amd64/drone ./drone
+ GOOS=linux
+ GOARCH=arm64
+ go build -ldflags '-X main.version=' -o release/linux/arm64/drone ./drone
+ GOOS=linux
+ GOARCH=ppc64le
+ go build -ldflags '-X main.version=' -o release/linux/ppc64le/drone ./drone
+ GOOS=linux
+ GOARCH=arm
+ go build -ldflags '-X main.version=' -o release/linux/arm/drone ./drone
+ GOOS=windows
+ GOARCH=amd64
+ go build -ldflags '-X main.version=' -o release/windows/amd64/drone.exe ./drone
go: downloading github.com/Microsoft/go-winio v0.6.1
+ GOOS=darwin
+ GOARCH=amd64
+ go build -ldflags '-X main.version=' -o release/darwin/amd64/drone ./drone
+ GOOS=darwin
+ GOARCH=arm64
+ go build -ldflags '-X main.version=' -o release/darwin/arm64/drone ./drone
+ tar -cvzf release/drone_linux_amd64.tar.gz -C release/linux/amd64 drone
a drone
+ tar -cvzf release/drone_linux_arm64.tar.gz -C release/linux/arm64 drone
a drone
+ tar -cvzf release/drone_linux_ppc64le.tar.gz -C release/linux/ppc64le drone
a drone
+ tar -cvzf release/drone_linux_arm.tar.gz -C release/linux/arm drone
a drone
+ tar -cvzf release/drone_windows_amd64.tar.gz -C release/windows/amd64 drone.exe
a drone.exe
+ tar -cvzf release/drone_darwin_amd64.tar.gz -C release/darwin/amd64 drone
a drone
+ tar -cvzf release/drone_darwin_arm64.tar.gz -C release/darwin/arm64 drone
a drone
+ sha256sum release/drone_darwin_amd64.tar.gz release/drone_darwin_arm64.tar.gz release/drone_linux_amd64.tar.gz release/drone_linux_arm.tar.gz release/drone_linux_arm64.tar.gz release/drone_linux_ppc64le.tar.gz release/drone_windows_amd64.tar.gz
```
Output of `drone info`:

```
./release/darwin/arm64/drone info
User: Ompragash
Email: [email protected]
```
CLI command to view build logs:

```
./release/darwin/arm64/drone log view drone-plugins/drone-stackrox 10 1 2
1.18: Pulling from library/golang
Digest: sha256:50c889275d26f816b5314fc99f55425fa76b18fcaf16af255f5d57f09e1f48da
Status: Downloaded newer image for golang:1.18
+ go version
go version go1.18.10 linux/amd64
+ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/tmp/aws/home/drone/.cache/go-build"
GOENV="/tmp/aws/home/drone/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/go"
```

@Ompragash Ompragash merged commit 938549b into master Jun 12, 2025
3 of 4 checks passed