From ea9e9e65aa0ee8241cc003f4d895b150cc46bd8a Mon Sep 17 00:00:00 2001
From: andyzhangx
Date: Thu, 23 Sep 2021 07:30:20 +0000
Subject: [PATCH 1/2] fix: vulnerability issue in docker image fix failure fxi arch fix image name fix failure test: update trivy test fix test install go 1.16 go fix failure fix failure
---
 .github/workflows/trivy.yaml | 40 ++++++++++++++++++++++++++++++++++++
 Dockerfile | 3 ++-
 Makefile | 2 +-
 3 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/trivy.yaml
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
new file mode 100644
index 00000000..c72c2bc9
--- /dev/null
+++ b/.github/workflows/trivy.yaml
@@ -0,0 +1,40 @@
+name: Trivy vulnerability scanner
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-18.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Install go
+ uses: actions/setup-go@v2
+ with:
+ go-version: ^1.16
+
+ - name: Build an image from Dockerfile
+ run: |
+ export PUBLISH=true
+ export REGISTRY=test
+ export IMAGE_VERSION=latest
+ export DOCKER_CLI_EXPERIMENTAL=enabled
+ export ARCH=amd64
+ go version
+ make nfs
+ make container-build
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'test/nfsplugin:latest-linux-amd64'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
+
diff --git a/Dockerfile b/Dockerfile
index 120f2537..6af2485a 100644
--- a/Dockerfile
+++ b/Dockerfile
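Review bot: `uses: aquasecurity/trivy-action@master` resolves to a moving branch, so each run executes whatever the action's maintainers last merged, and because the job also fires on `pull_request:` the scanner step itself becomes an unreviewed dependency of every PR build. Pin it to a release tag or, better, a full commit SHA (`uses: aquasecurity/trivy-action@<tag-or-sha placeholder>`) and let dependency automation bump it; `actions/checkout@v2` and `actions/setup-go@v2` are major-version tags and carry the same, lower, risk. Note also that `ignore-unfixed: true` together with `exit-code: '1'` means only findings that already have a fixed package version fail the job, so a green run does not mean the image has no known CVEs; a one-line comment next to `ignore-unfixed` stating that trade-off would keep readers from over-reading the result.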
@@ -20,8 +20,9 @@ ARG ARCH
 # Copy nfsplugin from build _output directory
 COPY bin/${ARCH}/nfsplugin /nfsplugin
+RUN apt update && apt-mark unhold libcap2
 # this is a workaround to install nfs-common & nfs-kernel-server and don't quit with error
 # https://github.com/kubernetes-sigs/blob-csi-driver/issues/214#issuecomment-781602430
-RUN apt update && apt install ca-certificates mount nfs-common nfs-kernel-server -y || true
+RUN apt install ca-certificates mount libssl1.1 nfs-common nfs-kernel-server -y || true
 ENTRYPOINT ["/nfsplugin"]
diff --git a/Makefile b/Makefile
index 6653aa8c..18300ab7 100644
--- a/Makefile
+++ b/Makefile
@@ -27,7 +27,7 @@ include release-tools/build.make
 GIT_COMMIT = $(shell git rev-parse HEAD)
 BUILD_DATE = $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
-IMAGE_VERSION = v3.0.0
+IMAGE_VERSION ?= v3.0.0
 LDFLAGS = -X ${PKG}/pkg/nfs.driverVersion=${IMAGE_VERSION} -X ${PKG}/pkg/nfs.gitCommit=${GIT_COMMIT} -X ${PKG}/pkg/nfs.buildDate=${BUILD_DATE}
 EXT_LDFLAGS = -s -w -extldflags "-static"
 # Use a custom version for E2E tests if we are testing in CI
From 38ff2970b13f2c81d098abf0cd500369f9f02a57 Mon Sep 17 00:00:00 2001
From: andyzhangx
Date: Sat, 27 Nov 2021 14:14:07 +0000
Subject: [PATCH 2/2] fix: install updated packages to fix CVE issues
---
 Dockerfile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 6af2485a..80601e6b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM k8s.gcr.io/build-image/debian-base:buster-v1.6.0
+FROM k8s.gcr.io/build-image/debian-base:bullseye-v1.0.0
 # Architecture for bin folder
 ARG ARCH
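Review bot: `+RUN apt update && apt-mark unhold libcap2` gives no reason for lifting the hold on libcap2, and it puts the index refresh in a layer of its own, so `/var/lib/apt/lists` is baked into the image while the install in the following `RUN` works from whatever index that cached layer holds (hadolint DL3009; DL3027 also flags `apt`, which has no stable scripting interface, where `apt-get` does). The same two-layer layout is kept as context in the second patch's hunk at L3, so the point applies there too. A why-comment would carry the intent, e.g. `# libcap2 appears to be held in the base image (verify); unhold it so the install below can pull the patched build`, and folding the refresh into the install line, `RUN apt-get update && apt-mark unhold libcap2 && apt-get install -y --no-install-recommends … && rm -rf /var/lib/apt/lists/*`, keeps index and install in one layer.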
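Review bot: `IMAGE_VERSION ?= v3.0.0` lets any IMAGE_VERSION already present in the caller's environment override the value that `LDFLAGS` embeds into `nfs.driverVersion`, so a stale variable in a developer's or CI shell silently changes the version string a released binary reports. The workflow on this page relies on exactly that with `export IMAGE_VERSION=latest`, which is fine for a throwaway scan image, but the intent should be recorded at the declaration, e.g. `# overridable from the environment (CI sets IMAGE_VERSION=latest for scan builds); embedded in the binary via LDFLAGS`.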
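Review bot: `+FROM k8s.gcr.io/build-image/debian-base:bullseye-v1.0.0` pins the base by tag only, so the CVE fix this patch is meant to deliver depends on what that tag resolves to on the day of each build, and the Trivy result from the workflow is not reproducible against the image that actually ships. Pinning with a digest, `FROM k8s.gcr.io/build-image/debian-base:bullseye-v1.0.0@sha256:<digest placeholder>`, makes the scanned artifact and the published artifact the same bytes and turns a base-image bump into a reviewable diff. Hadolint's DL3006/DL3007 family is satisfied by the tag; the digest is what gives the scan its meaning.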
@@ -21,8 +21,8 @@ ARG ARCH
 COPY bin/${ARCH}/nfsplugin /nfsplugin
 RUN apt update && apt-mark unhold libcap2
-# this is a workaround to install nfs-common & nfs-kernel-server and don't quit with error
-# https://github.com/kubernetes-sigs/blob-csi-driver/issues/214#issuecomment-781602430
-RUN apt install ca-certificates mount libssl1.1 nfs-common nfs-kernel-server -y || true
+RUN clean-install ca-certificates mount nfs-common
+# install updated packages to fix CVE issues
+RUN clean-install libssl1.1 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0
 ENTRYPOINT ["/nfsplugin"]
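Review bot: `+RUN clean-install libssl1.1 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0` installs whatever versions the mirror serves at build time, and nothing in the Dockerfile records which advisories or minimum versions the line is meant to satisfy, so `# install updated packages to fix CVE issues` cannot be checked by the next maintainer and will read as stale after the next advisory. Either name the advisories in the comment, e.g. `# upgrade the krb5/openssl libraries pulled in by nfs-common to the builds fixing <CVE ids placeholder>`, or pin `pkg=version` so a later rebuild cannot quietly regress below the fixed build. These five packages are presumably already dependencies of nfs-common (verify), in which case the second clean-install mainly forces them to the current index versions; if so, saying that explicitly in the comment is clearer than "updated packages". Dropping `nfs-kernel-server` from the install set is a runtime content change worth a line in the commit message.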