kubernetes-csi/csi-driver-nfs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #230 from andyzhangx/vulnerability-fix

Browse Source 
fix: vulnerability issue in docker image
This commit is contained in:
Andy Zhang 2021-11-28 16:14:44 +08:00 committed by GitHub
commit 9134dcca07
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 46 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
.github/workflows/trivy.yaml vendored Normal file
View File

@ -0,0 +1,40 @@
name: Trivy vulnerability scanner
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Install go
uses: actions/setup-go@v2
with:
go-version: ^1.16
- name: Build an image from Dockerfile
run: |
export PUBLISH=true
export REGISTRY=test
export IMAGE_VERSION=latest
export DOCKER_CLI_EXPERIMENTAL=enabled
export ARCH=amd64
go version
make nfs
make container-build
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'test/nfsplugin:latest-linux-amd64'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'

9
Dockerfile
View File

@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
FROM k8s.gcr.io/build-image/debian-base:buster-v1.6.0 FROM k8s.gcr.io/build-image/debian-base:bullseye-v1.0.0
# Architecture for bin folder # Architecture for bin folder
ARG ARCH ARG ARCH
@ -20,8 +20,9 @@ ARG ARCH
# Copy nfsplugin from build _output directory # Copy nfsplugin from build _output directory
COPY bin/${ARCH}/nfsplugin /nfsplugin COPY bin/${ARCH}/nfsplugin /nfsplugin
# this is a workaround to install nfs-common & nfs-kernel-server and don't quit with error RUN apt update && apt-mark unhold libcap2
# https://github.com/kubernetes-sigs/blob-csi-driver/issues/214#issuecomment-781602430 RUN clean-install ca-certificates mount nfs-common
RUN apt update && apt install ca-certificates mount nfs-common nfs-kernel-server -y || true # install updated packages to fix CVE issues
RUN clean-install libssl1.1 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0
ENTRYPOINT ["/nfsplugin"] ENTRYPOINT ["/nfsplugin"]

2
Makefile
View File

@ -27,7 +27,7 @@ include release-tools/build.make
GIT_COMMIT = $(shell git rev-parse HEAD) GIT_COMMIT = $(shell git rev-parse HEAD)
BUILD_DATE = $(shell date -u +"%Y-%m-%dT%H:%M:%SZ") BUILD_DATE = $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
IMAGE_VERSION = v3.0.0 IMAGE_VERSION ?= v3.0.0
LDFLAGS = -X ${PKG}/pkg/nfs.driverVersion=${IMAGE_VERSION} -X ${PKG}/pkg/nfs.gitCommit=${GIT_COMMIT} -X ${PKG}/pkg/nfs.buildDate=${BUILD_DATE} LDFLAGS = -X ${PKG}/pkg/nfs.driverVersion=${IMAGE_VERSION} -X ${PKG}/pkg/nfs.gitCommit=${GIT_COMMIT} -X ${PKG}/pkg/nfs.buildDate=${BUILD_DATE}
EXT_LDFLAGS = -s -w -extldflags "-static" EXT_LDFLAGS = -s -w -extldflags "-static"
# Use a custom version for E2E tests if we are testing in CI # Use a custom version for E2E tests if we are testing in CI