
build: upgrade base Docker image to prevent security vulnerability #410

Merged
merged 1 commit into from Jun 16, 2022

Conversation

diogokiss
Contributor

According to Snyk.io, the currently used base Docker image has 19 security
vulnerabilities (13 high).
https://snyk.io/test/docker/node%3A16.5.0-alpine3.14

On the other hand, the image node:16.14.2-alpine3.14 has no known security
vulnerabilities.

https://snyk.io/test/docker/node%3A16.14.2-alpine3.14

This commit upgrades the image to fix the above mentioned issues.

@diogokiss
Contributor Author

diogokiss commented May 3, 2022

Hi, @wagoid! 🇧🇷 👋
I'm not really sure what the error with the failing job is about.
I mean, it is complaining about some permissions, but I'm not sure how to debug it.

fatal: unsafe repository ('/github/workspace' is owned by someone else)

If there is anything I can help with, please, let me know.

In the meanwhile, I'll check the other errors.

I was wondering whether I should upgrade all the used Node versions to 16. What do you say?

❯ fgrep -r node-version .github/workflows
.github/workflows/commitlint.yml:          node-version: '14'
.github/workflows/commitlint.yml:          node-version: '14'
.github/workflows/ci.yml:          node-version: '12.x'
.github/workflows/ci.yml:          node-version: '12.x'

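The comment above asks whether the workflow `node-version` pins should follow the Node major of the upgraded base image. As an added example (not code from this PR or from the repository), here is a small drift check that reads the Dockerfile `FROM` line and each workflow's `node-version`, reports majors that disagree with the image, and flags a floating base tag; the Dockerfile content and the workflow snippets are constructed from the values shown in this thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inputs modelled on this PR: the FROM line after the
# upgrade, and the pins that `fgrep -r node-version .github/workflows` printed.
DOCKERFILE = """\
FROM node:16.14.2-alpine3.14
WORKDIR /app
COPY . .
"""
WORKFLOWS = {
    ".github/workflows/commitlint.yml": "        with:\n          node-version: '14'\n",
    ".github/workflows/ci.yml": "        with:\n          node-version: '12.x'\n",
}

# Matches e.g. "FROM node:16.14.2-alpine3.14" or "FROM node:16-alpine".
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?node:(\d+)(?:\.(\d+))?(?:\.(\d+))?", re.M
)
# Matches "node-version: '14'", "node-version: 12.x", "node-version: '16.15.0'".
NODE_VERSION_RE = re.compile(
    r"node-version:\s*['\"]?(\d+)(?:\.(\d+|x))?(?:\.(\d+|x))?['\"]?"
)


def base_image_node(dockerfile: str) -> Tuple[int, bool]:
    """Return (major, fully_pinned) for the node base image.

    fully_pinned is True only when major.minor.patch are all present; a
    floating tag such as node:16-alpine resolves to a different image over
    time, so a scan result for it is not reproducible.
    """
    m = FROM_RE.search(dockerfile)
    if not m:
        raise ValueError("no node base image found in Dockerfile")
    major, minor, patch = m.group(1), m.group(2), m.group(3)
    return int(major), bool(minor and patch)


def find_drift(dockerfile: str, workflows: Dict[str, str]) -> List[str]:
    """List workflow pins whose Node major differs from the base image's."""
    image_major, _ = base_image_node(dockerfile)
    drift = []
    for path, text in workflows.items():
        for m in NODE_VERSION_RE.finditer(text):
            if int(m.group(1)) != image_major:
                pin = m.group(0).split(":", 1)[1].strip()
                drift.append(f"{path}: node-version {pin} != image major {image_major}")
    return drift
```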
@diogokiss diogokiss force-pushed the security-vuln-docker-image branch from 44ba5b4 to aaa3b2a Compare May 3, 2022 11:00
@diogokiss
Contributor Author

@wagoid, I think I fixed the Node version-related error. However, the error with regard to the unsafe repository seems to be related to this issue.
actions/checkout#760

Apparently, there are 2 options to work around the problem:

@jdbruijn
Collaborator

jdbruijn commented May 5, 2022

Yeah good one. Feel free to add the second solution, so git config --global --add safe.directory /github/workspace to the commitment workflow. As this is running in the action I'm guessing the git version to be latest, or at least near latest and that is also what the error log is suggesting 😄

@wagoid
Owner

wagoid commented May 7, 2022

Hi @diogokiss! 🇧🇷 👋 🎉
Thank you for the contribution! Agreed, as @jdbruijn said the second option should probably be the right one 🚀

@wagoid
Owner

wagoid commented May 7, 2022

Just noticed this issue was already present before your PR, so I created another one that fixes it: #411. Turns out actions/checkout was already applying the safe.directory in latest version but we needed to do something different for this action. The PR description explains everything.

@diogokiss once you sync with origin the issue should be gone 🚀

@diogokiss diogokiss force-pushed the security-vuln-docker-image branch from aaa3b2a to e4c3e78 Compare May 9, 2022 06:20
Contributor

@Fdawgs Fdawgs left a comment


Maybe change it to the latest LTS, 16.15.0?

@wagoid wagoid merged commit 7445d4e into wagoid:master Jun 16, 2022
@wagoid
Owner

wagoid commented Jun 16, 2022

@Fdawgs thanks for the suggestion! I'll update the dependabot config to also include Dockerfile so that we can more easily keep things up to date
