From 7e0cfebb3ee8f965f8806caafe66acfddcff94cc Mon Sep 17 00:00:00 2001
From: jack-baines
Date: Tue, 10 Oct 2023 15:23:16 +0100
Subject: [PATCH 1/2] Update base image to fix vulnerabilities

Signed-off-by: jack-baines
---
 CHANGELOG.md | 13 +++++++++----
 Dockerfile | 6 +++---
 Makefile | 10 +++++-----
 helm/portieris/Chart.yaml | 2 +-
 helm/portieris/values.yaml | 2 +-
 5 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e28a9c75..7fb367f6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,11 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 ## v-next
+## v0.13.8
+
+Released 2023-10-10
+
+* Remediates CVE-2023-4527 CVE-2023-4806 CVE-2023-4813 CVE-2023-4911 in glibc
 ## v0.13.7
 Released 2023-09-11
@@ -34,7 +39,7 @@ Released 2023-04-11
 * Remove vulnerable dependency dgrijalva/jwt-go
-## v0.13.4
+## v0.13.4
 Released 2023-03-29
@@ -42,15 +47,15 @@ Released 2023-03-29
 * Resolves CVE-2022-4304 CVE-2022-4450 CVE-2023-0215 CVE-2023-0286 with openssl
 * Resolves CVE-2023-27561 with runc v1.1.15
-## v0.13.3
+## v0.13.3
 Released 2023-02-02
 * Contributed helm value options: skipCreate certificate issuer (aid seamless upgrade) and optional annotations.
 * Update to go-toolset:1.18.9-8
-* Fixes problem with portieris version in logs showing the golang version
+* Fixes problem with portieris version in logs showing the golang version
-## v0.13.2
+## v0.13.2
 Released 2023-01-25
diff --git a/Dockerfile b/Dockerfile
index 5e2b02a3..ac2a229a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
-# This first stage of the build uses go-toolset to build the portieris binary creates
-# a simplified operating system image that satisfies vulnerability scanning requirements
-FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi8/go-toolset:1.19.10-16 as builder
+# This first stage of the build uses go-toolset to build the portieris binary creates
+# a simplified operating system image that satisfies vulnerability scanning requirements
+FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi8/go-toolset:1.19.10-16.696540524 as builder
 ARG PORTIERIS_VERSION=undefined
 # switch to root user as we need to run yum and rpm to ensure packages are up to date
diff --git a/Makefile b/Makefile
index 6beb7643..a56b312a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 GOFILES=$(shell find . -type f -name '*.go' -not -path "./code-generator/*" -not -path "./pkg/apis/*")
 GOPACKAGES=$(shell go list ./... | grep -v test/ | grep -v pkg/apis/)
-VERSION=v0.13.7
+VERSION=v0.13.8
 TAG=$(VERSION)
 GOTAGS='containers_image_openpgp'
@@ -17,7 +17,7 @@ deps.jsonl: portieris
 nancy: deps.jsonl
 cat deps.jsonl | nancy --skip-update-check --loud sleuth
-
+
 detect-secrets:
 detect-secrets audit .secrets.baseline
@@ -26,10 +26,10 @@ image: image.amd64
 image.oci-archive:
 docker buildx build -o type=oci,dest=./portieris.tar --platform linux/amd64,linux/s390x --build-arg PORTIERIS_VERSION=$(VERSION) -t portieris:$(TAG) .
-image.amd64:
+image.amd64:
 docker buildx build --load --platform linux/amd64 --build-arg PORTIERIS_VERSION=$(VERSION) -t portieris-amd64-linux:$(TAG) .
-image.s390x:
+image.s390x:
 docker buildx build --load --platform linux/s390x --build-arg PORTIERIS_VERSION=$(VERSION) -t portieris-s390x-linux:$(TAG) .
 test-deps:
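Review bot: The new builder `FROM` line in this hunk still pins the base image by a mutable tag only, so the glibc remediation the changelog claims for this release cannot be verified or reproduced from the Dockerfile alone; the same applies to the corrected tag in the PATCH 2/2 Dockerfile hunk. Pinning the digest alongside the tag, e.g. `FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi8/go-toolset:1.19.10-16.1696540524@sha256:<DIGEST-PLACEHOLDER> as builder`, makes the patched build immutable and lets a reviewer or scanner confirm exactly which image was pulled. The tag `1.19.10-16.696540524` introduced here is superseded by `1.19.10-16.1696540524` in the follow-up commit, which illustrates how hard a long numeric tag is to check by eye compared with a digest. This hunk only touches the builder stage; whether the final image inherits its glibc from this stage or from a later `FROM` outside the hunk is not visible here, so the changelog claim should be checked against the runtime stage as well.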
@@ -62,7 +62,7 @@ helm.package:
 helm.install.local: helm.package
 -kubectl create ns portieris
- -kubectl get secret $(PULLSECRET) -o yaml | sed 's/namespace: default/namespace: portieris/' | kubectl create -f -
+ -kubectl get secret $(PULLSECRET) -o yaml | sed 's/namespace: default/namespace: portieris/' | kubectl create -f -
 helm install -n portieris portieris $$(pwd)/portieris-$(VERSION).tgz --set image.host=$(HUB) --set image.tag=$(TAG) --set image.pullSecret=$(PULLSECRET)
 helm.install: helm.package
diff --git a/helm/portieris/Chart.yaml b/helm/portieris/Chart.yaml
index 89002eaa..18c16074 100644
--- a/helm/portieris/Chart.yaml
+++ b/helm/portieris/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: portieris
-version: v0.13.7
+version: v0.13.8
 description: Admission Controller webhook for enforcing image trust in your cluster
 maintainers:
 - name: Stuart Hayton
diff --git a/helm/portieris/values.yaml b/helm/portieris/values.yaml
index 9e5ba83c..3e6ee620 100644
--- a/helm/portieris/values.yaml
+++ b/helm/portieris/values.yaml
@@ -15,7 +15,7 @@ image:
 host: icr.io/portieris
 pullSecret:
 image: portieris
- tag: v0.13.7
+ tag: v0.13.8
 pullPolicy: Always
 service:

From 8b7193e32e2b8a900d7bb459876bdbdd76e1765d Mon Sep 17 00:00:00 2001
From: jack-baines
Date: Tue, 10 Oct 2023 15:26:15 +0100
Subject: [PATCH 2/2] Correct tag on new base image

Signed-off-by: jack-baines
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index ac2a229a..a5aa37c0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # This first stage of the build uses go-toolset to build the portieris binary creates
 # a simplified operating system image that satisfies vulnerability scanning requirements
-FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi8/go-toolset:1.19.10-16.696540524 as builder
+FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi8/go-toolset:1.19.10-16.1696540524 as builder
 ARG PORTIERIS_VERSION=undefined
 # switch to root user as we need to run yum and rpm to ensure packages are up to date