Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport of security: update alpine base image to 3.20 into release/1.20.x #10

Open
2 of 4 tasks
dhiaayachi opened this issue Sep 24, 2024 · 3 comments
Open
2 of 4 tasks

Backport of security: update alpine base image to 3.20 into release/1.20.x #10

dhiaayachi opened this issue Sep 24, 2024 · 3 comments

Comments

@dhiaayachi
Copy link
Owner

Backport

This PR is auto-generated from hashicorp#21729 to be assessed for backporting due to the inclusion of the label backport/1.20.

🚨

Warning automatic cherry-pick of commits failed. If the first commit failed,
you will see a blank no-op commit below. If at least one commit succeeded, you
will see the cherry-picked commits up to, not including, the commit where
the merge conflict occurred.

The person who merged in the original PR is:
@zalimeni
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/consul/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.

Description

Fixes several CVEs by upgrading dependencies via base image upgrade.

Also drops all current triage exceptions for Docker containers, since this update knocks out the only active ones, and several more are already resolved.

Testing & Reproduction steps

Tested locally from one-off Docker CI build:

❯ scan container ./consul_default_linux_arm64_1.19.3-dev_c5ca319b156ce0bbb67d79eaa1bbc80113ae3557.docker.tar
✓ Scanned file:{path:"/Users/michael.zalimeni/workspace/security-scanner/consul_default_linux_arm64_1.19.3-dev_c5ca319b156ce0bbb67d79eaa1bbc80113ae3557.docker.tar"} in 59.8s - no results found

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern
Overview of commits
@dhiaayachi
Copy link
Owner Author

Thanks for reporting this issue. The backport/1.20 label has been added, so it's being considered for backporting. It looks like a merge conflict occurred during the automatic cherry-pick. The person who merged the original PR will need to manually cherry-pick the commits and create a new backport PR.

The original PR's description mentions the following:

  • It upgrades dependencies via the base image upgrade, addressing several CVEs.
  • It drops all triage exceptions for Docker containers.
  • Tests were conducted locally using a one-off Docker CI build.

Please let us know if you have any further questions.

@dhiaayachi
Copy link
Owner Author

Thanks for reporting this. We've had reports of this issue. Please see this documentation for workarounds and a possible solution.

@dhiaayachi
Copy link
Owner Author

found 10 issues that are related to this issue:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@dhiaayachi