Comments (7)
Just a couple. Looks like I've added trivy to the pact-foundation one but not the dius one yet.
from pact_broker-docker.
That seems to have done the trick https://github.com/DiUS/pact_broker-docker/runs/1899455773?check_suite_focus=true#step:3:851
I was going to raise an issue for that - but if you're happy I'll just add it straight in.
So, I'm not sure how to get rid of the vulnerabilities. They're all OS level vulnerabilities, not Ruby gem ones. We're on the latest version of passenger phusion for Ruby 2.7, and we're already doing:
# Update OS as per https://github.com/phusion/passenger-docker#upgrading-the-operating-system-inside-the-container
RUN apt-get update && \
    apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
    apt-get -qy autoremove && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
See: https://github.com/DiUS/pact_broker-docker/runs/1883720574?check_suite_focus=true#step:4:159
What else can we do to force an upgrade of EVERYTHING? Any thoughts @k-ong?
You managed to at least remove all of the HIGH vulnerabilities and over 100 MEDIUM - so we're on track, but Phusion does at least agree there are problems with the base image:
(via: http://phusion.github.io/baseimage-docker/)
Jokes aside, according to the trivy scan at least, there are no fixes for the remaining vulnerabilities. So, not sure how to move forward.
We could update the trivy scan to not fail the build unless there are high vulnerabilities and make a note to keep an eye on the remaining MEDIUMs? It's also possible that some of those dependencies aren't needed, but that could involve a lot of trial/error to find out.
I've updated it to `trivy filesystem --severity HIGH,CRITICAL --ignore-unfixed` for now so we can actually get a release out.
Nice one, thanks Beth. Let's leave this open so if somebody comes along they can see it. It will no doubt fail when there is a fix for them, so we can close it off then.
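The policy the thread settles on (fail the build only on HIGH/CRITICAL findings that actually have a fix, and track the unfixable MEDIUMs separately rather than let them block a release) is what `--severity HIGH,CRITICAL --ignore-unfixed` encodes in Trivy itself. The script below is an added example, not code from the pact_broker-docker repository or from Trivy: it applies the same triage to a Trivy JSON report so the "watch" list can be kept as a release artefact. It assumes the `trivy --format json` layout of a top-level `Results` list whose entries carry a `Vulnerabilities` list with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity` fields; the embedded report is constructed for the example and its vulnerability IDs are placeholders, not real CVEs.

```python
"""Triage a Trivy JSON report the way the thread's final policy does:
fail only on HIGH/CRITICAL findings that have a fix available, and list
the unfixed ones separately so they are tracked rather than block a
release. Added example; not from pact_broker-docker or Trivy."""
import json
from collections import Counter

# Constructed sample in the shape of `trivy ... --format json` output
# (top-level "Results", each with a "Vulnerabilities" list). The IDs are
# placeholders, not real CVE numbers.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "example-image (debian 10)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libbaz",
                 "InstalledVersion": "0.9", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "libqux",
                 "InstalledVersion": "5.1", "FixedVersion": "5.2", "Severity": "MEDIUM"},
            ],
        }
    ]
})

# Severities that should stop a release when a fix exists (mirrors --severity HIGH,CRITICAL).
FAIL_SEVERITIES = {"HIGH", "CRITICAL"}


def load_findings(report_json):
    """Flatten the per-target results into one list of finding dicts."""
    data = json.loads(report_json)
    findings = []
    for result in data.get("Results", []):
        # Trivy omits "Vulnerabilities" (or sets it to null) for clean targets.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),  # empty or missing: no fix yet
                "severity": vuln.get("Severity", "UNKNOWN"),
                "target": result.get("Target", ""),
            })
    return findings


def triage(findings, fail_severities=FAIL_SEVERITIES):
    """Split findings into blocking (fixable and in fail_severities),
    watch (no fix available, any severity; what --ignore-unfixed drops),
    and other (fixable but below the failing severities)."""
    blocking, watch, other = [], [], []
    for f in findings:
        if not f["fixed"]:
            watch.append(f)
        elif f["severity"] in fail_severities:
            blocking.append(f)
        else:
            other.append(f)
    return blocking, watch, other


def summarize(findings):
    """Counts per severity, the kind of number quoted in the thread."""
    return dict(Counter(f["severity"] for f in findings))


def gate(report_json):
    """Return (exit_code, report_text); exit code 1 means 'do not release'."""
    findings = load_findings(report_json)
    blocking, watch, other = triage(findings)
    lines = [f"severity counts: {summarize(findings)}"]
    for f in blocking:
        lines.append(f"BLOCKING {f['severity']} {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']}")
    for f in watch:
        lines.append(f"WATCH    {f['severity']} {f['id']} {f['pkg']} {f['installed']} (no fix available)")
    for f in other:
        lines.append(f"INFO     {f['severity']} {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']}")
    return (1 if blocking else 0), "\n".join(lines)


if __name__ == "__main__":
    code, text = gate(SAMPLE_REPORT)
    print(text)
    raise SystemExit(code)
```

Run against a real report (`trivy image --format json -o report.json <image>`, then `gate(open("report.json").read())`), the WATCH section is the list to re-check on each rebuild: once the distribution ships a fix, the finding gains a `FixedVersion`, moves into BLOCKING, and the build fails exactly as the last comment predicts.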