Upgrade upload action. (#22)

* Upgrade upload action. * debug test failure * debug test failure * Upgrade upload sarif action to v3 and more debug. * debug test failure * More debug. * More debug. * More debug. * More debug. * Fix kubectl download location, remove debug. * Updated grype ignore list and bumped alpine version.
pegasystems · Oct 15, 2024 · dde2741 · dde2741
1 parent 0525b58
commit dde2741
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 17 deletions.
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -60,7 +60,7 @@ jobs:
 
       - name: Publish Scan Results as Artifact
         if: always()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
           name: docker-scan-results
           path: ${{ steps.scan.outputs.sarif }}
@@ -71,7 +71,7 @@ jobs:
           cat ${{ steps.scan.outputs.sarif }}
 
       - name: Upload Anchore Scan SARIF Report
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
 

diff --git a/.grype.yaml b/.grype.yaml
@@ -1,20 +1,16 @@
 ignore:
   # For grype configuration, see https://github.com/anchore/grype#specifying-matches-to-ignore
 
-
-  # The kubectl leverages a single function the github.com/docker/distribution v2.8.1 go
-  # package.  It uses this function to validate that it was passed a syntactically
-  # correct image name.  There is no way to exploit this vulnerability from kubectl.
-  # For more information, see: 
-  #   https://github.com/distribution/distribution/security/advisories/GHSA-hqxw-f8mx-cpmw
-  - vulnerability: GHSA-hqxw-f8mx-cpmw
-    fix-state: "fixed"
+  # https://nvd.nist.gov/vuln/detail/CVE-2024-34156
+  # Expecting upstream fix in next patch build of kubectl executable
+  - vulnerability: CVE-2024-34156
     package:
       location: /usr/local/bin/kubectl
 
-  # https://nvd.nist.gov/vuln/detail/CVE-2023-4807
-  # There is not currently a fix available -- have implemented the suggested
-  # workaround.
-  - vulnerability: CVE-2023-4807
+  # https://nvd.nist.gov/vuln/detail/CVE-2024-34158
+  # Expecting upstream fix in next patch build of kubectl executable
+  - vulnerability: CVE-2024-34158
+    package:
+      location: /usr/local/bin/kubectl
 
 
diff --git a/Dockerfile b/Dockerfile
@@ -1,13 +1,15 @@
-FROM alpine:3.18 AS builder
+FROM alpine:3.20 AS builder
 
 ARG TARGETARCH
 
 RUN apk add --update --no-cache ca-certificates curl jq \
     && KUBECTL_LATEST_STABLE_VERSION=$(curl -L https://dl.k8s.io/release/stable.txt) \
-    && curl -L https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_LATEST_STABLE_VERSION}/bin/linux/$TARGETARCH/kubectl -o /usr/local/bin/kubectl \
+    && echo "kubectl version: ${KUBECTL_LATEST_STABLE_VERSION}" \
+    && curl -L "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/$TARGETARCH/kubectl" -o /usr/local/bin/kubectl \
+    && ls -al /usr/local/bin/kubectl \
     && chmod +x /usr/local/bin/kubectl
 
-FROM alpine:3.18
+FROM alpine:3.20
 ARG VCS_REF
 ARG BUILD_DATE