From dde274144dc68e1fbf0b2836137a33d61e989afb Mon Sep 17 00:00:00 2001
From: David Dority <57111997+misterdorito@users.noreply.github.com>
Date: Tue, 15 Oct 2024 14:26:14 -0400
Subject: [PATCH] Upgrade upload action. (#22)
* Upgrade upload action.
* debug test failure
* debug test failure
* Upgrade upload sarif action to v3 and more debug.
* debug test failure
* More debug.
* More debug.
* More debug.
* More debug.
* Fix kubectl download location, remove debug.
* Updated grype ignore list and bumped alpine version.
---
.github/workflows/docker-build.yml | 4 ++--
.grype.yaml | 20 ++++++++------------
Dockerfile | 8 +++++---
3 files changed, 15 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index fd75783..ff920fc 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -60,7 +60,7 @@ jobs: - name: Publish Scan Results as Artifact if: always() - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v4 with: name: docker-scan-results path: ${{ steps.scan.outputs.sarif }}
@@ -71,7 +71,7 @@ jobs: cat ${{ steps.scan.outputs.sarif }} - name: Upload Anchore Scan SARIF Report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/.grype.yaml b/.grype.yaml
index 7d45c82..00836b8 100644
--- a/.grype.yaml
+++ b/.grype.yaml
@@ -1,20 +1,16 @@ ignore: # For grype configuration, see https://github.com/anchore/grype#specifying-matches-to-ignore - - # The kubectl leverages a single function the github.com/docker/distribution v2.8.1 go - # package. It uses this function to validate that it was passed a syntactically - # correct image name. There is no way to exploit this vulnerability from kubectl. - # For more information, see: - # https://github.com/distribution/distribution/security/advisories/GHSA-hqxw-f8mx-cpmw - - vulnerability: GHSA-hqxw-f8mx-cpmw - fix-state: "fixed" + # https://nvd.nist.gov/vuln/detail/CVE-2024-34156 + # Expecting upstream fix in next patch build of kubectl executable + - vulnerability: CVE-2024-34156 package: location: /usr/local/bin/kubectl - # https://nvd.nist.gov/vuln/detail/CVE-2023-4807 - # There is not currently a fix available -- have implemented the suggested - # workaround. - - vulnerability: CVE-2023-4807 + # https://nvd.nist.gov/vuln/detail/CVE-2024-34158 + # Expecting upstream fix in next patch build of kubectl executable + - vulnerability: CVE-2024-34158 + package: + location: /usr/local/bin/kubectl
diff --git a/Dockerfile b/Dockerfile
index 4641541..1e7f30c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,13 +1,15 @@ -FROM alpine:3.18 AS builder +FROM alpine:3.20 AS builder ARG TARGETARCH RUN apk add --update --no-cache ca-certificates curl jq \ && KUBECTL_LATEST_STABLE_VERSION=$(curl -L https://dl.k8s.io/release/stable.txt) \ - && curl -L https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_LATEST_STABLE_VERSION}/bin/linux/$TARGETARCH/kubectl -o /usr/local/bin/kubectl \ + && echo "kubectl version: ${KUBECTL_LATEST_STABLE_VERSION}" \ + && curl -L "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/$TARGETARCH/kubectl" -o /usr/local/bin/kubectl \ + && ls -al /usr/local/bin/kubectl \ + && chmod +x /usr/local/bin/kubectl -FROM alpine:3.18 +FROM alpine:3.20 ARG VCS_REF ARG BUILD_DATE
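Review bot: The two new ignore entries for CVE-2024-34156 and CVE-2024-34158 are open-ended: unlike the removed GHSA entry they carry no `fix-state`, and no `package: version`, so the suppression outlives the kubectl build that was actually assessed even though both comments say a fix is expected in the next patch build. Because the builder stage in this same commit downloads whatever stable.txt names at build time, a later kubectl that still carries either CVE would be silently ignored, and the entries will linger after the fix lands with nothing prompting their removal. Scoping each rule to the version that was reviewed — add `version: <assessed kubectl version>` under `package:` beside the existing `location: /usr/local/bin/kubectl` — makes grype report the CVE again as soon as a different kubectl is baked in, which is exactly the signal the comment is waiting for; noting that version and the review date in the comment would help whoever reopens this file. The removed CVE-2023-4807 entry said a workaround had been implemented; whether that workaround is still in place or still needed after the alpine bump is not visible in this commit and is worth confirming.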
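Review bot: The kubectl binary written by the new `curl -L "https://dl.k8s.io/release/$(…)/bin/linux/$TARGETARCH/kubectl" -o /usr/local/bin/kubectl` line is never integrity-checked, and because `-L` is used without `--fail` an HTTP error body would be saved as the binary and the build would carry on to `chmod +x` as if it had succeeded. The same line re-fetches stable.txt inline instead of reusing `KUBECTL_LATEST_STABLE_VERSION` set two lines earlier, so the version echoed for the log and the version actually downloaded can differ if a release is cut between the two requests. Kubernetes publishes a `kubectl.sha256` next to each release binary; fetching it for the same resolved version and checking it with `sha256sum -c` before the `chmod` fails the build on a corrupt or truncated download and lets the `ls -al` debug line (which the commit message says was removed) go. Building from "latest stable" also makes the image non-reproducible and is what forced the open-ended grype ignores in this commit; passing the version as an `ARG` defaulting to the current stable would let both be pinned. The runtime stage continues past the end of the hunk.
```dockerfile
ARG TARGETARCH
RUN apk add --update --no-cache ca-certificates curl jq \
 && KUBECTL_LATEST_STABLE_VERSION=$(curl -fsSL https://dl.k8s.io/release/stable.txt) \
 && echo "kubectl version: ${KUBECTL_LATEST_STABLE_VERSION}" \
 && curl -fsSL "https://dl.k8s.io/release/${KUBECTL_LATEST_STABLE_VERSION}/bin/linux/${TARGETARCH}/kubectl" -o /usr/local/bin/kubectl \
 && curl -fsSL "https://dl.k8s.io/release/${KUBECTL_LATEST_STABLE_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256" -o /tmp/kubectl.sha256 \
 && echo "$(cat /tmp/kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c - \
 && rm -f /tmp/kubectl.sha256 \
 && chmod +x /usr/local/bin/kubectl
```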