Conversation

@kiblik kiblik commented Feb 10, 2025

Neither Renovate nor Dependabot is able to identify the increased "os" part of docker tags. From time to time it needs a little help.

@kiblik kiblik force-pushed the docker_pins branch 2 times, most recently from 72e24e2 to bc2ed3c, February 10, 2025 15:42
This pull request has conflicts, please resolve those before we can evaluate the pull request.

Conflicts have been resolved. A maintainer will review the pull request shortly.

@kiblik kiblik force-pushed the docker_pins branch 2 times, most recently from a96e63a to 279fd66, February 10, 2025 21:36
FROM node:23.7.0-alpine3.21@sha256:70eca392e3d52cb7d133b52d52e8600d8c410a5eaee6105c11324b28868f9ac9 AS node

FROM python:3.11.9-alpine3.20@sha256:f9ce6fe33d9a5499e35c976df16d24ae80f6ef0a28be5433140236c2ca482686 AS base
FROM python:3.11.11-alpine3.20@sha256:6e18772230b36e78251ed179a2a2a2b3cc94726f02e1fddccdcfbe05b17bdc96 AS base
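Review bot: The node stage moves to alpine3.21 while the python base stage stays on alpine3.20, and nothing in the Dockerfile records why the two differ; add a short comment above the python FROM line noting that alpine3.21 is held back because of the sqlite3session_* "symbol not found" relocation errors reported in this thread, so that the next Renovate/Dependabot bump does not silently reintroduce them, e.g. `# alpine3.21 held back: node fails with "sqlite3session_*: symbol not found" (see PR discussion)`.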
kiblik (Contributor, Author) commented:

Originally I wanted to go up to alpine3.21 but it is failing with

 > [nginx collectstatic 2/8] RUN npm install -g yarn --force:
0.280 Error relocating /usr/bin/node: sqlite3session_attach: symbol not found
0.280 Error relocating /usr/bin/node: sqlite3changeset_apply: symbol not found
0.280 Error relocating /usr/bin/node: sqlite3session_create: symbol not found
0.280 Error relocating /usr/bin/node: sqlite3session_changeset: symbol not found
0.281 Error relocating /usr/bin/node: sqlite3session_patchset: symbol not found
0.281 Error relocating /usr/bin/node: sqlite3session_delete: symbol not found

It probably needs some additional customization. I will solve it in a separate PR.

Member commented:

During my arm64 testing I also noticed some issues on python 3.12.x / alpine 3.21. And on arm64 I also see issues with sqlite.

@kiblik kiblik marked this pull request as ready for review February 10, 2025 21:39
dryrunsecurity bot commented Feb 10, 2025

DryRun Security Summary

Docker base images are being updated to newer versions across multiple services while several security issues were identified, including hardcoded empty passwords, insecure placeholder keys, and default credentials in environment variables.

The pull request updates base Docker images for multiple services, including Python, Nginx, Postgres, and Redis, with version bumps to 3.11.11, 1.27.4, 17.3, and 7.4.2 respectively, primarily targeting Alpine Linux 3.21.

Security findings:

  1. Dockerfile.integration-tests-debian: Hardcoded empty admin password (DD_ADMIN_PASSWORD='') is a significant security risk
  2. Dockerfile.nginx-alpine and Dockerfile.nginx-debian: Placeholder secret key (DD_SECRET_KEY='.') is not a secure practice
  3. docker-compose.yml: Default credentials in environment variables (POSTGRES_PASSWORD: ${DD_DATABASE_PASSWORD:-defectdojo}) pose a potential security risk if not overridden in production

Code Analysis

We ran 9 analyzers against 6 files and 0 analyzers had findings. 9 analyzers had no findings.

@valentijnscholten (Member) commented:

Apart from my comment it looks good, nice to see index digests are used.

@mtesauro mtesauro (Contributor) left a comment:
Approved

@mtesauro mtesauro merged commit 2c85f33 into DefectDojo:dev Feb 24, 2025
73 checks passed
@kiblik kiblik deleted the docker_pins branch February 25, 2025 00:26