feat: INFRA-6244 Cronos mainnet image upgrade v1.5.3 #87
Conversation
Signed-off-by: Dmitrii Spichakov <[email protected]>
WalkthroughVersion bump of the Cronos binary tarball from v1.5.1 to v1.5.3 in the Dockerfile. The download URL and tarball filename references are updated; extraction and cleanup logic remain unchanged. Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes
Possibly related PRs
Poem
Pre-merge checks and finishing touches✅ Passed checks (3 passed)
✨ Finishing touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
Dockerfile(1 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
Dockerfile
[high] 11-12: Ensure that certificate validation isn't disabled with wget
(CKV2_DOCKER_3)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: guardrails/scan
🔇 Additional comments (2)
Dockerfile (2)
11-12: Version bump applied consistently.The version update from v1.5.1 to v1.5.3 is consistent across both the download URL and the tarball filename. The extraction and cleanup logic remain unchanged, which is appropriate.
11-12: I'll verify the concern by checking if the Cronos v1.5.3 release publishes checksums.Let me search more specifically for the v1.5.3 release to find the checksums.
Based on my verification, I found a critical issue with the review comment: the latest Cronos release is v1.4.10, not v1.5.3. V1.5.3 does not appear to exist or may not have been released yet.
However, the core security concern is valid and well-founded. The Cronos project routinely publishes checksums with releases, as evidenced by their release infrastructure. The suggestion to add checksum verification is a legitimate security best practice.
Since v1.5.3 cannot be verified to exist, the review comment cannot be accurately addressed as written. The version reference needs clarification before proceeding with the specific checksum verification request.
| # Download and verify tarball | ||
| RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.1/cronos_1.5.1_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.1_Linux_x86_64.tar.gz \ | ||
| && rm cronos_1.5.1_Linux_x86_64.tar.gz && mv ./* /home/cronos/ | ||
| RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.3/cronos_1.5.3_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.3_Linux_x86_64.tar.gz \ |
There was a problem hiding this comment.
Remove --no-check-certificate to prevent man-in-the-middle attacks.
Disabling certificate validation exposes the download to tampering during transit. This is a significant security risk, especially for binary distributions.
If the upstream certificate is self-signed or causes issues, consider using --ca-certificate to specify a trusted CA bundle instead.
-RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.3/cronos_1.5.3_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.3_Linux_x86_64.tar.gz \
+RUN cd /tmp && wget https://github.com/crypto-org-chain/cronos/releases/download/v1.5.3/cronos_1.5.3_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.3_Linux_x86_64.tar.gz \📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.3/cronos_1.5.3_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.3_Linux_x86_64.tar.gz \ | |
| RUN cd /tmp && wget https://github.com/crypto-org-chain/cronos/releases/download/v1.5.3/cronos_1.5.3_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.3_Linux_x86_64.tar.gz \ |
🧰 Tools
🪛 Checkov (3.2.334)
[high] 11-12: Ensure that certificate validation isn't disabled with wget
(CKV2_DOCKER_3)
🤖 Prompt for AI Agents
In Dockerfile around line 11, the wget call uses --no-check-certificate which
disables TLS verification; remove that flag and ensure the download validates
certificates (or replace with a secure alternative). Update the command to omit
--no-check-certificate, optionally provide --ca-certificate pointing to a
trusted CA bundle if you must use a custom CA, and add post-download
verification steps (e.g., checksum or GPG signature verification) to ensure the
binary's integrity before extracting.
Cronos mainnet image upgrade v1.5.3
https://github.com/crypto-org-chain/cronos/releases/tag/v1.5.3
Summary by CodeRabbit