From 43b6c5eaad63cd9aaae84ed7a1d40f2e483108ac Mon Sep 17 00:00:00 2001
From: Moritz Johner
Date: Fri, 19 Jan 2024 08:04:25 +0100
Subject: [PATCH] fix: hack/api-docs/requirements.txt to reduce vulnerabilities (#3036)
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-JINJA2-6150717
- https://snyk.io/vuln/SNYK-PYTHON-PYYAML-590151
- https://snyk.io/vuln/SNYK-PYTHON-TORNADO-5537286
- https://snyk.io/vuln/SNYK-PYTHON-TORNADO-5840803
- https://snyk.io/vuln/SNYK-PYTHON-TORNADO-6041512
Signed-off-by: Moritz Johner
Co-authored-by: snyk-bot
---
 .github/dependabot.yml | 15 +++++++++++++++
 Dockerfile.standalone | 4 ++--
 e2e/Dockerfile | 3 +--
 hack/api-docs/requirements.txt | 6 +++---
 tilt.debug.dockerfile | 2 +-
 5 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5070afb02..35a14bb61 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -10,3 +10,18 @@ updates:
 directory: "/"
 schedule:
 interval: "weekly"
+
+ - package-ecosystem: docker
+ directory: /e2e
+ schedule:
+ interval: weekly
+
+ - package-ecosystem: docker
+ directory: /hack/api-docs
+ schedule:
+ interval: weekly
+
+ - package-ecosystem: pip
+ directory: /hack/api-docs
+ schedule:
+ interval: weekly
diff --git a/Dockerfile.standalone b/Dockerfile.standalone
index 0d18284b7..5d05246b3 100644
--- a/Dockerfile.standalone
+++ b/Dockerfile.standalone
@@ -1,6 +1,6 @@
 # This version of Dockerfile is for building without external dependencies.
 # Build a multi-platform image e.g. `docker buildx build --push --platform linux/arm64,linux/amd64 --tag external-secrets:dev --file Dockerfile.standalone .`
-FROM golang:1.21.6-alpine AS builder
+FROM golang:1.21.6-alpine@sha256:fd78f2fb1e49bcf343079bbbb851c936a18fc694df993cbddaa24ace0cc724c5 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 ENV CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH}
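Review bot: The three new `updates` entries use bare scalars (`docker`, `/e2e`, `weekly`) while the existing entry just above them quotes its values (`directory: "/"`, `interval: "weekly"`); both parse identically, but the file should settle on one style, e.g. `directory: "/e2e"` and `interval: "weekly"` for the new blocks. The `pip` entry for `/hack/api-docs` is the part that will surface the next Jinja2/PyYAML/tornado bump on its own rather than waiting for a scanner-generated PR, which deserves a one-line comment above it such as `# mkdocs toolchain pins for the API docs build`. The indentation of the added lines is not recoverable from this listing, so confirm the new list items sit at the same nesting level as the existing one before merging.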
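Review bot: The digest on the new `FROM golang:1.21.6-alpine@sha256:fd78…` line has to be the digest of the multi-arch manifest list rather than of a single-platform manifest, otherwise the `--platform linux/arm64,linux/amd64` build described in the comment two lines above fails for whichever platform the pinned manifest does not cover; this is worth checking with `docker buildx imagetools inspect` before merging, and the same question applies to the distroless digest in this file's second hunk and the bookworm digest in e2e/Dockerfile. Keeping the tag next to the digest, as this line does, is the right shape since the digest is what is enforced and the tag documents intent; a short comment above the line, e.g. `# Pinned by tag and digest; bump both together`, would tell the next maintainer not to move one without the other.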
@@ -12,7 +12,7 @@ COPY . /app/
 RUN go build -o external-secrets main.go
-FROM gcr.io/distroless/static AS app
+FROM gcr.io/distroless/static@sha256:9be3fcc6abeaf985b5ecce59451acbcbb15e7be39472320c538d0d55a0834edc AS app
 COPY --from=builder /app/external-secrets /bin/external-secrets
 # Run as UID for nobody
diff --git a/e2e/Dockerfile b/e2e/Dockerfile
index f245520ba..7b1ef10e2 100644
--- a/e2e/Dockerfile
+++ b/e2e/Dockerfile
@@ -1,5 +1,4 @@
-ARG GO_VERSION=1.21
-FROM golang:$GO_VERSION-bookworm as builder
+FROM golang:1.21.6-bookworm@sha256:04cf306d01a03309934b49ac4b9f487abb8a054b71141fa53df6df482ab7d7eb as builder
 ENV KUBECTL_VERSION="v1.28.3"
 ENV HELM_VERSION="v3.13.1"
diff --git a/hack/api-docs/requirements.txt b/hack/api-docs/requirements.txt
index c8f6eeba7..85c22b842 100644
--- a/hack/api-docs/requirements.txt
+++ b/hack/api-docs/requirements.txt
@@ -9,7 +9,7 @@ htmlmin==0.1.12
 idna==3.6
 importlib-metadata==7.0.1
 importlib-resources==6.1.1
-Jinja2==3.1.2
+Jinja2==3.1.3
 jsmin==3.0.1
 livereload==2.6.3
 Markdown==3.5.2
@@ -29,13 +29,13 @@ platformdirs==4.1.0
 Pygments==2.17.2
 pymdown-extensions==10.7
 python-dateutil==2.8.2
-PyYAML==5.3.1
+PyYAML==6.0.1
 pyyaml_env_tag==0.1
 regex==2023.12.25
 requests==2.31.0
 six==1.16.0
 termcolor==2.4.0
-tornado==6.1
+tornado==6.3.3
 urllib3==2.1.0
 verspec==0.1.0
 watchdog==3.0.0
diff --git a/tilt.debug.dockerfile b/tilt.debug.dockerfile
index 758c1a384..1c6293586 100644
--- a/tilt.debug.dockerfile
+++ b/tilt.debug.dockerfile
@@ -2,7 +2,7 @@ FROM golang:1.21.6@sha256:6fbd2d3398db924f8d708cf6e94bd3a436bb468195daa6a96e8050
 WORKDIR /
 COPY ./bin/external-secrets /external-secrets
-RUN go install github.com/go-delve/delve/cmd/dlv@latest
+RUN go install github.com/go-delve/delve/cmd/dlv@v1.22.0
 RUN chmod +x /go/bin/dlv
 RUN mv /go/bin/dlv /
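Review bot: The new `FROM gcr.io/distroless/static@sha256:9be3…` line drops the tag entirely, so a reader can no longer tell which distroless line the digest was taken from (`latest`, `nonroot` or `debug`), and update tooling generally needs a tag to know what to track; the builder stage in this same file keeps tag and digest together, and the runtime stage should match: `FROM gcr.io/distroless/static:latest@sha256:9be3fcc6abeaf985b5ecce59451acbcbb15e7be39472320c538d0d55a0834edc AS app`. If the digest was in fact taken from the `nonroot` tag, use that instead; the `# Run as UID for nobody` comment on the last context line suggests the image already switches user below this hunk, so either tag is consistent with the existing setup.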
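Review bot: The new `FROM golang:1.21.6-bookworm@sha256:04cf… as builder` line keeps the lowercase `as`, which BuildKit's `FromAsCasing` check warns about and which differs from the `AS builder` spelling used in Dockerfile.standalone in this same commit; suggest `FROM golang:1.21.6-bookworm@sha256:04cf306d01a03309934b49ac4b9f487abb8a054b71141fa53df6df482ab7d7eb AS builder`. Removing `ARG GO_VERSION` also removes the only build-time override for the toolchain, so any script that passes `--build-arg GO_VERSION=…` for the e2e image would now be silently ignored; such a caller, if one exists, is outside this diff and should be checked. With the version now inline, a comment such as `# Keep in sync with the Go version pinned in Dockerfile.standalone` would help, since the two files now pin 1.21.6 independently of each other.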