Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump trivy to resolve CVEs #225

Open
wants to merge 1 commit into
base: development
Choose a base branch
from
Open

Bump trivy to resolve CVEs #225

wants to merge 1 commit into from

Conversation

sfowl
Copy link
Collaborator

@sfowl sfowl commented Oct 9, 2024

This bumps the version of trivy from 0.49.1 to 0.54.1, to resolve critical CVE detections found on quay.io:

image

This change also replaces the install method with the one documented here:

https://aquasecurity.github.io/trivy/v0.56/getting-started/installation/#rhelcentos-official

Why version 0.54.1?

Version 0.54.0 is the first version after 0.49.1 to include both of the critical CVE fixes. 0.54.1 includes a few additional patches. Based on changelog it looks like there can be breaking in changes in minor releases (y-stream), so I have tried to be conservative and minimise the number of versions we jump ahead.

This change will likely need some manul testing before it lands in a stable release.

COPY --from=deps /tmp/redocly/node_modules /opt/redocly/node_modules

RUN rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.54.1/trivy_0.54.1_Linux-64bit.rpm
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The two stage build is used to reduce the image size. Can this be improved to reduce size too?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants