fix: CVE-2021-3997 in image build

fix tess
kubernetes-csi · Jan 14, 2022 · 98191a7 · 98191a7
1 parent 79a34dc
commit 98191a7
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 5 deletions.
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -21,8 +21,7 @@ jobs:
           export REGISTRY=test
           export IMAGE_VERSION=latest
           export DOCKER_CLI_EXPERIMENTAL=enabled
-          make
-          make container-build
+          make container
       
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master

diff --git a/Dockerfile b/Dockerfile
@@ -12,7 +12,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM ubuntu
+FROM k8s.gcr.io/build-image/debian-base:bullseye-v1.0.0
+
+RUN apt update && apt-mark unhold libcap2
+RUN clean-install ca-certificates mount
+# install updated packages to fix CVE issues
+RUN clean-install libssl1.1 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0 libgmp10
 
 # Copy iscsiplugin.sh
 COPY iscsiplugin.sh /iscsiplugin.sh

diff --git a/Makefile b/Makefile
@@ -29,8 +29,9 @@ OUTPUT_TYPE ?= docker
 ARCH ?= amd64
 IMAGE_TAG = $(REGISTRY)/$(IMAGENAME):$(IMAGE_VERSION)
 
-.PHONY: container-build
-container-build:
+.PHONY: container
+container:
+	make
 	docker buildx build --pull --output=type=$(OUTPUT_TYPE) --platform="linux/$(ARCH)" \
 		-t $(IMAGE_TAG) --build-arg ARCH=$(ARCH) .