SYS-598 improve security of several images using trivy

instantlinux · Jul 27, 2023 · 8c05a01 · 8c05a01
1 parent f797f05
commit 8c05a01
Show file tree

Hide file tree

Showing 11 changed files with 16 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -17,7 +17,8 @@ easy. Contents:
 | ssl | PKI certificate tools (deprecated by k8s) |
 | stacks | container resources in docker-compose format |
 
-Find images at [docker hub/instantlinux](https://hub.docker.com/r/instantlinux/).
+Find images at [docker hub/instantlinux](https://hub.docker.com/r/instantlinux/). Each image is scanned for published CVE vulnerabilities by (trivy)[https://trivy.dev/] before promotion to Docker Hub.
+
 Find a lot more details about the Kubernetes bare-metal installer in [k8s/README](k8s/README.md).
 
 ### Kubernetes capabilities

diff --git a/images/blacklist/Dockerfile b/images/blacklist/Dockerfile
@@ -20,7 +20,7 @@ ENV DEBIAN_FRONTEND=noninteractive \
 ARG RBLDNSD_VERSION=1.0~20210120-2
 
 COPY src/ /root/
-RUN apt-get -yq update && \
+RUN apt-get -yq update && apt-get -y upgrade && \
     apt-get -yq --no-install-recommends install \
       cron curl rbldnsd=$RBLDNSD_VERSION perl libdbd-mysql-perl \
       mariadb-client && \

diff --git a/images/haproxy-keepalived/Dockerfile b/images/haproxy-keepalived/Dockerfile
@@ -8,7 +8,7 @@ LABEL org.label-schema.build-date=$BUILD_DATE \
     org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url=https://github.com/instantlinux/docker-tools
 
-ARG KEEPALIVED_VERSION=2.2.7-r2
+ARG KEEPALIVED_VERSION=2.2.8-r0
 ENV KEEPALIVE_CONFIG_ID=main \
     PORT_HAPROXY_STATS=8080 \
     STATS_ENABLE=yes \

diff --git a/images/haproxy-keepalived/helm/Chart.yaml b/images/haproxy-keepalived/helm/Chart.yaml
@@ -7,8 +7,8 @@ sources:
 - https://github.com/haproxy/haproxy
 - https://github.com/acassen/keepalived
 type: application
-version: 0.1.10
-appVersion: "2.8.1-alpine-2.2.7-r2"
+version: 0.1.11
+appVersion: "2.8.1-alpine-2.2.8-r0"
 dependencies:
 - name: chartlib
   version: 0.1.8

diff --git a/images/mythtv-backend/Dockerfile b/images/mythtv-backend/Dockerfile
@@ -29,7 +29,8 @@ ARG PPA_BRANCH=32
 ARG MYTHLINK_SHA=459cb8b60adae4b631a95a9cfb1b41dcb959cc4a0b9053582a711d58b8d8a0d2
 
 RUN \
-  apt-get -yq update && apt-get install -yq gnupg locales wget && \
+  apt-get -yq update && apt-get -y upgrade && \
+  apt-get install -yq gnupg locales wget && \
   apt-key adv --recv-keys --keyserver keyserver.ubuntu.com $APT_KEY && \
   echo "deb $MYTHTV_PPA/ubuntu jammy main" \
     > /etc/apt/sources.list.d/mythbuntu.list && \

diff --git a/images/nagios/Dockerfile b/images/nagios/Dockerfile
@@ -11,7 +11,7 @@ LABEL org.label-schema.build-date=$BUILD_DATE \
 ARG NAGIOS_VERSION=4.4.13-r0
 ARG NAGIOS_GID=1000
 ARG NAGIOS_UID=999
-ARG PLUGINS_VERSION=2.4.5-r0
+ARG PLUGINS_VERSION=2.4.5-r2
 ARG WWW_UID=33
 ENV AUTHORIZED_USERS=nagiosadmin \
     CONFIG_CHECK=yes \

diff --git a/images/openldap/Dockerfile b/images/openldap/Dockerfile
@@ -8,7 +8,7 @@ LABEL org.label-schema.build-date=$BUILD_DATE \
     org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url=https://github.com/instantlinux/docker-tools
 
-ARG OPENLDAP_VERSION=2.6.4-r3
+ARG OPENLDAP_VERSION=2.6.5-r0
 ENV SLAPD_DN_ATTR=uid \
     SLAPD_FQDN=example.com \
     SLAPD_LOG_LEVEL=Config,Stats \

diff --git a/images/openldap/helm/Chart.yaml b/images/openldap/helm/Chart.yaml
@@ -6,8 +6,8 @@ sources:
 - https://github.com/instantlinux/docker-tools
 - https://git.openldap.org/openldap/openldap
 type: application
-version: 0.1.3
-appVersion: "2.6.4-r3"
+version: 0.1.4
+appVersion: "2.6.5-r0"
 dependencies:
 - name: chartlib
   version: 0.1.8

diff --git a/images/rsyslogd/Dockerfile b/images/rsyslogd/Dockerfile
@@ -8,7 +8,7 @@ LABEL org.label-schema.build-date=$BUILD_DATE \
     org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url=https://github.com/instantlinux/docker-tools
 
-ARG RSYSLOG_VERSION=8.2306.0-r0
+ARG RSYSLOG_VERSION=8.2306.0-r2
 ENV TZ=UTC
 RUN apk add --update gzip logrotate rsyslog=$RSYSLOG_VERSION \
       rsyslog-mysql=$RSYSLOG_VERSION tar xz && \

diff --git a/images/rsyslogd/helm/Chart.yaml b/images/rsyslogd/helm/Chart.yaml
@@ -6,8 +6,8 @@ sources:
 - https://github.com/instantlinux/docker-tools
 - https://github.com/rsyslog/rsyslog
 type: application
-version: 0.1.8
-appVersion: "8.2306.0-r0"
+version: 0.1.9
+appVersion: "8.2306.0-r2"
 dependencies:
 - name: chartlib
   version: 0.1.8

diff --git a/images/spamassassin/Dockerfile b/images/spamassassin/Dockerfile
@@ -20,7 +20,7 @@ ARG SPAMD_VERSION=4.0.0-6
 ARG DCC_SHA=3fc932325b36a46a93258bdaa483d00ee3a826bea1d00de04f6e84cfbea63bc2
 ARG SPAMD_UID=2022
 
-RUN apt-get -yq update && \
+RUN apt-get -yq update && apt-get -y upgrade && \
     apt-get -y --no-install-recommends install \
      ca-certificates cron curl gcc libc6-dev libdbd-mysql-perl \
      libmail-dkim-perl libnet-ident-perl make pyzor razor gpg gpg-agent \