Address vulnerability reports against runner-helper alpine images

Address vulnerability reports against applications only in runner-helper alpine images. Vulnerability reports against runner-helper go modules will be addressed elsewhere.

See the issue for a full list of the vulnerabilities reported, but in summary they are against the following applications:

  • busybox
  • git
  • libssl
  • libcurl
  • git-lfs

This included a number of critical and high reports.

This MR addressed the vulnerabilities by installing the latest (or at least very new) versions of the relevant applications/libraries, using two approaches.

  1. for all of the above applications/libs excluding git-lfs, we use an alternate package repository as suggested here. This repo includes newer versions of git, libcurl, libssl, busybox, and their dependencies.
  2. for git-lfs, we install version 3.3.0 (the latest as of today) from the official pre-compiled binary distribution.

closes #29642 (closed)

Edited by Romuald Atchadé
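
One way to carry out the second approach with an integrity check, as an added example that is not this MR's own code: the downloaded git-lfs tarball is compared against a pinned SHA-256 before anything is installed. The download URL pattern, the `GIT_LFS_ARCH` default and the function names are assumptions, and the digest is a placeholder to be filled in from a trusted source.

```shell
#!/bin/sh
# Added example: pin and verify a pre-compiled git-lfs release before install.
GIT_LFS_VERSION="3.3.0"                    # version named in the MR
GIT_LFS_ARCH="${GIT_LFS_ARCH:-amd64}"      # assumption: target architecture
# Placeholder: supply the real digest of the release tarball.
GIT_LFS_SHA256="${GIT_LFS_SHA256:-<sha256-of-release-tarball>}"

# verify_sha256 FILE EXPECTED: succeeds only if FILE hashes to EXPECTED.
verify_sha256() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    # An unreadable file yields an empty hash; never treat that as a match.
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# install_verified TARBALL EXPECTED DESTDIR: verify first, then unpack and
# copy only the git-lfs binary into DESTDIR.
install_verified() {
    tarball=$1; expected=$2; dest=$3
    if ! verify_sha256 "$tarball" "$expected"; then
        echo "checksum mismatch for $tarball, refusing to install" >&2
        return 1
    fi
    tmp=$(mktemp -d) || return 1
    tar -xzf "$tarball" -C "$tmp" || { rm -rf "$tmp"; return 1; }
    # The binary's directory inside the archive is not assumed; locate it.
    bin=$(find "$tmp" -type f -name git-lfs | head -n 1)
    [ -n "$bin" ] || { rm -rf "$tmp"; return 1; }
    install -m 0755 "$bin" "$dest/git-lfs"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Run as "script.sh install" in the image build; URL pattern is an assumption.
if [ "${1:-}" = "install" ]; then
    url="https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-${GIT_LFS_ARCH}-v${GIT_LFS_VERSION}.tar.gz"
    curl -fsSL -o /tmp/git-lfs.tar.gz "$url" &&
        install_verified /tmp/git-lfs.tar.gz "$GIT_LFS_SHA256" /usr/bin
fi
```

With the placeholder digest left in place the install step fails closed, so an unpinned build cannot silently ship an unverified binary.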