
Resolve CVE-2022-2097

What does this MR do and why?

Resolve CVE-2022-2097 by updating Alpine packages

Screenshots or screen recordings

Before:

$ docker scan registry.gitlab.com/prod-manager/prod-manager:latest

Testing registry.gitlab.com/prod-manager/prod-manager:latest...

✗ Low severity vulnerability found in openssl/libcrypto1.1
  Description: CVE-2022-2097
  Info: https://snyk.io/vuln/SNYK-ALPINE316-OPENSSL-2941806
  Introduced through: openssl/libcrypto1.1@1.1.1o-r0, openssl/libssl1.1@1.1.1o-r0, .python-rundeps@20220607.192557, apk-tools/apk-tools@2.12.9-r3, busybox/ssl_client@1.35.0-r13, ca-certificates/ca-certificates@20211220-r0, krb5-conf/krb5-conf@1.0-r2
  From: openssl/libcrypto1.1@1.1.1o-r0
  From: openssl/libssl1.1@1.1.1o-r0 > openssl/libcrypto1.1@1.1.1o-r0
  From: .python-rundeps@20220607.192557 > openssl/libcrypto1.1@1.1.1o-r0
  and 9 more...
  Image layer: 'apk add --update --no-cache make ca-certificates'
  Fixed in: 1.1.1q-r0

Package manager:   apk
Project name:      docker-image|registry.gitlab.com/prod-manager/prod-manager
Docker image:      registry.gitlab.com/prod-manager/prod-manager:latest
Platform:          linux/amd64
Base image:        python:3.10.5-alpine3.16

Tested 38 dependencies for known vulnerabilities, found 1 vulnerability.

According to our scan, you are currently using the most secure version of the selected base image

For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp

After:

$ docker scan prod-manager:be77b7a377f0d3c9fcb092298550bb0337fa0a9e

Testing prod-manager:be77b7a377f0d3c9fcb092298550bb0337fa0a9e...

Package manager:   apk
Project name:      docker-image|prod-manager
Docker image:      prod-manager:be77b7a377f0d3c9fcb092298550bb0337fa0a9e
Platform:          linux/amd64
Base image:        python:3.10.5-alpine3.16

✔ Tested 38 dependencies for known vulnerabilities, no vulnerable paths found.

According to our scan, you are currently using the most secure version of the selected base image

For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp
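As an added example (not part of this MR or the prod-manager project), a small parser for the docker scan report format shown above: it extracts each finding's severity, package, CVE, installed version and "Fixed in" version, and exposes a pass/fail gate a CI job could use to confirm the "After" image is clean. The sample scan texts are constructed excerpts of the output quoted above.

```python
import re

# Constructed excerpts of the "Before" and "After" docker scan output quoted above.
BEFORE_SCAN = """\
Testing registry.gitlab.com/prod-manager/prod-manager:latest...
✗ Low severity vulnerability found in openssl/libcrypto1.1
  Description: CVE-2022-2097
  Introduced through: openssl/libcrypto1.1@1.1.1o-r0, openssl/libssl1.1@1.1.1o-r0
  Fixed in: 1.1.1q-r0
Tested 38 dependencies for known vulnerabilities, found 1 vulnerability.
"""
AFTER_SCAN = """\
Testing prod-manager:be77b7a377f0d3c9fcb092298550bb0337fa0a9e...
✔ Tested 38 dependencies for known vulnerabilities, no vulnerable paths found.
"""

SEVERITIES = ["low", "medium", "high", "critical"]
FINDING_RE = re.compile(r"^✗ (\w+) severity vulnerability found in (\S+)$")
FIELD_RE = re.compile(r"^\s+(Description|Introduced through|Fixed in): (.+)$")


def parse_scan(text):
    """Return one dict per '✗ ... vulnerability found in' block of a docker scan report."""
    findings, current = [], None
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if m:
            current = {"severity": m.group(1).lower(), "package": m.group(2),
                       "cve": "", "installed": "", "fixed_in": ""}
            findings.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip()
            if key == "Description":
                current["cve"] = value
            elif key == "Fixed in":
                current["fixed_in"] = value
            else:  # first "Introduced through" entry is the vulnerable package@version
                first = value.split(",")[0]
                current["installed"] = first.partition("@")[2]
    return findings


def passes_gate(text, fail_at="low"):
    """True when no finding is at or above the fail_at severity (CI gate)."""
    threshold = SEVERITIES.index(fail_at)
    return all(SEVERITIES.index(f["severity"]) < threshold for f in parse_scan(text))
```

With fail_at="low" the "Before" report fails the gate and the "After" report passes; raising fail_at to "medium" lets a low-severity finding like this one through, which is the policy decision a pipeline owner has to make explicitly.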

MR acceptance checklist

  • My code follows the style guidelines of this project
  • I ran pylint and other linters for modified files
  • I have performed a self-review of my own code and tested it
  • I have commented my code, particularly in hard-to-understand areas
  • My changes generate no new warnings
  • My code needed automated testing. I have added it (this is an optional task)
  • I have added a user-readable comment in the CHANGELOG

Closes #62 (closed)

Edited by Guillaume MARTINEZ
