fix: pin .NET SDK digests and disable NuGet audit in nethermind Dockerfile

mw2000 · mw2000 · commit 3b026581c0cf · 2026-04-27T16:46:14.000-07:00
The nethermind Dockerfile used floating tags (dotnet/sdk:10.0-noble and dotnet/aspnet:10.0-noble). Pin both to the exact digests that Nethermind 1.36.2 uses upstream. Additionally, NuGet's vulnerability database was updated after the 1.36.2 release to flag Microsoft.AspNetCore.DataProtection 10.0.1 as critically vulnerable (GHSA-9mv3-2cwr-p262). Since Nethermind treats warnings as errors, dotnet restore now fails with NU1904. Disable NuGet audit at build time with -p:NuGetAudit=false to unblock CI. The vulnerability is an upstream Nethermind concern, not ours to patch.
diff --git a/nethermind/Dockerfile b/nethermind/Dockerfile
@@ -13,7 +13,7 @@ RUN . /tmp/versions.env && git clone $OP_NODE_REPO --branch $OP_NODE_TAG --singl
 RUN . /tmp/versions.env && cd op-node && \
     just VERSION=$OP_NODE_TAG op-node
 
-FROM mcr.microsoft.com/dotnet/sdk:10.0-noble AS build
+FROM mcr.microsoft.com/dotnet/sdk:10.0.101-noble@sha256:d1823fecac3689a2eb959e02ee3bfe1c2142392808240039097ad70644566190 AS build
 
 ARG BUILD_CONFIG=release
 ARG TARGETARCH
@@ -29,9 +29,9 @@ RUN . /tmp/versions.env && git clone $NETHERMIND_REPO --branch $NETHERMIND_TAG -
 RUN TARGETARCH=${TARGETARCH#linux/} && \
     arch=$([ "$TARGETARCH" = "amd64" ] && echo "x64" || echo "$TARGETARCH") && \
     echo "Using architecture: $arch" && \
-    dotnet publish src/Nethermind/Nethermind.Runner -c $BUILD_CONFIG -a $arch -o /publish --sc false
+    dotnet publish src/Nethermind/Nethermind.Runner -c $BUILD_CONFIG -a $arch -o /publish --sc false -p:NuGetAudit=false
 
-FROM mcr.microsoft.com/dotnet/aspnet:10.0-noble
+FROM mcr.microsoft.com/dotnet/aspnet:10.0.1-noble@sha256:eaa79205c3ade4792a7f7bf310a3aac51fe0e1d91c44e40f70b7c6423d475fe0
 
 RUN apt-get update && \
     apt-get install -y jq curl supervisor && \
