
Commit 21339b8

geroplona-agent and Ona authored
Fix CVE-2026-22184 and auto-track base image tags in digest workflow (#21333)
* Fix CVE-2026-22184: bump Alpine-based Dockerfiles

This ensures the zlib package is updated from 1.3.1-r2 to 1.3.2-r0, fixing CVE-2026-22184 detected by the daily vulnerability scan.

Co-authored-by: Ona <no-reply@ona.com>

* Add tag-based base image updates to digest workflow

The daily update-image-digest workflow only updated images pinned with @sha256: digests. Dockerfiles using tag-based references like node:22.22.0-alpine or caddy/caddy:2.11-alpine were not tracked, causing them to go stale and accumulate vulnerabilities.

Add a new step that uses crane ls to find the latest patch release for tracked base images (node, caddy/caddy) and updates FROM lines in Dockerfiles accordingly.

Co-authored-by: Ona <no-reply@ona.com>

* Add apk upgrade --no-cache to Dockerfiles for immediate zlib fix

Base image tags (node:22.22.1-alpine, caddy/caddy:2.11.2-alpine) still ship zlib 1.3.1-r2. The fix (1.3.2-r0) is available in Alpine repos but the upstream images haven't been rebuilt yet. Running apk upgrade in the Dockerfile ensures the fix is picked up at build time regardless.

This matches the existing pattern in ide-proxy and proxy Dockerfiles.

Co-authored-by: Ona <no-reply@ona.com>

---------

Co-authored-by: Ona <no-reply@ona.com>
1 parent 5eb3ebb commit 21339b8

5 files changed

Lines changed: 57 additions & 9 deletions


.github/workflows/update-image-digest.yml

Lines changed: 48 additions & 0 deletions
@@ -72,6 +72,54 @@ jobs:
7272
sed -i -e "s/^\(\s*ImageDigest\s*=\s*\)\".*\"/\1\"$redisImageDigest\"/" install/installer/pkg/components/redis/constants.go
7373
sed -i -e "s/^\(\s*ExporterImageDigest\s*=\s*\)\".*\"/\1\"$redisExporterDigest\"/" install/installer/pkg/components/redis/constants.go
7474
go fmt install/installer/pkg/components/redis/constants.go
75+
- name: Update base image tags in Dockerfiles
76+
shell: bash
77+
run: |
78+
# Updates FROM lines in Dockerfiles that use tag-based references (not @sha256: pinned).
79+
# For each tracked image, finds the latest patch release matching the same major.minor
80+
# prefix and suffix, then updates all Dockerfiles that reference an older version.
81+
#
82+
# Entry format: "image|tag_grep_in_dockerfile|tag_ls_filter"
83+
# - image: the registry image name (e.g. "node", "caddy/caddy")
84+
# - tag_grep_in_dockerfile: grep -oP regex to extract the current tag from FROM lines
85+
# - tag_ls_filter: grep -E regex to filter crane ls output for candidate tags
86+
87+
declare -a TRACKED_IMAGES=(
88+
"node|22\\.22\\.[0-9]+-alpine|^22\\.22\\.[0-9]+-alpine$"
89+
"node|22\\.22\\.[0-9]+$|^22\\.22\\.[0-9]+$"
90+
"caddy/caddy|2\\.11[0-9.]*-alpine|^2\\.11(\\.[0-9]+)?-alpine$"
91+
)
92+
93+
for entry in "${TRACKED_IMAGES[@]}"; do
94+
IFS='|' read -r image tag_grep tag_ls_filter <<< "$entry"
95+
echo "Checking for updates: ${image} (filter: ${tag_ls_filter})"
96+
97+
# List all tags matching the pattern and pick the highest version
98+
latest_tag=$(crane ls "$image" 2>/dev/null \
99+
| grep -E "$tag_ls_filter" \
100+
| sort -V \
101+
| tail -1 || true)
102+
103+
if [ -z "$latest_tag" ]; then
104+
echo " No matching tags found, skipping"
105+
continue
106+
fi
107+
108+
echo " Latest tag: ${image}:${latest_tag}"
109+
110+
# Escape slashes in image name for use in grep/sed
111+
image_escaped="${image//\//\\/}"
112+
113+
# Find and update Dockerfiles with older versions of this image
114+
while IFS= read -r -d '' file; do
115+
current=$(grep -oP "(?<=FROM ${image_escaped}:)${tag_grep}" "$file" 2>/dev/null | head -1 || true)
116+
if [ -n "$current" ] && [ "$current" != "$latest_tag" ]; then
117+
echo " Updating ${file}: ${image}:${current} -> ${image}:${latest_tag}"
118+
sed -i "s|FROM ${image}:${current}|FROM ${image}:${latest_tag}|g" "$file"
119+
fi
120+
done < <(find "$(pwd)/components" -type f \( -name "Dockerfile*" -o -name "leeway.Dockerfile" \) -print0)
121+
done
122+
75123
- name: Check workspace
76124
id: create_pr
77125
shell: bash
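Review bot: The new step resolves mutable tags in the `latest_tag=$(crane ls "$image" ... | sort -V | tail -1 || true)` pipeline and writes the winner straight into `FROM` lines, whereas the rest of this workflow pins `@sha256:` digests; a tag can be re-pointed by the registry or publisher after this job runs, so the PR it opens should at least record what the tag resolved to (for example via `crane digest "${image}:${latest_tag}"`) so a reviewer can see what is being pulled in, or better, pin the digest alongside the tag as the redis entries above do. Two smaller points in the same loop: the `caddy/caddy` filter `^2\\.11(\\.[0-9]+)?-alpine$` also admits the floating `2.11-alpine` tag as a candidate, so `sort -V | tail -1` is not guaranteed to land on a patch release; requiring the patch component (`^2\\.11\\.[0-9]+-alpine$`) matches the stated intent. And because `crane ls` runs with `2>/dev/null` and the pipeline ends in `|| true`, a registry error (rate limit, auth, network) is indistinguishable from "no matching tags" and the step just prints "skipping"; capturing the `crane ls` exit status separately and failing, or at least warning, on it would keep a silently stale image from going unnoticed.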

components/dashboard/leeway.Dockerfile

Lines changed: 2 additions & 1 deletion
@@ -22,7 +22,8 @@ COPY components-gitpod-protocol--gitpod-schema/gitpod-schema.json /www/static/sc
2222
FROM caddy:builder AS caddy-builder
2323
RUN xcaddy build v2.11.0-beta.2 --output /caddy
2424

25-
FROM caddy/caddy:2.11-alpine
25+
FROM caddy/caddy:2.11.2-alpine
26+
RUN apk upgrade --no-cache
2627

2728
COPY --from=caddy-builder /caddy /usr/bin/caddy
2829
COPY components-dashboard--static/conf/Caddyfile /etc/caddy/Caddyfile
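Review bot: Bumping the runtime base to `caddy/caddy:2.11.2-alpine` does not change the Caddy binary this image actually runs: `COPY --from=caddy-builder /caddy /usr/bin/caddy` overwrites it with the one produced by `RUN xcaddy build v2.11.0-beta.2 --output /caddy` in a stage based on the floating `caddy:builder` tag, and neither that tag nor the xcaddy version is in the workflow's `TRACKED_IMAGES`. The zlib fix still lands through the OS packages, which is what this commit is after, but "caddy/caddy is tracked" should not be read as covering the served binary; consider adding the xcaddy version and `caddy:builder` to the tracking list, or a comment here noting that the binary version is pinned separately.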

components/gitpod-db/leeway.Dockerfile

Lines changed: 3 additions & 6 deletions
@@ -17,12 +17,9 @@ FROM node:22.22.0-alpine as proxy
1717
RUN wget https://storage.googleapis.com/cloudsql-proxy/v1.37.6/cloud_sql_proxy.linux.amd64 -O /bin/cloud_sql_proxy \
1818
&& chmod +x /bin/cloud_sql_proxy
1919

20-
FROM node:22.22.0-alpine
21-
22-
# Install bash
23-
RUN apk update && \
24-
apk add bash && \
25-
rm -rf /var/cache/apk/*
20+
FROM node:22.22.1-alpine
21+
RUN apk upgrade --no-cache \
22+
&& apk add --no-cache bash
2623

2724
ENV NODE_OPTIONS=--unhandled-rejections=warn
2825
COPY migrate.sh /app/migrate.sh
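Review bot: The hunk header shows the first stage still on `FROM node:22.22.0-alpine as proxy` while the final stage moves to `node:22.22.1-alpine`; the new workflow step's global `sed` would bump it on the next run, but bumping both in the same commit avoids leaving a Dockerfile that references two patch levels of the same image. The rewrite of the `RUN` line itself is a good cleanup: `apk upgrade --no-cache && apk add --no-cache bash` replaces the `apk update` / `rm -rf /var/cache/apk/*` sequence with the idiomatic form. Unrelated to this change but visible in the context: `wget .../cloud_sql_proxy.linux.amd64 -O /bin/cloud_sql_proxy` verifies nothing about the downloaded binary; a pinned checksum check after the download would close that gap in the same file.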

components/server/leeway.Dockerfile

Lines changed: 2 additions & 1 deletion
@@ -14,7 +14,8 @@ COPY components-server--app /installer/
1414
WORKDIR /app
1515
RUN /installer/install.sh
1616

17-
FROM node:22.22.0-alpine
17+
FROM node:22.22.1-alpine
18+
RUN apk upgrade --no-cache
1819
ENV NODE_OPTIONS="--unhandled-rejections=warn --max_old_space_size=2048"
1920

2021
EXPOSE 3000
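Review bot: `RUN apk upgrade --no-cache` only delivers the zlib fix when this layer is actually rebuilt; with Docker/BuildKit layer caching, an unchanged `FROM node:22.22.1-alpine` followed by an unchanged `RUN` instruction is served from cache, so a rebuild after Alpine publishes 1.3.2-r0 can still ship 1.3.1-r2. The commit message's "ensures the fix is picked up at build time regardless" holds only for uncached builds; either make sure CI builds these images with `--no-cache` (or a cache-busting build argument), or state the caveat in the message. It is also worth a comment that this line is a stopgap until upstream rebuilds the tag, since an unconditional upgrade makes the image contents depend on repository state at build time rather than on the pinned base.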

components/ws-manager-bridge/leeway.Dockerfile

Lines changed: 2 additions & 1 deletion
@@ -14,7 +14,8 @@ COPY components-ws-manager-bridge--app /installer/
1414
WORKDIR /app
1515
RUN /installer/install.sh
1616

17-
FROM node:22.22.0-alpine
17+
FROM node:22.22.1-alpine
18+
RUN apk upgrade --no-cache
1819
ENV NODE_OPTIONS=--unhandled-rejections=warn
1920
EXPOSE 3000
2021
COPY --from=builder --chown=node:node /app /app/
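Review bot: This is the fourth Dockerfile in the commit gaining an identical, uncommented `RUN apk upgrade --no-cache`; nothing in the file ties it to CVE-2026-22184 or to the zlib 1.3.1-r2 -> 1.3.2-r0 bump that motivated it, so nobody will know when it can be removed once `node:22.22.x-alpine` ships the fixed package. A one-line comment above it in each file (for example `# stopgap for CVE-2026-22184; remove once the base image ships zlib >= 1.3.2-r0`) keeps the reason discoverable.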
