
fix(#159): upgrade OS packages at build time to patch CVE-2026-31789 (#163)

Merged: longieirl merged 2 commits into main from fix/159-openssl-cve on May 1, 2026

Conversation

@longieirl (Owner)

Pull Request

Summary

Adds apt-get upgrade to the production Docker stage so every image build pulls the latest patched Debian packages. Fixes the 3 critical OpenSSL vulnerabilities reported by the weekly Trivy scan (issue #159).

Changes

  • Dockerfile: add apt-get upgrade -y --no-install-recommends to the production stage RUN step alongside the existing apt-get install

Type

  • Bug fix
  • New feature
  • Breaking change
  • Refactoring
  • Documentation
  • Performance
  • Security

Testing

  • Tests pass (coverage >= 91%)
  • Manually tested
  • make docker-integration passed locally (required when touching Dockerfile, entrypoint.sh, docker-compose.yml, or packages/parser-core/)

The scan-pr-image CI job builds from source on this PR and will run Trivy — that scan result is the verification. No Python source changed so unit tests are unaffected.

Checklist

  • Code follows project style
  • Self-reviewed
  • Documentation updated (if needed)
  • No new warnings

Downstream impact

  • This PR changes a public interface in bankstatements_core (exported class, function, or exception)

CVE details

Package                 | CVE            | Severity | Installed       | Fixed In
------------------------|----------------|----------|-----------------|----------------
libssl3t64              | CVE-2026-31789 | CRITICAL | 3.5.4-1~deb13u2 | 3.5.5-1~deb13u2
openssl                 | CVE-2026-31789 | CRITICAL | 3.5.4-1~deb13u2 | 3.5.5-1~deb13u2
openssl-provider-legacy | CVE-2026-31789 | CRITICAL | 3.5.4-1~deb13u2 | 3.5.5-1~deb13u2

After merge, cut core-v0.1.4 to publish :latest and clear the weekly scan.

Closes #159

Add apt-get upgrade to the production stage so every Docker build pulls
the latest patched Debian packages. Fixes 3 critical OpenSSL findings
(libssl3t64, openssl, openssl-provider-legacy) reported by Trivy.
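The PR treats the Trivy run in scan-pr-image as the verification, and the thing that run has to establish is that every installed OpenSSL package now sorts at or above its Fixed In version under Debian's ordering (where `3.5.5-1~deb13u2` sorts above `3.5.4-1~deb13u2` but below `3.5.5-1`, because `~` sorts before everything, including end of string). The check below is an added example, not code from this PR or from the bankstatements_core project: a Debian version comparator that follows dpkg's algorithm, and a gate that walks a report in Trivy's JSON layout (`Results[].Vulnerabilities[]` with `PkgName`, `InstalledVersion`, `FixedVersion`, `VulnerabilityID`, `Severity`) and returns every finding whose installed version is still older than its fix. The sample report is constructed from the CVE table in the PR body; the artifact name in it is made up.

```python
"""Gate a Trivy OS-package scan on Debian version ordering.

Added example, not code from the PR or the bankstatements_core project.
deb_version_compare() follows the dpkg algorithm (Debian Policy 5.6.12);
open_findings() walks a report in Trivy's JSON layout and returns every
finding whose InstalledVersion still sorts below its FixedVersion.
"""
from __future__ import annotations

import json
import sys


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """dpkg's weight for one character of a non-digit run: '~' sorts before
    anything (even end of string), letters before other symbols; digits are
    handled by the numeric pass and end of string weighs 0."""
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until they differ.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> tuple[int, str, str]:
    """[epoch:]upstream[-revision]; epoch defaults to 0, revision to ''."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def deb_version_compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, ==, > b under Debian ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def open_findings(report: dict, min_severity: str = "CRITICAL") -> list[tuple[str, str, str, str]]:
    """(package, CVE, installed, fixed) for each finding at or above min_severity
    whose installed version is still older than the fix. Findings with no
    FixedVersion are skipped: no apt-get upgrade can close them."""
    ranks = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
    still_open = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            fixed = vuln.get("FixedVersion")
            if not fixed or ranks.get(vuln.get("Severity", "UNKNOWN"), 0) < ranks[min_severity]:
                continue
            # Trivy may list several fixed versions separated by ", " (one per upstream
            # branch). Deliberately conservative: the finding counts as closed only if the
            # installed version reaches every listed fix, so a miss errs toward reporting.
            if all(deb_version_compare(vuln["InstalledVersion"], f) >= 0 for f in fixed.split(", ")):
                continue
            still_open.append((vuln["PkgName"], vuln["VulnerabilityID"], vuln["InstalledVersion"], fixed))
    return still_open


def sample_report(installed: str) -> dict:
    """Constructed sample in Trivy's JSON layout. Package, CVE and version values
    mirror the table in the PR body; the artifact name is made up for this example."""
    pkgs = ("libssl3t64", "openssl", "openssl-provider-legacy")
    return {
        "ArtifactName": "bankstatements:pr-163",
        "Results": [{
            "Target": "bankstatements:pr-163 (debian 13)", "Class": "os-pkgs", "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2026-31789", "PkgName": p, "InstalledVersion": installed,
                 "FixedVersion": "3.5.5-1~deb13u2", "Severity": "CRITICAL"} for p in pkgs
            ],
        }],
    }


if __name__ == "__main__":
    # With a path argument, gate a real `trivy image -f json -o report.json <image>` output;
    # otherwise show the constructed before/after reports from the PR's table.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            reports = [("report", json.load(fh))]
    else:
        reports = [(v, sample_report(v)) for v in ("3.5.4-1~deb13u2", "3.5.5-1~deb13u2")]
    for label, report in reports:
        findings = open_findings(report)
        print(f"{label}: {len(findings)} critical finding(s) still open")
        for pkg, cve, have, need in findings:
            print(f"  {pkg}: {cve} installed {have} < fixed {need}")
    sys.exit(1 if any(open_findings(r) for _, r in reports) else 0)
```

Run against the constructed reports it reports all three packages open at `3.5.4-1~deb13u2` and none at `3.5.5-1~deb13u2`; pointed at a real Trivy JSON report it exits non-zero while anything critical is still below its fix, which is the failure mode to watch for with `apt-get upgrade` at build time: the step only helps if the Debian mirror already carries the fixed package when the image is built.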
longieirl self-assigned this on Apr 30, 2026
github-actions bot added the labels bug (Something isn't working) and docker on Apr 30, 2026
longieirl merged commit 08abb89 into main on May 1, 2026
15 checks passed
longieirl deleted the fix/159-openssl-cve branch on May 1, 2026 08:02
longieirl mentioned this pull request on May 1, 2026


Development

Successfully merging this pull request may close these issues.

🚨 Security Alert: 3 Critical Vulnerabilities Found