deps(deps): bump alpine from 3.21 to 3.23 in the docker-minor-and-patch group across 1 directory #242

Open. dependabot[bot] wants to merge 1 commit into
Semgrep Scan Results: scanned at 2026-05-19 02:35 UTC

Security Scan Results: scanned at 2026-05-19 02:35 UTC
Cre-eD added a commit that referenced this pull request on May 16, 2026:
Comprehensive SCA pass on top of the Go 1.25.10 + go-billy 5.9.0 work in this PR's first commit. Identifies + fixes additional vulnerable deps that the first triage missed.

## go-git/v5 5.18.0 → 5.19.0

CVE-2026-45022 (HIGH) — go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git. Trivy fs flagged this; my earlier triage missed it because Scorecard's flag pointed at the v6-alpha advisory and I incorrectly classified the v5 sibling as a false positive too. Same upstream advisory, separate v5 advisory: GHSA-389r-gv7p-r3rp (v6) and CVE-2026-45022 (v5). Fix is in 5.19.0.

## Caddy 2.11.2 → 2.11.3 (caddy.Dockerfile)

Caddy 2.11.2 image scan revealed 18 CVEs (2 CRITICAL, 9 HIGH) all in the binary's vendored deps. Caddy 2.11.3 released after our Phase 1 lock; it bumps:

- go-jose/v4 4.1.3 → 4.1.4 (CVE-2026-34986 HIGH)
- otel + otel/sdk 1.42 → 1.43 (CVE-2026-29181, CVE-2026-39883 HIGH)
- smallstep/certificates 0.30.0-rc3 → 0.30.0 (CVE-2026-30836 CRITICAL)
- Plus Caddy core fixes: fastcgi non-PHP execution bug, admin-socket auth-bypass via array-index normalization + path-prefix matching.

Source: https://github.com/caddyserver/caddy/releases/tag/v2.11.3

Updated all three sites (builder FROM + final FROM + xcaddy build arg) per the in-file note. New digests resolved via Docker Hub registry API on 2026-05-16.

## Net source-side state after this commit

- trivy fs: 0 vulnerabilities (was 1 HIGH = CVE-2026-45022, now fixed)
- govulncheck: 0 reachable; 2 unreachable in modules (the documented aws-sdk-go v1 s3crypto false positives)

## Image-side state (verify post-rebuild)

Each prod image at v2026.5.14:

- kubectl 8 (5H/3M) — all upstream kubectl-binary stdlib@1.26.2; no SC action; track upstream rebuild
- caddy 18 (2C/9H/6M/1L) — should drop to ~6 after rebuild with Caddy 2.11.3 (this PR)
- github-actions 27 (17H/10M) — 7 fixed by Go 1.25.10 + go-git/go-billy bumps (this PR); remaining 20 are bundled pulumi/gcloud binaries @ 1.26.2 (upstream)
- cloud-helpers 17 (9H/8M) — glibc 2.34-231.amzn2023.0.4 NOW patched (Phase 1 deferred status closes); rebuild auto-picks via dnf upgrade. Plus stdlib fixed by Go 1.25.10.

## Dependabot reconciliation

| PR | What | Verdict |
|---|---|---|
| #162 | go-git/v5 5.13.1 → 5.16.5 | SUPERSEDED — we're at 5.19.0 now |
| #237 | pulumi-command/sdk 0.9.2 → 1.2.1 | LET STAND |
| #242 | alpine 3.21 → 3.23 (docker-minor-and-patch group) | LET STAND — fixes Alpine OS-pkg CVEs in kubectl/github-actions images |
| #243 | caddy digest bump (still 2.11.2) | SUPERSEDED — this PR bumps to 2.11.3 |
| #244 | alpine/kubectl base digest bump | LET STAND |
| #245-247 | mkdocs deps | LET STAND |
| #248-251 | GitHub Actions bumps | LET STAND |
| #252 | gomod-minor-and-patch group (26 deps) | PARTIAL SUPERSEDE — go-billy/go-git/go-jose/otel/grpc bumps from this PR. Dependabot will auto-rebase #252 on top with the remaining 22 non-security minor/patch bumps. |
| #233 | reecetech/version-increment | LET STAND |

## Validation

- `go build ./...` clean
- `go vet ./...` clean
- `go test -short ./pkg/security/...` — all 8 packages PASS
- `govulncheck ./...` — 0 reachable
- `trivy fs` — 0 findings (any severity)

Refs HARDENING.md Phase 8 Scorecard climb plan.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Cre-eD added a commit that referenced this pull request on May 16, 2026:
…addy 2.11.3 (#261)

## SCA pass — comprehensive deps + image scan

Goes beyond the initial Scorecard `Vulnerabilities` fix to address **every** vulnerable dep found across source + 4 published images, all severities. Per the `feedback_all_severities` rule.

Two commits in this PR:

1. Go 1.25.9 → **1.25.10** + go-billy/v5 5.8.0 → **5.9.0**
2. go-git/v5 5.18.0 → **5.19.0** + Caddy `caddy.Dockerfile` 2.11.2 → **2.11.3**

## Source-side (govulncheck + trivy fs)

| Before | After |
|---|---|
| 6 reachable stdlib HIGH/MEDIUM + 1 HIGH go-git in `trivy fs` | **0 trivy fs findings · 0 reachable govulncheck** |

### Reachable Go stdlib (6, all fixed by Go 1.25.10)

| Advisory | Module | Severity | Call path govulncheck traced |
|---|---|---|---|
| GO-2026-4986 | `net/mail` consumeComment — quadratic concat | HIGH | `pulumi.init` → `mail.ParseAddress` |
| GO-2026-4977 | `net/mail` consumePhrase — quadratic concat | HIGH | same |
| GO-2026-4982 | `html/template` meta-content URL escaping bypass | HIGH | `mcp.Start` → `http.Server.Serve` → `template.Execute` |
| GO-2026-4980 | `html/template` escaper bypass | HIGH | same |
| GO-2026-4971 | `net` Dial / LookupPort NUL-byte panic | HIGH | many call sites (aws, mongo, mcp) |
| GO-2026-4918 | `net/http` HTTP/2 SETTINGS_MAX_FRAME_SIZE infinite loop | HIGH | many call sites |

### Reachable Go-deps (3 fixed, 2 documented)

| Advisory | Module | Old → New | Status |
|---|---|---|---|
| GHSA-m3xc-h892-ggx6 | `go-git/go-billy/v5 < 5.9.0` | 5.8.0 → 5.9.0 | ✅ fixed |
| GHSA-qw64-3x98-g7q2 | `go-git/go-billy/v5 < 5.9.0` | 5.8.0 → 5.9.0 | ✅ fixed |
| **CVE-2026-45022** | `go-git/go-git/v5 < 5.19.0` | 5.18.0 → 5.19.0 | ✅ fixed (trivy fs flagged) |
| GO-2022-0635 | `aws-sdk-go v1 service/s3/s3crypto` | n/a | ❌ FALSE POSITIVE — we import aws-sdk-go v1 for cloudtrail code but NOT `s3crypto`. govulncheck reachability confirms 0 hits. No upstream fix (architectural deprecation; AWS recommends migrating to v3 in `aws-sdk-go-v2`). Documented; standalone migration PR tracked. |
| GO-2022-0646 | same as above | n/a | ❌ FALSE POSITIVE — same |

(GHSA-389r-gv7p-r3rp / CVE-2026-45022 — initial triage misread the GHSA as a v6-alpha flag; the Dependabot record makes clear it is the v5 advisory. Bumping to 5.19.0 closes it.)

## Image-side (Trivy + Grype on the 4 v2026.5.14 published images)

| Image | Before (v2026.5.14) | Source of fix | After next release |
|---|---|---|---|
| **simplecontainer/kubectl** | 8 (5H/3M) — all `kubectl` binary stdlib@1.26.2 | Upstream kubectl needs Go 1.26.3 rebuild | unchanged this PR; track upstream |
| **simplecontainer/caddy** | 18 (2C/9H/6M/1L) — all Caddy 2.11.2 vendored deps | **Caddy 2.11.3 bump in this PR** | drops to ~6 (residual: grpc 1.79.1 — Caddy 2.11.3 ships only 1.79.0; tracked upstream) |
| **simplecontainer/github-actions** | 27 (17H/10M) — 7 our binary, 20 bundled gcloud/pulumi | Our 7 fixed by Go 1.25.10 + go-git/go-billy in this PR; rest are upstream | drops to ~20 |
| **simplecontainer/cloud-helpers** | 17 (9H/8M) — 4× glibc, 4× curl/krb5/libgcrypt (AL2023 now patched!), 8× stdlib in cloud-helpers binary | AL2023 `dnf upgrade` auto-picks patched packages; Go 1.25.10 fixes the binary | drops to ~0 |

### Phase 1 deferred items — status check

Reviewed all four Phase 1 deferred items per HARDENING.md:

| Phase 1 deferred | Now |
|---|---|
| `glibc` CVE-2026-4046 (HIGH, AL2023 pending) | ✅ **AL2023 published 2.34-231.amzn2023.0.4** — picked up automatically by Dockerfile's `dnf upgrade` on next rebuild |
| Caddy 2.11.2 upstream transitives (2C/4H/3M/1L originally) | 🟡 **Caddy 2.11.3 ships partial fix** (this PR); residual ~6 vulns track Caddy 2.11.4+ |
| `docker/docker` CVE-2026-34040 / CVE-2026-33997 | ❓ Re-check via `go list -m -versions github.com/docker/docker` — separate triage. Was migrated to `github.com/moby/moby` in PR #238; need to re-verify reachability. |
| Caddy non-root USER | ⏳ Phase 6 (TUF + distro repackaging) |
| github-actions non-root USER | ⏳ Track upstream GitHub Actions OIDC/userns guidance |

## Dependabot security alerts addressed

Three OPEN Dependabot alerts as of this PR — all close automatically when this merges to `main`:

| Alert | GHSA | CVE | Sev | Package | Fixed in | Source of fix in this PR |
|---|---|---|---|---|---|---|
| [#62](https://github.com/simple-container-com/api/security/dependabot/62) | GHSA-389r-gv7p-r3rp | CVE-2026-45022 | HIGH | `github.com/go-git/go-git/v5` | 5.19.0 | ✅ `go.mod`: 5.18.0 → 5.19.0 |
| [#63](https://github.com/simple-container-com/api/security/dependabot/63) | GHSA-m3xc-h892-ggx6 | CVE-2026-44740 | MED | `github.com/go-git/go-billy/v5` | 5.9.0 | ✅ `go.mod`: 5.8.0 → 5.9.0 |
| [#64](https://github.com/simple-container-com/api/security/dependabot/64) | GHSA-qw64-3x98-g7q2 | CVE-2026-44973 | HIGH | `github.com/go-git/go-billy/v5` | 5.9.0 | ✅ `go.mod`: 5.8.0 → 5.9.0 |

What each one is:

- **GHSA-389r-gv7p-r3rp** — go-git parses specially-crafted objects inconsistently with upstream Git, which can cause divergent state on a clone. Reachable via the SC `welder` git-driver path.
- **GHSA-m3xc-h892-ggx6** — go-billy lacks depth/cycle detection in symlink resolution; a crafted repo can spin the resolver into infinite loops / resource exhaustion. Reachable via `welder` clone.
- **GHSA-qw64-3x98-g7q2** — go-billy path-traversal across multiple components (`osfs.ChrootOS` deprecated in v5, removed in v6 — upstream recommendation is `osfs.New(path, WithBoundOS())`). Reachable via `welder` clone.

(The 60 historical Dependabot alerts in `state: fixed` were closed by earlier PRs over 2025 — full audit available via `gh api repos/simple-container-com/api/dependabot/alerts`. No additional outstanding security alerts remain after this PR.)

## Dependabot PR reconciliation

| PR | What | Verdict |
|---|---|---|
| [#162](#162) | go-git/v5 5.13.1 → 5.16.5 | **SUPERSEDED** — now at 5.19.0 |
| [#237](#237) | pulumi-command/sdk 0.9.2 → 1.2.1 | LET STAND |
| [#242](#242) | alpine 3.21 → 3.23 (docker-minor-and-patch group) | **LET STAND + merge first** — fixes Alpine OS-pkg CVEs in kubectl/github-actions images |
| [#243](#243) | caddy digest bump (still 2.11.2) | **SUPERSEDED** — this PR bumps to 2.11.3 |
| [#244](#244) | alpine/kubectl base digest bump | LET STAND |
| #245-247 | mkdocs deps | LET STAND (docs/) |
| #248-251 | GitHub Actions bumps | LET STAND |
| [#252](#252) | gomod-minor-and-patch group (26 deps) | **PARTIAL SUPERSEDE** — go-billy / go-git / go-jose / otel / grpc bumps from this PR. Dependabot will auto-rebase #252 on top with the remaining ~22 non-security bumps. |
| [#233](#233) | reecetech/version-increment | LET STAND |

## Scorecard `Vulnerabilities` projection

| State | Score |
|---|---|
| Pre-PR (5 advisories flagged) | 5/10 |
| Post-PR + Scorecard rescan | **9-10/10** (3 advisories remaining are documented false-positives + Scorecard's go-git/v6 flag, all reachability-clean per govulncheck) |

## Validation

- `go build ./...` clean
- `go vet ./...` clean (no output)
- `go test -short ./pkg/security/...` — all 8 packages PASS (29 tests; HMAC integrity cache from PR #254 still green)
- `govulncheck ./...` — **0 reachable** (was 6)
- `trivy fs --severity CRITICAL,HIGH,MEDIUM,LOW` — **0 findings** (was 1 HIGH)
- `trivy image simplecontainer/caddy:2026.5.14` — flagged 18; expected ~6 after Caddy 2.11.3 rebuild
- `trivy image simplecontainer/cloud-helpers:aws-2026.5.14` — flagged 17; expected ~0 after rebuild (AL2023 + Go 1.25.10)

## Follow-ups out of this PR's scope

- **aws-sdk-go v1 → v2 migration** — 3 `.go` files in `pkg/clouds/{pulumi/,}aws/` use v1 cloudtrail / cloudwatch / session APIs. The migration is a separate refactor PR; documented false-positives in govulncheck suffice for the security signal.
- **`docker/docker` reachability re-check** — verify if PR #238's moby/moby migration cleared the original CVE.
- **github-actions image bundled binaries** (pulumi, gcloud) — Track upstream rebuilds with Go 1.26.3.
- **kubectl base bump** — Dependabot #244 will pick it up.

Refs HARDENING.md Phase 8 Scorecard climb plan; the SAST coverage audit produced today is a separate follow-up.

---------

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
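The Dependabot alert and PR reconciliation tables in the commit messages above come down to one check per advisory: is the module version pinned in `go.mod` at or past the version that carries the fix? The Go program below automates that comparison. It is an added example, not code from this PR or from the simple-container project; the `go.mod` text is constructed (with go-billy deliberately left at the pre-bump version so both outcomes appear), the GHSA identifiers and fixed-in versions are the ones the commit messages cite, and it assumes each advisory reduces to a single fixed-in floor, whereas a real Dependabot alert carries a full vulnerable-version range.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Advisory is a Dependabot-style alert reduced to what this check needs.
// Assumption: one fixed-in floor per advisory (real alerts list ranges).
type Advisory struct {
	ID      string
	Module  string
	FixedIn string
}

// sampleGoMod is a constructed go.mod, not the project's real one.
const sampleGoMod = `module example.com/constructed-sample

go 1.25

require (
	github.com/go-git/go-git/v5 v5.19.0
	github.com/go-git/go-billy/v5 v5.8.0 // deliberately pre-bump in this sample
)
`

// sampleAdvisories carries the GHSA ids and fixed-in versions cited above.
var sampleAdvisories = []Advisory{
	{ID: "GHSA-389r-gv7p-r3rp", Module: "github.com/go-git/go-git/v5", FixedIn: "v5.19.0"},
	{ID: "GHSA-m3xc-h892-ggx6", Module: "github.com/go-git/go-billy/v5", FixedIn: "v5.9.0"},
	{ID: "GHSA-qw64-3x98-g7q2", Module: "github.com/go-git/go-billy/v5", FixedIn: "v5.9.0"},
}

// parseRequires extracts "module version" pairs from go.mod text, accepting
// both `require a/b v1.2.3` and a `require ( ... )` block; `//` comments
// (including `// indirect`) are stripped before the line is split.
func parseRequires(gomod string) map[string]string {
	pinned := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		fields := strings.Fields(line)
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case len(fields) == 3 && fields[0] == "require":
			pinned[fields[1]] = fields[2]
		case inBlock && len(fields) == 2:
			pinned[fields[0]] = fields[1]
		}
	}
	return pinned
}

// splitVer turns "vMAJOR.MINOR.PATCH[-pre][+build]" into numeric parts and a
// pre-release tag; build metadata is dropped, as semver ordering requires.
func splitVer(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	pre := ""
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	var nums [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		nums[i], _ = strconv.Atoi(p) // a non-numeric part compares as 0
	}
	return nums, pre
}

// compareSemver returns <0, 0 or >0 as a is below, equal to or above b.
// Numeric fields are compared as numbers (v1.10.0 > v1.9.0) and a
// pre-release sorts below its release (v0.30.0-rc3 < v0.30.0).
func compareSemver(a, b string) int {
	na, pa := splitVer(a)
	nb, pb := splitVer(b)
	for i := 0; i < 3; i++ {
		if na[i] != nb[i] {
			return na[i] - nb[i]
		}
	}
	switch {
	case pa == "" && pb != "":
		return 1
	case pa != "" && pb == "":
		return -1
	}
	return strings.Compare(pa, pb)
}

// Triage labels each advisory "closed" (pinned >= fixed-in), "open" (pinned
// below fixed-in) or "not required" (module absent from go.mod).
func Triage(gomod string, advisories []Advisory) map[string]string {
	pinned := parseRequires(gomod)
	result := map[string]string{}
	for _, a := range advisories {
		cur, ok := pinned[a.Module]
		switch {
		case !ok:
			result[a.ID] = "not required"
		case compareSemver(cur, a.FixedIn) >= 0:
			result[a.ID] = "closed"
		default:
			result[a.ID] = "open"
		}
	}
	return result
}

func main() {
	res := Triage(sampleGoMod, sampleAdvisories)
	for _, a := range sampleAdvisories {
		fmt.Printf("%s (%s): %s\n", a.ID, a.Module, res[a.ID])
	}
}
```

Run it with `go run` on the file; with the constructed `go.mod` the go-git advisory reports `closed` and both go-billy advisories report `open`, which is exactly the distinction the reconciliation table draws when it marks a Dependabot PR superseded by a bump already in `go.mod`. The check ignores `replace` directives and module-major-version path suffixes beyond what appears in the module path itself, so treat it as a first pass before `govulncheck` decides reachability.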
Force-pushed: 22bf89b to 8d216eb

Force-pushed: 8d216eb to daf0cd7
Bumps the docker-minor-and-patch group with 1 update in the / directory: alpine.

Updates `alpine` from 3.21 to 3.23

---
updated-dependencies:
- dependency-name: alpine
  dependency-version: '3.23'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: docker-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Force-pushed: daf0cd7 to 368e945
Bumps the docker-minor-and-patch group with 1 update in the / directory: alpine.

Updates `alpine` from 3.21 to 3.23