akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity

refactor: update current planning document to focus on c-ares security vulnerability remediation

Browse Source 
This update revises the planning document to address the c-ares security vulnerability (CVE-2025-62408) and removes the previous analysis regarding Go version compatibility issues. The document now emphasizes the need to rebuild the Docker image to pull the patched version of c-ares from Alpine repositories, with no Dockerfile changes required.

Key changes include:
- Removal of outdated Go version mismatch analysis.
- Addition of details regarding the c-ares vulnerability and its impact.
- Streamlined focus on remediation steps and testing checklist.
This commit is contained in:
GitHub Actions
2025-12-14 02:03:15 +00:00
parent 71ba83c2cd
commit 0f0e5c6af7
3 changed files with 1215 additions and 342 deletions
Download Patch File Download Diff File Expand all files Collapse all files

146
.github/workflows/security-weekly-rebuild.yml vendored Normal file
View File

@@ -0,0 +1,146 @@
name: Weekly Security Rebuild
on:
schedule:
- cron: '0 2 * * 0' # Sundays at 02:00 UTC
workflow_dispatch:
inputs:
force_rebuild:
description: 'Force rebuild without cache'
required: false
type: boolean
default: true
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository_owner }}/charon
jobs:
security-rebuild:
name: Security Rebuild & Scan
runs-on: ubuntu-latest
timeout-minutes: 45
permissions:
contents: read
packages: write
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Normalize image name
run: |
echo "IMAGE_NAME=$(echo "${{ env.IMAGE_NAME }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
- name: Set up QEMU
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- name: Resolve Caddy base digest
id: caddy
run: |
docker pull caddy:2-alpine
DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' caddy:2-alpine)
echo "image=$DIGEST" >> $GITHUB_OUTPUT
- name: Log in to Container Registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=security-scan-{{date 'YYYYMMDD'}}
- name: Build Docker image (NO CACHE)
id: build
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
no-cache: ${{ github.event_name == 'schedule' || inputs.force_rebuild }}
build-args: |
VERSION=security-scan
BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
VCS_REF=${{ github.sha }}
CADDY_IMAGE=${{ steps.caddy.outputs.image }}
- name: Run Trivy vulnerability scanner (CRITICAL+HIGH)
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
format: 'table'
severity: 'CRITICAL,HIGH'
exit-code: '1' # Fail workflow if vulnerabilities found
continue-on-error: true
- name: Run Trivy vulnerability scanner (SARIF)
id: trivy-sarif
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
format: 'sarif'
output: 'trivy-weekly-results.sarif'
severity: 'CRITICAL,HIGH,MEDIUM'
- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
with:
sarif_file: 'trivy-weekly-results.sarif'
- name: Run Trivy vulnerability scanner (JSON for artifact)
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
format: 'json'
output: 'trivy-weekly-results.json'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'
- name: Upload Trivy JSON results
uses: actions/upload-artifact@v4
with:
name: trivy-weekly-scan-${{ github.run_number }}
path: trivy-weekly-results.json
retention-days: 90
- name: Check Alpine package versions
run: |
echo "## 📦 Installed Package Versions" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Checking key security packages:" >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }} \
sh -c "apk info c-ares curl libcurl openssl" >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
- name: Create security scan summary
if: always()
run: |
echo "## 🔒 Weekly Security Rebuild Complete" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "- **Build Date:** $(date -u +"%Y-%m-%d %H:%M:%S UTC")" >> $GITHUB_STEP_SUMMARY
echo "- **Image:** ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}" >> $GITHUB_STEP_SUMMARY
echo "- **Cache Used:** No (forced fresh build)" >> $GITHUB_STEP_SUMMARY
echo "- **Trivy Scan:** Completed (see Security tab for details)" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Next Steps:" >> $GITHUB_STEP_SUMMARY
echo "1. Review Security tab for new vulnerabilities" >> $GITHUB_STEP_SUMMARY
echo "2. Check Trivy JSON artifact for detailed package info" >> $GITHUB_STEP_SUMMARY
echo "3. If critical CVEs found, trigger production rebuild" >> $GITHUB_STEP_SUMMARY
- name: Notify on security issues (optional)
if: failure()
run: |
echo "::warning::Weekly security scan found HIGH or CRITICAL vulnerabilities. Review the Security tab."

1053
docs/plans/c-ares_remediation_plan.md Normal file
View File

File diff suppressed because it is too large Load Diff

358
docs/plans/current_spec.md
View File

@@ -1,354 +1,28 @@
# CI Docker Build Failure - Root Cause Analysis and Remediation Plan
# Current Planning Document Pointer
**Active Plan:** [c-ares Security Vulnerability Remediation Plan (CVE-2025-62408)](c-ares_remediation_plan.md)
**Version:** 1.0
**Date:** 2025-12-14
**Status:** 🔴 CRITICAL - Docker builds failing in CI
**Status:** 🟡 MEDIUM Priority - Security vulnerability remediation
**Component:** c-ares (Alpine package dependency)
---
## Executive Summary
## Quick Summary
The CI Docker build is failing during the xcaddy build process. The root cause is a **Go version mismatch** introduced by a recent commit that downgraded Go from 1.25.x to 1.23.x based on the incorrect assumption that Go 1.25.5 doesn't exist.
Trivy has identified CVE-2025-62408 in c-ares 1.34.5-r0. The fix requires rebuilding the Docker image to pull c-ares 1.34.6-r0 from Alpine repositories.
### Key Finding
**No Dockerfile changes required** - the existing `apk upgrade` command will automatically pull the patched version on the next build.
**Go 1.25.5 IS a valid, released version** (as of December 2025). The commit `481208c` ("fix: correct Go version to 1.23 in Dockerfile (1.25.5 does not exist)") incorrectly downgraded Go and **broke the build**.
See the full remediation plan for:
- Root cause analysis
- CVE details and impact assessment
- Step-by-step implementation guide
- Testing checklist
- Rollback procedures
---
## Root Cause Analysis
## Previous Plans
### 1. Version Compatibility Matrix (Current State)
| Component | Version Required | Version in Dockerfile | Status |
|-----------|------------------|----------------------|--------|
| **Go** (for Caddy build) | 1.25+ | 1.23 ❌ | **INCOMPATIBLE** |
| **Go** (for backend build) | 1.23+ | 1.23 ✅ | Compatible |
| **Caddy** | 2.10.2 | 2.10.2 ✅ | Correct |
| **xcaddy** | 0.4.5 | latest ✅ | Correct |
### 2. The Problem
Caddy 2.10.2's `go.mod` declares:
```go
go 1.25
```
When xcaddy tries to build Caddy 2.10.2 with Go 1.23, it fails because:
- Go's toolchain directive enforcement (Go 1.21+) prevents building modules that require a newer Go version
- The error manifests during the xcaddy build step in the Dockerfile
### 3. Error Location
**File:** [Dockerfile](../../Dockerfile)
**Stage:** `caddy-builder` (lines 101-145)
**Root Cause Lines:**
- Line 51: `FROM --platform=$BUILDPLATFORM golang:1.23-alpine AS backend-builder`
- Line 101: `FROM --platform=$BUILDPLATFORM golang:1.23-alpine AS caddy-builder`
### 4. Evidence from go.mod Files
**Caddy 2.10.2** (`github.com/caddyserver/caddy/v2`):
```go
go 1.25
```
**xcaddy 0.4.5** (`github.com/caddyserver/xcaddy`):
```go
go 1.21
toolchain go1.23.0
```
**Backend** (`/projects/Charon/backend/go.mod`):
```go
go 1.23
```
**Workspace** (`/projects/Charon/go.work`):
```go
go 1.23
```
### 5. Plugin Compatibility
| Plugin | Go Version Required | Caddy Version Tested |
|--------|---------------------|---------------------|
| caddy-security | 1.24 | v2.9.1 |
| coraza-caddy/v2 | 1.23 | v2.9.1 |
| caddy-crowdsec-bouncer | 1.23 | v2.9.1 |
| caddy-geoip2 | varies | - |
| caddy-ratelimit | varies | - |
**Note:** Plugin compatibility with Caddy 2.10.2 requires Go 1.25 since Caddy itself requires it.
---
## Remediation Plan
### Option A: Upgrade Go to 1.25 (RECOMMENDED)
**Rationale:** Go 1.25.5 exists and is stable. Upgrading aligns with Caddy 2.10.2 requirements.
#### File Changes Required
##### 1. Dockerfile (lines 51, 101)
**Current (BROKEN):**
```dockerfile
FROM --platform=$BUILDPLATFORM golang:1.23-alpine AS backend-builder
...
FROM --platform=$BUILDPLATFORM golang:1.23-alpine AS caddy-builder
```
**Fix:**
```dockerfile
FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS backend-builder
...
FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS caddy-builder
```
##### 2. backend/go.mod (line 3)
**Current:**
```go
go 1.23
```
**Fix:**
```go
go 1.25
```
##### 3. go.work (line 1)
**Current:**
```go
go 1.23
```
**Fix:**
```go
go 1.25
```
---
### Option B: Downgrade Caddy to 2.9.x (NOT RECOMMENDED)
**Rationale:** Would require pinning to an older Caddy version that still supports Go 1.23.
**Downsides:**
- Miss security fixes in Caddy 2.10.x
- Need to update `CADDY_VERSION` ARG
- Still need to verify plugin compatibility
**File Changes:**
```dockerfile
ARG CADDY_VERSION=2.9.1 # Downgrade from 2.10.2
```
**Not recommended** because it's a regression and delays inevitable Go upgrade.
---
## Recommended Implementation: Option A
### Step-by-Step Remediation
#### Step 1: Update Dockerfile
**File:** [Dockerfile](../../Dockerfile)
| Line | Current | New |
|------|---------|-----|
| 51 | `golang:1.23-alpine` | `golang:1.25-alpine` |
| 101 | `golang:1.23-alpine` | `golang:1.25-alpine` |
#### Step 2: Update go.mod
**File:** [backend/go.mod](../../backend/go.mod)
| Line | Current | New |
|------|---------|-----|
| 3 | `go 1.23` | `go 1.25` |
Then run:
```bash
cd backend && go mod tidy
```
#### Step 3: Update go.work
**File:** [go.work](../../go.work)
| Line | Current | New |
|------|---------|-----|
| 1 | `go 1.23` | `go 1.25` |
#### Step 4: Verify Local Build
```bash
# Build Docker image locally
docker build -t charon:test .
# Run the test suite
cd backend && go test ./...
cd frontend && npm run test
```
#### Step 5: Validate CI Workflows
The following workflows use Go and will automatically use the container's Go version:
- [docker-build.yml](../../.github/workflows/docker-build.yml) - Uses Dockerfile Go version
- [docker-publish.yml](../../.github/workflows/docker-publish.yml) - Uses Dockerfile Go version
- [quality-checks.yml](../../.github/workflows/quality-checks.yml) - May need `go-version` update
Check if `quality-checks.yml` specifies Go version explicitly and update if needed.
---
## Version Compatibility Matrix (After Fix)
| Component | Version | Source |
|-----------|---------|--------|
| Go | 1.25 | Dockerfile, go.mod, go.work |
| Caddy | 2.10.2 | Dockerfile ARG |
| xcaddy | latest (0.4.5+) | go install |
| Node.js | 24.12.0 | Dockerfile |
| Alpine | 3.23 | Dockerfile |
### Plugin Versions (auto-resolved by xcaddy)
| Plugin | Current Version | Notes |
|--------|-----------------|-------|
| caddy-security | 1.1.31 | Works with Caddy 2.x |
| coraza-caddy/v2 | 2.1.0 | Works with Caddy 2.x |
| caddy-crowdsec-bouncer | main | Works with Caddy 2.x |
| caddy-geoip2 | main | Works with Caddy 2.x |
| caddy-ratelimit | main | Works with Caddy 2.x |
---
## Potential Side Effects
### 1. Backend Code Compatibility
Go 1.25 is backwards compatible with Go 1.23 code. The backend should compile without issues.
**Risk:** Low
**Mitigation:** Run `go build ./...` and `go test ./...` after update.
### 2. CI/CD Pipeline
Some workflows may cache Go 1.23 artifacts. Force cache invalidation if builds fail after fix.
**Risk:** Low
**Mitigation:** Clear GitHub Actions cache if needed.
### 3. Local Development
Developers using Go 1.23 locally will need to upgrade to Go 1.25.
**Risk:** Medium
**Mitigation:** Document required Go version in README.md.
---
## Testing Checklist
Before merging the fix:
- [ ] Local Docker build succeeds: `docker build -t charon:test .`
- [ ] Backend compiles: `cd backend && go build ./...`
- [ ] Backend tests pass: `cd backend && go test ./...`
- [ ] Frontend builds: `cd frontend && npm run build`
- [ ] Frontend tests pass: `cd frontend && npm run test`
- [ ] Pre-commit passes: `pre-commit run --all-files`
- [ ] Container starts: `docker run --rm charon:test /app/charon --version`
- [ ] Caddy works: `docker run --rm charon:test caddy version`
---
## Commit Message
```text
fix: upgrade Go to 1.25 for Caddy 2.10.2 compatibility
Caddy 2.10.2 requires Go 1.25 (declared in its go.mod). The previous
commit incorrectly downgraded to Go 1.23 based on the false assumption
that Go 1.25.5 doesn't exist.
This fix:
- Updates Dockerfile Go images from 1.23-alpine to 1.25-alpine
- Updates backend/go.mod to go 1.25
- Updates go.work to go 1.25
Fixes CI Docker build failures in xcaddy stage.
```
---
## Files to Modify (Summary)
| File | Line(s) | Change |
|------|---------|--------|
| `Dockerfile` | 51 | `golang:1.23-alpine``golang:1.25-alpine` |
| `Dockerfile` | 101 | `golang:1.23-alpine``golang:1.25-alpine` |
| `backend/go.mod` | 3 | `go 1.23``go 1.25` |
| `go.work` | 1 | `go 1.23``go 1.25` |
---
## Related Issues
- Previous (incorrect) fix commit: `481208c` "fix: correct Go version to 1.23 in Dockerfile (1.25.5 does not exist)"
- Previous commit: `65443a1` "fix: correct Go version to 1.23 (1.25.5 does not exist)"
Both commits should be effectively reverted by this fix.
---
## Appendix: Go Version Verification
As of December 14, 2025, Go 1.25.5 is available:
```json
{
"version": "go1.25.5",
"stable": true,
"files": [
{"filename": "go1.25.5.linux-amd64.tar.gz", "...": "..."},
{"filename": "go1.25.5.linux-arm64.tar.gz", "...": "..."},
{"filename": "go1.25.5.darwin-amd64.tar.gz", "...": "..."}
]
}
```
Source: <https://go.dev/dl/?mode=json>
---
## Next Steps
1. Implement the file changes listed above
2. Run local validation tests
3. Push fix with conventional commit message
4. Monitor CI pipeline for successful build
5. Update any documentation that references Go version requirements
Plans are archived when resolved or superseded. Check the `archive/` directory for historical planning documents.