chore: clean .gitignore cache
This commit is contained in:
GitHub Actions
@@ -1,80 +0,0 @@
|
||||
# Workstream C: CrowdSec Go Version Fix
|
||||
|
||||
**Date:** 2026-01-10
|
||||
**Issue:** CrowdSec binaries built with Go 1.25.1 containing 4 HIGH CVEs
|
||||
**Solution:** Pin CrowdSec builder to Go 1.25.5+
|
||||
|
||||
## Problem
|
||||
|
||||
Trivy scan identified that the CrowdSec binaries (`crowdsec` and `cscli`) embedded in the container image were built with Go 1.25.1, which has 4 HIGH severity CVEs:
|
||||
|
||||
- CVE-2025-58183
|
||||
- CVE-2025-58186
|
||||
- CVE-2025-58187
|
||||
- CVE-2025-61729
|
||||
|
||||
The CrowdSec builder stage in the Dockerfile was using `golang:1.25-alpine`, which resolved to the vulnerable Go 1.25.1 version.
|
||||
|
||||
## Solution
|
||||
|
||||
Updated the `CrowdSec Builder` stage in the Dockerfile to explicitly pin to Go 1.25.5:
|
||||
|
||||
```dockerfile
|
||||
# Before:
|
||||
FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS crowdsec-builder
|
||||
|
||||
# After:
|
||||
# renovate: datasource=docker depName=golang versioning=docker
|
||||
FROM --platform=$BUILDPLATFORM golang:1.25.5-alpine AS crowdsec-builder
|
||||
```
|
||||
|
||||
## Changes Made
|
||||
|
||||
### File: `Dockerfile`
|
||||
|
||||
**Line ~275-279:** Updated the CrowdSec builder stage base image
|
||||
|
||||
- Changed from: `golang:1.25-alpine` (resolves to 1.25.1)
|
||||
- Changed to: `golang:1.25.5-alpine` (fixed version)
|
||||
- Added Renovate annotation to track future Go version updates
|
||||
|
||||
## Impact
|
||||
|
||||
- **Security:** Eliminates 4 HIGH CVEs in the CrowdSec binaries
|
||||
- **Build Process:** No changes to build logic, only base image version
|
||||
- **CrowdSec Version:** Remains at v1.7.4 (no version change needed)
|
||||
- **Compatibility:** No breaking changes; CrowdSec functionality unchanged
|
||||
|
||||
## Verification
|
||||
|
||||
After this change, the following validations should be performed:
|
||||
|
||||
1. **Rebuild the image** (no-cache recommended):
|
||||
|
||||
```bash
|
||||
# Use task: Build & Run: Local Docker Image No-Cache
|
||||
```
|
||||
|
||||
2. **Run Trivy scan** on the rebuilt image:
|
||||
|
||||
```bash
|
||||
# Use task: Security: Trivy Scan
|
||||
```
|
||||
|
||||
3. **Expected outcome:**
|
||||
- Trivy image scan should report **0 HIGH/CRITICAL** vulnerabilities
|
||||
- CrowdSec binaries should be built with Go 1.25.5+
|
||||
- All CrowdSec functionality should remain operational
|
||||
|
||||
## Related
|
||||
|
||||
- **Plan:** [docs/plans/current_spec.md](../plans/current_spec.md) - Workstream C
|
||||
- **CVE List:** Go 1.25.1 stdlib vulnerabilities (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729)
|
||||
- **Dependencies:** CrowdSec v1.7.4 (no change)
|
||||
- **Next Step:** QA validation after image rebuild
|
||||
|
||||
## Notes
|
||||
|
||||
- The Backend Builder stage already uses `golang:1.25-alpine` but may resolve to a patched minor version. If needed, it can be pinned similarly.
|
||||
- Renovate will track the pinned `golang:1.25.5-alpine` image and suggest updates when newer patch versions are available.
|
||||
- The explicit version pin ensures reproducible builds and prevents accidental rollback to vulnerable versions.
|
||||
Reference in New Issue
Block a user