AbhishekJ 4e1f29dd73 Update container images, and packages for CVE fix
This commit updates golang, alpine docker images, and several packages
including github.com/emicklei/go-restful/v3 and golang.org/x/net to fix
multiple CVE bugs.

CVE ID: PRISMA-2022-0227
Issue: https://github.com/emicklei/go-restful/issues/497
Description: The go-restful/v3 module prior to v3.10.0 is vulnerable to
Authentication Bypass by Primary Weakness due to an inconsistency in URL
path parsing. This could lead to security check bypass in a complex system.

CVE ID: CVE-2023-45288
Issue: https://pkg.go.dev/vuln/GO-2024-2687
Description: An attacker may cause an HTTP/2 endpoint to read arbitrary
amounts of header data by sending an excessive number of CONTINUATION
frames. The fix sets a limit on the amount of excess header frames we will
process before closing a connection.

CVE ID: CVE-2024-4741
Issue: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4741
Description: openssl: Use After Free with SSL_free_buffers

Test Plan:
PASSED: Metrics consumed properly by a scraping tool without
        any error.
PASSED: Validate necessary information is being displayed with
        new metric type Gauge.
PASSED: API Test with SRIOV enabled, VF Pods created and
        verified if the information is retrieved properly

Story: 2010918
Task: 50521

Change-Id: Ia7effb3161a84193fc1fbb3425e25b39d80dec7b
Signed-off-by: AbhishekJ <abhishek.jaiswal@windriver.com>
2024-07-09 15:21:43 +00:00
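
The CVE-2023-45288 entry in the commit message above describes a limit on header data carried by CONTINUATION frames. The following Go sketch is an added example, not code from this commit, the project, or golang.org/x/net: it is a simplified model of such a limit applied to raw HTTP/2 frames, and the function names, the 16 KiB limit and the sample frames are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

const typeHeaders, typeContinuation, flagEndHeaders = 0x1, 0x9, 0x4
var ErrHeaderFlood = errors.New("header block over limit before END_HEADERS")

// frame builds a constructed HTTP/2 frame on stream 1 with n zero payload bytes.
func frame(typ, flags byte, n int) []byte {
	h := []byte{byte(n >> 16), byte(n >> 8), byte(n), typ, flags, 0, 0, 0, 1}
	return append(h, make([]byte, n)...)
}

// CheckHeaderBlocks returns the frames read and ErrHeaderFlood once one
// HEADERS+CONTINUATION run carries more than maxBytes (whole payloads counted).
func CheckHeaderBlocks(raw []byte, maxBytes int) (frames int, err error) {
	open, total := false, 0
	for len(raw) >= 9 {
		n, typ, flags := int(raw[0])<<16|int(raw[1])<<8|int(raw[2]), raw[3], raw[4]
		if len(raw) < 9+n {
			return frames, errors.New("truncated frame")
		}
		raw, frames = raw[9+n:], frames+1
		switch {
		case typ == typeHeaders && !open:
			total = n
		case typ == typeContinuation && open:
			total += n
		case open || typ == typeContinuation:
			return frames, errors.New("frame not allowed at this point")
		default:
			continue // DATA, SETTINGS, ... outside a header block
		}
		if total > maxBytes {
			return frames, ErrHeaderFlood // the endpoint closes the connection here
		}
		open = flags&flagEndHeaders == 0 // block stays open until END_HEADERS
	}
	return frames, nil
}

func main() { // constructed input: HEADERS without END_HEADERS, then 100 CONTINUATIONs
	raw := append(frame(typeHeaders, 0, 64), bytes.Repeat(frame(typeContinuation, 0, 1024), 100)...)
	fmt.Println(CheckHeaderBlocks(raw, 16<<10))
}
```

The check stops at the first frame that pushes the open header block past the limit instead of buffering until END_HEADERS arrives, which is what bounds the work done per connection.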

#
# Copyright (c) 2023 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# All Rights Reserved.
#
# ARG BASE
# FROM ${BASE}
# Build Stage
FROM golang:alpine3.20 AS buildstage
# Set destination for COPY
WORKDIR /app
COPY metrics-exporter-api /app/
RUN go mod download
ARG VERSION="v1.0.0-stable"
# Build
RUN CGO_ENABLED=0 GOOS=linux go build -v -ldflags="-X main.Version=$VERSION" -o /metrics-api-server
# Deploy stage: copy only the built binary into a minimal Alpine image
# to keep the final image small
FROM alpine:3.20.1
# Use the image root as the working directory
WORKDIR /
COPY --from=buildstage /metrics-api-server /metrics-api-server
# Optional:
# To bind to a TCP port, runtime parameters must be supplied to the
# docker command.
# But we can document in the Dockerfile what ports
# the application is going to listen on by default.
# https://docs.docker.com/engine/reference/builder/#expose
EXPOSE 9110
ENTRYPOINT ["/metrics-api-server"]