Skip to content

Patch base-image CVEs in the minimal image (apt upgrade)#150

Merged
jsokol merged 4 commits into
testingfrom
FIX-base-image-cve-refresh
Jul 12, 2026
Merged

Patch base-image CVEs in the minimal image (apt upgrade)#150
jsokol merged 4 commits into
testingfrom
FIX-base-image-cve-refresh

Conversation

@jsokol

@jsokol jsokol commented Jul 12, 2026

Copy link
Copy Markdown
Member

Problem

Grype (--fail-on critical --only-fixed) fails every simplerisk-minimal build (PHP 8.3/8.4/8.5) on critical, upstream-fixed CVEs in the base image's own packages:

  • curl 8.3.32 → fixed 8.21.0: CVE-2026-11856, CVE-2026-10536, CVE-2026-8927, CVE-2026-8924
  • apache2 2.4.67 → fixed 2.4.68: CVE-2026-29167, CVE-2026-42535

The pinned php:${php_version}-apache base ships these at its build-time versions, and the Dockerfile only installs specific packages — so the pre-installed base packages never get patched. (These are CVE-2026-*, disclosed after the last green run — this is base-image drift, not any code change.)

Fix

Add apt-get -y upgrade after apt-get update in the minimal image's apt RUN, so Debian security updates are pulled for the base packages. Edited the generator (simplerisk-minimal/generate_dockerfile.sh) and regenerated the committed Dockerfile — diff is only the upgrade line + an explanatory comment.

Scope / testing

🤖 Generated with Claude Code

The pinned php:${php_version}-apache base ships apache2/curl at its own
build-time versions, and the Dockerfile only `install`s specific packages — so
base packages accumulate upstream-fixed CVEs. Grype (--fail-on critical
--only-fixed) flags criticals on every minimal build: curl
(CVE-2026-11856/10536/8927/8924, fixed 8.21.0) and apache2
(CVE-2026-29167/42535, fixed 2.4.68). Add `apt-get -y upgrade` after
`apt-get update` so the Debian security fixes are pulled; regenerate the
Dockerfile from the generator.

Targets testing (features land here, then promote to master). Full/Ubuntu
image currently passes Grype and is untouched.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jsokol jsokol force-pushed the FIX-base-image-cve-refresh branch from 98e3b72 to f0a5884 Compare July 12, 2026 22:26
@jsokol jsokol changed the base branch from master to testing July 12, 2026 22:26
@jsokol

jsokol commented Jul 12, 2026

Copy link
Copy Markdown
Member Author

Retargeted from master to testing — features land on testing and promote to master, so a master-only fix would drift from testing. Rebuilt the change on top of testing (the diff is the same: apt-get -y upgrade in the minimal image's apt RUN + regenerated Dockerfile). It reaches master via the normal testing→master promotion.

jsokol and others added 3 commits July 12, 2026 17:36
Grype's binary classifier reads the PHP interpreter's version string (PHP 8.3.32,
embedded in /usr/local/bin/php, libphp.so, and extensions) as a "curl" binary at
8.3.32 and flags curl CVEs (CVE-2026-11856/10536/8927/8924, fixed 8.21.0). The
real curl is the Debian package, patched to 8.14.1-2+deb13u4 and correctly not
flagged. Scope the ignore to binary-type curl so the deb curl stays scanned.

With the apt-get upgrade (apache2 -> 2.4.68) this clears the minimal Grype gate.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Security review flagged the previous `package: {name: curl, type: binary}` rule
as over-broad — it would silently suppress any future binary-curl finding. Narrow
it to the four specific PHP-version-misidentified CVEs (CVE-2026-11856/10536/8927/
8924) so a genuine curl vulnerability still surfaces.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Both gates only triggered on pull_request -> master, so feature PRs to testing
(where features land before promotion) were never validated. Add testing to the
branch filter so the gates cover the branch features actually target.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jsokol

jsokol commented Jul 12, 2026

Copy link
Copy Markdown
Member Author

Added a commit so container-validation + shellcheck also run on pull_request → testing (previously master-only, so testing PRs — where features land — went unvalidated). Note: this PR's own checks still had to be workflow_dispatched because the base testing doesn't carry the widened trigger until this merges; PRs to testing after that auto-run.

@jsokol jsokol merged commit 1165902 into testing Jul 12, 2026
6 checks passed
@jsokol jsokol deleted the FIX-base-image-cve-refresh branch July 12, 2026 23:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant