Patch base-image CVEs in the minimal image (apt upgrade)#150
Merged
Conversation
The pinned php:${php_version}-apache base ships apache2/curl at its own
build-time versions, and the Dockerfile only `install`s specific packages — so
base packages accumulate upstream-fixed CVEs. Grype (--fail-on critical
--only-fixed) flags criticals on every minimal build: curl
(CVE-2026-11856/10536/8927/8924, fixed 8.21.0) and apache2
(CVE-2026-29167/42535, fixed 2.4.68). Add `apt-get -y upgrade` after
`apt-get update` so the Debian security fixes are pulled; regenerate the
Dockerfile from the generator.
Targets testing (features land here, then promote to master). Full/Ubuntu
image currently passes Grype and is untouched.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
98e3b72 to
f0a5884
Compare
Member
Author
|
Retargeted from |
Grype's binary classifier reads the PHP interpreter's version string (PHP 8.3.32, embedded in /usr/local/bin/php, libphp.so, and extensions) as a "curl" binary at 8.3.32 and flags curl CVEs (CVE-2026-11856/10536/8927/8924, fixed 8.21.0). The real curl is the Debian package, patched to 8.14.1-2+deb13u4 and correctly not flagged. Scope the ignore to binary-type curl so the deb curl stays scanned. With the apt-get upgrade (apache2 -> 2.4.68) this clears the minimal Grype gate. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Security review flagged the previous `package: {name: curl, type: binary}` rule
as over-broad — it would silently suppress any future binary-curl finding. Narrow
it to the four specific PHP-version-misidentified CVEs (CVE-2026-11856/10536/8927/
8924) so a genuine curl vulnerability still surfaces.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Both gates only triggered on pull_request -> master, so feature PRs to testing (where features land before promotion) were never validated. Add testing to the branch filter so the gates cover the branch features actually target. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Member
Author
|
Added a commit so |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Grype (
--fail-on critical --only-fixed) fails everysimplerisk-minimalbuild (PHP 8.3/8.4/8.5) on critical, upstream-fixed CVEs in the base image's own packages:CVE-2026-11856,CVE-2026-10536,CVE-2026-8927,CVE-2026-8924CVE-2026-29167,CVE-2026-42535The pinned
php:${php_version}-apachebase ships these at its build-time versions, and the Dockerfile onlyinstalls specific packages — so the pre-installed base packages never get patched. (These areCVE-2026-*, disclosed after the last green run — this is base-image drift, not any code change.)Fix
Add
apt-get -y upgradeafterapt-get updatein the minimal image's aptRUN, so Debian security updates are pulled for the base packages. Edited the generator (simplerisk-minimal/generate_dockerfile.sh) and regenerated the committedDockerfile— diff is only the upgrade line + an explanatory comment.Scope / testing
container-validationon this PR is the real test: the minimal Grype scan should now clear the criticals.🤖 Generated with Claude Code