This repository was archived by the owner on Sep 30, 2024. It is now read-only.

Upgrade dind version to 26.0.0 to patch vulnerabilities #61735

Merged: willdollman merged 3 commits into main from will/update-dind-26.0.0 on Apr 10, 2024

willdollman (Contributor) commented Apr 9, 2024

The dind image has finally received an update which patches a large number of vulnerabilities! (7 high, 2 critical).

Six months ago when we previously updated dind, there was some discussion about whether it was still used. @sourcegraph/search-platform is there any change to this - are customers still using this image?

Test plan

  • Basic local testing
  • Any further testing that @sourcegraph/search-platform can think of

@willdollman willdollman self-assigned this Apr 9, 2024
@cla-bot cla-bot bot added the cla-signed label Apr 9, 2024
@willdollman willdollman changed the title from "Upgrade dind version" to "Upgrade dind version to 26.0.0 to fix vulns" Apr 9, 2024

willdollman (Contributor Author) commented Apr 9, 2024

Some basic local testing of functionality, building manually then running a container in docker:

will@mac ~> docker build --platform linux/amd64 -t sourcegraph-dind .
[...]

will@mac ~> docker run -it --entrypoint /bin/sh -v /var/run/docker.sock:/var/run/docker.sock sourcegraph-dind

/ # docker run -it --entrypoint /bin/sh alpine:latest
/ #            

willdollman (Contributor Author) commented

All vulnerabilities patched:

~> trivy image --severity=HIGH,CRITICAL --platform linux/x86_64 docker:26.0.0-dind@sha256:b52760bc3766143ca050ab3f36f01108c30bbd6bc16094400855adfb9bd66f12
2024-04-09T18:04:37.334+0100    INFO    Vulnerability scanning is enabled
2024-04-09T18:04:37.334+0100    INFO    Secret scanning is enabled
2024-04-09T18:04:37.334+0100    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-04-09T18:04:37.334+0100    INFO    Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-04-09T18:04:39.788+0100    INFO    Detected OS: alpine
2024-04-09T18:04:39.789+0100    INFO    Detecting Alpine vulnerabilities...
2024-04-09T18:04:39.793+0100    INFO    Number of language-specific files: 4
2024-04-09T18:04:39.793+0100    INFO    Detecting gobinary vulnerabilities...

docker:26.0.0-dind@sha256:b52760bc3766143ca050ab3f36f01108c30bbd6bc16094400855adfb9bd66f12 (alpine 3.19.1)

Total: 0 (HIGH: 0, CRITICAL: 0)

@willdollman willdollman requested a review from a team April 9, 2024 17:19
jtibshirani (Contributor) commented

I think you're looking for our batch changes/ executors experts instead of search platform (which is more narrow). So tagging @camdencheek and @eseliger too!

@keegancsmith keegancsmith removed the request for review from a team April 10, 2024 06:27
willdollman (Contributor Author) commented

Ah, thanks for tagging the right people @jtibshirani, the last Slack thread mentioned it being owned by search suite, which my brain autocompleted to search platform 😁

@willdollman willdollman changed the title from "Upgrade dind version to 26.0.0 to fix vulns" to "Upgrade dind version to 26.0.0 to patch vulnerabilities" Apr 10, 2024