
Commit

Merge pull request #60 from conjurdemos/update-base-images
Migrate from deprecated openjdk base image to eclipse-temurin
szh authored Apr 25, 2023
2 parents 23198d3 + 980de59 commit 573e46d
Showing 5 changed files with 23 additions and 67 deletions.
63 changes: 8 additions & 55 deletions .trivyignore
@@ -1,55 +1,8 @@
# CVE-2022-25857
# The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of
# Service (DoS) due missing to nested depth limitation for collections.
#
# org.yaml/snakeyaml is an indirect dependency we get from spring boot. A
# spring boot maintainer stated that "Most Sping Boot applications only need
# SnakeYaml to parse their own application.yml configuration. I don't
# think we can consider this content as untrusted input." I take this to mean
# we're likely not vulnerable to this issue. It should be fixed in Spring Boot
# 2.7.4, which as of 9/15 is not yet released. Snyk will notify us when a fix
# is available. At that time, we should remove this entry from the .trivyignore.
CVE-2022-25857


# CVE-2021-23840
# Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow
# the output length argument in some cases where the input length is close to the
# maximum permissable length for an integer on the platform. In such cases the return
# value from the function call will be 1 (indicating success), but the output length
# value will be negative. This could cause applications to behave incorrectly or crash.
# OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions
# should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by
# this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public
# updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other
# users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i).
# Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
#
# We've determined that we are not impacted by this vulnerability because:
# - we do not directly make any calls to the affected methods
#
# Performed by @daneleblanc, approved by @andytinkham
CVE-2021-23840

# CVE-2021-23840
# The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a
# unique hash value based on the issuer and serial number data contained within an X509
# certificate. However it fails to correctly handle any errors that may occur while
# parsing the issuer field (which might occur if the issuer field is maliciously
# constructed). This may subsequently result in a NULL pointer deref and a crash
# leading to a potential denial of service attack. The function
# X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so
# applications are only vulnerable if they use this function directly and they use
# it on certificates that may have been obtained from untrusted sources. OpenSSL
# versions 1.1.1i and below are affected by this issue. Users of these versions should
# upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this
# issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates.
# Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should
# upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y
# (Affected 1.0.2-1.0.2x).
#
# We've determined that we are not impacted by this vulnerability because:
# - we do not directly make any calls to the affected methods
#
# Performed by @daneleblanc, approved by @andytinkham
CVE-2021-23841
# The following 4 CVEs are in indirect dependencies. There is no easy workaround to avoid
# them and they are not exploitable in our application. Additionally this application is only
# used for demos so harm from DoS attacks is very limited. We will ignore them until they
# are fixed in the indirect dependencies.
CVE-2022-3510
CVE-2022-3171
CVE-2022-3509
CVE-2022-1471
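Review bot: the new block at the end of the file suppresses four CVEs under one blanket rationale ("indirect dependencies", "not exploitable in our application", limited harm from DoS) without naming the dependency each comes from or a condition for removing the entry. The removed entries recorded the dependency (org.yaml:snakeyaml via Spring Boot), the upstream fix version, who performed and approved the assessment, and a trigger for revisiting ("Snyk will notify us when a fix is available"); keep that per-CVE format here, since a single DoS characterization may not hold equally for all four and the suppressions will otherwise linger after upstream fixes ship. On the plus side, the removed comment above CVE-2021-23841 was headed "# CVE-2021-23840", and the rewrite removes that copy-paste mislabel.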
10 changes: 8 additions & 2 deletions CHANGELOG.md
Expand Up @@ -5,8 +5,13 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

## [Unreleased]

## [1.2.1] - 2023-04-24

### Security
- Updated Springboot to 3.0.2 and Dockerfile to openjdk:21
- Updated Spring boot to 3.0.6 and Dockerfile to eclipse-temurin
[conjurdemos/pet-store-demo#60](https://github.com/conjurdemos/pet-store-demo/pull/60)
- Updated Spring boot to 3.0.2 and Dockerfile to openjdk:21
[conjurdemos/pet-store-demo#58](https://github.com/conjurdemos/pet-store-demo/pull/58)
- Updated postgresql to 42.5.1 to resolve CVE-2022-41946
[conjurdemos/pet-store-demo#57](https://github.com/conjurdemos/pet-store-demo/pull/57)
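Review bot: the Security entry for #60 should also mention the .trivyignore changes in this commit (suppressions for CVE-2022-25857, CVE-2021-23840 and CVE-2021-23841 removed; suppressions for CVE-2022-3510, CVE-2022-3171, CVE-2022-3509 and CVE-2022-1471 added), since accepted-risk changes belong in the Security section next to the upgrades they accompany. Also record the full base image tag (eclipse-temurin:20-jre-alpine) rather than just "eclipse-temurin", matching the precision of the "openjdk:21" entry below it.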
Expand Down Expand Up @@ -46,5 +51,6 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.

The first tagged version.

[Unreleased]: https://github.com/cyberark/secretless-broker/compare/v1.2.0...HEAD
[Unreleased]: https://github.com/cyberark/secretless-broker/compare/v1.2.1...HEAD
[1.2.1]: https://github.com/cyberark/secretless-broker/compare/v1.2.0...v1.2.1
[1.2.0]: https://github.com/cyberark/secretless-broker/compare/v1.1.0...v1.2.0
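Review bot: the compare links for [Unreleased], [1.2.1] and [1.2.0] point at cyberark/secretless-broker, while this changelog's own PR links reference conjurdemos/pet-store-demo; the new [1.2.1] line copies the wrong repository forward. Suggest `[1.2.1]: https://github.com/conjurdemos/pet-store-demo/compare/v1.2.0...v1.2.1` and the same correction for the sibling lines.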
5 changes: 1 addition & 4 deletions Dockerfile
Expand Up @@ -35,12 +35,9 @@ RUN mvn package && cp target/petstore-*.jar app.jar
# This base is used for the final image
# It extracts the packaged application from the previous stage
# and builds the final image
FROM openjdk:21-slim
FROM eclipse-temurin:20-jre-alpine
LABEL org.opencontainers.image.authors="CyberArk"

# Install the fix for CVE-2022-1271
RUN apt-get update && apt-get dist-upgrade -y

COPY --from=summon /usr/local/lib/summon /usr/local/lib/summon
COPY --from=summon /usr/local/bin/summon /usr/local/bin/summon
COPY --from=maven /app/app.jar /app.jar
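Review bot: the `RUN apt-get update && apt-get dist-upgrade -y` step labelled as the fix for CVE-2022-1271 is removed with no Alpine equivalent, so the final image no longer applies OS package updates at build time; either add `RUN apk upgrade --no-cache` after the new FROM line or state in the commit why the eclipse-temurin:20-jre-alpine tag no longer needs it. Two further checks for the base-image switch: `20-jre-alpine` is a floating tag, so pin it by digest (`FROM eclipse-temurin:20-jre-alpine@sha256:<digest>`) if reproducible builds matter, and the summon binaries copied from the `summon` stage must be statically linked or musl-compatible to run on Alpine rather than on the glibc-based Debian slim image used before.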
2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
1.2.0
1.2.1
10 changes: 5 additions & 5 deletions pom.xml
Expand Up @@ -5,19 +5,19 @@

<groupId>org.springframework</groupId>
<artifactId>petstore</artifactId>
<version>0.1.0</version>
<version>0.2.1</version>

<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.0.2</version>
<version>3.0.6</version>
</parent>

<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>3.0.2</version>
<version>3.0.6</version>
</dependency>
<dependency>
<groupId>org.postgresql</groupId>
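Review bot: the project version moves from 0.1.0 to 0.2.1 while VERSION and CHANGELOG.md in the same commit say 1.2.1; pick one source of truth (or derive `<version>` from VERSION at build time) so the `petstore-*.jar` artifact and the release tag agree. Separately, `spring-boot-starter-web` (and the other starters further down) carry an explicit `<version>3.0.6</version>` even though `spring-boot-starter-parent` already manages starter versions; dropping the explicit versions means a future parent bump cannot leave one starter behind.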
Expand All @@ -41,7 +41,7 @@
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
<version>3.0.2</version>
<version>3.0.6</version>
</dependency>
<dependency>
<groupId>javax.xml.bind</groupId>
Expand All @@ -51,7 +51,7 @@
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
<version>3.0.2</version>
<version>3.0.6</version>
</dependency>
</dependencies>
