diff --git a/.github/workflows/container-validation.yml b/.github/workflows/container-validation.yml index 12544fb..887c8ff 100644 --- a/.github/workflows/container-validation.yml +++ b/.github/workflows/container-validation.yml @@ -3,7 +3,7 @@ name: Full checkup for SimpleRisk Docker images on: workflow_dispatch: pull_request: - branches: [ master ] + branches: [ master, testing ] jobs: simplerisk-jammy: diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index d468de4..d6f9e53 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -2,7 +2,7 @@ name: Shell script checkup with ShellCheck on: pull_request: - branches: [ master ] + branches: [ master, testing ] jobs: shellcheck: diff --git a/.grype.yaml b/.grype.yaml index 1131684..684e38e 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -1,2 +1,24 @@ ignore: - vulnerability: CVE-2025-27558 # Not able to fix it at the moment + # False positive: Grype's binary classifier reads the PHP interpreter's own version + # string (PHP 8.3.32 — embedded in /usr/local/bin/php, libphp.so, and the bundled + # extensions) as a "curl" binary at 8.3.32, then flags these curl CVEs (all fixed in + # curl 8.21.0). The REAL curl is the Debian package, patched (8.14.1-2+deb13u4) and + # correctly not flagged. Scoped per-CVE to binary-classified curl so a genuine future + # curl finding still surfaces instead of being blanket-ignored. + - vulnerability: CVE-2026-11856 + package: + name: curl + type: binary + - vulnerability: CVE-2026-10536 + package: + name: curl + type: binary + - vulnerability: CVE-2026-8927 + package: + name: curl + type: binary + - vulnerability: CVE-2026-8924 + package: + name: curl + type: binary diff --git a/simplerisk-minimal/Dockerfile b/simplerisk-minimal/Dockerfile index f1648b2..ca2cba1 100644 --- a/simplerisk-minimal/Dockerfile +++ b/simplerisk-minimal/Dockerfile @@ -36,7 +36,11 @@ ARG TARGETARCH # NOTE: The MySQL key was taken from https://dev.mysql.com/doc/refman/8.4/en/checking-gpg-signature.html # amd64: mysql-community-client from MySQL's Debian repo # arm64: default-mysql-client from Debian (MySQL's apt repo has no arm64 packages) +# apt-get upgrade patches base-image packages (apache2, curl, ...) with Debian +# security updates — the pinned php:${php_version}-apache base ships them at its +# own build-time versions, so without this they accumulate fixed CVEs (Grype gate). RUN apt-get update && \ + apt-get -y upgrade && \ apt-get install -y --no-install-recommends \ libldap2-dev \ libicu-dev \ diff --git a/simplerisk-minimal/generate_dockerfile.sh b/simplerisk-minimal/generate_dockerfile.sh index 8978e33..1171271 100755 --- a/simplerisk-minimal/generate_dockerfile.sh +++ b/simplerisk-minimal/generate_dockerfile.sh @@ -71,7 +71,11 @@ ARG TARGETARCH # NOTE: The MySQL key was taken from https://dev.mysql.com/doc/refman/8.4/en/checking-gpg-signature.html # amd64: mysql-community-client from MySQL's Debian repo # arm64: default-mysql-client from Debian (MySQL's apt repo has no arm64 packages) +# apt-get upgrade patches base-image packages (apache2, curl, ...) with Debian +# security updates — the pinned php:\${php_version}-apache base ships them at its +# own build-time versions, so without this they accumulate fixed CVEs (Grype gate). RUN apt-get update && \\ + apt-get -y upgrade && \\ apt-get install -y --no-install-recommends \\ libldap2-dev \\ libicu-dev \\