From f0a5884a5c049a8778b84632686949a2326c744d Mon Sep 17 00:00:00 2001 From: Josh Sokol Date: Sun, 12 Jul 2026 17:26:15 -0500 Subject: [PATCH 1/4] fix(minimal): apt-get upgrade to patch base-image CVEs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The pinned php:${php_version}-apache base ships apache2/curl at its own build-time versions, and the Dockerfile only `install`s specific packages — so base packages accumulate upstream-fixed CVEs. Grype (--fail-on critical --only-fixed) flags criticals on every minimal build: curl (CVE-2026-11856/10536/8927/8924, fixed 8.21.0) and apache2 (CVE-2026-29167/42535, fixed 2.4.68). Add `apt-get -y upgrade` after `apt-get update` so the Debian security fixes are pulled; regenerate the Dockerfile from the generator. Targets testing (features land here, then promote to master). Full/Ubuntu image currently passes Grype and is untouched. Co-Authored-By: Claude Opus 4.8 (1M context) --- simplerisk-minimal/Dockerfile | 4 ++++ simplerisk-minimal/generate_dockerfile.sh | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/simplerisk-minimal/Dockerfile b/simplerisk-minimal/Dockerfile index f1648b2..ca2cba1 100644 --- a/simplerisk-minimal/Dockerfile +++ b/simplerisk-minimal/Dockerfile @@ -36,7 +36,11 @@ ARG TARGETARCH # NOTE: The MySQL key was taken from https://dev.mysql.com/doc/refman/8.4/en/checking-gpg-signature.html # amd64: mysql-community-client from MySQL's Debian repo # arm64: default-mysql-client from Debian (MySQL's apt repo has no arm64 packages) +# apt-get upgrade patches base-image packages (apache2, curl, ...) with Debian +# security updates — the pinned php:${php_version}-apache base ships them at its +# own build-time versions, so without this they accumulate fixed CVEs (Grype gate). RUN apt-get update && \ + apt-get -y upgrade && \ apt-get install -y --no-install-recommends \ libldap2-dev \ libicu-dev \ diff --git a/simplerisk-minimal/generate_dockerfile.sh b/simplerisk-minimal/generate_dockerfile.sh index 8978e33..1171271 100755 --- a/simplerisk-minimal/generate_dockerfile.sh +++ b/simplerisk-minimal/generate_dockerfile.sh @@ -71,7 +71,11 @@ ARG TARGETARCH # NOTE: The MySQL key was taken from https://dev.mysql.com/doc/refman/8.4/en/checking-gpg-signature.html # amd64: mysql-community-client from MySQL's Debian repo # arm64: default-mysql-client from Debian (MySQL's apt repo has no arm64 packages) +# apt-get upgrade patches base-image packages (apache2, curl, ...) with Debian +# security updates — the pinned php:\${php_version}-apache base ships them at its +# own build-time versions, so without this they accumulate fixed CVEs (Grype gate). RUN apt-get update && \\ + apt-get -y upgrade && \\ apt-get install -y --no-install-recommends \\ libldap2-dev \\ libicu-dev \\ From be61fa5f89af0834477358e9aa236c7ddd127783 Mon Sep 17 00:00:00 2001 From: Josh Sokol Date: Sun, 12 Jul 2026 17:36:24 -0500 Subject: [PATCH 2/4] grype: ignore binary-classified curl (PHP-version false positive) Grype's binary classifier reads the PHP interpreter's version string (PHP 8.3.32, embedded in /usr/local/bin/php, libphp.so, and extensions) as a "curl" binary at 8.3.32 and flags curl CVEs (CVE-2026-11856/10536/8927/8924, fixed 8.21.0). The real curl is the Debian package, patched to 8.14.1-2+deb13u4 and correctly not flagged. Scope the ignore to binary-type curl so the deb curl stays scanned. With the apt-get upgrade (apache2 -> 2.4.68) this clears the minimal Grype gate. Co-Authored-By: Claude Opus 4.8 (1M context) --- .grype.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.grype.yaml b/.grype.yaml index 1131684..ac697c4 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -1,2 +1,11 @@ ignore: - vulnerability: CVE-2025-27558 # Not able to fix it at the moment + # False positive: Grype's binary classifier reads the PHP interpreter's own + # version string (PHP 8.3.32 — embedded in /usr/local/bin/php, libphp.so, and the + # bundled extensions) as a "curl" binary at 8.3.32, then flags curl CVEs + # (CVE-2026-11856/10536/8927/8924, fixed 8.21.0). The REAL curl in the image is + # the Debian package, patched (8.14.1-2+deb13u4) and correctly NOT flagged. Ignore + # binary-classified curl so this FP drops while the deb-packaged curl stays scanned. + - package: + name: curl + type: binary From 5591ab067f3787b08f3379d81359f76de8c7b49e Mon Sep 17 00:00:00 2001 From: Josh Sokol Date: Sun, 12 Jul 2026 17:40:49 -0500 Subject: [PATCH 3/4] grype: scope the binary-curl ignore per-CVE (not the whole package) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Security review flagged the previous `package: {name: curl, type: binary}` rule as over-broad — it would silently suppress any future binary-curl finding. Narrow it to the four specific PHP-version-misidentified CVEs (CVE-2026-11856/10536/8927/ 8924) so a genuine curl vulnerability still surfaces. Co-Authored-By: Claude Opus 4.8 (1M context) --- .grype.yaml | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/.grype.yaml b/.grype.yaml index ac697c4..684e38e 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -1,11 +1,24 @@ ignore: - vulnerability: CVE-2025-27558 # Not able to fix it at the moment - # False positive: Grype's binary classifier reads the PHP interpreter's own - # version string (PHP 8.3.32 — embedded in /usr/local/bin/php, libphp.so, and the - # bundled extensions) as a "curl" binary at 8.3.32, then flags curl CVEs - # (CVE-2026-11856/10536/8927/8924, fixed 8.21.0). The REAL curl in the image is - # the Debian package, patched (8.14.1-2+deb13u4) and correctly NOT flagged. Ignore - # binary-classified curl so this FP drops while the deb-packaged curl stays scanned. - - package: + # False positive: Grype's binary classifier reads the PHP interpreter's own version + # string (PHP 8.3.32 — embedded in /usr/local/bin/php, libphp.so, and the bundled + # extensions) as a "curl" binary at 8.3.32, then flags these curl CVEs (all fixed in + # curl 8.21.0). The REAL curl is the Debian package, patched (8.14.1-2+deb13u4) and + # correctly not flagged. Scoped per-CVE to binary-classified curl so a genuine future + # curl finding still surfaces instead of being blanket-ignored. + - vulnerability: CVE-2026-11856 + package: + name: curl + type: binary + - vulnerability: CVE-2026-10536 + package: + name: curl + type: binary + - vulnerability: CVE-2026-8927 + package: + name: curl + type: binary + - vulnerability: CVE-2026-8924 + package: name: curl type: binary From 5b8dae1923fd368ae03cee7fac21e904b09969ad Mon Sep 17 00:00:00 2001 From: Josh Sokol Date: Sun, 12 Jul 2026 17:48:21 -0500 Subject: [PATCH 4/4] ci: run container-validation + shellcheck on testing PRs too Both gates only triggered on pull_request -> master, so feature PRs to testing (where features land before promotion) were never validated. Add testing to the branch filter so the gates cover the branch features actually target. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/container-validation.yml | 2 +- .github/workflows/shellcheck.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/container-validation.yml b/.github/workflows/container-validation.yml index 12544fb..887c8ff 100644 --- a/.github/workflows/container-validation.yml +++ b/.github/workflows/container-validation.yml @@ -3,7 +3,7 @@ name: Full checkup for SimpleRisk Docker images on: workflow_dispatch: pull_request: - branches: [ master ] + branches: [ master, testing ] jobs: simplerisk-jammy: diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index d468de4..d6f9e53 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -2,7 +2,7 @@ name: Shell script checkup with ShellCheck on: pull_request: - branches: [ master ] + branches: [ master, testing ] jobs: shellcheck: