security: update alpine base image to 3.20 (#21729)

* security: update alpine base image to 3.20 * security: update scan config to remove old triage exceptions
hashicorp · Sep 13, 2024 · c40eecf · c40eecf
1 parent de281cb
commit c40eecf
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 9 deletions.
diff --git a/.changelog/21729.txt b/.changelog/21729.txt
@@ -0,0 +1,4 @@
+```release-notes:security
+Bump Dockerfile base image to `alpine:3.20`.
+This resolves CVE-2024-7264 and CVE-2024-8096 (curl).
+```
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
@@ -38,11 +38,6 @@ container {
 		suppress {
 			# N.b. `vulnerabilites` is the correct spelling for this tool.
 			vulnerabilites = [
-				"CVE-2023-46218", # [email protected]
-				"CVE-2023-46219", # [email protected]
-				"CVE-2023-5678",  # [email protected]
-				"CVE-2024-7264", # [email protected]
-				"CVE-2024-8096", # [email protected]
 			]
 			paths = [
 				"internal/tools/proto-gen-rpc-glue/e2e/consul/*",

diff --git a/Dockerfile b/Dockerfile
@@ -16,7 +16,7 @@
 # Official docker image that includes binaries from releases.hashicorp.com. This
 # downloads the release from releases.hashicorp.com and therefore requires that
 # the release is published before building the Docker image.
-FROM docker.mirror.hashicorp.services/alpine:3.19 as official
+FROM docker.mirror.hashicorp.services/alpine:3.20 as official
 
 # This is the release of Consul to pull in.
 ARG VERSION
@@ -112,7 +112,7 @@ CMD ["agent", "-dev", "-client", "0.0.0.0"]
 
 # Production docker image that uses CI built binaries.
 # Remember, this image cannot be built locally.
-FROM docker.mirror.hashicorp.services/alpine:3.19 as default
+FROM docker.mirror.hashicorp.services/alpine:3.20 as default
 
 ARG PRODUCT_VERSION
 ARG BIN_NAME

diff --git a/test/integration/connect/envoy/Dockerfile-tcpdump b/test/integration/connect/envoy/Dockerfile-tcpdump
@@ -1,4 +1,4 @@
-FROM alpine:3.17
+FROM alpine:3.20
 
 RUN apk add --no-cache tcpdump
 VOLUME  [ "/data" ]

diff --git a/test/integration/connect/envoy/helpers.bash b/test/integration/connect/envoy/helpers.bash
@@ -652,7 +652,7 @@ function docker_consul_for_proxy_bootstrap {
 function docker_wget {
   local DC=$1
   shift 1
-  docker run --rm --network container:envoy_consul-${DC}_1 docker.mirror.hashicorp.services/alpine:3.17 wget "$@"
+  docker run --rm --network container:envoy_consul-${DC}_1 docker.mirror.hashicorp.services/alpine:3.20 wget "$@"
 }
 
 function docker_curl {