Skip to content

Automate CVE patches removal #54

Description

@renatomefi

Context

When a new CVE comes up we tend to upgrade the package using apk upgrade --no-cache curl for instance.
Since our images are based on official ones, eventually they get the upgraded package which causes us to remove the patches from our Dockerfiles

Solution

  • Embrace all CVE patches in blocks like:
###> CVE: 1234 ###

###< CVE: 1234 ###
  • Write a script that removes them and tries to build the images and check for vulnerabilities, if it passes then automatically opens a PR with the CVEs removed

Metadata

Metadata

Assignees

No one assigned

    Labels

    FeatureNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions