Update OS baseline and reduce container attack surface#2
Open
xuara wants to merge 34 commits into
Open
Conversation
…korecko#140) - Resolved 18 High and 26 Medium vulnerabilities (CVE-2026-42499, etc.) by upgrading OS packages. - Addressed transitive Go-based vulnerabilities within the Docker CLI and system libraries. - Restructured build into explicit stages (base, build, final) for better security isolation. - Implemented GPG key verification for Docker repository to ensure package integrity. - Maintained non-root 'app' user execution for production hardening.
- Minor comment adjustment to trigger GitHub Actions build. - Verifying multi-stage Dockerfile logic and architecture mapping.
- Added temporary workflow to verify Dockerfile syntax and multi-stage logic. - Ensuring apt-get upgrade and GPG key verification work as intended. - Validating non-root user transitions.
- Created docker-build-check.yml to automate Dockerfile validation. - Configured to trigger on push, pull_request, and manual dispatch. - Ensures future changes to the Dockerfile do not break image builds.
- Upgraded docker/setup-buildx-action to v4. - Upgraded docker/login-action to v4. - Upgraded docker/build-push-action to v7. - Added id-token permissions for OIDC build attestations. - Refactored GHCR login to use GITHUB_TOKEN for improved security. - Simplified tag generation using native GitHub context variables.
- Enabled NuGet package caching in setup-dotnet@v4 for faster CI cycles. - Hardened security by reducing GITHUB_TOKEN permissions to read-only. - Standardized checkout logic for Pull Request triggers. - Added normal verbosity to test output for better mobile debugging.
- Upgraded Docker actions to v4 (setup/login) and v7 (build-push). - Implemented OIDC id-token permissions for secure build provenance. - Refactored GHCR auth to use native GITHUB_TOKEN. - Optimized multi-arch test matrix by replacing 50s sleep with direct binary verification. - Standardized architecture naming for arm/v7 across workflows.
- Corrected Buildx setup to use docker/setup-buildx-action@v4. - Migrated raw docker build command to docker/build-push-action@v7. - Enabled GitHub Actions (GHA) caching for faster subsequent builds. - Set push to false to ensure this remains a validation-only check.
- Removed 'cache: true' from setup-dotnet@v4. - Resolved "Dependencies lock file is not found" error. - Standardized build workflow for repositories without packages.lock.json.
- Upgraded base and build images to `10.0-resolute` (Ubuntu 24.04 -> 26.04). - Remediates 8 High/Medium CVEs (inc. CVE-2026-42499) in Go `stdlib 1.26.2`. - Vulnerabilities were transitive via `docker-ce-cli` and OS-level system utilities. - Resolute baseline provides Go `1.26.3+` binaries, addressing the security lag in Noble. - Maintained `apt-get` support while reducing total package footprint by 50%.
…ages Reverted to the stable Dockerfile structure from the main branch to fix permission errors while explicitly using 10.0-resolute tags for CVE remediation.
Refactored Dockerfile for performance and security: - Fixed non-root permission errors using atomic 'install' and native '--chown'. - Reduced image bloat by eliminating redundant filesystem layers. - Minimized attack surface by purging build-time tools (gnupg) from the final stage. - Improved build reproducibility by removing non-deterministic 'apt-get upgrade' calls. - Standardized multi-arch RID mapping for amd64, arm64, and arm/v7.
Set environment variable to force JavaScript actions to Node.js 24.
…lities Upgrades TargetFramework to net10.0 across the web and unit test projects. Aligns Entity Framework Core dependencies with version 10.0.0 and updates test runners for compatibility. Implements explicit package overrides for golang.org/x/net, spdystream, and OpenTelemetry to remediate high-severity CVEs identified in transitive Go-based dependencies.
Removes non-NuGet Go package references from project files to resolve dotnet restore errors during build. Retains TargetFramework upgrades to net10.0 and Entity Framework Core 10.0 alignment.
Extends FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 to build, release, and unstable workflows. This synchronizes with existing docker-build settings and ensures compatibility with the Ubuntu 26.04 (Resolute Raccoon) environment.
…de analysis - Updated base image to Ubuntu 26.04 and SDK to .NET 10.0. - Patched System.Security.Cryptography.Xml to 10.0.6 to resolve high-severity vulnerabilities. - Refactored Constants to PascalCase and flattened structure. - Internalized types (CA1515) and resolved all latest-all analyzer warnings. - Synchronized unit tests with new naming and visibility standards.
- Internalized controllers and DTOs. - Added standard exception constructors to custom exceptions. - Fully aligned codebase with .NET 10 'latest-all' analysis standards.
… project suppressions
Addresses all static analysis warnings and modernizes core services to achieve a strict zero-warning build under .NET 10. This includes fixes for memory leaks, routing performance, and background task reliability. Resource Management & Memory Safety (CA2000): - Enforced proper disposal of StringContent via 'using' declarations in PortainerService and OllamaService to prevent connection leaks. Performance Optimization (CA2234, SYSLIB1045): - Refactored HttpClient calls across AppriseService, DiscordService, PortainerService, and OllamaService to use Uri overloads, eliminating repeated string parsing overhead. - Migrated runtime regex evaluations to compile-time [GeneratedRegex] partial methods in UpdateService and ParsingHelper for improved performance. - Resolved collection initialization warnings (IDE0305) in ParsingHelper using modern collection expressions [.. ]. Service Reliability & Task Cancellation (CA1031): - Replaced broad catch-all blocks across background workers (DockerService, UpdateService, VersionCheckHostedService, ParsingHelper). - Added explicit 'when (ex is not OperationCanceledException)' filters to allow graceful shutdown and propagation of cancellation tokens.
…tests - Fix Unhandled ArgumentNullException in UpdateService when config path reads fail - Enforce regex matching against app.Version instead of the raw variable block in .env update strategy - Add strict validation checks to prevent incomplete (fewer than 3 steps) update plans from executing - Update test suite Moq configurations to dynamically handle absolute paths for .env resolution - Fix exact match string constraint bugs in UpdateServiceTests test hooks
…ode analysis warnings
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR updates the container base image to Ubuntu 26.04 (Resolute Raccoon) to improve the security posture of the application.
Key Improvements
apt-getremains available for necessary package installations.Technical Blockers
While this significantly hardens the image, 11 vulnerabilities remain because they are inherent to the upstream Microsoft base images and cannot be fixed at our level:
Impact
Moving to the latest LTS release provides a much cleaner environment by remediating unpatchable vulnerabilities in packages like
curlandotel/sdk, even while we wait for upstream toolchain updates to clear the remaining Go-related items.