From ae1dc1bfa01b3409fa9d6c2350dfec6c53164405 Mon Sep 17 00:00:00 2001 
From: Daniel Valdivia
Date: Mon, 1 Jun 2026 14:46:00 -0700
Subject: [PATCH 1/4] fix(kubernetes): eliminate Critical/High CVEs via slim runtime base + Go bumps

The controller/operator image (kubernetes/Dockerfile) shipped the full `golang:1.24` build toolchain image as its *runtime* stage, dragging in the entire Debian 13 userland (python3.13, perl, gnutls), the build toolchain (binutils, gcc, git, gnupg, libc6-dev) and kernel headers (linux-libc-dev). Trivy flagged ~340 Critical/High CVEs against it; the same Dockerfile also builds the task-executor image, which carried the identical surface.

Four changes fix it:

1. Runtime base golang:1.24 -> debian:13-slim (digest-pinned), installing ONLY util-linux-extra (nsenter; it left util-linux in trixie) and ca-certificates, with `apt-get upgrade` for security patches and a `command -v nsenter` build assertion so sidecar task execution can't silently break.
2. Builder golang:1.24 -> golang:1.25 (digest-pinned). The binary was built with Go stdlib 1.24.13, which is EOL for the stdlib CVEs (fixed only in 1.25.10+).
3. otel cluster -> v1.43.0 (go.mod/go.sum); grpc resolved to v1.80.0. This moves the go.mod directive to go 1.25.0.
4. Dockerfile.image-committer builder golang:1.24-alpine -> golang:1.25-alpine (digest-pinned) so it can still compile the now-go-1.25.0 module; its runtime alpine:3.19 -> alpine:3.21 to match execd/ingress.

Result on the scanned image: Critical 19 -> 2, High 321 -> 7. The 9 residuals have no upstream fix yet and sit on essential base packages (perl-base, libcap2, ncurses); they will clear automatically on rebuild once Debian ships patches.
CRITICAL fixed (17):
- CVE-2026-33186 grpc -> rebuild (go.mod grpc v1.80.0)
- CVE-2026-31789 openssl/libssl3 -> apt upgrade to 3.5.5-1~deb13u2
- CVE-2026-23112 linux-libc-dev -> removed (kernel headers not in runtime)
- CVE-2026-7210 python3.13 (x4) -> removed (no python in slim runtime)
- CVE-2026-8376 perl/-modules -> removed (full perl not in slim runtime)
- CVE-2026-42496 perl/-modules -> removed (full perl not in slim runtime)
- CVE-2026-33845 libgnutls30t64 -> removed (gnutls not in slim runtime)
- CVE-2026-42010 libgnutls30t64 -> removed (gnutls not in slim runtime)

HIGH fixed (314):
- 12 Go stdlib (built w/ 1.24.13) -> golang:1.25 builder (>=1.25.10): CVE-2026-25679, -32280, -32281, -32283, -33811, -33814, -39820, -39823, -39825, -39826, -39836, -42499
- 2 otel/sdk -> v1.43.0: CVE-2026-24051 (fix 1.40.0), CVE-2026-39883 (1.43.0)
- 12 openssl family -> apt upgrade 3.5.5-1~deb13u2: CVE-2026-28387, -28388, -28389, -28390
- 288 toolchain/trixie packages removed with the slim base, dominated by linux-libc-dev (239 kernel-header CVEs), plus python3.13, full perl, gnutls, curl/krb5, gnupg, binutils, openssh-client, libexpat1, libncursesw6

RESIDUAL (no upstream fix; monitor):
- perl-base: CVE-2026-8376, CVE-2026-42496 (Critical); CVE-2026-42497, CVE-2026-48962, CVE-2026-9538 (High)
- libcap2: CVE-2026-4878 (High)
- ncurses (libtinfo6/ncurses-base/ncurses-bin): CVE-2025-69720 (High)

Verified: `go build ./...`, `go mod verify`, and docker build of the controller (uid 65532), task-executor (uid 0) and image-committer images; nsenter + /bin/sh confirmed present in the built runtime images.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 kubernetes/Dockerfile                 | 27 +++++++--
 kubernetes/Dockerfile.image-committer |  7 ++-
 kubernetes/go.mod                     | 38 ++++++-------
 kubernetes/go.sum                     | 80 +++++++++++++--------------
 4 files changed, 87 insertions(+), 65 deletions(-)

diff --git a/kubernetes/Dockerfile b/kubernetes/Dockerfile
index 8ce31232f..6e52cbef4 100644
--- a/kubernetes/Dockerfile +++ b/kubernetes/Dockerfile @@ -13,7 +13,9 @@ # limitations under the License. # Build the manager binary -FROM golang:1.24 AS builder +# Go 1.25 (>=1.25.10) is required to pick up Go stdlib security fixes; the 1.24 +# branch is EOL for them. Pinned by digest (dependabot keeps tag+digest current). +FROM golang:1.25@sha256:c138bff780910acf4254ab3a6f7ff0f64bbd841f27bd82bfa986fe122c109538 AS builder ARG TARGETOS ARG TARGETARCH ARG GOFLAGS= @@ -60,10 +62,27 @@ RUN if [ -n "${CC}" ]; then export CC; fi; \ -ldflags "${LDFLAGS} -buildid= -B none -X main.commitID=${COMMIT_ID} -X main.buildDate=${BUILD_DATE}" \ -o server ${PACKAGE} -# Use golang image as base to ensure nsenter (util-linux) is available -# distroless does not contain shell or nsenter -FROM golang:1.24 +# Minimal runtime instead of the full golang toolchain image (which shipped the +# entire Debian 13 userland + build tools -> hundreds of OS-package CVEs). +# The task-executor needs nsenter + /bin/sh; the controller shells out to nothing. +# distroless is unusable here because it has neither nsenter nor a shell. +# Pinned by digest (dependabot keeps tag+digest current). +FROM debian:13-slim@sha256:b6e2a152f22a40ff69d92cb397223c906017e1391a73c952b588e51af8883bf8 ARG USERID=65532 + +# Apply outstanding security patches (clears the fixable OpenSSL CVEs) and install +# ONLY the runtime deps. In Debian trixie nsenter lives in util-linux-extra +# (util-linux merely Recommends it), so install util-linux-extra explicitly. +RUN apt-get update \ + && apt-get upgrade -y --no-install-recommends \ + && apt-get install -y --no-install-recommends \ + util-linux-extra \ + ca-certificates \ + && rm -rf /var/lib/apt/lists/* + +# Fail the build early if the runtime deps are missing. +RUN command -v nsenter >/dev/null && [ -x /bin/sh ] + WORKDIR /workspace COPY --from=builder /workspace/server . USER $USERID 
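Review bot: `apt-get upgrade -y` in the new runtime stage undoes the reproducibility the `debian:13-slim@sha256:…` pin just bought: the same base digest yields a different package set depending on what the mirror serves at build time, so the resulting image is not a function of the Dockerfile (and `--no-install-recommends` is a no-op on `upgrade`, which never installs new packages). Either drop the upgrade and refresh the base digest when OS fixes land, or pin the installed packages to explicit versions (`util-linux-extra=<version>`). Separately, the comment says the controller "shells out to nothing", so the controller image does not need `nsenter` or `/bin/sh` at all; only the task-executor does, and per the commit message that one runs as uid 0. A second runtime stage for the controller (distroless static is usable there, since the stated objection to distroless only applies to the task-executor) would keep the shell out of the image that has no use for it.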
diff --git a/kubernetes/Dockerfile.image-committer b/kubernetes/Dockerfile.image-committer index 5e229d6f4..171ec1d73 100644 --- a/kubernetes/Dockerfile.image-committer +++ b/kubernetes/Dockerfile.image-committer @@ -13,7 +13,9 @@ # limitations under the License. # Build stage -FROM golang:1.24-alpine AS builder +# Go 1.25 to match the go.mod directive (the kubernetes module requires go 1.25). +# Pinned by tag@digest; Dependabot keeps both current. +FROM golang:1.25-alpine@sha256:8d22e29d960bc50cd025d93d5b7c7d220b1ee9aa7a239b3c8f55a57e987e8d45 AS builder # Use Aliyun mirror for faster downloads in China RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories @@ -31,7 +33,8 @@ COPY cmd/image-committer/ cmd/image-committer/ RUN CGO_ENABLED=0 GOOS=linux go build -o /usr/local/bin/image-committer ./cmd/image-committer/ # Runtime stage -FROM alpine:3.19 +# Pinned by tag@digest for reproducibility; Dependabot keeps both current. +FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d # Use Aliyun mirror for faster downloads in China RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories diff --git a/kubernetes/go.mod b/kubernetes/go.mod index 3e03d6a0a..4d273a31c 100644 --- a/kubernetes/go.mod +++ b/kubernetes/go.mod @@ -1,6 +1,6 @@ module github.com/alibaba/OpenSandbox/sandbox-k8s -go 1.24.0 +go 1.25.0 require ( github.com/golang/mock v1.6.0 @@ -50,7 +50,7 @@ require ( github.com/google/go-cmp v0.7.0 // indirect github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect github.com/google/uuid v1.6.0 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect 
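Review bot: the image-committer builder is pinned as `golang:1.25-alpine@sha256:8d22e…` with a comment that Go 1.25 is needed to match the go.mod directive, but the kubernetes/Dockerfile hunk in this same patch says the stdlib fixes need >=1.25.10, and nothing in a `1.25-alpine` tag shows which patch release that digest resolves to. Pin an explicit patch tag (`golang:1.25.<n>-alpine@sha256:…`) so the requirement is visible in the file and Dependabot moves tag and digest together. Also, the `go 1.25.0` directive bump in the go.mod hunk below will break any CI job that still installs Go 1.24 with `GOTOOLCHAIN=local`; the workflows need the same bump within this series.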
@@ -70,28 +70,28 @@ require ( github.com/x448/float16 v0.8.4 // indirect go.opentelemetry.io/auto/sdk v1.2.1 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect - go.opentelemetry.io/otel v1.41.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 // indirect - go.opentelemetry.io/otel/metric v1.41.0 // indirect - go.opentelemetry.io/otel/sdk v1.41.0 // indirect - go.opentelemetry.io/otel/trace v1.41.0 // indirect - go.opentelemetry.io/proto/otlp v1.9.0 // indirect + go.opentelemetry.io/otel v1.43.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 // indirect + go.opentelemetry.io/otel/metric v1.43.0 // indirect + go.opentelemetry.io/otel/sdk v1.43.0 // indirect + go.opentelemetry.io/otel/trace v1.43.0 // indirect + go.opentelemetry.io/proto/otlp v1.10.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect - golang.org/x/net v0.50.0 // indirect - golang.org/x/oauth2 v0.34.0 // indirect - golang.org/x/sync v0.19.0 // indirect - golang.org/x/sys v0.41.0 // indirect - golang.org/x/term v0.40.0 // indirect - golang.org/x/text v0.34.0 // indirect + golang.org/x/net v0.52.0 // indirect + golang.org/x/oauth2 v0.35.0 // indirect + golang.org/x/sync v0.20.0 // indirect + golang.org/x/sys v0.42.0 // indirect + golang.org/x/term v0.41.0 // indirect + golang.org/x/text v0.35.0 // indirect golang.org/x/time v0.9.0 // indirect - golang.org/x/tools v0.41.0 // indirect + golang.org/x/tools v0.42.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 // indirect - 
google.golang.org/grpc v1.79.3 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect + google.golang.org/grpc v1.80.0 // indirect google.golang.org/protobuf v1.36.11 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/kubernetes/go.sum b/kubernetes/go.sum index 38e7104c2..32e36899b 100644 --- a/kubernetes/go.sum +++ b/kubernetes/go.sum @@ -70,8 +70,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo= github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= 
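Review bot: the commit message lists `go mod verify` as validation, but that only checks that the module cache matches go.sum; it says nothing about whether go.sum is complete or tidy after the otel, genproto and `google.golang.org/grpc v1.80.0` moves in this hunk. Run `go mod tidy` and confirm it produces no diff before merging. And since the grpc bump is the one the message credits with closing a Critical (CVE-2026-33186), confirm with `go version -m` on the built binary that v1.80.0 is what actually gets linked rather than trusting go.mod alone, given that the scanned binary previously lagged go.mod by several releases.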
@@ -149,22 +149,22 @@ go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg= -go.opentelemetry.io/otel v1.41.0 h1:YlEwVsGAlCvczDILpUXpIpPSL/VPugt7zHThEMLce1c= -go.opentelemetry.io/otel v1.41.0/go.mod h1:Yt4UwgEKeT05QbLwbyHXEwhnjxNO6D8L5PQP51/46dE= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0 h1:ao6Oe+wSebTlQ1OEht7jlYTzQKE+pnx/iNywFvTbuuI= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0/go.mod h1:u3T6vz0gh/NVzgDgiwkgLxpsSF6PaPmo2il0apGJbls= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 h1:lwI4Dc5leUqENgGuQImwLo4WnuXFPetmPpkLi2IrX54= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0/go.mod h1:Kz/oCE7z5wuyhPxsXDuaPteSWqjSBD5YaSdbxZYGbGk= -go.opentelemetry.io/otel/metric v1.41.0 h1:rFnDcs4gRzBcsO9tS8LCpgR0dxg4aaxWlJxCno7JlTQ= -go.opentelemetry.io/otel/metric v1.41.0/go.mod h1:xPvCwd9pU0VN8tPZYzDZV/BMj9CM9vs00GuBjeKhJps= -go.opentelemetry.io/otel/sdk v1.41.0 h1:YPIEXKmiAwkGl3Gu1huk1aYWwtpRLeskpV+wPisxBp8= -go.opentelemetry.io/otel/sdk v1.41.0/go.mod h1:ahFdU0G5y8IxglBf0QBJXgSe7agzjE4GiTJ6HT9ud90= -go.opentelemetry.io/otel/sdk/metric v1.41.0 h1:siZQIYBAUd1rlIWQT2uCxWJxcCO7q3TriaMlf08rXw8= -go.opentelemetry.io/otel/sdk/metric v1.41.0/go.mod h1:HNBuSvT7ROaGtGI50ArdRLUnvRTRGniSUZbxiWxSO8Y= -go.opentelemetry.io/otel/trace v1.41.0 h1:Vbk2co6bhj8L59ZJ6/xFTskY+tGAbOnCtQGVVa9TIN0= -go.opentelemetry.io/otel/trace v1.41.0/go.mod h1:U1NU4ULCoxeDKc09yCWdWe+3QoyweJcISEVa1RBzOis= -go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A= -go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4= 
+go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I= +go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 h1:88Y4s2C8oTui1LGM6bTWkw0ICGcOLCAI5l6zsD1j20k= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0/go.mod h1:Vl1/iaggsuRlrHf/hfPJPvVag77kKyvrLeD10kpMl+A= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 h1:RAE+JPfvEmvy+0LzyUA25/SGawPwIUbZ6u0Wug54sLc= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0/go.mod h1:AGmbycVGEsRx9mXMZ75CsOyhSP6MFIcj/6dnG+vhVjk= +go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM= +go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY= +go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg= +go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg= +go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw= +go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A= +go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A= +go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0= +go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g= +go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= 
@@ -184,31 +184,31 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60= -golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM= -golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw= -golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= +golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0= +golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw= +golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ= +golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4= -golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= +golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4= +golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k= -golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= +golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg= -golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM= +golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU= +golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk= -golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA= +golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8= +golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA= golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY= golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -216,22 +216,22 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc= -golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg= +golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k= +golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= -gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= -google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 h1:JLQynH/LBHfCTSbDWl+py8C+Rg/k1OVH3xfcaiANuF0= -google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57/go.mod h1:kSJwQxqmFXeo79zOmbrALdflXQeAYcUbgS7PbpMknCY= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 h1:mWPCjDEyshlQYzBpMNHaEof6UX1PmHcaUODUywQ0uac= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57/go.mod 
h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= -google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE= -google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ= +gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4= +gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E= +google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA= +google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:7QBABkRtR8z+TEnmXTqIqwJLlzrZKVfAUm7tY3yGv0M= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:m8qni9SQFH0tJc1X0vmnpw/0t+AImlSvp30sEupozUg= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= +google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM= +google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From c70c7350e46034604b661887e5a8a49d6a7c3606 Mon Sep 17 00:00:00 2001 
From: Daniel Valdivia
Date: Mon, 1 Jun 2026 14:46:00 -0700
Subject: [PATCH 2/4] chore(ci): add Dependabot config and pin component base images
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Stale container base images were the root cause of the bulk of the Critical/High OS-package CVEs Trivy found: Go modules were being bumped by Dependabot, but no `docker` ecosystem was configured, so base images were never refreshed and images were rarely rebuilt (the scanned binary still embedded grpc v1.68.1 while go.mod was already at v1.79.3).

- Add .github/dependabot.yml (previously UI-only, not in-tree). Covers gomod, pip and npm to preserve existing coverage, adds github-actions, and — critically — adds the `docker` ecosystem across every Dockerfile directory so base images stay patched. Updates are grouped to keep PR volume manageable.
- Pin components/execd and components/ingress from the floating `alpine:latest` to `alpine:3.21@sha256:...` for reproducible builds and so Dependabot can track them.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/dependabot.yml        | 99 +++++++++++++++++++++++++++++++++++
 components/execd/Dockerfile   |  3 +-
 components/ingress/Dockerfile |  3 +-
 3 files changed, 103 insertions(+), 2 deletions(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..b65bf9e40
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,99 @@ +# Dependabot configuration for OpenSandbox. +# +# This file makes the previously UI-only Dependabot setup reviewable in-tree and, +# critically, adds the "docker" ecosystem so container base images (golang, debian, +# alpine, python, ubuntu) are kept patched. Stale base images were the root cause of +# the bulk of the Critical/High OS-package CVEs found by Trivy: Go modules were being +# bumped but the images they ship in were never refreshed. +# +# Updates are grouped per ecosystem to keep PR volume manageable. +version: 2 +updates: + # ---- Go modules ---------------------------------------------------------- + - package-ecosystem: gomod + directories: + - /kubernetes + - /components/egress + - /components/execd + - /components/ingress + - /components/internal + - /sdks/sandbox/go + - /tests/go + - /examples/chrome + schedule: + interval: weekly + open-pull-requests-limit: 10 + groups: + go-minor-patch: + update-types: + - minor + - patch + + # ---- Container base images ---------------------------------------------- + # The gap that let OS-package CVEs accumulate. Covers every Dockerfile dir; + # bases are pinned by tag@digest so Dependabot bumps both the tag and digest. 
+ - package-ecosystem: docker + directories: + - /kubernetes + - /components/egress + - /components/execd + - /components/ingress + - /server + - /sandboxes/code-interpreter + - /examples/chrome + - /examples/desktop + - /examples/playwright + - /examples/vscode + schedule: + interval: weekly + open-pull-requests-limit: 10 + groups: + docker-images: + patterns: + - "*" + + # ---- Python (uv / pip) --------------------------------------------------- + - package-ecosystem: pip + directories: + - /server + - /cli + - /sdks/code-interpreter/python + - /sdks/mcp/sandbox/python + - /sdks/sandbox/python + - /tests/python + schedule: + interval: weekly + open-pull-requests-limit: 10 + groups: + python-minor-patch: + update-types: + - minor + - patch + + # ---- JavaScript / npm ---------------------------------------------------- + - package-ecosystem: npm + directories: + - /docs + - /sdks + - /sdks/code-interpreter/javascript + - /sdks/sandbox/javascript + - /tests/javascript + schedule: + interval: weekly + open-pull-requests-limit: 10 + groups: + npm-minor-patch: + update-types: + - minor + - patch + + # ---- GitHub Actions ------------------------------------------------------ + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + open-pull-requests-limit: 5 + groups: + actions: + patterns: + - "*" diff --git a/components/execd/Dockerfile b/components/execd/Dockerfile index 586434bc0..01dd08566 100644 --- a/components/execd/Dockerfile +++ b/components/execd/Dockerfile @@ -64,7 +64,8 @@ RUN CGO_ENABLED=0 GOOS=windows go build ${GOFLAGS} -trimpath -buildvcs=false \ -X 'github.com/alibaba/opensandbox/internal/version.GitCommit=${GIT_COMMIT}'" \ -o /build/execd.exe ./main.go -FROM alpine:latest +# Pinned by tag@digest for reproducibility; Dependabot keeps both current. +FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d COPY --from=builder /build/execd . COPY --from=builder /build/execd.exe ./execd.exe 
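Review bot: two issues in the new dependabot.yml. The `npm` block lists `/sdks` alongside `/sdks/code-interpreter/javascript` and `/sdks/sandbox/javascript`; if `/sdks` is a workspace root whose lockfile already covers those children, the entries overlap, and Dependabot does not accept overlapping directories within one ecosystem, so list either the root or the children, not both. The Python block is headed "uv / pip" but declares `package-ecosystem: pip`; the pip ecosystem updates requirements files and will not touch a `uv.lock`, so check which lockfile those six directories actually carry and use `uv` if it is uv.lock. Minor: the `docker` group `patterns: ["*"]` folds the `golang` builder bump into the same PR as every base-OS digest refresh, so one failing image build blocks all OS patch PRs; a separate group for builder images keeps them independent.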
diff --git a/components/ingress/Dockerfile b/components/ingress/Dockerfile index 265b50bd1..d723761e8 100644 --- a/components/ingress/Dockerfile +++ b/components/ingress/Dockerfile @@ -59,7 +59,8 @@ RUN if [ -n "${CC}" ]; then export CC; fi; \ -X 'github.com/alibaba/opensandbox/internal/version.GitCommit=${GIT_COMMIT}'" \ -o /build/ingress ./main.go -FROM alpine:latest +# Pinned by tag@digest for reproducibility; Dependabot keeps both current. +FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d COPY --from=builder /build/ingress . From 3d5869a31a192df8dd3b8f91c6e2b54bc91b94a0 Mon Sep 17 00:00:00 2001 
From: Daniel Valdivia
Date: Mon, 1 Jun 2026 23:53:12 -0700
Subject: [PATCH 3/4] fix: address PR review comments

kubernetes/Dockerfile:
- Pin the builder to an explicit patch tag golang:1.25.10 (the digest already resolves to go1.25.10), so the tag, digest and the ">=1.25.10" comment are consistent. (Copilot)
- Drop `apt-get upgrade` for reproducible builds. The pinned debian:13-slim digest already ships libssl3t64 3.5.6-1~deb13u1 (newer than the 3.5.5-1~deb13u2 OpenSSL fix), so the OpenSSL CVEs stay fixed via the base digest; OS patches now come from Dependabot bumping the pinned base rather than a non-deterministic upgrade. Verified the rebuilt image still carries libssl3t64 3.5.6 + nsenter, and the Critical/High residual is unchanged. (Copilot)

.github/dependabot.yml:
- Switch the Python block from pip to the uv ecosystem; all six dirs pin deps with uv.lock (no requirements.txt), which pip would not maintain. (Codex)
- Drop the overlapping npm child dirs. /sdks is a pnpm workspace root whose pnpm-lock.yaml already covers sdks/{code-interpreter,sandbox}/javascript, so listing them alongside /sdks violated Dependabot's non-overlap rule. (Codex)
- Keep the plural `directories:` key (GA-supported since 2024). (Copilot)

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/dependabot.yml | 13 ++++++++-----
 kubernetes/Dockerfile  | 16 +++++++++-------
 2 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b65bf9e40..cb4675eac 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -52,8 +52,10 @@ updates: patterns: - "*" - # ---- Python (uv / pip) --------------------------------------------------- - - package-ecosystem: pip + # ---- Python (uv) --------------------------------------------------------- + # These dirs pin deps with uv.lock (+ pyproject.toml), so use the uv ecosystem; + # the pip ecosystem would not maintain the uv.lock files. + - package-ecosystem: uv directories: - /server - /cli @@ -70,13 +72,14 @@ updates: - minor - patch - # ---- JavaScript / npm ---------------------------------------------------- + # ---- JavaScript / npm (handles pnpm) ------------------------------------- + # /sdks is a pnpm workspace root whose pnpm-lock.yaml already covers + # sdks/{code-interpreter,sandbox}/javascript, so those children are NOT listed + # separately (Dependabot requires non-overlapping directories per ecosystem). - package-ecosystem: npm directories: - /docs - /sdks - - /sdks/code-interpreter/javascript - - /sdks/sandbox/javascript - /tests/javascript schedule: interval: weekly diff --git a/kubernetes/Dockerfile b/kubernetes/Dockerfile index 6e52cbef4..879bd6f7a 100644 --- a/kubernetes/Dockerfile +++ b/kubernetes/Dockerfile @@ -13,9 +13,10 @@ # limitations under the License. # Build the manager binary -# Go 1.25 (>=1.25.10) is required to pick up Go stdlib security fixes; the 1.24 -# branch is EOL for them. Pinned by digest (dependabot keeps tag+digest current). -FROM golang:1.25@sha256:c138bff780910acf4254ab3a6f7ff0f64bbd841f27bd82bfa986fe122c109538 AS builder +# Go >=1.25.10 is required to pick up Go stdlib security fixes; the 1.24 branch is +# EOL for them. Pinned to an explicit patch tag + digest (the digest resolves to +# 1.25.10); dependabot keeps tag and digest in lockstep. +FROM golang:1.25.10@sha256:c138bff780910acf4254ab3a6f7ff0f64bbd841f27bd82bfa986fe122c109538 AS builder ARG TARGETOS ARG TARGETARCH ARG GOFLAGS= 
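Review bot: the explicit patch tag is applied only to kubernetes/Dockerfile; Dockerfile.image-committer keeps the `golang:1.25-alpine@sha256:…` pin from patch 1, so the same >=1.25.10 requirement is still invisible there and the tag/digest/comment consistency point this hunk addresses applies to that builder too. Use the matching `golang:1.25.10-alpine@sha256:…` form for it in the same patch.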
@@ -70,11 +71,12 @@ RUN if [ -n "${CC}" ]; then export CC; fi; \ FROM debian:13-slim@sha256:b6e2a152f22a40ff69d92cb397223c906017e1391a73c952b588e51af8883bf8 ARG USERID=65532 -# Apply outstanding security patches (clears the fixable OpenSSL CVEs) and install -# ONLY the runtime deps. In Debian trixie nsenter lives in util-linux-extra -# (util-linux merely Recommends it), so install util-linux-extra explicitly. +# Install ONLY the runtime deps that are not already in the slim base. OS security +# fixes come from the pinned base digest (kept current by Dependabot), not from an +# `apt-get upgrade` which would make builds non-reproducible. In Debian trixie +# nsenter lives in util-linux-extra (util-linux merely Recommends it), so install +# util-linux-extra explicitly. RUN apt-get update \ - && apt-get upgrade -y --no-install-recommends \ && apt-get install -y --no-install-recommends \ util-linux-extra \ ca-certificates \ From e1462b30c29a60584e6c58dddc08cb05c636c78a Mon Sep 17 00:00:00 2001 
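Review bot: dropping `apt-get upgrade` does not by itself make this stage reproducible: the remaining `apt-get update && apt-get install … util-linux-extra ca-certificates` still fetches whatever versions the mirror serves at build time, so two builds from the same pinned base digest can still differ. Pin those two packages to explicit versions (`util-linux-extra=<version> ca-certificates=<version>`), or say in the comment that only the base layer is reproducible. Also, the statement that the pinned digest already ships libssl3t64 3.5.6-1~deb13u1 lives only in the commit message; fold it into the existing build assertion next to `command -v nsenter`, e.g. `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libssl3t64)" ge 3.5.5-1~deb13u2`, so a base bump that regresses OpenSSL fails the build instead of passing silently.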
From: Daniel Valdivia
Date: Wed, 3 Jun 2026 10:34:15 -0700
Subject: [PATCH 4/4] ci(kubernetes): bump CI Go to 1.25 to match go.mod

The go directive in kubernetes/go.mod was raised to 1.25.0 (otel v1.43.0 requires it), but the kubernetes CI still set up Go 1.24 with GOTOOLCHAIN=local:

- Controller E2E jobs failed at `make manifests`: go.mod requires go >= 1.25.0 (running go 1.24.13; GOTOOLCHAIN=local)
- the `test` job failed at `make lint`: golangci-lint (installed via `go install`) was built with go1.24, lower than the targeted 1.25.0

Bump actions/setup-go to 1.25 in kubernetes-test.yml (E2E matrix GO_VERSION + the test job) and in kubernetes-nightly-build.yml. golangci-lint is then rebuilt with 1.25, satisfying its build-version guard.

Verified locally on Go >=1.25: make manifests, make lint (0 issues), make build all pass.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/kubernetes-nightly-build.yml | 2 +-
 .github/workflows/kubernetes-test.yml          | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/kubernetes-nightly-build.yml b/.github/workflows/kubernetes-nightly-build.yml index a64c99cd7..0e56fa537 100644 --- a/.github/workflows/kubernetes-nightly-build.yml +++ b/.github/workflows/kubernetes-nightly-build.yml @@ -56,7 +56,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v6 with: - go-version: "1.24.0" + go-version: "1.25.0" - name: Add Go bin to PATH run: echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH" diff --git a/.github/workflows/kubernetes-test.yml b/.github/workflows/kubernetes-test.yml index 224018e5f..5ec59ec95 100644 --- a/.github/workflows/kubernetes-test.yml +++ b/.github/workflows/kubernetes-test.yml @@ -15,7 +15,8 @@ concurrency: cancel-in-progress: true env: - GO_VERSION: '1.24' + # Must be >= the go directive in kubernetes/go.mod (currently 1.25.0). + GO_VERSION: '1.25' jobs: controller-e2e: 
@@ -48,7 +49,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v6 with: - go-version: '1.24.0' + go-version: '1.25.0' - name: Check gofmt working-directory: kubernetes
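Review bot: `go-version: '1.25.0'` in both job hunks pins exactly the 1.25.0 release, while kubernetes/Dockerfile insists on >=1.25.10 for the stdlib fixes, so CI tests and lints against an older standard library than the shipped image, and with `GOTOOLCHAIN=local` Go will not auto-upgrade to close that gap. The env `GO_VERSION: '1.25'` in the same file resolves to the newest 1.25.x, so the two values also disagree with each other. Use one range-style `1.25.x` value in all three places (setup-go resolves it to the newest patch release), or `go-version-file: kubernetes/go.mod`, so the toolchain follows the `go` directive the next time it is raised instead of needing another patch like this one.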
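Patch 2's message notes that the scanned binary still embedded grpc v1.68.1 while go.mod was already at v1.79.3, and patch 1's that it was built with Go 1.24.13: the image simply had not been rebuilt after the module bumps. Go records the toolchain version and every linked module inside each binary, so that drift can be detected from the artifact itself instead of waiting for a scanner. The following is an added example written for this page, not OpenSandbox code: a small Go tool that reads a binary's embedded build info via `debug/buildinfo` and reports a toolchain older than a minimum or a module older than the version go.mod now pins. The `Pin`, `Audit` and `AtLeast` names and the `NewInfo` helper are mine; the minimums in `main` are the ones this series established.

```go
package main

// buildaudit: read the build metadata Go embeds in every binary and flag a toolchain
// or module older than what go.mod pins. Added example, not OpenSandbox code.

import (
	"debug/buildinfo"
	"errors"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Pin is a module path and the minimum version go.mod requires for it.
type Pin struct{ Path, Version string }

// parseVersion turns "go1.24.13", "v1.79.3" or "1.25.10" into {major, minor, patch};
// pre-release and build suffixes are dropped, which is enough for release versions.
func parseVersion(v string) (out [3]int, err error) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) > 3 {
		return out, fmt.Errorf("unparseable version %q", v)
	}
	for i, p := range parts {
		if out[i], err = strconv.Atoi(p); err != nil {
			return out, fmt.Errorf("unparseable version %q: %w", v, err)
		}
	}
	return out, nil
}

// AtLeast reports whether have >= want; either may use Go or module version syntax.
func AtLeast(have, want string) (bool, error) {
	h, err1 := parseVersion(have)
	w, err2 := parseVersion(want)
	if err := errors.Join(err1, err2); err != nil {
		return false, err
	}
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i], nil
		}
	}
	return true, nil
}

// NewInfo hand-builds a BuildInfo; used here only for constructed sample input.
func NewInfo(goVersion string, deps []Pin) *debug.BuildInfo {
	bi := &debug.BuildInfo{GoVersion: goVersion}
	for _, d := range deps {
		bi.Deps = append(bi.Deps, &debug.Module{Path: d.Path, Version: d.Version})
	}
	return bi
}

// Audit compares embedded build info against a minimum toolchain and the go.mod pins.
// Modules not linked in are skipped; a linked module older than its pin means the
// artifact predates the bump. Toolchain finding first, then modules in want order.
func Audit(bi *debug.BuildInfo, minGo string, want []Pin) []string {
	var findings []string
	if ok, err := AtLeast(bi.GoVersion, minGo); err != nil || !ok {
		findings = append(findings, fmt.Sprintf("toolchain %s is older than required %s", bi.GoVersion, minGo))
	}
	linked := map[string]string{}
	for _, d := range bi.Deps {
		v := d.Version
		if d.Replace != nil { // a replace directive decides what was actually linked
			v = d.Replace.Version
		}
		linked[d.Path] = v
	}
	for _, p := range want {
		if have, ok := linked[p.Path]; ok {
			if ok, err := AtLeast(have, p.Version); err != nil || !ok {
				findings = append(findings, fmt.Sprintf("%s: binary has %s, go.mod wants %s (rebuild needed)", p.Path, have, p.Version))
			}
		}
	}
	return findings
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: buildaudit <binary>")
		os.Exit(2)
	}
	bi, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "read build info:", err)
		os.Exit(2)
	}
	findings := Audit(bi, "go1.25.10", []Pin{{"google.golang.org/grpc", "v1.80.0"}}) // minimums from this series
	for _, f := range findings {
		fmt.Println(f)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run it against the binary from the published image (copy it out with `docker cp`, or run it inside the container) in the same CI job that pushes the image; exit status 1 means the artifact predates the go.mod it claims to come from. `go version -m <binary>` shows the same embedded data by hand.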
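Patch 2 pins components/execd and components/ingress away from the floating `alpine:latest` and explains why a base that is not pinned by digest silently goes stale. The check below is an added example, not OpenSandbox code: it parses a Dockerfile's `FROM` lines, ignores references to earlier stages and to `scratch`, and flags any base that carries no `@sha256:` digest, with a floating `latest` (or no tag at all) called out separately; a base taken from a build `ARG` is reported because it cannot be checked statically. `SampleDockerfile` is constructed input shaped like the pre-patch Dockerfiles in this series, not a file from the repository, and the `Finding`, `SplitRef` and `AuditDockerfile` names are mine.

```go
package main

// frompins: flag Dockerfile FROM lines whose base image is not pinned by digest.
// Added example, not OpenSandbox code; SampleDockerfile is constructed input
// modelled on the pre-patch shapes of the Dockerfiles in this series.

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

type Finding struct {
	Line    int
	Ref     string
	Problem string
}

var fromRE = regexp.MustCompile(`(?i)^\s*FROM\s+(.+)$`)

// SplitRef separates an image reference into name, tag and digest. A ':' counts as
// the tag separator only if it comes after the last '/', so a registry port
// ("localhost:5000/img") is not mistaken for a tag.
func SplitRef(ref string) (name, tag, digest string) {
	if i := strings.Index(ref, "@"); i >= 0 {
		digest, ref = ref[i+1:], ref[:i]
	}
	if c := strings.LastIndex(ref, ":"); c > strings.LastIndex(ref, "/") {
		tag, ref = ref[c+1:], ref[:c]
	}
	return ref, tag, digest
}

// AuditDockerfile returns one Finding per FROM whose base cannot be shown to be
// pinned. Earlier build stages ("FROM builder") and "scratch" are skipped; a base
// taken from a build ARG is reported because it cannot be checked statically.
func AuditDockerfile(content string) []Finding {
	var out []Finding
	stages := map[string]bool{}
	for i, line := range strings.Split(content, "\n") {
		m := fromRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		var args []string
		for _, f := range strings.Fields(m[1]) {
			if !strings.HasPrefix(f, "--") { // drop flags such as --platform=...
				args = append(args, f)
			}
		}
		if len(args) == 0 {
			continue
		}
		ref := args[0]
		if len(args) >= 3 && strings.EqualFold(args[1], "AS") {
			stages[strings.ToLower(args[2])] = true
		}
		if ref == "scratch" || stages[strings.ToLower(ref)] {
			continue
		}
		if strings.HasPrefix(ref, "$") {
			out = append(out, Finding{i + 1, ref, "base comes from a build ARG; pin cannot be verified statically"})
			continue
		}
		_, tag, digest := SplitRef(ref)
		switch {
		case digest == "" && (tag == "" || tag == "latest"):
			out = append(out, Finding{i + 1, ref, "floating tag (latest) and no digest"})
		case digest == "":
			out = append(out, Finding{i + 1, ref, "tag only, no @sha256 digest"})
		}
	}
	return out
}

// Constructed sample: the pre-patch execd/ingress and image-committer shapes, one
// already-pinned base, and a stage reference that must not be flagged.
const SampleDockerfile = `# constructed example input
FROM golang:1.24 AS builder
RUN go build -o /build/execd ./main.go
FROM --platform=linux/amd64 alpine:latest
COPY --from=builder /build/execd .
FROM debian:13-slim@sha256:b6e2a152f22a40ff69d92cb397223c906017e1391a73c952b588e51af8883bf8
FROM builder AS test
RUN go test ./...
`

func main() {
	content := SampleDockerfile // with no argument, audit the embedded sample
	if len(os.Args) > 1 {
		data, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		content = string(data)
	}
	findings := AuditDockerfile(content)
	for _, f := range findings {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Ref, f.Problem)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run it with a path to audit a real Dockerfile; with no argument it audits the embedded sample and reports the `golang:1.24` (tag only) and `alpine:latest` (floating) lines while accepting the digest-pinned debian base and the `FROM builder` stage reference. It complements Dependabot rather than replacing it: Dependabot keeps a pinned digest current, and this check catches a base that slipped back to an unpinned form before a scanner finds the consequences.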