
Commit 314b54a

authored
Merge pull request #108 from mesoform/pg-v14
pg-v14 to main - Updates to resolve Snyk alerts
2 parents e0a3840 + 542123a commit 314b54a

1 file changed

Lines changed: 28 additions & 9 deletions


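--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.20-alpine AS builder
+FROM golang:1.24-alpine AS builder
 
 ENV WALG_VERSION=v1.1
 
@@ -9,18 +9,37 @@ RUN set -ex \
 && git clone https://github.com/wal-g/wal-g/ $GOPATH/src/wal-g \
 && cd $GOPATH/src/wal-g/ \
 && git checkout $WALG_VERSION \
+# Resolves vulnerability CVE-2021-38561 - Out-of-bounds Read
+&& go get golang.org/x/text@v0.3.7 \
+# Resolves vulnerabilities CVE-2023-44487, CVE-2021-44716, CVE-2022-41723 & CVE-2022-27664 - Denial of Service (DoS)
+# Resolves vulnerability CVE-2023-45288 & CVE-2023-39325- Allocation of Resources Without Limits or Throttling
+&& go get golang.org/x/net/http2@v0.34.0 \
+# Resolves vulnerability CVE-2023-44487 - Denial of Service (DoS)
+&& go get google.golang.org/grpc@v1.71.1 \
+# Resolves vulnerability CVE-2025-22868 - Allocation of Resources Without Limits or Throttling
+&& go get golang.org/x/oauth2@v0.28.0 \
+# Resolves vulnerability CVE-2024-27304 - SQL Injection \
+&& go get github.com/dgrijalva/jwt-go/v4@v4.0.0-preview1 \
+# Resolves vulnerability CVE-2024-45337 - Incorrect Implementation of Authentication Algorithm
+# Resolves vulnerability CVE-2025-22869 - Allocation of Resources Without Limits or Throttling
+# Resolves vulnerability CVE-2020-29652 - NULL Pointer Dereference
+# Resolves vulnerability CVE-2021-43565 - Denial of Service (DoS)
+&& go get -u golang.org/x/crypto@v0.35.0 \
+# Update all dependencies safely
+&& go mod tidy \
+&& go mod download \
 && make install \
 && make deps \
 && make pg_build \
 && install main/pg/wal-g / \
 && /wal-g --help
 
-FROM postgres:14.15-alpine3.21
+FROM postgres:14.17-alpine3.21
 
 RUN apk add --update iputils htop curl busybox-suid jq \
 && curl -sOL https://cronitor.io/dl/linux_amd64.tar.gz \
 && tar xvf linux_amd64.tar.gz -C /usr/bin/ \
-&& apk upgrade
+&& apk upgrade --no-cache
 
 # Copy compiled wal-g binary from builder
 COPY --from=builder /wal-g /usr/local/bin
@@ -29,22 +48,22 @@ COPY --from=builder /wal-g /usr/local/bin
 RUN mkdir -p /usr/local/scripts
 COPY scripts/setup-master.sh /docker-entrypoint-initdb.d/
 COPY scripts/setup-slave.sh /docker-entrypoint-initdb.d/
-RUN chown -R root:postgres /docker-entrypoint-initdb.d/
-RUN chmod -R 775 /docker-entrypoint-initdb.d
+RUN chown -R root:postgres /docker-entrypoint-initdb.d/ \
+&& chmod -R 775 /docker-entrypoint-initdb.d
 
 # Add WAL-G backup script
 COPY scripts/walg_caller.sh /usr/local/scripts/
 COPY scripts/base_backup.sh /usr/local/scripts/
-RUN chown -R root:postgres /usr/local/scripts
-RUN chmod -R 775 /usr/local/scripts
+RUN chown -R root:postgres /usr/local/scripts \
+&& chmod -R 775 /usr/local/scripts
 
 # Add custom entrypoint
 COPY scripts/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
 # Add cron permissions to postgres user
-RUN chown -R root:postgres /etc/crontabs/root
-RUN chmod g+rw /etc/crontabs/root
+RUN chown -R root:postgres /etc/crontabs/root \
+&& chmod g+rw /etc/crontabs/root
 
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 CMD ["postgres"]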
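Review bot: The comment above `go get github.com/dgrijalva/jwt-go/v4@v4.0.0-preview1` in the builder stage cites CVE-2024-27304 (SQL Injection), but a JWT library is not where a SQL injection would be fixed; as far as I know that CVE is tracked against the pgx PostgreSQL driver, so the alert is probably still open after this change. The pinned module is also a preview tag, and if wal-g at `$WALG_VERSION` does not import the `/v4` path, the later `go mod tidy` will drop the requirement again and the line becomes a no-op. Confirm which module the Snyk finding names and pin that one instead. Separately, the `-u` in `go get -u golang.org/x/crypto@v0.35.0` may move crypto's own dependencies past the x/net and x/text versions pinned above to whatever is newest at build time, which makes the builder stage non-reproducible; `go get golang.org/x/crypto@v0.35.0` keeps the pins. The `RUN` instruction starts before the hunk, so its opening lines are not visible here.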
