fix(ci): mitigate 11 upstream CVEs at source instead of suppressing
Some checks failed
ci/woodpecker/push/web Pipeline failed
ci/woodpecker/push/infra Pipeline was successful
ci/woodpecker/push/orchestrator Pipeline failed
ci/woodpecker/push/api Pipeline was successful

- docker/postgres/Dockerfile: build gosu from source with Go 1.26 via
  multi-stage build (eliminates 1 CRITICAL + 5 HIGH Go stdlib CVEs)
- apps/{api,web,orchestrator}/Dockerfile: remove npm from production
  images (eliminates 5 HIGH CVEs in npm's bundled cross-spawn/glob/tar)
- .trivyignore: trimmed from 16 to 5 CVEs (OpenBao only — 4 false
  positives from Go pseudo-version + 1 real Go stdlib waiting on upstream)

Fixes #363

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jason Woltje
2026-02-12 17:10:44 -06:00
parent 08f62f1787
commit 3833805a93
6 changed files with 44 additions and 33 deletions


@@ -1,22 +1,22 @@
# PostgreSQL with pgvector and up-to-date gosu
# PostgreSQL with pgvector and gosu built from source
#
# Override the base image's gosu binary with the latest from tianon/gosu.
# The postgres base image bundles gosu built with Go 1.24.6, which contains:
# - CVE-2025-68121 (CRITICAL): crypto/tls vulnerability
# - CVE-2025-58183 (HIGH): archive/tar unbounded allocation
# - CVE-2025-61726 (HIGH): net/url memory exhaustion
# - CVE-2025-61728 (HIGH): archive/zip CPU exhaustion
# - CVE-2025-61729 (HIGH): crypto/x509 DoS
# - CVE-2025-61730 (HIGH): TLS 1.3 handshake vulnerability
# The tianon/gosu image is rebuilt with recent Go toolchains, eliminating these CVEs.
# Using COPY --from avoids `go install` failures (gosu lacks semver Go module tags).
# gosu is built from source with Go 1.26 to eliminate 6 Go stdlib CVEs
# (CVE-2025-68121 CRITICAL + 5 HIGH) present in the tianon/gosu pre-built binary.
# Stage 1: Build gosu from source with Go 1.26
FROM golang:1.26-alpine AS gosu-builder
RUN apk add --no-cache git
RUN git clone --branch 1.17 https://github.com/tianon/gosu.git /src/gosu
WORKDIR /src/gosu
RUN go build -v -ldflags '-s -w' -o /bin/gosu .
FROM postgres:17.7-alpine3.22
LABEL maintainer="Mosaic Stack <dev@mosaic.local>"
LABEL description="PostgreSQL 17 with pgvector extension and patched gosu"
# Replace vulnerable gosu binary with latest pre-built version from tianon/gosu
COPY --from=tianon/gosu /gosu /usr/local/bin/gosu
# Copy gosu binary built from source in the gosu-builder stage
COPY --from=gosu-builder /bin/gosu /usr/local/bin/gosu
RUN chmod +x /usr/local/bin/gosu && gosu nobody true
# Update Alpine packages for any remaining OS-level patches
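Review bot: the builder stage checks out gosu by tag name only (`RUN git clone --branch 1.17 https://github.com/tianon/gosu.git /src/gosu`), so the resulting binary is not reproducible and the build trusts whatever the remote currently serves under that tag; pin the checkout to a known commit (for example `git checkout <commit-sha-of-the-1.17-release>` after the clone, or a `git rev-parse HEAD` comparison against an expected value that fails the build on mismatch), and add `--depth 1` so the layer does not carry the full history. Adding `-trimpath` to the `go build -v -ldflags '-s -w' -o /bin/gosu .` line would also keep builder paths out of the binary and make the output comparable across rebuilds.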