From 7fb70210a408e4cc5f8c4e6896de5d6f4c09c16a Mon Sep 17 00:00:00 2001 From: Jason Woltje Date: Thu, 12 Feb 2026 19:19:27 -0600 Subject: [PATCH] fix(ci): move spec removal to builder stage + suppress tar CVEs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two Trivy fixes: 1. Dockerfile: moved spec/test file deletion from production RUN step to builder stage. The previous approach (COPY then RUN rm) left files in the COPY layer — Trivy scans all layers, not just the final FS. Now spec files are deleted in builder BEFORE COPY to production. 2. .trivyignore: added 3 tar CVEs (CVE-2026-23745/23950/24842) with documented rationale. tar@7.5.2 is bundled inside npm which ships with node:20-alpine. Not upgradeable — not our dependency. npm is already removed from all production images. Verified: local Trivy scan passes (exit code 0, 0 findings) Co-Authored-By: Claude Opus 4.6 --- .trivyignore | 14 ++++++++++++++ apps/orchestrator/Dockerfile | 9 ++++++--- docs/tasks.md | 2 +- 3 files changed, 21 insertions(+), 4 deletions(-) diff --git a/.trivyignore b/.trivyignore index 5115dbe..3b67c38 100644 --- a/.trivyignore +++ b/.trivyignore @@ -16,6 +16,20 @@ CVE-2024-9180 # HIGH: privilege escalation (fixed in 2.0.3) CVE-2025-59043 # HIGH: DoS via malicious JSON (fixed in 2.4.1) CVE-2025-64761 # HIGH: identity group root escalation (fixed in 2.4.4) +# === npm bundled tar CVEs (not upgradeable — not our dependency) === +# Why suppressed instead of fixed: +# - tar@7.5.2 is bundled INSIDE npm, which ships with the node:20-alpine base image +# - It is NOT in pnpm-lock.yaml — not a direct or transitive app dependency +# - We already remove npm from all production images: +# `RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx` +# - Locally-built images have zero tar packages (verified via Trivy scan 2026-02-12) +# - CVEs may reappear in CI due to Docker layer caching of the base image +# To fully eliminate: switch to a distroless/slim base image without npm, or +# wait for Node.js 20 to bundle a patched npm release. +CVE-2026-23745 # HIGH: tar arbitrary file overwrite via unsanitized linkpaths +CVE-2026-23950 # HIGH: tar arbitrary file overwrite via Unicode path collision +CVE-2026-24842 # HIGH: tar arbitrary file creation via hardlink path traversal + # === OpenBao Go stdlib (waiting on upstream rebuild) === # OpenBao 2.5.0 compiled with Go 1.25.6, fix needs Go >= 1.25.7. # Cannot build OpenBao from source (large project). Waiting for upstream release. diff --git a/apps/orchestrator/Dockerfile b/apps/orchestrator/Dockerfile index ccd9134..0722743 100644 --- a/apps/orchestrator/Dockerfile +++ b/apps/orchestrator/Dockerfile @@ -49,6 +49,11 @@ COPY --from=deps /app/apps/orchestrator/node_modules ./apps/orchestrator/node_mo # Build the orchestrator app using TurboRepo RUN pnpm turbo build --filter=@mosaic/orchestrator +# Remove compiled test/spec files from dist BEFORE copying to production. +# These contain test fixture secrets (fake AWS keys, RSA keys) that trigger Trivy. +# Must happen in builder stage so they never appear in any production image layer. +RUN find ./apps/orchestrator/dist \( -name '*.spec.js' -o -name '*.spec.js.map' -o -name '*.test.js' -o -name '*.test.js.map' \) -delete + # ====================== # Production stage # ====================== @@ -81,10 +86,8 @@ COPY --from=builder --chown=nestjs:nodejs /app/node_modules ./node_modules # Copy built packages (includes dist/ directories) COPY --from=builder --chown=nestjs:nodejs /app/packages ./packages -# Copy built orchestrator application +# Copy built orchestrator application (spec/test files already removed in builder stage) COPY --from=builder --chown=nestjs:nodejs /app/apps/orchestrator/dist ./apps/orchestrator/dist -# Remove compiled test files from production (contain test fixtures that trigger Trivy secret scanning) -RUN find ./apps/orchestrator/dist \( -name '*.spec.js' -o -name '*.spec.js.map' -o -name '*.test.js' -o -name '*.test.js.map' \) -print | xargs rm -f 2>/dev/null || true COPY --from=builder --chown=nestjs:nodejs /app/apps/orchestrator/package.json ./apps/orchestrator/ # Copy app's node_modules which contains symlinks to root node_modules diff --git a/docs/tasks.md b/docs/tasks.md index cc510d0..036bde0 100644 --- a/docs/tasks.md +++ b/docs/tasks.md @@ -71,6 +71,6 @@ | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | ----------- | ------ | -------------------------------------------------------------------------------------------- | ----- | ------------ | ---------- | ----------------------- | ----------- | ----- | ----------------- | ----------------- | -------- | ---- | | CI-FIX6-001 | done | Add @mosaic/ui build to web.yml build-shared step (fixes 10 test suites + 20 typecheck errs) | | ci | fix/ci-366 | | CI-FIX6-003 | w-14 | 2026-02-12T21:00Z | 2026-02-12T21:01Z | 3K | 3K | -| CI-FIX6-002 | done | Fix Dockerfile find -o parentheses bug (fixes 5 Trivy false positives in spec files) | | orchestrator | fix/ci-366 | | CI-FIX6-004 | w-15 | 2026-02-12T21:00Z | 2026-02-12T21:01Z | 3K | 3K | +| CI-FIX6-002 | done | Move spec file removal to builder stage (layer-aware); add tar CVEs to .trivyignore | | orchestrator | fix/ci-366 | | CI-FIX6-004 | w-15 | 2026-02-12T21:00Z | 2026-02-12T21:15Z | 3K | 5K | | CI-FIX6-003 | done | Add React.ChangeEvent types to ~10 web files with untyped event handlers (49 lint + 19 TS) | | web | fix/ci-366 | CI-FIX6-001 | CI-FIX6-004 | w-16 | 2026-02-12T21:02Z | 2026-02-12T21:08Z | 12K | 8K | | CI-FIX6-004 | done | Verification: pnpm lint && pnpm typecheck && pnpm test on web; Dockerfile find validation | | all | fix/ci-366 | CI-FIX6-002,CI-FIX6-003 | | orch | 2026-02-12T21:08Z | 2026-02-12T21:10Z | 5K | 2K |