-
Hey @jakereps! Thanks for the finding! It seems Go Releaser is configured to use Dockerfile.goreleaser, which has not been updated and still uses As for our release process, it's entirely automated once a tag is pushed, including building the image and pushing it to Docker Hub. We seem to have had some issues with provenance in the Thanks for the heads up! We'll update our Dependabot configuration to target that file too.
-
openfga/openfga#1503 addresses it.
-
Ah, that'll do it! Didn't catch the second Dockerfile on a first pass. Thanks all! I suppose I can close this one out 👍
-
Hey all, this appears to have happened again. I see main has x.26 on
-
I see you all use Snyk; is there anything that could be done to pre-test images before they get pushed to Docker Hub? It seems both images since OpenFGA v1.5.3 would have failed a scan due to the bad health checker. We were previously blocked from upgrading to 1.5.x due to figuring out the authz model reads issue, posted here: openfga/openfga#1668, so we are only now discovering the lingering CVE on the latest version ourselves.
-
Hi 👋 We're currently investigating some issues related to vulnerability scans, and it led me to discover that the Docker container for openfga v1.5.1 does not match the source code in GitHub for v1.5.1. The Dockerfile on v1.5.1 specifies the grpc health probe v0.4.25 (fixed version, with no CVEs), but in reality the v1.5.1 openfga image still contains v0.4.24 (which triggers CVE scanners).

Expectation:

The v1.5.1 Dockerfile specifies v0.4.25: https://github.com/openfga/openfga/blob/v1.5.1/Dockerfile#L1

vcs.revision=2c814fcadd44e38afd1755a2b8c036d3576db502

is v0.4.25 of the health probe, as expected: https://github.com/search?q=repo%3Agrpc-ecosystem%2Fgrpc-health-probe+2c814fcadd44e38afd1755a2b8c036d3576db502&type=commits

Reality:

vcs.revision=645566fc4b06a8d51552166a34717ce7090fddf7

is still v0.4.24 of the health probe, and is what is included in v1.5.1 of openfga's Docker image: https://github.com/search?q=repo%3Agrpc-ecosystem%2Fgrpc-health-probe+645566fc4b06a8d51552166a34717ce7090fddf7&type=commits

This slightly worries me that there may even be code changes missing. What does the process for release -> Docker image updates look like, and should something like this be expected, or should they always mirror each other for each stable version cut?
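The check the original post performed by hand, as an added example that is not part of the discussion or of the openfga / grpc-health-probe projects: pull the `vcs.revision` that Go stamps into a binary's build info (`go version -m`) and compare it with the commit the Dockerfile's pinned tag is supposed to resolve to. The image name, the path of the probe inside the image, and the sample `go version -m` output are assumptions constructed for the example; the two commit hashes are the ones quoted in the post.

```shell
#!/usr/bin/env sh
# Added example (not openfga's or grpc-health-probe's code): verify that the
# grpc_health_probe binary shipped in an image was built from the commit the
# Dockerfile pins, by reading Go's embedded build info.

# Print the vcs.revision from `go version -m <binary>` output read on stdin,
# or nothing if the binary carries no VCS stamp.
vcs_revision() {
    sed -n 's/^[[:space:]]*build[[:space:]]*vcs\.revision=\([0-9a-f]\{40\}\)$/\1/p' | head -n 1
}

# check_revision EXPECTED_COMMIT BUILDINFO_TEXT
# Prints "match: <rev>" (exit 0), "MISMATCH ..." (exit 1) or a note that no
# revision was found (exit 2, e.g. a binary built outside a git checkout).
check_revision() {
    expected="$1"
    actual=$(printf '%s\n' "$2" | vcs_revision)
    if [ -z "$actual" ]; then
        echo "no vcs.revision in build info"
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "match: $actual"
        return 0
    fi
    echo "MISMATCH: Dockerfile pins $expected but binary was built from $actual"
    return 1
}

# Live variant (not run here): copy the probe out of the image and inspect it.
# Assumptions: docker and go on PATH, probe installed at /bin/grpc_health_probe.
check_image() {
    image="$1"      # e.g. openfga/openfga:v1.5.1
    expected="$2"   # commit of the tag the Dockerfile pins
    cid=$(docker create "$image")
    trap 'docker rm -f "$cid" >/dev/null' EXIT
    docker cp "$cid:/bin/grpc_health_probe" ./grpc_health_probe
    check_revision "$expected" "$(go version -m ./grpc_health_probe)"
}

# Constructed sample of `go version -m` output for a Go 1.18+ binary; the
# revision is the v0.4.24 commit found in the v1.5.1 image per the post.
SAMPLE_BUILDINFO='grpc_health_probe: go1.21.6
	path	github.com/grpc-ecosystem/grpc-health-probe
	mod	github.com/grpc-ecosystem/grpc-health-probe	(devel)
	build	-buildmode=exe
	build	vcs=git
	build	vcs.revision=645566fc4b06a8d51552166a34717ce7090fddf7
	build	vcs.time=2024-01-15T00:00:00Z
	build	vcs.modified=false'

# Commit the Dockerfile's pinned v0.4.25 tag points at, per the post.
EXPECTED_V0_4_25=2c814fcadd44e38afd1755a2b8c036d3576db502

# Demo on the constructed sample: reports a mismatch, as the post observed.
check_revision "$EXPECTED_V0_4_25" "$SAMPLE_BUILDINFO" || true
```

Wire `check_image` into the release pipeline after the image is built and before it is pushed, with the expected commit taken from `git ls-remote --tags` on the probe repository for the tag the Dockerfile pins; a non-zero exit then blocks the push instead of leaving the drift for a later scanner to find.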