@MikeMcC399 MikeMcC399 commented Sep 30, 2024

Issue

Concerning

| Image | Debian | Published | Version |
|---|---|---|---|
| cypress/factory | 12.7 | Sep 10, 2024 | 4.2.0 |

```shell
trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL cypress/factory:latest
```

reports CRITICAL issues whose fixes are published but not yet installed:

```text
cypress/factory:latest (debian 12.7)

Total: 5 (CRITICAL: 5)

┌───────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────────┬─────────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability  │ Severity │ Status │ Installed Version │   Fixed Version    │                            Title                            │
├───────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────────┼─────────────────────────────────────────────────────────────┤
│ git       │ CVE-2024-32002 │ CRITICAL │ fixed  │ 1:2.39.2-1.1      │ 1:2.39.5-0+deb12u1 │ git: Recursive clones RCE                                   │
│           │                │          │        │                   │                    │ https://avd.aquasec.com/nvd/cve-2024-32002                  │
├───────────┤                │          │        │                   │                    │                                                             │
│ git-man   │                │          │        │                   │                    │                                                             │
│           │                │          │        │                   │                    │                                                             │
├───────────┼────────────────┤          │        ├───────────────────┼────────────────────┼─────────────────────────────────────────────────────────────┤
│ libexpat1 │ CVE-2024-45490 │          │        │ 2.5.0-1           │ 2.5.0-1+deb12u1    │ libexpat: Negative Length Parsing Vulnerability in libexpat │
│           │                │          │        │                   │                    │ https://avd.aquasec.com/nvd/cve-2024-45490                  │
│           ├────────────────┤          │        │                   │                    ├─────────────────────────────────────────────────────────────┤
│           │ CVE-2024-45491 │          │        │                   │                    │ libexpat: Integer Overflow or Wraparound                    │
│           │                │          │        │                   │                    │ https://avd.aquasec.com/nvd/cve-2024-45491                  │
│           ├────────────────┤          │        │                   │                    ├─────────────────────────────────────────────────────────────┤
│           │ CVE-2024-45492 │          │        │                   │                    │ libexpat: integer overflow                                  │
│           │                │          │        │                   │                    │ https://avd.aquasec.com/nvd/cve-2024-45492                  │
└───────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────────┴─────────────────────────────────────────────────────────────┘
```

Change

Bump factory/.env environment variable FACTORY_VERSION from 4.2.0 to 4.2.1 to rebuild cypress/factory and incorporate all Debian 12.x published fixes from the Debian repository.

Verify

```shell
cd factory
docker compose build factory
trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL cypress/factory:4.2.1
docker run -it --rm cypress/factory:4.2.1
```

should show

```text
cypress/factory:4.2.1 (debian 12.7)

Total: 0 (CRITICAL: 0)
```

Inside the running container:

```shell
git --version
apt list git
apt list git-man
apt list libexpat1
```

should show the versions in the "After" column:

| Package | Before | After |
|---|---|---|
| git | git version 2.39.2 | git version 2.39.5 |
| git | git/stable,now 1:2.39.2-1.1 amd64 [installed] | git/stable-security,now 1:2.39.5-0+deb12u1 amd64 [installed] |
| git-man | git-man/stable,now 1:2.39.2-1.1 all [installed,automatic] | git-man/stable-security,now 1:2.39.5-0+deb12u1 all [installed,automatic] |
| libexpat1 | libexpat1/stable,now 2.5.0-1 amd64 [installed,automatic] | libexpat1/stable-security,now 2.5.0-1+deb12u1 amd64 [installed,automatic] |
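
The "Verify" steps above are manual: read the trivy table, then eyeball `apt list` output against the "After" column. The following script is an added example, not part of the cypress-io/cypress-docker-images repository or of the PR, showing how to turn those two checks into a CI gate. It uses trivy's `--exit-code 1` so a remaining fixable CRITICAL finding fails the step, and it compares each package's installed version against the Debian fixed version from the trivy table using `dpkg --compare-versions` (falling back to GNU `sort -V` on hosts without dpkg, which is an assumption about the runner). The default image tag, the `--run` switch and the function names are the example's own choices; the package list and fixed versions are the ones from the table above.

```shell
#!/bin/sh
# Added example (not the project's own code): CI gate for the rebuilt cypress/factory image.
# Gate 1: trivy must report no fixable CRITICAL OS vulnerabilities.
# Gate 2: the packages named in the PR must be at or above their Debian fixed versions.
set -eu

IMAGE="${IMAGE:-cypress/factory:4.2.1}"   # assumed default; override with IMAGE=<tag>

# Debian version comparison: 0 if INSTALLED >= FIXED, 1 otherwise.
# dpkg has the exact semantics (epochs like "1:", suffixes like "+deb12u1");
# GNU sort -V is a close approximation for the versions in this PR (assumed fallback).
version_ge() {            # version_ge INSTALLED FIXED
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
    fi
}

# Pull the version field out of one `apt list <pkg>` line, e.g.
# "git/stable-security,now 1:2.39.5-0+deb12u1 amd64 [installed]" -> "1:2.39.5-0+deb12u1".
# The "Listing... Done" header has no "/" in its first field and is skipped.
apt_list_version() {      # apt_list_version "LINE"
    printf '%s\n' "$1" | awk 'NF >= 2 && $1 ~ /\// { print $2 }'
}

# Verdict for one package: prints OK/FAIL, returns 1 when the fix is not installed.
check_package() {         # check_package PKG INSTALLED FIXED
    if version_ge "$2" "$3"; then
        printf 'OK    %-10s %s (fixed in %s)\n' "$1" "$2" "$3"
    else
        printf 'FAIL  %-10s %s < %s\n' "$1" "$2" "$3" >&2
        return 1
    fi
}

# Installed version of PKG inside IMAGE (requires docker; not exercised by the tests).
image_pkg_version() {     # image_pkg_version IMAGE PKG
    docker run --rm "$1" dpkg-query -W -f '${Version}' "$2"
}

main() {
    # Gate 1: same scan as the PR, plus --exit-code 1 so CI fails instead of just printing a table.
    trivy image --ignore-unfixed --pkg-types os --scanners vuln \
        --severity CRITICAL --exit-code 1 "$IMAGE"

    # Gate 2: the fixed versions trivy reported in the "Issue" section above.
    rc=0
    for spec in "git 1:2.39.5-0+deb12u1" "git-man 1:2.39.5-0+deb12u1" "libexpat1 2.5.0-1+deb12u1"; do
        pkg=${spec% *}
        fixed=${spec#* }
        check_package "$pkg" "$(image_pkg_version "$IMAGE" "$pkg")" "$fixed" || rc=1
    done
    return $rc
}

# Only run the docker/trivy gates when invoked as `sh gate.sh --run`; otherwise just define the functions.
if [ $# -gt 0 ] && [ "$1" = "--run" ]; then main; fi
```

Run it as `IMAGE=cypress/factory:4.2.1 sh gate.sh --run` after `docker compose build factory`. A non-zero exit from either gate is what you want the pipeline to see; the `--ignore-unfixed` flag is kept deliberately so the gate only fails on fixes Debian has actually published, which is exactly what a FACTORY_VERSION bump can pick up.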

@MikeMcC399 MikeMcC399 marked this pull request as ready for review September 30, 2024 13:37
@jennifer-shehane jennifer-shehane merged commit 5a1e878 into cypress-io:master Sep 30, 2024
33 checks passed
@MikeMcC399 MikeMcC399 deleted the update/factory branch September 30, 2024 16:04