
Commit 709c747

Merge pull request #290 from almaslennikov/cve-fix-rhel-release
Update packages to fix CVEs in RHEL STIG images
2 parents bf411e3 + 2ecd363 commit 709c747

3 files changed

+15
-0
lines changed


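--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -32,6 +32,7 @@ variables: # additional variables are defined at the gitlab group scope
 OPERATOR_IMAGE_NAME: nic-configuration-operator-stig-fips
 DAEMON_IMAGE_NAME: nic-configuration-operator-daemon-stig-fips
 GOV_READY_POLICY_FILE_PATH: pulse-scan-policies/prodsec_approved_govready_release_policy.json
+CVE_UPDATES_RHEL: "openssl python3-urllib3"
 
 # Common job template for building STIG images
 .build-stig-image:
@@ -162,6 +163,7 @@ build-operator-stig-image-rhel:
 docker build \
 --build-arg GOPROXY=$GOPROXY \
 --build-arg RHEL_STIG_BASE_IMAGE=$RHEL_STIG_BASE_IMAGE \
+--build-arg CVE_UPDATES_RHEL="$CVE_UPDATES_RHEL" \
 --file Dockerfile.operator.stig-rhel \
 --tag $DOCKER_REGISTRY/$OPERATOR_IMAGE_NAME:$DOCKER_TAG-rhel \
 .
@@ -182,6 +184,7 @@ build-daemon-stig-image-rhel:
 docker build \
 --build-arg GOPROXY=$GOPROXY \
 --build-arg RHEL_STIG_BASE_IMAGE=$RHEL_STIG_BASE_IMAGE \
+--build-arg CVE_UPDATES_RHEL="$CVE_UPDATES_RHEL" \
 --file Dockerfile.daemon.stig-rhel \
 --tag $DOCKER_REGISTRY/$DAEMON_IMAGE_NAME:$DOCKER_TAG-rhel \
 .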
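Review bot: The new `CVE_UPDATES_RHEL` variable in the `variables:` block carries no comment saying what it is, how it is consumed, or when it should be emptied, and nothing on the page records which advisories the two package names are meant to cover, so the next person bumping `RHEL_STIG_BASE_IMAGE` cannot tell whether the list is still needed. Add a comment above it such as `# Space-separated RPM names the STIG RHEL Dockerfiles "dnf update" on top of RHEL_STIG_BASE_IMAGE (empty skips the step); record the advisory/CVE ids here and clear the list once the base image already ships the fixes.` Since the value is threaded through `--build-arg` in both build-operator-stig-image-rhel and build-daemon-stig-image-rhel, it ends up in the images' `docker history`; that is fine for package names, but the comment should also state that the variable must never be repurposed to carry anything sensitive.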

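--- a/Dockerfile.daemon.stig-rhel
+++ b/Dockerfile.daemon.stig-rhel
@@ -44,6 +44,7 @@ RUN --mount=type=cache,target=/go/pkg/mod/ GO_GCFLAGS=${GCFLAGS} make build-daem
 FROM $RHEL_STIG_BASE_IMAGE
 
 ENV MFT_VERSION=4.33.0-169
+ARG CVE_UPDATES_RHEL
 
 ARG DOCA_VERSION=3.2.1
 ARG DOCA_FULL_VERSION=3.2.1-044000-25.10
@@ -71,6 +72,11 @@ RUN curl -fsSL https://www.mellanox.com/downloads/MFT/mft-${MFT_VERSION}-x86_64-
 rm -rf /tmp/mft-${MFT_VERSION}-x86_64-rpm && \
 dnf clean all
 
+RUN if [ -n "${CVE_UPDATES_RHEL}" ]; then \
+dnf update -y ${CVE_UPDATES_RHEL} && \
+dnf clean all; \
+fi
+
 WORKDIR /
 COPY --from=builder /workspace/build/nic-configuration-daemon .
 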
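Review bot: `dnf update -y ${CVE_UPDATES_RHEL}` in the new RUN after the MFT install pulls whatever build the configured repos serve at build time, so the STIG image is no longer reproducible from its declared inputs and the build log does not record which openssl / python3-urllib3 NVR actually landed; `dnf update` also exits 0 with "Nothing to do" when no newer build is available, so a CVE that is not in fact fixed passes silently. Consider pinning the list to explicit NVRs (`openssl-<fixed-nvr>`, placeholder) so an unavailable fix fails the build, or at minimum append `&& rpm -q ${CVE_UPDATES_RHEL}` inside the same RUN so the shipped versions are auditable from the log (this also fails the build if a listed package is absent from the image). A `# why:` comment naming the advisories this step exists for would let a reviewer drop it once `RHEL_STIG_BASE_IMAGE` is bumped to a release that already contains them, which is the preferable long-term fix. The identical block is added to Dockerfile.operator.stig-rhel in this commit and the same points apply there.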

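--- a/Dockerfile.operator.stig-rhel
+++ b/Dockerfile.operator.stig-rhel
@@ -44,6 +44,7 @@ RUN --mount=type=cache,target=/go/pkg/mod/ GO_GCFLAGS=${GCFLAGS} make build-mana
 FROM $RHEL_STIG_BASE_IMAGE
 
 ENV MFT_VERSION=4.33.0-169
+ARG CVE_UPDATES_RHEL
 
 # Install MFT (Mellanox Firmware Tools) - amd64/x86_64 only for STIG
 # Note: curl-minimal is already in UBI base image, sufficient for downloads
@@ -55,6 +56,11 @@ RUN dnf install -y kmod && \
 rm -rf /tmp/mft-${MFT_VERSION}-x86_64-rpm && \
 dnf clean all
 
+RUN if [ -n "${CVE_UPDATES_RHEL}" ]; then \
+dnf update -y ${CVE_UPDATES_RHEL} && \
+dnf clean all; \
+fi
+
 WORKDIR /
 COPY --from=builder /workspace/build/manager .
 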
