Trivy fixes (#251)

hemanthsm · kumara1-intel · web-flow · commit 29a9144ac9c5 · 2025-11-07T15:41:57.000+05:30
Signed-off-by: Kumar, Anand &lt;anand.kumar@intel.com&gt;
Co-authored-by: Kumar, Anand &lt;anand.kumar@intel.com&gt;
diff --git a/.trivyignore b/.trivyignore
@@ -10,3 +10,16 @@ CVE-2024-3056
 CVE-2025-6020
 CVE-2025-47906
 CVE-2025-47907
+
+# TODO: Remove once kubectl and kata-container release with upgraded go is available.
+CVE-2025-47912
+CVE-2025-58183
+CVE-2025-58186
+CVE-2025-58187
+CVE-2025-58188
+CVE-2025-61724
+
+# TODO: Remove once kata-container release with upgraded runc is available.
+CVE-2025-31133
+CVE-2025-52565
+CVE-2025-52881
diff --git a/attestation-manager/src/go.mod b/attestation-manager/src/go.mod
@@ -1,6 +1,6 @@
 module github.com/open-edge-platform/trusted-compute/attestation-manager/src
 
-go 1.24.7
+go 1.24.9
 
 require (
 	github.com/golang-jwt/jwt/v5 v5.3.0
diff --git a/attestation-verifier/attestation_verifier_inside_container.sh b/attestation-verifier/attestation_verifier_inside_container.sh
@@ -15,7 +15,7 @@ if [ -z "$1" ]; then
 fi
 
 BUILD_PARAM=$1
-GO_VER=go1.24.7
+GO_VER=go1.24.9
 
 #Installing Pre-requisites
 set -ex
diff --git a/attestation-verifier/src/go.mod b/attestation-verifier/src/go.mod
@@ -1,6 +1,6 @@
 module github.com/open-edge-platform/trusted-compute/attestation-verifier/src
 
-go 1.24.7
+go 1.24.9
 
 require (
 	github.com/DATA-DOG/go-sqlmock v1.5.2
diff --git a/attestation-verifier/utils/tools/containers/nats/Dockerfile b/attestation-verifier/utils/tools/containers/nats/Dockerfile
@@ -4,7 +4,7 @@
 # */
 
 # Multi-stage Dockerfile: build cfssl/cfssljson in a builder stage, copy only binaries into final image
-FROM golang:1.24.7-bookworm AS builder
+FROM golang:1.24.9-bookworm AS builder
 
 WORKDIR /src/cfssl
 
diff --git a/helm/trustagent/values.yaml b/helm/trustagent/values.yaml
@@ -57,7 +57,7 @@ config:
     /opt/kata/bin/qemu-system-x86_64
     /opt/kata/libexec/virtiofsd
     /opt/kata/share/defaults/kata-containers/configuration-qemu.toml
-    /opt/kata/share/kata-containers/vmlinuz-6.12.44-1.emt3
+    /opt/kata/share/kata-containers/vmlinuz-6.12.44-2.emt3
     /opt/kata/share/kata-containers/trusted-vm.img
     /opt/kata/share/kata-qemu/qemu/bios-256k.bin
     /opt/kata/share/kata-qemu/qemu/efi-virtio.rom
diff --git a/helm/trusted-workload/charts/cc-operator/templates/cc-operator-deployment.yaml b/helm/trusted-workload/charts/cc-operator/templates/cc-operator-deployment.yaml
@@ -6650,7 +6650,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/confidential-containers/operator:v0.14.0
+        image: quay.io/confidential-containers/operator:v0.16.0
         livenessProbe:
           httpGet:
             path: /healthz
diff --git a/helm/trusted-workload/charts/cc-operator/tests/cc-operator-deployment_test.yaml b/helm/trusted-workload/charts/cc-operator/tests/cc-operator-deployment_test.yaml
@@ -338,7 +338,7 @@ tests:
             value: metadata.namespace
         - equal:
             path: spec.template.spec.containers[0].image
-            value: quay.io/confidential-containers/operator:v0.14.0
+            value: quay.io/confidential-containers/operator:v0.16.0
         - equal:
             path: spec.template.spec.containers[0].livenessProbe.httpGet.path
             value: /healthz
diff --git a/trusted-vm/Makefile b/trusted-vm/Makefile
@@ -12,7 +12,7 @@ EDGE_MICROVISOR_COMMIT?="3.0.20250910"
 EDGE_MICROVISOR_SRC_DIR=$(BUILD_DIR)/microvisor_src
 
 KATA_CONTAINERS_SRC=https://github.com/kata-containers/kata-containers.git
-KATA_CONTAINERS_TAG?=3.17.0
+KATA_CONTAINERS_TAG?=3.21.0
 KATA_CONTAINERS_SRC_DIR=$(BUILD_DIR)/kata_src
 
 MAKEFILE_DIR := $(dir $(realpath $(firstword $(MAKEFILE_LIST))))
diff --git a/trusted-vm/tvm-agent/tvm_agent_build.sh b/trusted-vm/tvm-agent/tvm_agent_build.sh
@@ -11,7 +11,7 @@ TVM_AGENT_BUILD_DIR="${PWD}"
 KATA_CONTAINER_DIR="${TVM_AGENT_BUILD_DIR}/kata-containers"
 
 KATA_CONTAINER_GIT_URL="https://github.com/kata-containers/kata-containers.git"
-KATA_CONTAINER_GIT_BRANCH="3.17.0"
+KATA_CONTAINER_GIT_BRANCH="3.21.0"
 
 DOCKER_IMAGE="ubuntu:24.04"
 TVM_AGENT_CLEAN_AFTER_BUILD="yes"
diff --git a/trusted-workload/kata-deploy/build-kata-binary.sh b/trusted-workload/kata-deploy/build-kata-binary.sh
@@ -8,7 +8,7 @@ set -euo pipefail
 
 KATA_BUILD_DIR="${PWD}"
 KATA_REPO_URL="https://github.com/kata-containers/kata-containers.git"
-KATA_REPO_TAG="3.17.0"
+KATA_REPO_TAG="3.21.0"
 KATA_DIR="${KATA_BUILD_DIR}/kata-containers"
 PATCH_FILE="${KATA_BUILD_DIR}/increase_prefetch_memory_size.patch"
 
@@ -34,8 +34,8 @@ cat > "${KATA_BUILD_DIR}/build_kata_in_container.sh" <<'EOF'
 set -euo pipefail
 apt-get update
 apt-get install -y wget make git build-essential curl
-wget -q https://go.dev/dl/go1.25.0.linux-amd64.tar.gz
-tar -C /usr/local -xzf go1.25.0.linux-amd64.tar.gz
+wget -q https://go.dev/dl/go1.25.3.linux-amd64.tar.gz
+tar -C /usr/local -xzf go1.25.3.linux-amd64.tar.gz
 export PATH="/usr/local/go/bin:${PATH}"
 export GOPATH="${HOME}/go"
 git config --global --add safe.directory /workspace/kata-containers
@@ -57,4 +57,4 @@ echo "INFO: Kata binaries are in $KATA_BUILD_DIR"
 
 # Cleanup: remove cloned repo and build script
 rm -rf "${KATA_DIR}"
-rm -f "${KATA_BUILD_DIR}/build_kata_in_container.sh"
+rm -f "${KATA_BUILD_DIR}/build_kata_in_container.sh"
diff --git a/trusted-workload/kata-deploy/build-kata-deploy-image.sh b/trusted-workload/kata-deploy/build-kata-deploy-image.sh
@@ -32,10 +32,10 @@ fi
 KATA_DEPLOY_IMAGE_VERSION="$VERSION"
 
 
-KATA_ARTIFACT_RELEASE_URL="https://github.com/kata-containers/kata-containers/releases/download/${KATA_CONTAINERS_TAG}/kata-static-${KATA_CONTAINERS_TAG}-amd64.tar.xz"
+KATA_ARTIFACT_RELEASE_URL="https://github.com/kata-containers/kata-containers/releases/download/${KATA_CONTAINERS_TAG}/kata-static-${KATA_CONTAINERS_TAG}-amd64.tar.zst"
 KATA_ARTIFACT_FILE_NAME=$(basename "${KATA_ARTIFACT_RELEASE_URL##*/}")
-KATA_ARTIFACT_DIR="${KATA_ARTIFACT_FILE_NAME%.tar.xz}"
-KATA_ARTIFACT_NEW_NAME="kata-static.tar.xz"
+KATA_ARTIFACT_DIR="${KATA_ARTIFACT_FILE_NAME%.tar.zst}"
+KATA_ARTIFACT_NEW_NAME="kata-static.tar.zst"
 KATA_PATCH_DIR="patch/${KATA_CONTAINERS_TAG}"
 KATA_BOOT_COMPONENT_DIR="${KATA_ARTIFACT_DIR}/opt/kata/share/kata-containers"
 KATA_ARTIFACT_KERNEL_NAME="vmlinux.container"
@@ -57,6 +57,9 @@ if [ ! -d "${EDGE_MICROVISOR_SRC}" ]; then
 	echo "INFO: Starting edge microvisor kernel and rootfs build"
 	pushd $(realpath "${BUILD_DIR}/../../trusted-vm")
 	make build
+	# List files in current directory after build for debug
+	echo "INFO: Listing files in build folder after edge microvisor build:"
+	ls -alh build
 	popd 
 fi
 
@@ -131,7 +134,7 @@ popd
 
 #retar the artifacts
 echo "INFO: Retar the artifacts"
-tar -cJf "${KATA_ARTIFACT_NEW_NAME}" -C "${KATA_ARTIFACT_DIR}" .
+tar --zstd -cf "${KATA_ARTIFACT_NEW_NAME}" -C "${KATA_ARTIFACT_DIR}" .
 
 #remove kata repo if it exists
 [ -d "${KATA_CONTAINERS_DIR}" ] && rm -rf "${KATA_CONTAINERS_DIR}"
diff --git a/trusted-workload/kata-deploy/patch/3.21.0/0001-Necessary-changes-to-support-kata-deploy-image-for-t.patch b/trusted-workload/kata-deploy/patch/3.21.0/0001-Necessary-changes-to-support-kata-deploy-image-for-t.patch
@@ -0,0 +1,105 @@
+From 5b96e41847bce38bc8d8abd5fa0f401ddf7d5d3e Mon Sep 17 00:00:00 2001
+From: "Jena, Satyabrata" <satyabrata.jena@intel.com>
+Date: Tue, 8 Apr 2025 04:01:30 +0000
+Subject: [PATCH] Necessary changes to support kata-deploy image for
+ trusted-workload.
+
+Signed-off-by: Jena, Satyabrata <satyabrata.jena@intel.com>
+---
+ .../kata-deploy/scripts/kata-deploy.sh        | 30 +++++++++++--------
+ 1 file changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/tools/packaging/kata-deploy/scripts/kata-deploy.sh b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
+index 9930e13d6..c557a7d4b 100755
+--- a/tools/packaging/kata-deploy/scripts/kata-deploy.sh
++++ b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
+@@ -1,8 +1,7 @@
+ #!/usr/bin/env bash
+-# Copyright (c) 2019 Intel Corporation
+-#
+-# SPDX-License-Identifier: Apache-2.0
+ #
++# Copyright (C) 2025 Intel Corporation
++# SPDX-License-Identifier: BSD-3-Clause
+ 
+ set -o errexit
+ set -o pipefail
+@@ -512,8 +511,9 @@ function configure_cri_runtime() {
+ 	elif [ "$1" == "microk8s" ]; then
+ 		host_systemctl restart snap.microk8s.daemon-containerd.service
+ 	else
+-		host_systemctl daemon-reload
+-		host_systemctl restart "$1"
++		#host_systemctl daemon-reload
++		#host_systemctl restart "$1"
++		echo "configure_cri_runtime"
+ 	fi
+ 
+ 	wait_till_node_is_ready
+@@ -700,8 +700,9 @@ function restart_cri_runtime() {
+ 	elif [ "$1" == "microk8s" ]; then
+ 		host_systemctl restart snap.microk8s.daemon-containerd.service
+ 	else
+-		host_systemctl daemon-reload
+-		host_systemctl restart "${runtime}"
++		#host_systemctl daemon-reload
++		#host_systemctl restart "${runtime}"
++		echo "restart_cri_runtime"
+ 	fi
+ }
+ 
+@@ -718,7 +719,7 @@ function cleanup_cri_runtime() {
+ 	[ "${HELM_POST_DELETE_HOOK}" == "false" ] && return
+ 
+ 	# Only run this code in the HELM_POST_DELETE_HOOK
+-	restart_cri_runtime "$1"
++	#restart_cri_runtime "$1"
+ }
+ 
+ function cleanup_crio() {
+@@ -745,10 +746,11 @@ function cleanup_containerd() {
+ 
+ function reset_runtime() {
+ 	kubectl label node "$NODE_NAME" katacontainers.io/kata-runtime-
+-	restart_cri_runtime "$1"
++	#restart_cri_runtime "$1"
+ 
+ 	if [ "$1" == "crio" ] || [ "$1" == "containerd" ]; then
+-		host_systemctl restart kubelet
++		#host_systemctl restart kubelet
++		echo "reset_runtime"
+ 	fi
+ 
+ 	wait_till_node_is_ready
+@@ -894,7 +896,7 @@ function main() {
+ 			fi
+ 
+ 			install_artifacts
+-			configure_cri_runtime "$runtime"
++			#configure_cri_runtime "$runtime"
+ 			kubectl label node "$NODE_NAME" --overwrite katacontainers.io/kata-runtime=true
+ 			;;
+ 		cleanup)
+@@ -916,7 +918,9 @@ function main() {
+ 				fi
+ 			fi
+ 
+-			cleanup_cri_runtime "$runtime"
++			#cleanup_cri_runtime "$runtime"
++
++
+ 			if [ "${HELM_POST_DELETE_HOOK}" == "false" ]; then
+ 				# If we still have any other installation here, it means we'll break them
+ 				# removing the label, so we just don't do it.
+@@ -926,7 +930,7 @@ function main() {
+ 				fi
+ 			fi
+ 			remove_artifacts
+-
++			kubectl label node "$NODE_NAME" confidentialcontainers.org/startuninstall-
+ 			if [ "${HELM_POST_DELETE_HOOK}" == "true" ]; then
+ 				# After everything was cleaned up, there's no reason to continue
+ 				# and sleep forever.  Let's just return success..
+-- 
+2.34.1
+
diff --git a/trusted-workload/kata-deploy/patch/3.21.0/0002-remove-excutable-permission-for-binaries.patch b/trusted-workload/kata-deploy/patch/3.21.0/0002-remove-excutable-permission-for-binaries.patch
@@ -0,0 +1,26 @@
+From b2a2ea3a2afdc745a19c973bf2073aee58205b78 Mon Sep 17 00:00:00 2001
+From: "Kumar, Anand" <anand.kumar@intel.com>
+Date: Wed, 21 May 2025 07:22:01 +0000
+Subject: [PATCH] remove excutable permission for binaries
+
+Signed-off-by: Kumar, Anand <anand.kumar@intel.com>
+---
+ tools/packaging/kata-deploy/scripts/kata-deploy.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/packaging/kata-deploy/scripts/kata-deploy.sh b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
+index c557a7d4b..af05c9604 100755
+--- a/tools/packaging/kata-deploy/scripts/kata-deploy.sh
++++ b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
+@@ -389,7 +389,7 @@ function install_artifacts() {
+ 
+ 	mkdir -p ${host_install_dir}
+ 	cp -au /opt/kata-artifacts/opt/kata/* ${host_install_dir}/
+-	chmod +x ${host_install_dir}/bin/*
++	#chmod +x ${host_install_dir}/bin/*
+ 	[ -d ${host_install_dir}/runtime-rs/bin ] && \
+ 		chmod +x ${host_install_dir}/runtime-rs/bin/*
+ 
+-- 
+2.34.1
+
diff --git a/trusted-workload/kata-deploy/patch/3.21.0/0003-add-gpu-paramter-in-allowed-annoatation-list.patch b/trusted-workload/kata-deploy/patch/3.21.0/0003-add-gpu-paramter-in-allowed-annoatation-list.patch
@@ -0,0 +1,30 @@
+From 370fd3604246f50fc154b52078e57307ce8aa27c Mon Sep 17 00:00:00 2001
+From: "Kumar, Anand" <anand.kumar@intel.com>
+Date: Wed, 20 Aug 2025 09:43:48 +0000
+Subject: [PATCH] add gpu paramter in allowed annoatation list
+
+Signed-off-by: Kumar, Anand <anand.kumar@intel.com>
+---
+ tools/packaging/kata-deploy/scripts/kata-deploy.sh | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tools/packaging/kata-deploy/scripts/kata-deploy.sh b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
+index af05c9604..fc259faef 100755
+--- a/tools/packaging/kata-deploy/scripts/kata-deploy.sh
++++ b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
+@@ -44,6 +44,12 @@ CREATE_DEFAULT_RUNTIMECLASS="${CREATE_DEFAULT_RUNTIMECLASS:-"false"}"
+ 
+ ALLOWED_HYPERVISOR_ANNOTATIONS="${ALLOWED_HYPERVISOR_ANNOTATIONS:-}"
+ 
++# Add default annotations if not present in ALLOWED_HYPERVISOR_ANNOTATIONS
++for annotation in default_memory pcie_root_port hot_plug_vfio; do
++	if [[ ! " $ALLOWED_HYPERVISOR_ANNOTATIONS " =~ " $annotation " ]]; then
++		ALLOWED_HYPERVISOR_ANNOTATIONS="${ALLOWED_HYPERVISOR_ANNOTATIONS} ${annotation}"
++	fi
++done
+ IFS=' ' read -a non_formatted_allowed_hypervisor_annotations <<< "$ALLOWED_HYPERVISOR_ANNOTATIONS"
+ allowed_hypervisor_annotations=""
+ for allowed_hypervisor_annotation in "${non_formatted_allowed_hypervisor_annotations[@]}"; do
+-- 
+2.34.1
+
diff --git a/trusted-workload/kata-deploy/version.yaml b/trusted-workload/kata-deploy/version.yaml
@@ -13,9 +13,9 @@ kata-deploy:
 
 kernel:
     description: "Edge Microvisor kernel image"
-    name : "vmlinuz-6.12.44-1.emt3"
-    version: 6.12.44-1.emt3
-    config: "config-6.12.44-1.emt3"
+    name : "vmlinuz-6.12.44-2.emt3"
+    version: 6.12.44-2.emt3
+    config: "config-6.12.44-2.emt3"
 
 rootfs:
     description: "Edge Microvisor initrd image"
@@ -25,4 +25,4 @@ kata-containers:
     description: "Kata Containers github repo"
     url: "https://github.com/kata-containers/kata-containers.git"
     name: "kata-containers"
-    version: 3.17.0
+    version: 3.21.0
