[Snyk] Security upgrade alpine from 3.16 to 3.22.2

[cruizen]

Snyk has created this PR to fix 2 vulnerabilities in the dockerfile dependencies of this project.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Snyk changed the following file(s):

• hostplumber/pkg/ovs-docker/Dockerfile

We recommend upgrading to alpine:3.22.2, as this image has only 0 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Out-of-bounds Write SNYK-ALPINE316-BUSYBOX-6913410	514
	Out-of-bounds Write SNYK-ALPINE316-BUSYBOX-6913410	514
	CVE-2025-26519 SNYK-ALPINE316-MUSL-8720632	364
	CVE-2025-26519 SNYK-ALPINE316-MUSL-8720632	364

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

Summary by Bito

This pull request updates the Dockerfile to upgrade the base image from alpine:3.16 to alpine:3.22.2, directly addressing multiple security vulnerabilities. The change enhances the security posture by ensuring the Docker image benefits from the latest security fixes. It involves a focused substitution that does not affect the functionality of the Docker file commands. Overall, the update aims to mitigate risk and maintain a secure dependency chain.

[windsurf-bot]

Looks good to me 🤙

💡 To request another review, post a new comment with "/windsurf-review".

[bito-code-review]

Changelist by Bito

This pull request implements the following key changes.

Key Change	Files Impacted
Bug Fix - Security Patch Update	- Dockerfile - Upgraded the alpine base image from 3.16 to 3.22.2 to address critical security vulnerabilities.

[bito-code-review]

Interaction Diagram by Bito

sequenceDiagram
participant DEV as Developer
participant REPO as Git Repository
participant DOCKERFILE as Dockerfile<br/>🔄 Updated | ●●○ Medium
participant CI as GitHub Actions<br/>🔄 Updated | ●●○ Medium
participant REGISTRY as Container Registry
participant CONTROLLER as NetworkPlugins Controller
participant K8S as Kubernetes Cluster
participant OVS as OVS DaemonSet
Note over DOCKERFILE: Alpine base image<br/>upgraded from 3.16 to 3.22.2
DEV->>REPO: Push Dockerfile changes
REPO->>CI: Trigger ovs-build-and-push workflow
CI->>DOCKERFILE: Build OVS container image
DOCKERFILE->>REGISTRY: Push quay.io/platform9/openvswitch
CONTROLLER->>REGISTRY: Pull updated OVS image
CONTROLLER->>K8S: Deploy OVS DaemonSet
K8S->>OVS: Create pods with new Alpine base
OVS-->>K8S: OpenVSwitch services running
K8S-->>CONTROLLER: Deployment status

Loading

Critical path: Git Repository->GitHub Actions->Dockerfile->Container Registry->NetworkPlugins Controller->Kubernetes Cluster->OVS DaemonSet

Note: The Alpine base image upgrade from 3.16 to 3.22.2 in the OVS Dockerfile triggers a CI rebuild. The NetworkPlugins controller deploys the updated image as a DaemonSet across Kubernetes nodes for OpenVSwitch networking services.

[bito-code-review]

Code Review Agent Run #f0f316

Actionable Suggestions - 1

• hostplumber/pkg/ovs-docker/Dockerfile - 1

  • Alpine version compatibility risk · Line 1-1

Review Details

• Files reviewed - 1 · Commit Range: 21a771b..21a771b

  • hostplumber/pkg/ovs-docker/Dockerfile
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Default Agent You can customize the agent settings here or contact your Bito workspace admin at [email protected].

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[bito-code-review]

Alpine version compatibility risk

The upgrade from Alpine 3.16 to 3.22.2 introduces significant compatibility risks that could break the DPDK 21.11.3 and Open vSwitch 2.17.5 build process. Alpine 3.22 uses Linux kernel 6.12, updated build toolchains (LLVM 20, GCC updates), and has stricter musl libc compatibility requirements. The legacy DPDK 21.11.3 (from 2021) and Open vSwitch 2.17.5 may fail to compile or run correctly with these newer dependencies. Consider using Alpine 3.19 instead, which provides security updates while maintaining better compatibility with these older versions, or update DPDK/OVS to versions compatible with Alpine 3.22.

Code suggestion

Check the AI-generated fix before applying

Suggested change

	FROM alpine:3.22.2
	FROM alpine:3.19

Code Review Run #f0f316

---

Should Bito avoid suggestions like this for future reviews? (Manage Rules)

• Yes, avoid them