diff --git a/.github/workflows/branch-build.yml b/.github/workflows/branch-build.yml
index c32574a1e26d3e..8ad4e9f1676987 100644
--- a/.github/workflows/branch-build.yml
+++ b/.github/workflows/branch-build.yml
@@ -390,11 +390,13 @@ jobs:
 echo "No critical vulnerabilities found."
 fi
 - name: Upload SBOMs
+ if: ${{ always() && steps.scan.outputs.leeway_sboms_dir != '' }}
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # pin@v4
 with:
 name: sboms
 path: ${{ steps.scan.outputs.leeway_sboms_dir }}
 - name: Upload vulnerability reports
+ if: ${{ always() && steps.scan.outputs.leeway_vulnerability_reports_dir != '' }}
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # pin@v4
 with:
 name: vulnerability-reports
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3540fd57c3825e..7bc0bdb9f3c24f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -393,11 +393,13 @@ jobs:
 echo "No critical vulnerabilities found."
 fi
 - name: Upload SBOMs
+ if: ${{ always() && steps.scan.outputs.leeway_sboms_dir != '' }}
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # pin@v4
 with:
 name: sboms
 path: ${{ steps.scan.outputs.leeway_sboms_dir }}
 - name: Upload vulnerability reports
+ if: ${{ always() && steps.scan.outputs.leeway_vulnerability_reports_dir != '' }}
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # pin@v4
 with:
 name: vulnerability-reports
diff --git a/WORKSPACE.yaml b/WORKSPACE.yaml
index c5ef5fe182bfa1..f87699d39c10b9 100644
--- a/WORKSPACE.yaml
+++ b/WORKSPACE.yaml
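Review bot: `always()` in the two new `if:` guards also fires when the job is cancelled, so a cancelled run still spends time uploading whatever partial directories the scan step left behind; `!cancelled()` keeps the intended run-on-failure behaviour without that, i.e. `if: ${{ !cancelled() && steps.scan.outputs.leeway_sboms_dir != '' }}` and the same for the vulnerability-reports step. Guarding on the output is the right call, since an empty `path:` would otherwise make `upload-artifact` warn or fail right after a scan failure, which is exactly when the reports matter most. The same two step blocks are duplicated verbatim in `build.yml` in this change; a composite action or reusable workflow would keep the two guards from drifting apart on the next edit. `steps.scan` is defined above the hunk, so whether its outputs are populated on the failure path cannot be confirmed from here.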
@@ -52,6 +52,9 @@ sbom:
 GHSA-4c29-8rgm-jvjj / CVE-2026-33747, but grype matches the emitted github.com/moby/buildkit module version and still reports v0.20.1-gitpod.8 as vulnerable.
+ This workspace-level ignore is global for the vulnerability ID; keep it
+ limited to this known false positive and scope or remove it once artifact
+ scoped suppressions are available here.
 environmentManifest:
 - name: "go"
 command: ["sh", "-c", "go version | sed s/arm/amd/"]
diff --git a/components/image-builder-bob/leeway.Dockerfile b/components/image-builder-bob/leeway.Dockerfile
index 2356f8136263e5..b1e20f5f767aca 100644
--- a/components/image-builder-bob/leeway.Dockerfile
+++ b/components/image-builder-bob/leeway.Dockerfile
@@ -5,7 +5,8 @@ FROM ghcr.io/gitpod-io/buildkit:v0.20.1-gitpod.8
 USER root
-RUN apk --no-cache add sudo bash \
+RUN apk upgrade --no-cache \
+ && apk --no-cache add sudo bash \
 && addgroup -g 33333 gitpod \
 && adduser -D -h /home/gitpod -s /bin/sh -u 33333 -G gitpod gitpod \
 && echo "gitpod ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/gitpod \
diff --git a/components/proxy/Dockerfile b/components/proxy/Dockerfile
index d403413832e816..0d5107fcdd9750 100644
--- a/components/proxy/Dockerfile
+++ b/components/proxy/Dockerfile
@@ -2,14 +2,14 @@
 # Licensed under the GNU Affero General Public License (AGPL).
 # See License.AGPL.txt in the project root for license information.
-FROM caddy:builder AS builder
+FROM caddy:2.11.4-builder AS builder
 WORKDIR /plugins
 COPY plugins /plugins
 # build caddy — pin smallstep/certificates to v0.30.1 (fixes GHSA-q4r8-xm5f-56gw)
-RUN xcaddy build v2.11.2 \
+RUN xcaddy build v2.11.4 \
 --output /caddy \
 --replace github.com/smallstep/certificates=github.com/smallstep/certificates@v0.30.1 \
 --with github.com/gitpod-io/gitpod/proxy/plugins/corsorigin=/plugins/corsorigin \
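Review bot: The three added lines say the global ignore should be scoped or removed later but name no concrete trigger or owner, so the suppression will most likely outlive the false positive it was written for; add the retirement condition next to it, e.g. `Remove when the base image moves off buildkit v0.20.1-gitpod.x or the scanner stops matching the fork's version string; owner: <team>`. Because the ignore is keyed on the vulnerability ID alone, a genuine hit on CVE-2026-33747 in any other artifact that vendors moby/buildkit without the fork's fix would also be silenced, which is worth stating explicitly rather than only "keep it limited". The text above the hunk presumably explains why the fork is not affected; the `sbom:` block and the ignore entry itself begin outside this hunk, so that cannot be confirmed here.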
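Review bot: The new `apk upgrade --no-cache` at the head of the `RUN` makes the image depend on whatever the Alpine mirrors serve at build time, so two builds from the same pinned base tag can produce different package sets and the uploaded SBOM becomes the only record of what was actually installed. If the goal is to pick up Alpine security fixes deterministically, pin `ghcr.io/gitpod-io/buildkit:v0.20.1-gitpod.8` by digest and bump that instead, or at least record the trade-off on the line with `# apk upgrade: pull Alpine fixes newer than the base image; the image is not reproducible from the tag alone`. Unless buildkit is shipped as an apk package in that base image, this also leaves the buildkit binary untouched, so it has no bearing on the CVE-2026-33747 match that the WORKSPACE.yaml change in this same commit suppresses — presumably expected, but worth one sentence in the comment so nobody reads the upgrade as the fix. `sudo` and `bash` stay unpinned (hadolint DL3018), and the `RUN` continues past the end of the hunk.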
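Review bot: The Caddy version now appears as a literal in three places — `FROM caddy:2.11.4-builder`, `xcaddy build v2.11.4`, and the runtime `FROM caddy/caddy:2.11.4-alpine` in the later hunk — so the next bump can silently leave the builder image, the built binary and the runtime base at different versions; a single `ARG CADDY_VERSION=2.11.4` before the first `FROM`, redeclared inside the builder stage for the `RUN`, removes that. Replacing the floating `caddy:builder` tag with a versioned one is the right fix, but neither stage is pinned by digest yet, so the remediation this appears to target is only as strong as the tag. Note also that the builder comes from the `caddy` official image while the runtime comes from the `caddy/caddy` namespace; both carry the 2.11.4 tag but are published separately — pre-existing and presumably intentional, but a short comment saying so would spare the next reader the question.
```dockerfile
ARG CADDY_VERSION=2.11.4
FROM caddy:${CADDY_VERSION}-builder AS builder
ARG CADDY_VERSION
# … unchanged: WORKDIR /plugins, COPY plugins /plugins …
RUN xcaddy build v${CADDY_VERSION} \
# … unchanged: --output, --replace and --with flags …
```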
@@ -23,7 +23,7 @@ RUN xcaddy build v2.11.2 \
 --with github.com/gitpod-io/gitpod/proxy/plugins/sshtunnel=/plugins/sshtunnel \
 --with github.com/gitpod-io/gitpod/proxy/plugins/frontend_dev=/plugins/frontend_dev
-FROM caddy/caddy:2.11.2-alpine
+FROM caddy/caddy:2.11.4-alpine
 # Ensure latest packages are present, like security updates.
 RUN apk upgrade --no-cache \