From 70cc843a49294e5704945c90440783fca3ba7404 Mon Sep 17 00:00:00 2001 From: Xun Jiang Date: Fri, 14 Apr 2023 16:22:29 +0800 Subject: [PATCH] Replace busybox with internal copy binary and fix CVEs. Replace the busybox image. Bump Golang version to v1.20. Signed-off-by: Xun Jiang --- .github/workflows/pr.yaml | 2 +- .github/workflows/push.yml | 2 +- Dockerfile | 11 ++++--- changelogs/unreleased/137-blackpiglet | 1 + hack/cp-plugin/main.go | 42 +++++++++++++++++++++++++++ 5 files changed, 50 insertions(+), 8 deletions(-) create mode 100644 changelogs/unreleased/137-blackpiglet create mode 100644 hack/cp-plugin/main.go diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 00ddeca..eb9e513 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -10,7 +10,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v2 with: - go-version: 1.19 + go-version: '1.20' id: go - name: Check out the code diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 435775b..22c850d 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -18,7 +18,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v2 with: - go-version: 1.19 + go-version: '1.20' id: go - name: Check out code into the Go module directory diff --git a/Dockerfile b/Dockerfile index 206af44..ece24d1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM --platform=$BUILDPLATFORM golang:1.19-bullseye AS build +FROM --platform=$BUILDPLATFORM golang:1.20-bullseye AS build ARG TARGETOS ARG TARGETARCH 
@@ -27,12 +27,11 @@ ENV GOOS=${TARGETOS} \ COPY . /go/src/velero-plugin-for-gcp WORKDIR /go/src/velero-plugin-for-gcp RUN export GOARM=$( echo "${GOARM}" | cut -c2-) && \ - CGO_ENABLED=0 go build -v -o /go/bin/velero-plugin-for-gcp ./velero-plugin-for-gcp - -FROM busybox:1.36.0-uclibc AS busybox + CGO_ENABLED=0 go build -v -o /go/bin/velero-plugin-for-gcp ./velero-plugin-for-gcp && \ + CGO_ENABLED=0 go build -v -o /go/bin/cp-plugin ./hack/cp-plugin FROM scratch COPY --from=build /go/bin/velero-plugin-for-gcp /plugins/ -COPY --from=busybox /bin/cp /bin/cp +COPY --from=build /go/bin/cp-plugin /bin/cp-plugin USER 65532:65532 -ENTRYPOINT ["cp", "/plugins/velero-plugin-for-gcp", "/target/."] +ENTRYPOINT ["cp-plugin", "/plugins/velero-plugin-for-gcp", "/target/velero-plugin-for-gcp"] diff --git a/changelogs/unreleased/137-blackpiglet b/changelogs/unreleased/137-blackpiglet new file mode 100644 index 0000000..1376371 --- /dev/null +++ b/changelogs/unreleased/137-blackpiglet @@ -0,0 +1 @@ +Replace busybox with internal copy binary and fix CVEs. \ No newline at end of file diff --git a/hack/cp-plugin/main.go b/hack/cp-plugin/main.go new file mode 100644 index 0000000..3f86487 --- /dev/null +++ b/hack/cp-plugin/main.go 
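Review bot: The ENTRYPOINT destination changes from the directory form `/target/.` to the full file path `/target/velero-plugin-for-gcp`, and nothing in the Dockerfile records why, so a later editor could plausibly "simplify" it back. The reason appears to be the new copier itself: hack/cp-plugin/main.go in this commit opens dst for writing with os.OpenFile, which would fail on an existing directory instead of copying into it. A comment above the ENTRYPOINT would pin that contract: `# cp-plugin copies file to file only; dst must be the full target path, not a directory`.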
@@ -0,0 +1,42 @@
+package main
+
+import (
+ "errors"
+ "fmt"
+ "io"
+ "os"
+)
+
+func main() {
+ if len(os.Args) != 3 {
+ fmt.Println(
+ `Error: This command requires two arguments.
+Usage: cp-plugin src dst`)
+ os.Exit(1)
+ }
+ src, dst := os.Args[1], os.Args[2]
+ fmt.Printf("Copying %s to %s ... ", src, dst)
+ srcFile, err := os.Open(src)
+ if err != nil {
+ panic(err)
+ }
+ defer srcFile.Close()
+ if _, err := os.Stat(dst); errors.Is(err, os.ErrNotExist) {
+ _, err = os.Create(dst)
+ if err != nil {
+ panic(err)
+ }
+ }
+ dstFile, err := os.OpenFile(dst, os.O_WRONLY, 0755)
+ if err != nil {
+ panic(err)
+ }
+ defer dstFile.Close()
+ buf := make([]byte, 1024*128)
+ _, err = io.CopyBuffer(dstFile, srcFile, buf)
+ if err != nil {
+ panic(err)
+ }
+ os.Chmod(dst, 0755)
+ fmt.Println("done.")
+}
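Review bot: The destination is opened with `os.OpenFile(dst, os.O_WRONLY, 0755)` and no `O_TRUNC`, so if dst already exists and is longer than src (for example an older, larger plugin build still present in the target volume) the tail of the old file survives the copy and the result is a corrupt binary; the `*os.File` returned by the preceding `os.Create(dst)` is also never closed. Replacing the Stat/Create block and the OpenFile call with `dstFile, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0755)` fixes both and removes the check-then-create window between os.Stat and os.Create. The return value of `os.Chmod(dst, 0755)` is dropped as well; since every other failure in main panics, `if err := os.Chmod(dst, 0755); err != nil { panic(err) }` keeps the handling consistent. The same goes for the deferred `dstFile.Close()`, whose error is the last chance to notice a short write on the freshly copied plugin.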