
Upgrade Ruby image and tools (Debian) #343

Merged: 2 commits, Nov 4, 2024

Conversation

@ZoogieZork (Contributor) commented Nov 4, 2024

Description

This upgrades the Ruby base image to use Ruby 3.3. To support this version of Ruby, the tools have been upgraded as well:

  • Brakeman upgraded to 6.2.2
  • Bundler-Audit upgraded to 0.9.2

Additionally:

  • Removed the separate step to upgrade security updates, which is unnecessary since we upgrade all packages anyway.
  • The linux-libc-dev package and dependencies are removed as they are not needed in the final image, and they result in hundreds of false-positives in container scanning.

Note

This is the Debian version of this solution.
The Debian base image has more detected vulnerabilities than the Chainguard version, but lets us select the specific Ruby version, which should result in fewer surprises from incompatibilities.

Motivation and Context

Upgrades the base image to resolve detected vulnerabilities.

How Has This Been Tested?

Tested in non-prod environment.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation change

Checklist

  • My code conforms to the coding standards.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
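The changes described above, written out as a Dockerfile for a Debian Bookworm based Ruby image. This is an added illustration, not the project's own Dockerfile (which is not shown on this page); the base-image tag, installing the scanners as gems, and the exact purge command are assumptions.

```dockerfile
# Added illustration, not the project's Dockerfile. Assumes the official
# ruby:3.3-bookworm image as the base and that Brakeman and Bundler-Audit
# are installed as gems.
FROM ruby:3.3-bookworm

# A single full upgrade already pulls in every pending security update,
# so no separate "security updates only" step is needed.
#
# linux-libc-dev contains only kernel headers. Nothing in the final image
# compiles against them, yet the package carries the kernel's CVE history
# and floods container scans with findings. Purge it together with the
# packages that then become orphaned (--auto-remove).
#
# Caveat: libc6-dev and the compilers depend on linux-libc-dev, so this
# step also removes the toolchain; run it only after any native gem
# extensions have been built.
RUN apt-get update \
 && apt-get -y upgrade \
 && apt-get -y purge --auto-remove linux-libc-dev \
 && rm -rf /var/lib/apt/lists/*

# Pin the scanner versions named in the PR so rebuilds are reproducible.
RUN gem install --no-document brakeman:6.2.2 bundler-audit:0.9.2
```

Re-scanning the image after the purge is the check that the headers were the source of the noise: findings attributed to linux-libc-dev should disappear, while any remaining findings point at packages that actually ship code into the image.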

Commits

- Ruby upgraded to 3.3, with Debian Bookworm.
- Brakeman upgraded to 6.2.2.
- Bundler-Audit upgraded to 0.9.2.

Also removed the separate install of security updates, since we already
upgrade all packages which includes security updates.

Container scans generate hundreds of findings on linux-libc-dev, even
though the package only contains headers. These headers aren't needed
anyway, so we remove them to eliminate the false-positives.
@ZoogieZork ZoogieZork marked this pull request as ready for review November 4, 2024 21:22
@ZoogieZork ZoogieZork requested a review from a team as a code owner November 4, 2024 21:22
@ZoogieZork ZoogieZork added this pull request to the merge queue Nov 4, 2024
Merged via the queue into main with commit f3d0b19 Nov 4, 2024
5 checks passed