common: fix code scanning alerts #6111
Conversation
osalyk
added
sprint goal
osalyk
force-pushed
the
pinned_depend
branch
from
a556b5b
to
3f50ea5
Compare
There was a problem hiding this comment.
Reviewed 10 of 10 files at r1, all commit messages.
Reviewable status: all files reviewed, 8 unresolved discussions (waiting on @osalyk)
utils/docker/images/Dockerfile.centos-7 line 10 at r1 (raw file):
# Pull base image FROM centos:7@sha256:8652b9f0cb4c0599575e5a003f5906876e10c1ceb2ab9fe1786712dac14a50cf
I'm not sure what the requirements are but if we want to narrow down what will be used by adding a hash I think adding the exact repository is worth a while as well, isn't it?
Suggestion:
quay.io/centos/centos:7@sha256:8652b9f0cb4c0599575e5a003f5906876e10c1ceb2ab9fe1786712dac14a50cf
utils/docker/images/Dockerfile.debian-11 line 10 at r1 (raw file):
# Pull base image FROM debian:11@sha256:34662f5448c46bb16e56edc0a8224cc0c0fb0a6bc4713061857761e8684ff388
.
Suggestion:
docker.io/library/debian:11@sha256:34662f5448c46bb16e56edc0a8224cc0c0fb0a6bc4713061857761e8684ff388
utils/docker/images/Dockerfile.fedora-31 line 10 at r1 (raw file):
# Pull base image FROM fedora:31@sha256:a7a37f74ff864eec55891b64ad360d07020827486e30a92ea81d16459645b26a
.
Suggestion:
registry.fedoraproject.org/fedora:31@sha256:a7a37f74ff864eec55891b64ad360d07020827486e30a92ea81d16459645b26a
utils/docker/images/Dockerfile.fedora-37 line 10 at r1 (raw file):
# Pull base image FROM fedora:37@sha256:4105b568d464732d3ea6a3ce9a0095f334fa7aa86fdd1129f288d2687801d87d
Suggestion:
registry.fedoraproject.org/fedora:37@sha256:4105b568d464732d3ea6a3ce9a0095f334fa7aa86fdd1129f288d2687801d87d
utils/docker/images/Dockerfile.opensuse-leap-15 line 10 at r1 (raw file):
# Pull base image FROM opensuse/leap:15@sha256:2a8c959e6b77beb76401943d01735a4fe55f2deb9eb5cba8dc659f354bdb2a23
Suggestion:
registry.opensuse.org/opensuse/leap:15@sha256:2a8c959e6b77beb76401943d01735a4fe55f2deb9eb5cba8dc659f354bdb2a23
utils/docker/images/Dockerfile.rockylinux-8 line 10 at r1 (raw file):
# Pull base image FROM rockylinux/rockylinux:8@sha256:fcc573d8a467898553374348812a0c93d900161b7b97cf71c76476db5e41c7b3
Suggestion:
docker.io/rockylinux/rockylinux:8@sha256:fcc573d8a467898553374348812a0c93d900161b7b97cf71c76476db5e41c7b3
utils/docker/images/Dockerfile.rockylinux-9 line 10 at r1 (raw file):
# Pull base image FROM rockylinux/rockylinux:9@sha256:3c8f8ff398c0125ad595e3cfbc9e592e9c184e278e29ae3b8d70fbbd147e5989
Suggestion:
docker.io/rockylinux/rockylinux:9@sha256:3c8f8ff398c0125ad595e3cfbc9e592e9c184e278e29ae3b8d70fbbd147e5989
utils/docker/images/Dockerfile.ubuntu-22.04 line 10 at r1 (raw file):
# Pull base image FROM ubuntu:22.04@sha256:adbb90115a21969d2fe6fa7f9af4253e16d45f8d4c1e930182610c4731962658
docker pull... worked for me. So you might like to paste in my sha256 instead. @grom72 you may care to check this one especially.
Suggestion:
docker.io/library/ubuntu:22.04@sha256:53a843653cbcd9e10be207e951d907dc2481d9c222de57d24cfcac32e5165188
There was a problem hiding this comment.
I propose to remove obsolete Fedora and Centos Docker files and there is no line of code/test/CI that uses them.
Fedora is officially removed from validation in the release 2.0.0
Reviewable status: all files reviewed, 8 unresolved discussions (waiting on @osalyk)
osalyk
force-pushed
the
pinned_depend
branch
from
3f50ea5
to
cff1706
Compare
There was a problem hiding this comment.
Done.
Reviewable status: 2 of 10 files reviewed, 1 unresolved discussion (waiting on @grom72 and @janekmi)
utils/docker/images/Dockerfile.ubuntu-22.04 line 10 at r1 (raw file):
Previously, janekmi (Jan Michalski) wrote…
docker pull...worked for me. So you might like to paste in my sha256 instead. @grom72 you may care to check this one especially.
Done.
There was a problem hiding this comment.
Reviewed 4 of 8 files at r2.
Reviewable status: 6 of 10 files reviewed, all discussions resolved (waiting on @osalyk)
osalyk
force-pushed
the
pinned_depend
branch
from
cff1706
to
7e376fd
Compare
There was a problem hiding this comment.
Reviewed 2 of 10 files at r1, 3 of 8 files at r2, 1 of 5 files at r4, 4 of 4 files at r5, all commit messages.
Reviewable status:complete! all files reviewed, all discussions resolved (waiting on @osalyk)
There was a problem hiding this comment.
Reviewed 1 of 5 files at r4, 4 of 4 files at r5, all commit messages.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @osalyk)
a discussion (no related file):
It would be nice to remove unsupported images from our Docker images repository as well.
Just to make sure we won't use a stale one by mistake.
utils/docker/images/Dockerfile.centos-stream line 1 at r5 (raw file):
# SPDX-License-Identifier: BSD-3-Clause
We don't have this one in the docker_rebuild.yml as well. I suggest removing it.
utils/docker/images/Dockerfile.ubuntu-22.04 line 10 at r5 (raw file):
# Pull base image FROM docker.io/library/ubuntu:22.04@sha256:adbb90115a21969d2fe6fa7f9af4253e16d45f8d4c1e930182610c4731962658
Is this one updated daily or what? 😆
For me now it is "97271d29cb7956f0908cfb1449610a2cd9cb46b004ac8af25f0255663eb364ba".
osalyk
force-pushed
the
pinned_depend
branch
from
7e376fd
to
ab15d5e
Compare
There was a problem hiding this comment.
Reviewed 2 of 10 files at r1, 3 of 8 files at r2, 1 of 5 files at r4, 4 of 4 files at r5.
Reviewable status: 9 of 10 files reviewed, 3 unresolved discussions (waiting on @grom72 and @janekmi)
a discussion (no related file):
Previously, janekmi (Jan Michalski) wrote…
It would be nice to remove unsupported images from our Docker images repository as well.
Just to make sure we won't use a stale one by mistake.
Done.
utils/docker/images/Dockerfile.centos-stream line 1 at r5 (raw file):
Previously, janekmi (Jan Michalski) wrote…
We don't have this one in the
docker_rebuild.ymlas well. I suggest removing it.
Done.
utils/docker/images/Dockerfile.ubuntu-22.04 line 10 at r5 (raw file):
Previously, janekmi (Jan Michalski) wrote…
Is this one updated daily or what? 😆
For me now it is "97271d29cb7956f0908cfb1449610a2cd9cb46b004ac8af25f0255663eb364ba".
I don't know, I took the hash from the suggestion.
There was a problem hiding this comment.
Reviewed 1 of 1 files at r6, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @osalyk)
utils/docker/images/Dockerfile.ubuntu-22.04 line 10 at r5 (raw file):
Previously, osalyk (Oksana Sałyk) wrote…
I don't know, I took the hash from the suggestion.
I guess you made a mistake. The suggestion was: "53a843653cbcd9e10be207e951d907dc2481d9c222de57d24cfcac32e5165188".
Let's settle on using "97271d29cb7956f0908cfb1449610a2cd9cb46b004ac8af25f0255663eb364ba" for now.
There was a problem hiding this comment.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @janekmi)
utils/docker/images/Dockerfile.ubuntu-22.04 line 10 at r5 (raw file):
Previously, janekmi (Jan Michalski) wrote…
I guess you made a mistake. The suggestion was: "53a843653cbcd9e10be207e951d907dc2481d9c222de57d24cfcac32e5165188".
Let's settle on using "97271d29cb7956f0908cfb1449610a2cd9cb46b004ac8af25f0255663eb364ba" for now.
I used the suggestion from https://github.com/pmem/pmdk/security/code-scanning/69 . I would stay with it because it is the only hash that works.
There was a problem hiding this comment.
Reviewable status:
There was a problem hiding this comment.
Reviewed 1 of 1 files at r6, all commit messages.
Reviewable status:
There was a problem hiding this comment.
Reviewable status:
This change is