
security: CVE scan (dependencies clean) + pin alpine build base image #10

Closed
BenElferink wants to merge 1 commit into main from cursor/cve-scan-base-image-pin-7280

Conversation

@BenElferink

Collaborator

Summary

Performed a comprehensive CVE scan of the repository and addressed the one actionable supply-chain finding. No vulnerable Ruby dependencies were found in the shipped gem bundle (the trace-collection artifact), so no gem versions were changed — eliminating any risk to trace collection.

CVE scan results

The pinned Ruby gems (all 8 */{amd64,arm64}/Gemfile.lock files and the vendored bundle/) were scanned with four independent, current sources:

| Source | Result |
|---|---|
| Trivy (DB updated 2026-06-25) | 0 vulnerabilities across all 8 lockfiles |
| OSV.dev (osv-scanner 2.4.0) | "No issues found" |
| ruby-advisory-db (rubysec, fresh clone) | No applicable advisories — google-protobuf 4.33.5, rake 13.3.1, bundler 4.0.6 are all far newer than any advisory range |
| Published image public.ecr.aws/odigos/agents/ruby-community:latest | 0 vulnerabilities (the live shipped artifact) |

The gem set (OpenTelemetry SDK/API/instrumentations, google-protobuf, googleapis-common-protos-types, bigdecimal, rake) is already up to date and free of known CVEs.

What this PR changes

The only actionable security finding came from Trivy's Dockerfile config scan: release.Dockerfile used a floating alpine (implicit :latest) base image (DS-0001). This PR pins it to an immutable digest:

```dockerfile
FROM --platform=$BUILDPLATFORM alpine:3.24@sha256:28bd5fe8b56d1bd048e5babf5b10710ebe0bae67db86916198a6eec434943f8b
```

This prevents the build from silently pulling a future, potentially vulnerable base image. The stage only assembles files into the final scratch image, so no shipped gem is touched and trace collection is unaffected.

The remaining config-scan items (DS-0002 non-root USER, DS-0026 HEALTHCHECK) are not applicable to a scratch filesystem-only image — the build stages must run as root to write under /, and there is no runtime process to health-check.

Verifying trace collection

The e2e CI (tests.yaml, runs on pull_request) exercises end-to-end trace collection across Ruby 3.1–3.4 against an OpenTelemetry Collector. Because this PR does not modify the gem bundle or index.rb, a green run confirms trace collection remains intact.
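The DS-0001 class of finding above (a base image pulled by a floating tag rather than an immutable digest) is easy to check for in CI before a scanner does. The following is an added example, not code from this PR or the Odigos project; the sample Dockerfile is constructed and only mirrors the shape of the fix described here.

```python
import re

# Constructed sample modelled on this PR's finding (floating `alpine`, later pinned by digest).
SAMPLE_DOCKERFILE = """\
FROM --platform=$BUILDPLATFORM alpine AS build
RUN mkdir -p /out
FROM --platform=$BUILDPLATFORM alpine:3.24@sha256:28bd5fe8b56d1bd048e5babf5b10710ebe0bae67db86916198a6eec434943f8b AS pinned
FROM golang:1.22 AS tools
FROM build AS again
FROM scratch
COPY --from=build /out /
"""
# FROM [--platform=...] <image> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?P<flags>(?:--\S+\s+)*)(?P<image>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def image_tag(image):
    """Tag of an image reference, or None when implicit (a registry port is not a tag)."""
    last = image.rsplit("/", 1)[-1]          # strip registry/namespace
    return last.split(":", 1)[1] if ":" in last else None


def audit_from_lines(dockerfile_text):
    """Return (line_no, image, finding) for each FROM that is not pinned by digest."""
    findings = []
    stages = set()
    for line_no, raw in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(raw)
        if not m:
            continue
        image = m.group("image")
        # 'scratch' and references to earlier build stages are never pulled from a registry
        if image == "scratch" or image in stages:
            pass
        elif DIGEST_RE.search(image):
            pass                               # content-addressed: immutable, nothing to flag
        elif image_tag(image) in (None, "latest"):
            findings.append((line_no, image, "floating tag (implicit or explicit :latest)"))
        else:
            findings.append((line_no, image, "mutable tag without digest"))
        if m.group("stage"):
            stages.add(m.group("stage"))
    return findings


if __name__ == "__main__":
    for line_no, image, finding in audit_from_lines(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {image}: {finding}")
```

Note that a version tag such as `golang:1.22` is still reported: tags are mutable, and only the digest pins the exact content the build will consume.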


The release build stage used a floating `alpine` (implicit :latest) tag,
flagged by Trivy config scan (DS-0001). Pin it to alpine:3.24.1 by digest
so the build cannot silently pull a future, potentially vulnerable base
image. This stage only assembles files into the final scratch image, so it
does not change any shipped gem and cannot affect trace collection.

Co-authored-by: Ben <BenElferink@users.noreply.github.com>
@BenElferink BenElferink deleted the cursor/cve-scan-base-image-pin-7280 branch June 28, 2026 06:43