From f68be9a69d58fd1d4751fb840b21427def86a4c0 Mon Sep 17 00:00:00 2001 From: Ashir Amin Date: Tue, 19 May 2026 10:17:37 -0500 Subject: [PATCH 1/3] Add APT_CACHE_BUST ARG so the apt layer can be refreshed without pinning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When the scheduled Trivy scan flags OS-package CVEs on :main, the underlying cause is that buildx's layer cache for the apt RUN hashes only on the Dockerfile text — same text → same cached layer → `apt-get update` never re-fetches from the archive even though the RUN explicitly calls it. PRs #99 and #102 worked around this by pinning specific transitive packages (libngtcp2, libnghttp2). The pin invalidated the cache as a side effect of changing Dockerfile text, but locks the build to a single archive version that ages out. PR #99 deferred a cleaner fix; this is that fix. ARG APT_CACHE_BUST is declared right before the apt RUN and referenced inside it. Buildx folds the ARG value into the layer's cache key, so bumping the value (a one-line PR) invalidates only this layer — other layers (Go build, npm install, snyk-broker clone) keep hitting cache as before. Today's value (2026-05-19) also fixes today's failing :main scan: merging this PR is itself an ARG bump, so the apt layer rebuilds, fresh packages land, the next Trivy scan passes. --- docker/Dockerfile | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 603cce9..37afad8 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
@@ -21,12 +21,20 @@ RUN cd /build && go build -o /agent/cortex-axon-agent FROM debian:stable-slim WORKDIR /agent -# Install dependencies. libngtcp2-16, libngtcp2-crypto-gnutls8, and libnghttp2-14 -# are pinned to patched Debian versions to address CVE-2026-40170 and -# CVE-2026-27135; they're pulled transitively via wget -> libcurl3-gnutls. Bump -# these pins if Debian ships a newer fix or the current version ages out of the -# archive. -RUN apt-get update && apt-get upgrade -y && apt-get install -y \ +# APT_CACHE_BUST participates in buildx's layer cache key for the RUN below. +# Bump its value (a one-line PR is enough) to invalidate the cached layer and +# force `apt-get update && upgrade` to re-fetch from Debian's archive. Use this +# when the scheduled Trivy scan flags OS-package CVEs whose fixes are already +# in the archive — the cache is just serving a stale layer. Leaves the rest of +# the build (Go, npm, snyk-broker clone) hitting cache as normal. +# +# libngtcp2-16, libngtcp2-crypto-gnutls8, and libnghttp2-14 are pinned to +# patched Debian versions for CVE-2026-40170 and CVE-2026-27135; pulled +# transitively via wget -> libcurl3-gnutls. Bump if Debian ships a newer fix +# or the current version ages out of the archive. +ARG APT_CACHE_BUST=2026-05-19 +RUN echo "apt cache bust: $APT_CACHE_BUST" \ + && apt-get update && apt-get upgrade -y && apt-get install -y \ protobuf-compiler git python3 python3-venv wget build-essential openssl jq \ libngtcp2-16=1.11.0-1+deb13u1 \ libngtcp2-crypto-gnutls8=1.11.0-1+deb13u1 \ From c2a994f5421ad4f7a99ff301c85897cfe1bafe04 Mon Sep 17 00:00:00 2001 
From: Ashir Amin Date: Tue, 19 May 2026 18:03:07 -0500 Subject: [PATCH 2/3] Bump SNYK_BROKER_VERSION to v1.0.14-axon for ws CVE-2026-45736 cortexapps/snyk-broker#23 promoted the `engine.io-client.ws` scoped override to a top-level `ws` override so both engine.io and engine.io-client resolve to the patched 8.20.1. The tag v1.0.14-axon carries that change. Verified pre-merge by building a minimal node:20-slim image with the local package files: ws resolves to 8.20.1 in node_modules; trivy image scan no longer reports CVE-2026-45736. Combined with the APT_CACHE_BUST in the prior commit, this clears every finding from today's failing :main Trivy scan (11 OS packages + ws). --- docker/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 37afad8..7528cf2 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -43,7 +43,7 @@ RUN echo "apt cache bust: $APT_CACHE_BUST" \ # Install NodeJS and Snyk Broker ENV NODE_VERSION=20 -ARG SNYK_BROKER_VERSION=v1.0.13-axon +ARG SNYK_BROKER_VERSION=v1.0.14-axon RUN wget -q -O - https://deb.nodesource.com/setup_${NODE_VERSION}.x | bash - && apt-get install -y nodejs RUN npm install --global npm@latest typescript@4.9.3 RUN git clone https://github.com/cortexapps/snyk-broker.git /tmp/snyk-broker && \ From e77bc5f860182030ffb9a44c37552ba41b2f89ef Mon Sep 17 00:00:00 2001 
From: Ashir Amin Date: Thu, 21 May 2026 16:37:51 -0500 Subject: [PATCH 3/3] Remove libngtcp2/libnghttp2 hard pins now that APT_CACHE_BUST is in place MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The pins were added in #99/#102 because the buildx cache was serving stale apt layers — explicit versions invalidated the cache as a side effect and guaranteed the patched packages landed. With APT_CACHE_BUST now driving cache invalidation explicitly, `apt-get upgrade -y` pulls the current patched versions transitively via wget → libcurl3-gnutls, no pin required. Keeping the pins past this point has a cost: they prevent apt from picking up future Debian point releases (e.g. a hypothetical libnghttp2 deb13u2 patch), and they break the build if the pinned version ages out of the archive. Now that the cache mechanism is the actual fix, the pins are redundant belt-on-belt. Validated by the trivy-pr scan on this PR — if removal regresses CVE-2026-40170 or CVE-2026-27135, trivy-pr will flag it before merge. --- docker/Dockerfile | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 7528cf2..208c94b 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
@@ -27,18 +27,10 @@ WORKDIR /agent # when the scheduled Trivy scan flags OS-package CVEs whose fixes are already # in the archive — the cache is just serving a stale layer. Leaves the rest of # the build (Go, npm, snyk-broker clone) hitting cache as normal. -# -# libngtcp2-16, libngtcp2-crypto-gnutls8, and libnghttp2-14 are pinned to -# patched Debian versions for CVE-2026-40170 and CVE-2026-27135; pulled -# transitively via wget -> libcurl3-gnutls. Bump if Debian ships a newer fix -# or the current version ages out of the archive. ARG APT_CACHE_BUST=2026-05-19 RUN echo "apt cache bust: $APT_CACHE_BUST" \ && apt-get update && apt-get upgrade -y && apt-get install -y \ - protobuf-compiler git python3 python3-venv wget build-essential openssl jq \ - libngtcp2-16=1.11.0-1+deb13u1 \ - libngtcp2-crypto-gnutls8=1.11.0-1+deb13u1 \ - libnghttp2-14=1.64.0-1.1+deb13u1 + protobuf-compiler git python3 python3-venv wget build-essential openssl jq # Install NodeJS and Snyk Broker ENV NODE_VERSION=20
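Review bot: In the PATCH 1/3 hunk adding `ARG APT_CACHE_BUST=2026-05-19`, the comment should say that the value is also a build argument, so CI can refresh the layer without a PR (for example `docker buildx build --build-arg APT_CACHE_BUST=$(date +%F) ...` on the scheduled job), and that any build which does not change the value keeps serving the stale layer, since the default is a manual signal rather than a time-based one. The `RUN echo "apt cache bust: $APT_CACHE_BUST"` reference is what puts the ARG into the cache key, which is worth stating explicitly in the comment so a later cleanup does not remove the echo as dead code and silently lose the invalidation.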
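Review bot: In the PATCH 2/3 hunk bumping `SNYK_BROKER_VERSION` to `v1.0.14-axon`, the surrounding context lines show two unpinned fetches that undercut the CVE fix this commit is making: `RUN wget -q -O - https://deb.nodesource.com/setup_${NODE_VERSION}.x | bash -` runs a remote script with no integrity check, and `RUN npm install --global npm@latest typescript@4.9.3` floats `npm` to whatever is current at build time. Consider pinning the NodeSource script to a checksum or a fixed release and pinning `npm` to an explicit version, and since the commit message relies on a manual check that `ws` resolved to 8.20.1, adding a build step such as `npm ls ws` after the broker install would make that check repeatable on every build.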
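Review bot: In the PATCH 3/3 hunk removing the `libngtcp2-16`, `libngtcp2-crypto-gnutls8` and `libnghttp2-14` pins, `ARG APT_CACHE_BUST=2026-05-19` is left at the value from two days earlier even though this commit itself rebuilds the apt layer (the Dockerfile text changes); bumping the default to the commit date would keep the value an accurate record of the last forced refresh, which is the only thing it now signals. With the pins gone, the patched versions of these packages are obtained only by `apt-get upgrade -y` at rebuild time, so the CVE state of `:main` depends on someone bumping the ARG after each Debian point release; the trivy-pr scan named in the commit message catches a regression on this PR but not on later builds that hit the cache, which argues for the scheduled job passing a fresh build-arg rather than relying on the default.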