lerko
32982228b0
## Summary - Upgrade `golang.org/x/net` v0.54.0 → v0.55.0 — patches 6 CVEs including critical CVE-2026-41589 (CVSS 9.6) - Remove `openssh-client` from Docker image — unused (uptop uses pure Go SSH), eliminates 4 CVEs - Add `apk upgrade` to Dockerfile for remaining Alpine package CVEs ## CVEs Resolved | CVE | Severity | Package | Fix | |-----|----------|---------|-----| | CVE-2026-41589 | 9.6 Critical | golang.org/x/net | upgraded to v0.55.0 | | CVE-2025-60876 | 6.5 Medium | golang.org/x/net | upgraded to v0.55.0 | | CVE-2026-42502 | 6.1 Medium | golang.org/x/net | upgraded to v0.55.0 | | CVE-2026-42506 | 6.1 Medium | golang.org/x/net | upgraded to v0.55.0 | | CVE-2026-25681 | 6.1 Medium | golang.org/x/net | upgraded to v0.55.0 | | CVE-2026-35414 | 6.1 Medium | golang.org/x/net | upgraded to v0.55.0 | | CVE-2026-25680 | 7.5 High | alpine/openssh | removed openssh-client | | CVE-2026-35386 | 3.6 Low | alpine/openssh | removed openssh-client | | CVE-2026-35387 | 3.1 Low | alpine/openssh | removed openssh-client | | CVE-2026-35388 | 2.5 Low | alpine/openssh | removed openssh-client | | CVE-2026-27136 | 6.5 Medium | alpine/busybox | apk upgrade | ## Not Addressed (not exploitable) CVE-2026-35385 (charmbracelet/wish v1.4.7, CVSS 9.6) — path traversal in wish's SCP middleware. uptop does not use the SCP middleware, only wish core + bubbletea middleware. Vulnerable code path is never loaded. Migration to wish v2 tracked in #42. ## Test Plan - [x] `go build ./...` passes - [x] `go test ./...` passes - [ ] Rebuild Docker image, re-scan with Docker Scout Reviewed-on: #41
34 lines
985 B
Docker
34 lines
985 B
Docker
# --- Stage 1: Builder ---
|
|
FROM golang:1.26-alpine3.23 AS builder
|
|
RUN apk add --no-cache gcc musl-dev
|
|
WORKDIR /app
|
|
COPY go.mod go.sum ./
|
|
RUN --mount=type=cache,target=/go/pkg/mod \
|
|
go mod download
|
|
COPY . .
|
|
ENV CGO_ENABLED=1
|
|
ARG VERSION=dev
|
|
ARG COMMIT=none
|
|
ARG BUILD_DATE=unknown
|
|
RUN --mount=type=cache,target=/go/pkg/mod \
|
|
--mount=type=cache,target=/root/.cache/go-build \
|
|
go build -trimpath -ldflags="-s -w -X main.version=${VERSION} -X main.commit=${COMMIT} -X main.date=${BUILD_DATE}" -o uptop ./cmd/uptop/main.go
|
|
|
|
# --- Stage 2: Runner ---
|
|
FROM alpine:3.23
|
|
WORKDIR /app
|
|
RUN apk add --no-cache ca-certificates && apk upgrade --no-cache
|
|
RUN mkdir /data
|
|
|
|
COPY --from=builder /app/uptop .
|
|
|
|
# Set Default Configuration via ENV
|
|
# Docker users can override these in docker-compose.yml
|
|
ENV LIPGLOSS_RENDERER_HAS_DARK_BACKGROUND=true
|
|
ENV UPTOP_DB_TYPE=sqlite
|
|
ENV UPTOP_DB_DSN=/data/uptop.db
|
|
ENV UPTOP_KEYS=/data/authorized_keys
|
|
ENV UPTOP_PORT=23234
|
|
|
|
EXPOSE 23234
|
|
CMD ["./uptop"] |