Clear Trivy: APT_CACHE_BUST + snyk-broker v1.0.14-axon + drop hard pins#104

Open
ashiramin wants to merge 3 commits into
mainfrom
aa/fix-vulns-20260518-221951

@ashiramin ashiramin commented May 19, 2026

Clears every finding from the May 18 `:main` Trivy scan — 11 OS-package CVEs + 1 Node-package CVE — removes the cache-staleness root cause that's been recurring since #99, and retires the per-CVE hard pins as redundant.

Changes

  1. docker/Dockerfile: add ARG APT_CACHE_BUST=2026-05-19 referenced inside the apt RUN. Buildx folds ARG values into the layer cache key, so bumping this value (a one-line PR) invalidates only the apt layer — Go build, npm install, snyk-broker clone keep hitting cache. Future Trivy failures from stale OS packages become a one-line refresh PR.

  2. docker/Dockerfile: bump SNYK_BROKER_VERSION v1.0.13-axon → v1.0.14-axon to pull snyk-broker#23 ("fix(deps): bump ws to ~8.20.1 (CVE-2026-45736)"), which top-level-overrides `ws → ~8.20.1` to address CVE-2026-45736.

  3. docker/Dockerfile: remove libngtcp2-16, libngtcp2-crypto-gnutls8, libnghttp2-14 hard pins. With APT_CACHE_BUST driving cache invalidation explicitly, `apt-get upgrade -y` pulls the current patched versions transitively via wget → libcurl3-gnutls without needing explicit pins. Keeping the pins would also block apt from picking up future point releases and would eventually break the build when those specific versions age out of the archive. The trivy-pr scan on this PR validates that removing them doesn't regress CVE-2026-40170 or CVE-2026-27135.

Why this is the right shape (and what we ruled out)

Three approaches were considered for the OS-package side:

| Approach | Verdict |
|---|---|
| Hard-pin each flagged package | Treadmill — #99/#102 already showed this recurs ~weekly. PR #99's own trade-off section flagged a cleaner fix as deferred work. |
| Empty-commit PR | Tested in #105 — `build` log showed `#16 CACHED` on the apt RUN; trivy-pr still reported the same packages plus more. An unchanged Dockerfile does not bust the cache. |
| Remove buildx cache entirely | Works (matches brain-backend/brain-app convention), but costs ~5 min per PR build. |
| APT_CACHE_BUST ARG (chosen) | Surgical — only the apt layer invalidates on bump. Cache benefits preserved for everything else. Same effect Shawn proposed in slack ("increment a variable at a lower layer"). |

Local `docker buildx build --no-cache` (with the previous pinned variant) + `trivy image`: 0 HIGH/CRITICAL fixable findings. After this PR's pin removal, the same outcome is validated by the PR's `trivy-pr` job — see CI results.

Today's findings cleared

| Finding | Cleared by |
|---|---|
| python3.13, python3.13-minimal, python3.13-venv | APT_CACHE_BUST |
| libpython3.13-stdlib, libpython3.13-minimal | APT_CACHE_BUST |
| openssh-client | APT_CACHE_BUST |
| libsystemd0, libudev1 | APT_CACHE_BUST |
| jq, libjq1 | APT_CACHE_BUST |
| libcap2 | APT_CACHE_BUST |
| ws (snyk-broker node_modules) | snyk-broker v1.0.14-axon |

Future workflow

When the daily Trivy scan flags fresh OS-package CVEs:

  1. Open a one-line PR bumping `APT_CACHE_BUST` to today's date.
  2. PR's `build` job rebuilds the apt layer; `trivy-pr` validates the fresh image.
  3. Green `trivy-pr` ⇒ merge ⇒ post-merge `:main` build is also fresh ⇒ next scheduled scan passes.

Hard pins become a last-resort tool for the rare case where `apt-get upgrade` doesn't pull a patched version even with a fresh layer (none today).

Test plan

  • PR's `build` job log shows the apt RUN is not `CACHED` (contrast with #105, "test: empty commit to validate buildx cache behavior", where it was)
  • `trivy-pr` on this PR reports 0 HIGH/CRITICAL findings
  • After merge, daily `:main` scan passes
  • Cut a release tag from main HEAD; tag image is fresh

Related

🤖 Generated with Claude Code
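The ARG cache-bust pattern the PR describes, as an added example (not the PR's own docker/Dockerfile; the base image and the packages installed are assumptions):

```dockerfile
# Added example of the APT_CACHE_BUST pattern; base image is an assumption.
FROM debian:trixie-slim

# Bump this value (a one-line PR, e.g. today's date) to invalidate only the
# apt layer below. Buildx folds the ARG value into the cache key of the first
# instruction that uses it, so layers that do not reference it still hit cache.
ARG APT_CACHE_BUST=2026-05-19

# The ARG must be referenced inside the RUN: an ARG that is declared but never
# used does not change this layer's cache key, and an unchanged RUN line is
# served from cache, so `apt-get update` never re-fetches the archive index.
# No per-package version pins here: `apt-get upgrade -y` pulls whatever the
# archive currently ships, including transitive deps such as libcurl3-gnutls.
RUN echo "apt cache bust: ${APT_CACHE_BUST}" \
    && apt-get update \
    && apt-get upgrade -y \
    && apt-get install -y --no-install-recommends wget ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# Later layers (Go build, npm install, etc.) do not reference APT_CACHE_BUST
# and keep hitting cache across bumps; a placeholder stands in for them here.
RUN echo "later layers unaffected by the bump"
```

Editing the default in the Dockerfile, as the PR does, is what forces the rebuild in CI; for a local check, `docker buildx build --build-arg APT_CACHE_BUST=$(date +%F) .` has the same effect without touching the file.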

When the scheduled Trivy scan flags OS-package CVEs on :main, the underlying
cause is that buildx's layer cache for the apt RUN hashes only on the
Dockerfile text — same text → same cached layer → `apt-get update` never
re-fetches from the archive even though the RUN explicitly calls it.

PRs #99 and #102 worked around this by pinning specific transitive packages
(libngtcp2, libnghttp2). The pin invalidated the cache as a side effect of
changing Dockerfile text, but locks the build to a single archive version
that ages out. PR #99 deferred a cleaner fix; this is that fix.

ARG APT_CACHE_BUST is declared right before the apt RUN and referenced
inside it. Buildx folds the ARG value into the layer's cache key, so bumping
the value (a one-line PR) invalidates only this layer — other layers (Go
build, npm install, snyk-broker clone) keep hitting cache as before.

Today's value (2026-05-19) also fixes today's failing :main scan: merging
this PR is itself an ARG bump, so the apt layer rebuilds, fresh packages
land, the next Trivy scan passes.
@ashiramin ashiramin force-pushed the aa/fix-vulns-20260518-221951 branch from 237498d to f68be9a on May 19, 2026 15:17
@ashiramin ashiramin changed the title from "Add refresh button to docker.yml so trivy scan failures are recoverable without pinning" to "Add APT_CACHE_BUST ARG so apt layer can be refreshed without pinning" on May 19, 2026
cortexapps/snyk-broker#23 promoted the `engine.io-client.ws` scoped override
to a top-level `ws` override so both engine.io and engine.io-client resolve
to the patched 8.20.1. The tag v1.0.14-axon carries that change.

Verified pre-merge by building a minimal node:20-slim image with the local
package files: ws resolves to 8.20.1 in node_modules; trivy image scan no
longer reports CVE-2026-45736.

Combined with the APT_CACHE_BUST in the prior commit, this clears every
finding from today's failing :main Trivy scan (11 OS packages + ws).
@ashiramin ashiramin changed the title from "Add APT_CACHE_BUST ARG so apt layer can be refreshed without pinning" to "Clear today's Trivy scan: APT_CACHE_BUST + snyk-broker v1.0.14-axon" on May 19, 2026
@ashiramin ashiramin marked this pull request as ready for review May 20, 2026 17:51
@ashiramin ashiramin requested review from keithfz and shawnburke May 20, 2026 17:51
…lace

The pins were added in #99/#102 because the buildx cache was serving stale
apt layers — explicit versions invalidated the cache as a side effect and
guaranteed the patched packages landed. With APT_CACHE_BUST now driving cache
invalidation explicitly, `apt-get upgrade -y` pulls the current patched
versions transitively via wget → libcurl3-gnutls, no pin required.

Keeping the pins past this point has a cost: they prevent apt from picking up
future Debian point releases (e.g. a hypothetical libnghttp2 deb13u2 patch),
and they break the build if the pinned version ages out of the archive. Now
that the cache mechanism is the actual fix, the pins are redundant belt-on-belt.

Validated by the trivy-pr scan on this PR — if removal regresses
CVE-2026-40170 or CVE-2026-27135, trivy-pr will flag it before merge.
@ashiramin ashiramin changed the title from "Clear today's Trivy scan: APT_CACHE_BUST + snyk-broker v1.0.14-axon" to "Clear Trivy: APT_CACHE_BUST + snyk-broker v1.0.14-axon + drop hard pins" on May 21, 2026