chore(deps): bump nginx image from 1.27.0 to 1.27.2

navalBhagat commented 1 month ago

Description

This change upgrades the Dockerfile to use nginx:1.27.2-alpine.
RUN apk upgrade --no-cache was added to make sure all the patched packages used by alpine are pulled in.

Motivation and Context

This change upgrades the base nginx image since it uses the newer version of alpine with security vulnerability fixes. This was reported in issue #10151.

How Has This Been Tested?

I updated the workflow action: Security Scan for docker image to build the image in the CI pipeline and run trivy on this locally-built image. The failing build (see old screenshot below) was fixed with no vulnerabilities.

I undid the workflow changes. But here is the workflow I used to verify that this upgrades fixes the security vulnerability.

name: Security scan for docker image

on:
  workflow_dispatch:
  schedule:
    - cron:  '30 4 * * *'

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code 
        uses: actions/checkout@v4
      - name: Build docker image 
        run: docker build -t swagger-ui:unstable .
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'swagger-ui:unstable'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

The new screenshot below shows the fixed version of the security scan using this new image. (Upgrade to alpine 3.20)

Screenshots (if appropriate):

Old:

New:

Checklist

My PR contains...

[x] No code changes (src/ is unmodified: changes to documentation, CI, metadata, etc.)
[ ] Dependency changes (any modification to dependencies in package.json)
[ ] Bug fixes (non-breaking change which fixes an issue)
[ ] Improvements (misc. changes to existing features)
[ ] Features (non-breaking change which adds functionality)

My changes...

[ ] are breaking changes to a public API (config options, System API, major UI change, etc).
[ ] are breaking changes to a private API (Redux, component props, utility functions, etc.).
[ ] are breaking changes to a developer API (npm script behavior changes, new dev system dependencies, etc).
[x] are not breaking changes.

Documentation

[x] My changes do not require a change to the project documentation.
[ ] My changes require a change to the project documentation.
[ ] If yes to above: I have updated the documentation accordingly.

Automated tests

[x] My changes can not or do not need to be tested.
[ ] My changes can and should be tested by unit and/or integration tests.
[ ] If yes to above: I have added tests to cover my changes.
[ ] If yes to above: I have taken care to cover edge cases in my tests.
[x] All new and existing tests passed.

sahilpatil2997 commented 1 month ago

Hey @navalBhagat, kind of confused because @swagger-bot merged this PR #10163, last week, but I couldn't find the newer image in the docker hub, is the newer image created and pushed to docker or the image is not pushed yet?

navalBhagat commented 3 weeks ago

Hi @sahilpatil2997
Sorry for the delay. I think it needs to be force upgraded, and I only think the issue will be fixed once the latest version of swagger's image is pushed to docker hub because the current check is done based on the image pulled from docker hub.

If you approve this, I'll merge it, but I'm not sure how the pushing of the image to Docker Hub works?

navalBhagat commented 2 weeks ago

I'm unable to merge. I still see this:

sahilpatil2997 commented 2 weeks ago

I'm unable to merge. I still see this:

I think one of the maintainer should approve this PR

char0n commented 2 weeks ago

Closing this in favor of https://github.com/swagger-api/swagger-ui/pull/10192.

The base image is already updated on master branch. Unfortunately we'll also not going to go for full apk upgrade --no-cache change. Adding apk upgrade is generally avoided for the sake of stability and reproducibility.

Thank you for your effort here!

sahilpatil2997 commented 2 weeks ago

Hey @char0n, I did pull the latest image from the docker hub but still the image is using an older version of NGINX image, can you please look into it?

char0n commented 2 weeks ago

@sahilpatil2997 https://hub.docker.com/layers/swaggerapi/swagger-ui/v5.18.1/images/sha256-ae37cdb99e6440c29c693a39770b6e87dffb6651c7766565f2922ef06b549e93?context=explore

swagger-api / swagger-ui