fix: remove pebble from image to eliminate Go 1.26.2 stdlib CVEs #36
Merged
pebble (Canonical's container init system) is shipped in ubuntu:26.04 but is not used here — CMD is make all. Five newly-published HIGH CVEs in Go 1.26.2 stdlib (DNS, HTTP/2, email parsing; fixed in Go 1.26.3) are carried into the image solely via this binary. Removing pebble eliminates the vulnerability surface rather than suppressing it in .trivyignore.
apt-get remove fails with 'Unable to locate package pebble' because ubuntu:26.04 ships the pebble binary directly into the image layer rather than installing it via apt. Switch to a direct rm -f.
Summary
Removes pebble from the Docker image to eliminate five Go 1.26.2 stdlib CVEs detected by Trivy. Unblocks Dependabot PRs #34 and #35.
Motivation
Five HIGH-severity CVEs in Go stdlib (fixed in Go 1.26.3) were published this week. Trivy now detects them via `usr/bin/pebble` (Canonical's container init system shipped in `ubuntu:26.04`), causing the Trivy step to fail on every CI run, including the open Dependabot PRs. Pebble is not used in this image (`CMD` is `make all`). Removing it eliminates the vulnerability surface entirely rather than suppressing CVEs in `.trivyignore`.

CVEs resolved: CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39836, CVE-2026-42499.
Changes
Dockerfile: add `RUN apt-get remove -y --purge pebble` layer immediately after the apt-retry setup, before any other apt installs
Test plan
- `make validate` passes locally
- `make build` produces a valid PDF
- `make all` completes without error
- `pre-commit run --all-files` passes
- `make docker-run`)
Notes for reviewers
After this merges, comment `@dependabot rebase` on PRs #34 and #35 to rebase them on the fixed master. Both PRs only bump GitHub Actions versions and will be clean once the Trivy step passes.
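The follow-up commit on this PR notes that `apt-get remove pebble` fails on `ubuntu:26.04` because the binary is dropped straight into the image layer rather than installed as a package, so a plain `rm -f` is needed. The helper below is an added example, not code from this PR or from the project: it generalises that decision by asking `dpkg -S` whether the file has an owning package before choosing between `apt-get remove --purge` and `rm -f`, and returns non-zero if the file is still present afterwards. The script name and the `RUN` line in the comment are hypothetical; it assumes it runs as root inside the build, which is the normal case for a `RUN` step.

```shell
#!/bin/sh
# Added example (not from the PR): remove a binary that the base image ships
# as a plain file in a layer. Intended to run as root inside a Dockerfile RUN.
# Assumption (from the PR's second commit): on ubuntu:26.04, pebble is such a
# file, so `apt-get remove pebble` says "Unable to locate package" and a plain
# rm is required.
set -eu

# remove_shipped_binary PATH
# If dpkg records an owning package for PATH, purge that package so the
# package database stays consistent with the filesystem; otherwise delete
# the file directly. Succeeds only if PATH is absent when done.
remove_shipped_binary() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "$path: already absent"
        return 0
    fi
    owner=""
    if command -v dpkg >/dev/null 2>&1; then
        # dpkg -S prints "pkg: /path" on stdout for a hit and only an error
        # on stderr (exit 1) when no package owns the path.
        owner=$(dpkg -S "$path" 2>/dev/null | head -n1 | cut -d: -f1)
    fi
    if [ -n "$owner" ]; then
        echo "$path is owned by package $owner; purging it"
        apt-get remove -y --purge "$owner"
    else
        echo "$path is not owned by any package; deleting the file"
        rm -f "$path"
    fi
    # Final check: the vulnerable binary must be gone from this layer.
    [ ! -e "$path" ]
}

# Hypothetical Dockerfile usage:
#   RUN sh /tmp/remove_shipped_binary.sh /usr/bin/pebble
if [ "$#" -gt 0 ]; then
    remove_shipped_binary "$1"
fi
```

Because the check at the end of the function fails the `RUN` step when the file survives, a base-image change that starts shipping pebble through apt (or under another path) breaks the build instead of silently reintroducing the scanner findings.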