cves: bump busybox to 1.37.0-r31, golang.org/x/net to v0.53.0#254
Conversation
Add Alpine edge/main repository to install busybox>=1.37.0-r31 which contains the fix for CVE-2025-60876 (MEDIUM). The fix is not yet backported to alpine:3.23 stable, so we pin busybox from the edge repository. Note: golang.org/x/net was already bumped to v0.53.0 in PR #253, fixing CVE-2026-33814.
There was a problem hiding this comment.
Pull request overview
Updates the SkyWalking Satellite Docker image to remediate reported CVEs by sourcing a patched BusyBox build from Alpine edge while keeping the runtime base on Alpine 3.23.
Changes:
- Adds the Alpine
edge/mainrepository (tagged@edge) to enable installing a patched BusyBox. - Installs
busybox@edge>=1.37.0-r31(and related packages) in the final image to address CVE-2025-60876.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| RUN echo '@edge https://dl-cdn.alpinelinux.org/alpine/edge/main' >> /etc/apk/repositories && \ | ||
| apk update --no-cache && \ | ||
| apk upgrade --no-cache && \ |
| RUN echo '@edge https://dl-cdn.alpinelinux.org/alpine/edge/main' >> /etc/apk/repositories && \ | ||
| apk update --no-cache && \ |
Address review feedback: - Use 'apk add --repository <edge>' instead of permanently adding edge to /etc/apk/repositories, keeping the runtime image closer to Alpine 3.23 stable - Install only targeted packages (ca-certificates, libssl3, libcrypto3, musl, busybox) instead of upgrading all packages via apk upgrade
kezhenxu94
left a comment
There was a problem hiding this comment.
Thank you for the review! Both points are well taken:
-
Transient edge repo: Replaced the permanent
/etc/apk/repositoriesappend withapk add --repository <edge-url>so the edge repository is only used for the targetedbusyboxinstallation and does not persist in the final image. -
No broad upgrade: Removed
apk upgradeentirely. Now only the specific packages needed are installed (ca-certificates,libssl3,libcrypto3,muslfrom stable Alpine 3.23, andbusybox/busybox-binsh/ssl_clientfrom edge).
Changes pushed in commit 111ffe0.
Summary
This PR fixes CVEs in the SkyWalking Satellite Docker image.
Changes
@edgeAlpine repository and explicitly installsbusybox>=1.37.0-r31from edge (the fix for CVE-2025-60876 is not yet backported to alpine:3.23 stable).Note:
CVE-2026-33814ingolang.org/x/netwas already fixed onmainby PR #253 which bumped to v0.53.0.CVE Scan Verification
Both CVEs were confirmed absent after the fix via trivy scan:
/cc @kezhenxu94