Skip to content

cves: bump busybox to 1.37.0-r31, golang.org/x/net to v0.53.0#254

Merged
kezhenxu94 merged 2 commits into
mainfrom
cves/bump-busybox-cve-2025-60876
May 18, 2026
Merged

cves: bump busybox to 1.37.0-r31, golang.org/x/net to v0.53.0#254
kezhenxu94 merged 2 commits into
mainfrom
cves/bump-busybox-cve-2025-60876

Conversation

@kezhenxu94

Copy link
Copy Markdown
Member

Summary

This PR fixes CVEs in the SkyWalking Satellite Docker image.

CVE Severity Package Fix
CVE-2025-60876 MEDIUM busybox Upgraded from 1.37.0-r30 to 1.37.0-r31 via Alpine edge/main repository
CVE-2026-33814 HIGH golang.org/x/net Already fixed in PR #253 (bumped to v0.53.0)

Changes

  • docker/Dockerfile: Added @edge Alpine repository and explicitly installs busybox>=1.37.0-r31 from edge (the fix for CVE-2025-60876 is not yet backported to alpine:3.23 stable).

Note: CVE-2026-33814 in golang.org/x/net was already fixed on main by PR #253 which bumped to v0.53.0.

CVE Scan Verification

Both CVEs were confirmed absent after the fix via trivy scan:

CVE ID Status
CVE-2025-60876 ABSENT ✓
CVE-2026-33814 ABSENT ✓

/cc @kezhenxu94

Add Alpine edge/main repository to install busybox>=1.37.0-r31 which
contains the fix for CVE-2025-60876 (MEDIUM). The fix is not yet
backported to alpine:3.23 stable, so we pin busybox from the edge
repository.

Note: golang.org/x/net was already bumped to v0.53.0 in PR #253,
fixing CVE-2026-33814.
Copilot AI review requested due to automatic review settings May 18, 2026 06:21

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the SkyWalking Satellite Docker image to remediate reported CVEs by sourcing a patched BusyBox build from Alpine edge while keeping the runtime base on Alpine 3.23.

Changes:

  • Adds the Alpine edge/main repository (tagged @edge) to enable installing a patched BusyBox.
  • Installs busybox@edge>=1.37.0-r31 (and related packages) in the final image to address CVE-2025-60876.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread docker/Dockerfile Outdated
Comment on lines 33 to 35
RUN echo '@edge https://dl-cdn.alpinelinux.org/alpine/edge/main' >> /etc/apk/repositories && \
apk update --no-cache && \
apk upgrade --no-cache && \
Comment thread docker/Dockerfile Outdated
Comment on lines +33 to +34
RUN echo '@edge https://dl-cdn.alpinelinux.org/alpine/edge/main' >> /etc/apk/repositories && \
apk update --no-cache && \
Address review feedback:
- Use 'apk add --repository <edge>' instead of permanently adding edge
  to /etc/apk/repositories, keeping the runtime image closer to Alpine 3.23 stable
- Install only targeted packages (ca-certificates, libssl3, libcrypto3,
  musl, busybox) instead of upgrading all packages via apk upgrade

@kezhenxu94 kezhenxu94 left a comment

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the review! Both points are well taken:

  1. Transient edge repo: Replaced the permanent /etc/apk/repositories append with apk add --repository <edge-url> so the edge repository is only used for the targeted busybox installation and does not persist in the final image.

  2. No broad upgrade: Removed apk upgrade entirely. Now only the specific packages needed are installed (ca-certificates, libssl3, libcrypto3, musl from stable Alpine 3.23, and busybox/busybox-binsh/ssl_client from edge).

Changes pushed in commit 111ffe0.

@kezhenxu94 kezhenxu94 merged commit 70f45bb into main May 18, 2026
19 checks passed
@kezhenxu94 kezhenxu94 deleted the cves/bump-busybox-cve-2025-60876 branch May 18, 2026 07:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants