build: update base images, dependencies, and security patches for faster and safer builds #225
Merged
…for security

**Added:**
- Added `aiohttp>=3.13.4` and `cryptography>=44.0.1` to base Python pip packages for all agents in Ansible role defaults and documentation
- Added task to upgrade `pycryptodome` in the impacket virtualenv to `>=3.19.1` as a CVE fix (GHSA-j225-cvw7-qrx7) in credential access tools

**Changed:**
- Updated multiple dependencies in `Cargo.lock` to newer versions for security and compatibility, including but not limited to:
  - `cryptography` bumped from `>=42.0.0` to `>=44.0.1`
  - `pyopenssl` bumped from `>=24` to `>=26.0.0`
  - Various Rust crates including `aws-lc-rs`, `aws-lc-sys`, `bitflags`, `cc`, `hashbrown`, `hyper-rustls`, `indexmap`, `itertools`, `js-sys`, `libc`, `libredox`, `rand`, `redox_syscall`, `rustls`, `rustls-webpki`, `tokio`, `typenum`, `wasip2`, `wasm-bindgen`, `web-sys`, `webpki-root-certs`, and several `windows-*` crates
- Updated dependency hashes to match the new versions
- Updated Ansible role documentation to reflect new pip package requirements
- Updated package installation and upgrade commands in the GPU cracker base image provisioner to include `apt-get upgrade -y` for improved security
- Updated all Warpgate agent templates to pin Docker base images by digest (`@sha256:`) for reproducibility and supply chain security
- Updated Kali Linux and NVIDIA CUDA base image references in agent templates to use pinned digests

**Removed:**
- Removed redundant or outdated references to previous dependency versions and image tags in templates and lock files
…ates

**Changed:**
- Updated mcp-grafana installation in all agent templates to download a specific release (v0.11.6) instead of using the 'latest' tag, ensuring consistent and reproducible builds across x86_64 and arm64 architectures
**Changed:**
- Updated all Molecule scenario configurations to use the `geerlingguy/docker-ubuntu2404-ansible:latest` image for consistency with latest LTS Ubuntu release and to ensure up-to-date test environments
- Modified pip upgrade task in base role to use `ansible.builtin.command` instead of `ansible.builtin.pip` for improved compatibility with newer pip versions and to address issues with system-managed Python environments
- Adjusted pip install extra arguments to use `--ignore-installed` for all Debian-family distributions instead of only Kali or when break-system-packages is required, improving reliability across supported platforms
- Updated base role README to reflect the use of `command` for pip upgrades instead of the deprecated `pip` module for this operation
Codecov Report: ✅ All modified and coverable lines are covered by tests.

```
@@ Coverage Diff @@
##           main     #225      +/-   ##
==========================================
+ Coverage   51.05%   51.06%   +0.01%
==========================================
  Files         374      374
  Lines       56688    56705      +17
==========================================
+ Hits        28941    28958      +17
  Misses      27747    27747
```
docs: clarify operation completion modes and forest root requirements

**Added:**
- Documented the three orchestrator completion modes (default, stop on domain admin, stop on golden ticket) and how they interact in `docs/red.md`
- Added detailed explanation on why child domain domination does not satisfy forest root requirements in both `docs/red.md` and `config/ares.yaml`
- Introduced new test verifying that dominating a child domain does not cover the forest root, and a test for direct forest root domination

**Changed:**
- Updated orchestrator logic to only consider a forest root dominated if that specific root domain is compromised, not just a child domain (`completion.rs`)
- Improved comments in `completion.rs` explaining the forest root dominance rule and its security rationale
- Enhanced configuration comments in `ares.yaml` to clarify mutual exclusivity and behavior of completion flags, with usage examples and documentation references
- Revised existing test to clarify intent and renamed it for accuracy regarding forest root domination semantics

**Removed:**
- Removed ambiguous comments in `ares.yaml` related to previous completion logic, consolidating all behavior under new clarified documentation
**Key Changes:**

`dev-deploy` Rust profile for faster iterative builds with optimized defaults

**Added:**
- `[profile.dev-deploy]` section in `Cargo.toml` for rapid Rust builds, enabling faster compile times and incremental builds suitable for development
- …CVEs and ensure the newest Python package installer is present
- …`net-imap`, `resolv`, `rexml`, `uri`, `zlib`) in lateral movement tooling to mitigate recent vulnerabilities
- `pycryptodome` in the Impacket virtual environment to fix CVE GHSA-j225-cvw7-qrx7 in credential access tools role

**Changed:**
- …deterministic builds, improved reproducibility, and security
- `mcp-grafana` download URLs to explicit version (`v0.11.6`) instead of `latest` for consistency
- …compatibility with newer base systems
- …`aiohttp`, `cryptography`, `requests`) to secure minimum versions in the base role
- …`cryptography`, `pyopenssl`) in coercion tools for improved security and compatibility
- `Cargo.lock` to latest patch versions for `aws-lc-rs`, `aws-lc-sys`, `bitflags`, `cc`, `hashbrown`, `hyper-rustls`, `indexmap`, `itertools`, `js-sys`, `libc`, `libredox`, `rand`, `redox_syscall`, `rustls`, `rustls-webpki`, `tokio`, `typenum`, `wasip2`, `wasm-bindgen*`, `webpki-root-certs`, `windows-sys`, and related Windows target crates
- …`Cross.toml`) now installs `mold` linker for faster linking, improving Rust build times in CI and local development
- …and auto-stripping for deploys; prefers `dev-deploy` profile for development
- …compilation, improving speed for both local and remote builds

**Removed:**
- …`latest`) in any build or deployment context—ensuring all images are immutable and auditable
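An added check in the spirit of the digest-pinning change described in this PR (example code, not from the PR or the project): it scans a Dockerfile's `FROM` lines and flags any base image that is not pinned with a full `@sha256:` digest, so a CI step can reject a floating tag such as `latest` before an image is built. The Dockerfile text, image tags and the digest below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the PR. Flags FROM lines whose base image is
# referenced by tag (or no tag) instead of a full @sha256:<64 hex> digest.

# Placeholder digest (64 hex zeros), constructed for the example; not a real image digest.
PLACEHOLDER_DIGEST='sha256:0000000000000000000000000000000000000000000000000000000000000000'

# Constructed sample Dockerfile: one digest-pinned stage, one floating tag
# behind a --platform flag, the special "scratch" image, and one untagged image.
SAMPLE_DOCKERFILE="FROM kalilinux/kali-rolling@${PLACEHOLDER_DIGEST} AS base
FROM --platform=linux/amd64 nvidia/cuda:12.4.1-devel-ubuntu22.04
FROM scratch
FROM alpine"

# unpinned_froms <dockerfile-text>
# Prints one line per FROM image reference that is not digest-pinned.
unpinned_froms() {
    printf '%s\n' "$1" | awk '
        toupper($1) == "FROM" {
            ref = $2
            # FROM may carry a --platform=... flag before the image reference.
            if (ref ~ /^--/) ref = $3
            # "scratch" is an empty pseudo-image with no registry content to pin.
            if (ref == "scratch") next
            # A pinned reference ends in @sha256: followed by exactly 64 hex chars
            # ("@sha256:" is 8 chars, so a full match has RLENGTH 72).
            if (match(ref, /@sha256:[0-9a-f]+$/) == 0 || RLENGTH != 72) print ref
        }'
}

# check_pinned <dockerfile-text>
# Returns 0 when every FROM line is digest-pinned, 1 otherwise.
check_pinned() {
    [ -z "$(unpinned_froms "$1")" ]
}

# For the constructed sample, the CUDA tag and the bare "alpine" are reported.
# Against a real file: check_pinned "$(cat Dockerfile)"
if ! check_pinned "$SAMPLE_DOCKERFILE"; then
    echo "unpinned base images:"
    unpinned_froms "$SAMPLE_DOCKERFILE"
fi
```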