fix: fixes docker build and trivy scan

There is a transitiv dependency on frozenlist, which updated their package for python 3.11, but didn't add the package to pypi wheels. Thus, building on python >= 3.11 fails the whole docker building process ([issue](aio-libs/frozenlist#342)). Switching to python 3.10. Secondly, there are two more vulnerabilities due to cosign, which cannot be fixed on our side. Ignore listing them until cosign publishes a new version.
sse-secure-systems · Nov 3, 2022 · 3551bf4 · 3551bf4
1 parent da020e7
commit 3551bf4
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 9 deletions.
diff --git a/.github/workflows/cicd.yaml b/.github/workflows/cicd.yaml
@@ -67,7 +67,7 @@ jobs:
   pylint:
     runs-on: ubuntu-latest
     container:
-      image: python:alpine
+      image: python:3.10-alpine
     steps:
       - uses: actions/checkout@v3
       - name: Install packages
@@ -79,7 +79,7 @@ jobs:
   pytest:
     runs-on: ubuntu-latest
     container:
-      image: python:slim
+      image: python:3.10-slim
     steps:
       - uses: actions/checkout@v3
       - name: Install packages
@@ -116,7 +116,7 @@ jobs:
   safety:
     runs-on: ubuntu-latest
     container:
-      image: python:slim
+      image: python:3.10-slim
     env:
       YARL_NO_EXTENSIONS: 1
       MULTIDICT_NO_EXTENSIONS: 1

diff --git a/.trivyignore b/.trivyignore
@@ -1,3 +1,2 @@
-CVE-2022-23628
-CVE-2022-28946
-CVE-2022-28948
+CVE-2022-32149
+GHSA-69ch-w2m2-3vjp
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3-alpine as base
+FROM python:3.10-alpine as base
 
 # Build dependencies
 FROM base as builder

diff --git a/helm/Chart.yaml b/helm/Chart.yaml
@@ -3,7 +3,7 @@ name: connaisseur
 description: Helm chart for Connaisseur - a Kubernetes admission controller to integrate container image signature verification and trust pinning into a cluster.
 type: application
 version: 1.4.4
-appVersion: 2.6.4
+appVersion: 2.6.5
 keywords:
   - container image
   - signature

diff --git a/helm/values.yaml b/helm/values.yaml
@@ -1,7 +1,7 @@
 # configure Connaisseur deployment
 deployment:
   replicasCount: 3
-  image: securesystemsengineering/connaisseur:v2.6.4
+  image: securesystemsengineering/connaisseur:v2.6.5
   imagePullPolicy: IfNotPresent
   # imagePullSecrets contains an optional list of Kubernetes Secrets, in Connaisseur namespace,
   # that are needed to access the registry containing Connaisseur image.