From c93d34746a359e25ea146229e4f0a45859aeb014 Mon Sep 17 00:00:00 2001
From: jeremypetit-grtgaz <56118973+jeremypetit-grtgaz@users.noreply.github.com>
Date: Tue, 5 Sep 2023 13:04:08 +0200
Subject: [PATCH 1/2] fix(security): Critical CVEs in terraform and terraform-provider-azurerm

fixes CRITICAL CVEs identified with trivy:
in root/.terraform.d/plugins/linux_amd64/terraform-provider-azurerm_v2.95.0_x5
- CVE-2022-26945 (github.com/hashicorp/go-getter)
in usr/bin/terraform:
- CVE-2021-4238 (github.com/Masterminds/goutils)
- CVE-2022-26945 (github.com/hashicorp/go-getter)
---
 Dockerfile | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index c63a80ed6dc..ce15d04637d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -44,16 +44,16 @@ Run apk update --no-cache \
  git~=2.40
 
 # Install Terraform and Terraform plugins
-RUN wget https://releases.hashicorp.com/terraform/1.3.9/terraform_1.3.9_linux_amd64.zip \
- && unzip terraform_1.3.9_linux_amd64.zip && rm terraform_1.3.9_linux_amd64.zip \
+RUN wget https://releases.hashicorp.com/terraform/1.5.6/terraform_1.5.6_linux_amd64.zip \
+ && unzip terraform_1.5.6_linux_amd64.zip && rm terraform_1.5.6_linux_amd64.zip \
  && mv terraform /usr/bin/terraform \
- && wget https://releases.hashicorp.com/terraform-provider-azurerm/3.18.0/terraform-provider-azurerm_3.18.0_linux_amd64.zip \
+ && wget https://releases.hashicorp.com/terraform-provider-azurerm/3.71.0/terraform-provider-azurerm_3.71.0_linux_amd64.zip \
  && wget https://releases.hashicorp.com/terraform-provider-aws/3.72.0/terraform-provider-aws_3.72.0_linux_amd64.zip \
  && wget https://releases.hashicorp.com/terraform-provider-google/4.32.0/terraform-provider-google_4.32.0_linux_amd64.zip \
- && unzip terraform-provider-azurerm_3.18.0_linux_amd64.zip && rm terraform-provider-azurerm_3.18.0_linux_amd64.zip\
+ && unzip terraform-provider-azurerm_3.71.0_linux_amd64.zip && rm terraform-provider-azurerm_3.71.0_linux_amd64.zip\
  && unzip terraform-provider-google_4.32.0_linux_amd64.zip && rm terraform-provider-google_4.32.0_linux_amd64.zip \
  && unzip terraform-provider-aws_3.72.0_linux_amd64.zip && rm terraform-provider-aws_3.72.0_linux_amd64.zip \
- && mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 terraform-provider-google_v4.32.0_x5 terraform-provider-azurerm_v3.18.0_x5 ~/.terraform.d/plugins/linux_amd64
+ && mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 terraform-provider-google_v4.32.0_x5 terraform-provider-azurerm_v3.71.0_x5 ~/.terraform.d/plugins/linux_amd64
 
 # Install Terraformer
 RUN wget https://github.com/GoogleCloudPlatform/terraformer/releases/download/0.8.22/terraformer-all-linux-amd64 \

From 541375d33080b37de2581d2102ae1b9c2073bbb3 Mon Sep 17 00:00:00 2001
From: jeremypetit-grtgaz <56118973+jeremypetit-grtgaz@users.noreply.github.com>
Date: Fri, 15 Sep 2023 18:02:30 +0200
Subject: [PATCH 2/2] fix: bump terraformer from 0.8.22 to 0.8.24

fixes critical vulnerabilities on terraformer
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index ce15d04637d..b79e429be81 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -56,7 +56,7 @@ RUN wget https://releases.hashicorp.com/terraform/1.5.6/terraform_1.5.6_linux_am
  && mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 terraform-provider-google_v4.32.0_x5 terraform-provider-azurerm_v3.71.0_x5 ~/.terraform.d/plugins/linux_amd64
 
 # Install Terraformer
-RUN wget https://github.com/GoogleCloudPlatform/terraformer/releases/download/0.8.22/terraformer-all-linux-amd64 \
+RUN wget https://github.com/GoogleCloudPlatform/terraformer/releases/download/0.8.24/terraformer-all-linux-amd64 \
  && chmod +x terraformer-all-linux-amd64 \
  && mv terraformer-all-linux-amd64 /usr/bin/terraformer
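Review bot: The bumped `wget` lines in this hunk (and the terraformer download in the second patch's hunk) still install binaries without any integrity check, so the image trusts whatever the release host or an intercepting proxy serves, and the CVE bump does nothing against a tampered download. HashiCorp publishes a `terraform_1.5.6_SHA256SUMS` file (with a detached `.sig`) next to each archive, so after the download add `&& wget https://releases.hashicorp.com/terraform/1.5.6/terraform_1.5.6_SHA256SUMS \` and `&& grep terraform_1.5.6_linux_amd64.zip terraform_1.5.6_SHA256SUMS | sha256sum -c - \`, and do the same for the provider archives using their own `_SHA256SUMS` files. For the terraformer binary, which comes from a GitHub release, pin the expected digest in the Dockerfile, e.g. `&& echo '<EXPECTED_SHA256>  terraformer-all-linux-amd64' | sha256sum -c - \` with the placeholder replaced by the value taken from the release page. Separately, the commit message attributes the azurerm finding to `terraform-provider-azurerm_v2.95.0_x5` while the hunk replaces 3.18.0; presumably the scanned image was built from an older Dockerfile, so the rebuilt image should be rescanned to confirm the listed CVEs are actually gone.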