
Conversation

@mlim19
Contributor

@mlim19 mlim19 commented Dec 16, 2025

Update the Alpine base image tag to 3.23.0 to address security vulnerabilities.
Set it explicitly to avoid an old version being used from cache.

Description

Related Issue

Motivation and Context

How Has This Been Tested?

Screenshots

Checklist:

  • I have read the CONTRIBUTING document.
  • I have updated the relevant documentation.
  • I have added tests for new logic.

Signed-off-by: Min Yeol Lim <min.yeol.lim@intel.com>
@mlim19 mlim19 requested a review from dkorlovs December 16, 2025 01:26
@mlim19 mlim19 marked this pull request as draft December 16, 2025 04:09
@dkorlovs dkorlovs force-pushed the mlim19_alpine_3.23.0 branch from 97eda45 to c6d6761 December 16, 2025 07:05
@dkorlovs dkorlovs force-pushed the mlim19_alpine_3.23.0 branch 3 times, most recently from a4aab41 to 7776308 December 17, 2025 04:49
@dkorlovs dkorlovs force-pushed the mlim19_alpine_3.23.0 branch from 7776308 to 7db5027 December 17, 2025 06:20
@mlim19 mlim19 marked this pull request as ready for review December 17, 2025 18:20
@skamerintel skamerintel self-requested a review December 17, 2025 21:38
@skamerintel skamerintel left a comment


PR #1010 Review: Incomplete Alpine 3.23.0 Security Update

CRITICAL ISSUE

The PR only updates container.Dockerfile to Alpine 3.23.0 but misses the executable build process, leaving security vulnerabilities unaddressed in the build environment.

KEY FINDING

The executable build process uses SHA-pinned variables instead of version tags:

  • container.Dockerfile: FROM alpine:3.23.0 ✅ (Updated)
  • executable.Dockerfile: FROM alpine${AP_BUILDER_ALPINE} ❌ (Still uses Alpine 3.14.2)

The ${AP_BUILDER_ALPINE} variable contains a SHA256 hash that resolves to Alpine 3.14.2, not 3.23.0.

HOW THE CORRECT SHA WAS DETERMINED

docker pull alpine:3.23.0
docker inspect alpine:3.23.0 | grep -A 1 RepoDigests

Returns: sha256:51183f2cfa6320055da30872f211093f9ff1d3cf06f39a0bdb212314c5dc7375

REQUIRED FIXES

Update these SHA variables to Alpine 3.23.0 (sha256:51183f2cfa6320055da30872f211093f9ff1d3cf06f39a0bdb212314c5dc7375):

  1. scripts/build_x86_64_executable.sh line 47:
    OLD: AP_BUILDER_ALPINE=@sha256:69704ef328d05a9f806b6b8502915e6a0a4faa4d72018dc42343f511490daf8a
    NEW: AP_BUILDER_ALPINE=@sha256:51183f2cfa6320055da30872f211093f9ff1d3cf06f39a0bdb212314c5dc7375

  2. scripts/build_aarch64_executable.sh line 39:
    OLD: ALPINE_VERSION=@sha256:b06a5cf61b2956088722c4f1b9a6f71dfe95f0b1fe285d44195452b8a1627de7
    NEW: ALPINE_VERSION=@sha256:51183f2cfa6320055da30872f211093f9ff1d3cf06f39a0bdb212314c5dc7375

IMPACT

Without these changes:

  • Build environment remains vulnerable to Alpine 3.14.2 CVEs
  • Inconsistent Alpine versions between build (3.14.2) and runtime (3.23.0)
  • Security update is only partially effective

@mlim19
Contributor Author

mlim19 commented Dec 17, 2025

I think this report is a false positive because the Alpine image used in executable.Dockerfile is only for internal build purposes and is not shipped when creating the gprofiler docker image. So the Alpine versions in executable.Dockerfile are irrelevant for runtime security scanning since they don't ship in the final image.

@skamerintel

Agree that Alpine 3.14 is only part of the build chain and doesn't affect runtime security, but it could impact build security (supply chain attacks). Lower priority to fix; ok to merge.
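
Added example, not code from this PR or from the gProfiler project: a POSIX shell audit that ties together the review's two points above, the digest pins in the build scripts and the supply-chain consequence of leaving them stale. Given the target digest the review quotes, it reports which digest-pinned Alpine references disagree with the runtime Dockerfile's tag and rewrites them without relying on `sed -i`. The file paths and variable names mirror those quoted in the review, but the files it operates on are constructed samples written to a temp directory. Resolving the tag to a digest still has to happen online; `docker buildx imagetools inspect alpine:3.23.0` prints the index digest along with the per-platform manifest digests beneath it, and pinning the index digest is what lets a single value serve both the x86_64 and aarch64 scripts.

```shell
#!/bin/sh
# Added example, not gProfiler code: audit and repin digest-pinned Alpine
# references so the build scripts agree with the runtime Dockerfile.
# Paths and variable names mirror those quoted in the review; the files this
# script touches are constructed samples written to a temp directory.
set -eu

# Digest of alpine:3.23.0 as quoted in the review. Resolve it online with
#   docker buildx imagetools inspect alpine:3.23.0
# which prints this index digest and the per-platform manifest digests under
# it; pinning the index digest lets one value serve both architectures.
TARGET_DIGEST='sha256:51183f2cfa6320055da30872f211093f9ff1d3cf06f39a0bdb212314c5dc7375'
TARGET_TAG='3.23.0'

# A well-formed digest is "sha256:" followed by exactly 64 lowercase hex digits.
is_valid_digest() {
    printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Print the digest a "VAR=@sha256:..." assignment pins in a build script
# (empty output if the variable is absent or not digest-pinned).
pinned_digest() {  # $1=script $2=variable name
    sed -n "s/^$2=@\(sha256:[0-9a-f]*\).*/\1/p" "$1" | head -n 1
}

# Print the tag of the first "FROM alpine:<tag>" line in a Dockerfile.
dockerfile_tag() {  # $1=Dockerfile
    sed -n 's/^FROM alpine:\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Count references that do not match the target: the digest-pinned variable
# in each of the two build scripts, plus the runtime Dockerfile's tag.
count_stale() {  # $1=repo root
    stale=0
    for spec in \
        'scripts/build_x86_64_executable.sh:AP_BUILDER_ALPINE' \
        'scripts/build_aarch64_executable.sh:ALPINE_VERSION'
    do
        got=$(pinned_digest "$1/${spec%%:*}" "${spec##*:}")
        [ "$got" = "$TARGET_DIGEST" ] || stale=$((stale + 1))
    done
    [ "$(dockerfile_tag "$1/container.Dockerfile")" = "$TARGET_TAG" ] || stale=$((stale + 1))
    echo "$stale"
}

# Rewrite a VAR=@sha256:... pin in place without the non-portable "sed -i";
# refuses malformed digests so a typo cannot silently break the build.
repin() {  # $1=script $2=variable name $3=new digest
    is_valid_digest "$3" || { echo "refusing malformed digest: $3" >&2; return 2; }
    tmp=$(mktemp)
    sed "s|^$2=@sha256:[0-9a-f]*|$2=@$3|" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample tree carrying the old pins quoted in the review and the
# already-updated runtime Dockerfile; prints its root directory.
make_samples() {
    root=$(mktemp -d)
    mkdir -p "$root/scripts"
    printf '%s\n' '#!/bin/sh' \
        'AP_BUILDER_ALPINE=@sha256:69704ef328d05a9f806b6b8502915e6a0a4faa4d72018dc42343f511490daf8a' \
        > "$root/scripts/build_x86_64_executable.sh"
    printf '%s\n' '#!/bin/sh' \
        'ALPINE_VERSION=@sha256:b06a5cf61b2956088722c4f1b9a6f71dfe95f0b1fe285d44195452b8a1627de7' \
        > "$root/scripts/build_aarch64_executable.sh"
    printf 'FROM alpine:%s\n' "$TARGET_TAG" > "$root/container.Dockerfile"
    echo "$root"
}

repo=$(make_samples)
echo "stale references before repin: $(count_stale "$repo")"
repin "$repo/scripts/build_x86_64_executable.sh" AP_BUILDER_ALPINE "$TARGET_DIGEST"
repin "$repo/scripts/build_aarch64_executable.sh" ALPINE_VERSION "$TARGET_DIGEST"
echo "stale references after repin:  $(count_stale "$repo")"
rm -rf "$repo"
```

Run against a real checkout by pointing `count_stale` at the repository root instead of the sample tree; a non-zero count is the condition a CI job would fail on, so a later bump of `container.Dockerfile` alone cannot be merged while the build scripts still pin an older base.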

@mlim19 mlim19 merged commit e18bb60 into master Dec 17, 2025
65 of 67 checks passed
@mlim19 mlim19 deleted the mlim19_alpine_3.23.0 branch December 17, 2025 23:21