|
|
@@ -11,7 +11,7 @@
|
|
|
>
|
|
|
> Each finding is referenced as **F<N>** for later citation.
|
|
|
>
|
|
|
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (12 fixed, 15 open), 42 sev-1.
|
|
|
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (13 fixed, 14 open), 42 sev-1.
|
|
|
|
|
|
---
|
|
|
|
|
|
@@ -788,6 +788,23 @@
|
|
|
`/internal/jobs/*`. Pin the base image digest and the apk versions
|
|
|
or build a real image.
|
|
|
- **Severity: 2**
|
|
|
+- **Status:** Fixed. Replaced the inline `image: alpine:3` + runtime
|
|
|
+ `apk add` with a real build context at `scheduler/`. The new
|
|
|
+ `scheduler/Dockerfile` pins `FROM alpine:3.21@sha256:48b0309c…`
|
|
|
+ and installs `curl=8.14.1-r2`, `tini=0.19.0-r3`,
|
|
|
+ `ca-certificates=20260413-r0` at build time; restarts now reuse
|
|
|
+ the locally-built image with no network fetch. The crontab
|
|
|
+ (`scheduler/scheduler.crontab`) is baked into the image, which
|
|
|
+ also removes the previously dangling `./docker/scheduler.crontab`
|
|
|
+ bind-mount path. The compose service runs `read_only: true` with
|
|
|
+ `no-new-privileges:true` and only `/run` + `/tmp` tmpfs mounts;
|
|
|
+ `cap_drop: [ALL]` was tested and rejected because busybox crond
|
|
|
+ calls `initgroups()` before each fork and dies with
|
|
|
+ "can't set groups" without `CAP_SETGID`. Verified end-to-end:
|
|
|
+ `docker compose -f docker-compose.yml -f compose.scheduler.yml
|
|
|
+ up -d` brings the sidecar up healthy and within one minute the
|
|
|
+ api responds `{"job":"tick","status":"success",...}` to the
|
|
|
+ scheduled curl.
|
|
|
|
|
|
### F23 — `jumbojett/openid-connect-php ^1.x` constraint pins a major with historical CVEs
|
|
|
- **File:** `ui/composer.json:19`
|
chiappa