I recently did a static code scan of the final Concourse BOSH release for 7.7.0 and came across several findings related to the resource types which are packed as root file system archives into the final BOSH release.
The findings were mostly about outdated Ubuntu packages (e.g. GNU C compiler, OpenSSL, git, Perl, Python, ...). My understanding is that these packages should be automatically updated to a more recent version during the Docker build (git-resource/dockerfiles/ubuntu/Dockerfile, line 5 at commit 6b4aba7):

```dockerfile
RUN apt update && apt upgrade -y -o Dpkg::Options::="--force-confdef"
```
By looking at the resource build pipeline for the git-resource, I see the pipeline was last triggered for release v1.14.5, last October. Although this pipeline is triggered daily, only development images are created and no final releases are published.
In order to have a more recent patch level of the underlying base images, it would make sense to more regularly publish a release for the git-resource image.
This issue goes into the direction of some of the Project cards you already have summarized here and here, but instead of pro-actively tracking vulnerabilities, my request would be to pro-actively update the used patch level regularly.
I open this issue in the git-resource repo because I guess it is the most widely used resource. However, the same applies for other resource types as well (essentially everything that is covered by the resource types CI pipeline).
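The issue above hinges on the fact that an `apt upgrade` at build time only pins the image to whatever patch level existed on the day the last release was cut. As an added example (not part of this issue, nor code from the git-resource or Concourse projects), the following shell script shows one way a release pipeline could gate on that: it runs `apt list --upgradable` inside a built image and fails when any package has a newer version available. The `gate_image`, `count_upgradable` and `list_upgradable` function names, the `IMAGE` variable and the sample apt output (including its package versions) are all constructed for this example.

```shell
#!/bin/sh
# Added example: fail a pipeline step when a built image's Ubuntu packages
# have fallen behind the archive. Not code from the git-resource project.

# count_upgradable: read `apt list --upgradable` output on stdin and print
# the number of packages with a newer version available. apt prints a
# "Listing..." header; only real entries contain "upgradable from".
count_upgradable() {
    grep -c 'upgradable from' || true
}

# list_upgradable: print "name current -> candidate" for each entry.
# Entry shape (constructed sample, same layout apt uses):
#   openssl/jammy-updates 3.0.2-0ubuntu1.12 amd64 [upgradable from: 3.0.2-0ubuntu1.10]
# Splitting on "/" or " " gives name=$1, candidate=$3, current=last field.
list_upgradable() {
    awk -F'[/ ]' '/upgradable from/ {
        cur = $NF; sub(/\]$/, "", cur)
        print $1, cur, "->", $3
    }'
}

# gate_image: exit 0 when nothing is upgradable, 1 otherwise. Reads the
# apt listing on stdin so it can be fed from a container or from a file.
gate_image() {
    n=$(count_upgradable)
    [ "$n" -eq 0 ]
}

# Constructed sample output (versions are made up for the example).
SAMPLE_APT_OUTPUT='Listing...
git/jammy-updates,jammy-security 1:2.34.1-1ubuntu1.10 amd64 [upgradable from: 1:2.34.1-1ubuntu1.9]
openssl/jammy-updates,jammy-security 3.0.2-0ubuntu1.12 amd64 [upgradable from: 3.0.2-0ubuntu1.10]
perl/jammy-updates,jammy-security 5.34.0-3ubuntu1.3 amd64 [upgradable from: 5.34.0-3ubuntu1.2]'

# Usage in a pipeline: IMAGE=registry/git-resource:candidate sh gate.sh
# With IMAGE unset the script demonstrates the gate on the sample above.
if [ -n "${IMAGE:-}" ]; then
    # Refresh the index inside the image, then list what is behind.
    listing=$(docker run --rm "$IMAGE" sh -c \
        'apt-get update -qq >/dev/null 2>&1 && apt list --upgradable 2>/dev/null')
else
    listing=$SAMPLE_APT_OUTPUT
fi

if printf '%s\n' "$listing" | gate_image; then
    echo "image is at current patch level"
else
    echo "image has upgradable packages:"
    printf '%s\n' "$listing" | list_upgradable
fi
```

Wiring `gate_image` into the daily resource-types pipeline (after the image build, before any release step) turns "the base image has aged" from something a downstream scanner reports months later into a failing job that prompts a new release.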