Replace busybox with internal copy binary and resolve CVEs.

Replace the busybox image. Bump Golang version to v1.20.3. Resolve CVEs. Signed-off-by: Xun Jiang <[email protected]>
vmware-tanzu · Apr 15, 2023 · d4ca602 · d4ca602
1 parent 2a00655
commit d4ca602
Show file tree

Hide file tree

Showing 7 changed files with 147 additions and 34 deletions.
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -10,7 +10,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v2
       with:
-        go-version: 1.18.10
+        go-version: 1.20.3
       id: go
 
     - name: Check out the code

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -18,7 +18,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v2
       with:
-        go-version: 1.18.10
+        go-version: 1.20.3
       id: go
 
     - name: Check out code into the Go module directory

diff --git a/Dockerfile b/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM --platform=$BUILDPLATFORM golang:1.18.10-bullseye AS build
+FROM --platform=$BUILDPLATFORM golang:1.20.3-bullseye AS build
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -25,12 +25,11 @@ ENV GOOS=${TARGETOS} \
 COPY . /go/src/velero-plugin-for-gcp
 WORKDIR /go/src/velero-plugin-for-gcp
 RUN export GOARM=$( echo "${GOARM}" | cut -c2-) && \
-    CGO_ENABLED=0 go build -v -o /go/bin/velero-plugin-for-gcp ./velero-plugin-for-gcp
-
-FROM busybox@sha256:fcd85228d7a25feb59f101ac3a955d27c80df4ad824d65f5757a954831450185 AS busybox
+    CGO_ENABLED=0 go build -v -o /go/bin/velero-plugin-for-gcp ./velero-plugin-for-gcp && \
+    CGO_ENABLED=0 go build -v -o /go/bin/cp-plugin ./hack/cp-plugin
 
 FROM scratch
 COPY --from=build /go/bin/velero-plugin-for-gcp /plugins/
-COPY --from=busybox /bin/cp /bin/cp
+COPY --from=build /go/bin/cp-plugin /bin/cp-plugin
 USER 65532:65532
-ENTRYPOINT ["cp", "/plugins/velero-plugin-for-gcp", "/target/."]
+ENTRYPOINT ["cp-plugin", "/plugins/velero-plugin-for-gcp", "/target/velero-plugin-for-gcp"]
diff --git a/changelogs/unreleased/135-blackpiglet b/changelogs/unreleased/135-blackpiglet
@@ -0,0 +1 @@
+Replace busybox with internal copy binary.
diff --git a/go.mod b/go.mod
@@ -59,11 +59,11 @@ require (
 	github.com/spf13/cobra v1.2.1 // indirect
 	github.com/stretchr/objx v0.2.0 // indirect
 	go.opencensus.io v0.23.0 // indirect
-	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
-	golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
-	golang.org/x/sys v0.1.0 // indirect
-	golang.org/x/term v0.1.0 // indirect
-	golang.org/x/text v0.4.0 // indirect
+	golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b // indirect
+	golang.org/x/net v0.7.0 // indirect
+	golang.org/x/sys v0.5.0 // indirect
+	golang.org/x/term v0.5.0 // indirect
+	golang.org/x/text v0.7.0 // indirect
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
@@ -72,7 +72,7 @@ require (
 	google.golang.org/protobuf v1.27.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.22.2 // indirect
 	k8s.io/client-go v0.22.2 // indirect
 	k8s.io/klog/v2 v2.9.0 // indirect
@@ -82,9 +82,3 @@ require (
 	sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
-
-replace (
-	golang.org/x/crypto => golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b
-	golang.org/x/net => golang.org/x/net v0.1.1-0.20221104162952-702349b0e862
-	golang.org/x/text => golang.org/x/text v0.3.8
-)
diff --git a/go.sum b/go.sum
diff --git a/hack/cp-plugin/main.go b/hack/cp-plugin/main.go
@@ -0,0 +1,42 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+)
+
+func main() {
+	if len(os.Args) != 3 {
+		fmt.Println(
+			`Error: This command requires two arguments.
+Usage: cp-plugin src dst`)
+		os.Exit(1)
+	}
+	src, dst := os.Args[1], os.Args[2]
+	fmt.Printf("Copying %s to %s ...  ", src, dst)
+	srcFile, err := os.Open(src)
+	if err != nil {
+		panic(err)
+	}
+	defer srcFile.Close()
+	if _, err := os.Stat(dst); errors.Is(err, os.ErrNotExist) {
+		_, err = os.Create(dst)
+		if err != nil {
+			panic(err)
+		}
+	}
+	dstFile, err := os.OpenFile(dst, os.O_WRONLY, 0755)
+	if err != nil {
+		panic(err)
+	}
+	defer dstFile.Close()
+	buf := make([]byte, 1024*128)
+	_, err = io.CopyBuffer(dstFile, srcFile, buf)
+	if err != nil {
+		panic(err)
+	}
+	os.Chmod(dst, 0755)
+	fmt.Println("done.")
+}