2022-03-17 05:37:08 -04:00
|
|
|
# syntax=docker/dockerfile:1
|
2021-03-03 02:03:02 -05:00
|
|
|
|
|
|
|
ARG BASE_VARIANT=alpine
|
update go to go1.20.5
go1.20.5 (released 2023-06-06) includes four security fixes to the cmd/go and
runtime packages, as well as bug fixes to the compiler, the go command, the
runtime, and the crypto/rsa, net, and os packages. See the Go 1.20.5 milestone
on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.20.5+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.20.4...go1.20.5
These minor releases include 3 security fixes following the security policy:
- cmd/go: cgo code injection
The go command may generate unexpected code at build time when using cgo. This
may result in unexpected behavior when running a go program which uses cgo.
This may occur when running an untrusted module which contains directories with
newline characters in their names. Modules which are retrieved using the go command,
i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e.
GO111MODULE=off, may be affected).
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.
- runtime: unexpected behavior of setuid/setgid binaries
The Go runtime didn't act any differently when a binary had the setuid/setgid
bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
I/O file descriptors closed, opening any files could result in unexpected
content being read/written with elevated prilieges. Similarly if a setuid/setgid
program was terminated, either via panic or signal, it could leak the contents
of its registers.
Thanks to Vincent Dehors from Synacktiv for reporting this issue.
This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.
- cmd/go: improper sanitization of LDFLAGS
The go command may execute arbitrary code at build time when using cgo. This may
occur when running "go get" on a malicious module, or when running any other
command which builds untrusted code. This is can by triggered by linker flags,
specified via a "#cgo LDFLAGS" directive.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3b8d5da66b608e5458cd44c2b271dce38c323df2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-14 07:25:57 -04:00
|
|
|
ARG GO_VERSION=1.20.5
|
2023-06-14 07:30:40 -04:00
|
|
|
ARG ALPINE_VERSION=3.17
|
2022-06-05 10:10:12 -04:00
|
|
|
ARG XX_VERSION=1.1.1
|
2021-10-11 10:54:09 -04:00
|
|
|
ARG GOVERSIONINFO_VERSION=v1.3.0
|
2023-06-14 14:57:02 -04:00
|
|
|
ARG GOTESTSUM_VERSION=v1.10.0
|
2023-06-20 06:37:47 -04:00
|
|
|
ARG BUILDX_VERSION=0.11.0
|
2021-03-03 02:03:02 -05:00
|
|
|
|
2021-09-15 06:47:50 -04:00
|
|
|
FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
|
2021-03-03 02:03:02 -05:00
|
|
|
|
2022-12-04 08:01:30 -05:00
|
|
|
FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS build-base-alpine
|
2021-03-03 02:03:02 -05:00
|
|
|
COPY --from=xx / /
|
2021-11-17 11:18:15 -05:00
|
|
|
RUN apk add --no-cache bash clang lld llvm file git
|
2021-03-03 02:03:02 -05:00
|
|
|
WORKDIR /go/src/github.com/docker/cli
|
|
|
|
|
|
|
|
FROM build-base-alpine AS build-alpine
|
|
|
|
ARG TARGETPLATFORM
|
|
|
|
# gcc is installed for libgcc only
|
|
|
|
RUN xx-apk add --no-cache musl-dev gcc
|
|
|
|
|
2021-12-09 11:16:50 -05:00
|
|
|
FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-bullseye AS build-base-bullseye
|
2021-03-03 02:03:02 -05:00
|
|
|
COPY --from=xx / /
|
2022-07-28 16:49:02 -04:00
|
|
|
RUN apt-get update && apt-get install --no-install-recommends -y bash clang lld llvm file
|
2021-03-03 02:03:02 -05:00
|
|
|
WORKDIR /go/src/github.com/docker/cli
|
|
|
|
|
2021-12-09 11:16:50 -05:00
|
|
|
FROM build-base-bullseye AS build-bullseye
|
2021-03-03 02:03:02 -05:00
|
|
|
ARG TARGETPLATFORM
|
2021-12-09 11:16:50 -05:00
|
|
|
RUN xx-apt-get install --no-install-recommends -y libc6-dev libgcc-10-dev
|
2022-07-28 16:49:02 -04:00
|
|
|
# workaround for issue with llvm 11 for darwin/amd64 platform:
|
|
|
|
# # github.com/docker/cli/cmd/docker
|
|
|
|
# /usr/local/go/pkg/tool/linux_amd64/link: /usr/local/go/pkg/tool/linux_amd64/link: running strip failed: exit status 1
|
|
|
|
# llvm-strip: error: unsupported load command (cmd=0x5)
|
|
|
|
# more info: https://github.com/docker/cli/pull/3717
|
|
|
|
# FIXME: remove once llvm 12 available on debian
|
|
|
|
RUN [ "$TARGETPLATFORM" != "darwin/amd64" ] || ln -sfnT /bin/true /usr/bin/llvm-strip
|
2021-03-03 02:03:02 -05:00
|
|
|
|
2021-12-07 08:50:16 -05:00
|
|
|
FROM build-base-${BASE_VARIANT} AS goversioninfo
|
|
|
|
ARG GOVERSIONINFO_VERSION
|
|
|
|
RUN --mount=type=cache,target=/root/.cache/go-build \
|
|
|
|
--mount=type=cache,target=/go/pkg/mod \
|
|
|
|
GOBIN=/out GO111MODULE=on go install "github.com/josephspurrier/goversioninfo/cmd/goversioninfo@${GOVERSIONINFO_VERSION}"
|
|
|
|
|
|
|
|
FROM build-base-${BASE_VARIANT} AS gotestsum
|
|
|
|
ARG GOTESTSUM_VERSION
|
|
|
|
RUN --mount=type=cache,target=/root/.cache/go-build \
|
|
|
|
--mount=type=cache,target=/go/pkg/mod \
|
|
|
|
GOBIN=/out GO111MODULE=on go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
|
|
|
|
&& /out/gotestsum --version
|
|
|
|
|
2021-03-03 02:03:02 -05:00
|
|
|
FROM build-${BASE_VARIANT} AS build
|
|
|
|
# GO_LINKMODE defines if static or dynamic binary should be produced
|
|
|
|
ARG GO_LINKMODE=static
|
|
|
|
# GO_BUILDTAGS defines additional build tags
|
|
|
|
ARG GO_BUILDTAGS
|
|
|
|
# GO_STRIP strips debugging symbols if set
|
|
|
|
ARG GO_STRIP
|
|
|
|
# CGO_ENABLED manually sets if cgo is used
|
|
|
|
ARG CGO_ENABLED
|
|
|
|
# VERSION sets the version for the produced binary
|
|
|
|
ARG VERSION
|
2022-03-27 04:09:50 -04:00
|
|
|
# PACKAGER_NAME sets the company that produced the windows binary
|
|
|
|
ARG PACKAGER_NAME
|
2021-12-07 08:50:16 -05:00
|
|
|
COPY --from=goversioninfo /out/goversioninfo /usr/bin/goversioninfo
|
2022-03-27 19:52:53 -04:00
|
|
|
# in bullseye arm64 target does not link with lld so configure it to use ld instead
|
|
|
|
RUN [ ! -f /etc/alpine-release ] && xx-info is-cross && [ "$(xx-info arch)" = "arm64" ] && XX_CC_PREFER_LINKER=ld xx-clang --setup-target-triple || true
|
2021-10-11 10:54:09 -04:00
|
|
|
RUN --mount=type=bind,target=.,ro \
|
|
|
|
--mount=type=cache,target=/root/.cache \
|
2021-03-03 02:03:02 -05:00
|
|
|
--mount=from=dockercore/golang-cross:xx-sdk-extras,target=/xx-sdk,src=/xx-sdk \
|
2021-03-05 03:56:55 -05:00
|
|
|
--mount=type=tmpfs,target=cli/winresources \
|
2021-10-11 10:54:09 -04:00
|
|
|
# override the default behavior of go with xx-go
|
2021-03-03 02:03:02 -05:00
|
|
|
xx-go --wrap && \
|
|
|
|
# export GOCACHE=$(go env GOCACHE)/$(xx-info)$([ -f /etc/alpine-release ] && echo "alpine") && \
|
|
|
|
TARGET=/out ./scripts/build/binary && \
|
|
|
|
xx-verify $([ "$GO_LINKMODE" = "static" ] && echo "--static") /out/docker
|
|
|
|
|
2021-12-07 08:50:16 -05:00
|
|
|
FROM build-${BASE_VARIANT} AS test
|
|
|
|
COPY --from=gotestsum /out/gotestsum /usr/bin/gotestsum
|
|
|
|
ENV GO111MODULE=auto
|
|
|
|
RUN --mount=type=bind,target=.,rw \
|
2022-03-27 19:52:53 -04:00
|
|
|
--mount=type=cache,target=/root/.cache \
|
|
|
|
--mount=type=cache,target=/go/pkg/mod \
|
|
|
|
gotestsum -- -coverprofile=/tmp/coverage.txt $(go list ./... | grep -vE '/vendor/|/e2e/')
|
2021-12-07 08:50:16 -05:00
|
|
|
|
|
|
|
FROM scratch AS test-coverage
|
|
|
|
COPY --from=test /tmp/coverage.txt /coverage.txt
|
|
|
|
|
2021-11-17 11:18:15 -05:00
|
|
|
FROM build-${BASE_VARIANT} AS build-plugins
|
|
|
|
ARG GO_LINKMODE=static
|
|
|
|
ARG GO_BUILDTAGS
|
|
|
|
ARG GO_STRIP
|
|
|
|
ARG CGO_ENABLED
|
|
|
|
ARG VERSION
|
|
|
|
RUN --mount=ro --mount=type=cache,target=/root/.cache \
|
|
|
|
--mount=from=dockercore/golang-cross:xx-sdk-extras,target=/xx-sdk,src=/xx-sdk \
|
|
|
|
xx-go --wrap && \
|
|
|
|
TARGET=/out ./scripts/build/plugins e2e/cli-plugins/plugins/*
|
|
|
|
|
|
|
|
FROM build-base-alpine AS e2e-base-alpine
|
|
|
|
RUN apk add --no-cache build-base curl docker-compose openssl openssh-client
|
|
|
|
|
2021-12-09 11:16:50 -05:00
|
|
|
FROM build-base-bullseye AS e2e-base-bullseye
|
2021-11-17 11:18:15 -05:00
|
|
|
RUN apt-get update && apt-get install -y build-essential curl openssl openssh-client
|
|
|
|
ARG COMPOSE_VERSION=1.29.2
|
|
|
|
RUN curl -fsSL https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose && \
|
|
|
|
chmod +x /usr/local/bin/docker-compose
|
|
|
|
|
2022-02-03 04:37:55 -05:00
|
|
|
FROM docker/buildx-bin:${BUILDX_VERSION} AS buildx
|
|
|
|
|
2021-11-17 11:18:15 -05:00
|
|
|
FROM e2e-base-${BASE_VARIANT} AS e2e
|
|
|
|
ARG NOTARY_VERSION=v0.6.1
|
|
|
|
ADD --chmod=0755 https://github.com/theupdateframework/notary/releases/download/${NOTARY_VERSION}/notary-Linux-amd64 /usr/local/bin/notary
|
|
|
|
COPY e2e/testdata/notary/root-ca.cert /usr/share/ca-certificates/notary.cert
|
|
|
|
RUN echo 'notary.cert' >> /etc/ca-certificates.conf && update-ca-certificates
|
|
|
|
COPY --from=gotestsum /out/gotestsum /usr/bin/gotestsum
|
|
|
|
COPY --from=build /out ./build/
|
|
|
|
COPY --from=build-plugins /out ./build/
|
2022-02-03 04:37:55 -05:00
|
|
|
COPY --from=buildx /buildx /usr/libexec/docker/cli-plugins/docker-buildx
|
2021-11-17 11:18:15 -05:00
|
|
|
COPY . .
|
|
|
|
ENV DOCKER_BUILDKIT=1
|
|
|
|
ENV PATH=/go/src/github.com/docker/cli/build:$PATH
|
|
|
|
CMD ./scripts/test/e2e/entry
|
|
|
|
|
|
|
|
FROM build-base-${BASE_VARIANT} AS dev
|
2021-03-05 03:56:55 -05:00
|
|
|
COPY . .
|
2021-03-03 02:03:02 -05:00
|
|
|
|
2021-11-17 11:18:15 -05:00
|
|
|
FROM scratch AS plugins
|
|
|
|
COPY --from=build-plugins /out .
|
2023-03-24 16:14:29 -04:00
|
|
|
|
|
|
|
FROM scratch AS binary
|
|
|
|
COPY --from=build /out .
|