
Commit bf32048

committed
fix for security-vulnerability->disable redirect in wget and curl
1 parent ac9e13b commit bf32048


1 file changed

+12
-12
lines changed


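--- a/ci/dockerfiles/autoscaler-tools/Dockerfile
+++ b/ci/dockerfiles/autoscaler-tools/Dockerfile
@@ -7,9 +7,9 @@ RUN apt-get update && \
 apt-get -qqy install --fix-missing gnupg apt-transport-https wget && \
 apt-get clean
 
-RUN wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | apt-key add - && \
+RUN wget --secure-protocol=TLSv1_2 --max-redirect=0 -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | apt-key add - && \
 echo "deb https://packages.cloudfoundry.org/debian stable main" | tee /etc/apt/sources.list.d/cloudfoundry-cli.list && \
-wget -q -O - https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg && \
+wget --secure-protocol=TLSv1_2 --max-redirect=0 -q -O - https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg && \
 echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null
 
 RUN apt-get update && \
@@ -41,15 +41,15 @@ RUN apt-get update && \
 mysql-client && \
 apt-get clean
 
-RUN wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O- | apt-key add -
+RUN wget --secure-protocol=TLSv1_2 --max-redirect=0 -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O- | apt-key add -
 RUN echo "deb http://apt.postgresql.org/pub/repos/apt/ $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/postgresql.list
 
 # install golang
 # renovate: datasource=golang-version depName=golang
 ARG GO_VERSION=1.22.3
 ENV GOPATH $HOME/go
 ENV PATH $HOME/go/bin:/usr/local/go/bin:$PATH
-RUN wget -q https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz -P /tmp &&\
+RUN wget --secure-protocol=TLSv1_2 --max-redirect=0 -q https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz -P /tmp &&\
 tar xzvf /tmp/go${GO_VERSION}.linux-amd64.tar.gz -C /usr/local &&\
 mkdir $GOPATH &&\
 rm -rf /tmp/* &&\
@@ -64,22 +64,22 @@ RUN apt-get update && \
 # Install bosh_cli
 # renovate: datasource=github-releases depName=bosh-cli lookupName=cloudfoundry/bosh-cli
 ARG BOSH_VERSION=7.5.7
-RUN wget -q https://github.com/cloudfoundry/bosh-cli/releases/download/v${BOSH_VERSION}/bosh-cli-${BOSH_VERSION}-linux-amd64 && \
+RUN curl --proto "=https" -sL -q https://github.com/cloudfoundry/bosh-cli/releases/download/v${BOSH_VERSION}/bosh-cli-${BOSH_VERSION}-linux-amd64 && \
 mv bosh-cli-* /usr/local/bin/bosh && \
 chmod +x /usr/local/bin/bosh
 
 # Install bbl
 # renovate: datasource=github-releases depName=bosh-bootloader lookupName=cloudfoundry/bosh-bootloader
 ARG BBL_VERSION=v9.0.21
-RUN wget -q https://github.com/cloudfoundry/bosh-bootloader/releases/download/${BBL_VERSION}/bbl-${BBL_VERSION}_linux_amd64 && \
+RUN curl --proto "=https" -sL -q https://github.com/cloudfoundry/bosh-bootloader/releases/download/${BBL_VERSION}/bbl-${BBL_VERSION}_linux_amd64 && \
 mv bbl-* /usr/local/bin/bbl &&\
 chmod +x /usr/local/bin/bbl &&\
 bbl --version
 
 # Install credhub
 # renovate: datasource=github-releases depName=credhub-cli lookupName=cloudfoundry/credhub-cli
 ARG CREDHUB_VERSION=2.9.31
-RUN wget -q https://github.com/cloudfoundry/credhub-cli/releases/download/${CREDHUB_VERSION}/credhub-linux-amd64-${CREDHUB_VERSION}.tgz && \
+RUN curl --proto "=https" -sL -q https://github.com/cloudfoundry/credhub-cli/releases/download/${CREDHUB_VERSION}/credhub-linux-amd64-${CREDHUB_VERSION}.tgz && \
 tar xvfz credhub-linux-amd64-${CREDHUB_VERSION}.tgz && \
 mv credhub /usr/local/bin/credhub &&\
 rm credhub-linux-amd64-${CREDHUB_VERSION}.tgz &&\
@@ -92,23 +92,23 @@ RUN gem install cf-uaac &&\
 # Install jq as a nice to have on container debugging
 # renovate: datasource=github-releases depName=jq lookupName=stedolan/jq
 ARG JQ_VERSION=jq-1.6
-RUN wget -q https://github.com/stedolan/jq/releases/download/${JQ_VERSION}/jq-linux64 && \
+RUN curl --proto "=https" -sL -q https://github.com/stedolan/jq/releases/download/${JQ_VERSION}/jq-linux64 && \
 mv jq-linux64 /usr/local/bin/jq && \
 chmod +x /usr/local/bin/jq &&\
 jq --version
 
 # install yq
 # renovate: datasource=github-releases depName=yq lookupName=mikefarah/yq
 ARG YQ_VERSION=v4.43.1
-RUN wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64 && \
+RUN wget --secure-protocol=TLSv1_2 --max-redirect=0 -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64 && \
 chmod a+x /usr/local/bin/yq && \
 yq --version
 
 # get maven
 # renovate: datasource=maven depName=org.apache.maven:maven-core
 ARG MAVEN_VERSION=3.9.7
 ENV MAVEN_HOME /opt/maven
-RUN wget --no-verbose -O /tmp/apache-maven-${MAVEN_VERSION}.tar.gz http://archive.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz && \
+RUN wget --secure-protocol=TLSv1_2 --max-redirect=0 --no-verbose -O /tmp/apache-maven-${MAVEN_VERSION}.tar.gz https://archive.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz && \
 tar xzf /tmp/apache-maven-${MAVEN_VERSION}.tar.gz -C /opt/ && \
 ln -s /opt/apache-maven-${MAVEN_VERSION} /opt/maven && \
 ln -s /opt/maven/bin/mvn /usr/local/bin && \
@@ -123,7 +123,7 @@ RUN sed -i 's/peer/trust/' ${PGCONFIG}/pg_hba.conf \
 
 # Install gcloud
 RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list && \
-curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg && \
+curl --proto "=https" https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg && \
 apt-get update -y && \
 apt-get install google-cloud-cli -y && \
 apt-get clean && \
@@ -135,7 +135,7 @@ RUN go install github.com/onsi/ginkgo/v2/ginkgo@${GINKGO_VERSION} && \
 ginkgo version
 
 ARG NODE_VERSION=18
-RUN curl -sL "https://deb.nodesource.com/setup_${NODE_VERSION}.x" | bash - \
+RUN curl --proto "=https" -sL "https://deb.nodesource.com/setup_${NODE_VERSION}.x" | bash - \
 && apt-get update -y \
 && apt install nodejs -y \
 && apt-get clean \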
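Review bot: The four downloads switched from wget to curl (bosh-cli, bbl, credhub, jq) pass no `-o`/`-O`, so curl writes the artifact to stdout and the following `mv bosh-cli-* /usr/local/bin/bosh`, `mv bbl-* …`, `tar xvfz credhub-…tgz` and `mv jq-linux64 …` have no file to act on; name the target and fail on HTTP errors, e.g. `curl --proto "=https" --tlsv1.2 -fsSL -o /usr/local/bin/bosh https://github.com/cloudfoundry/bosh-cli/releases/download/v${BOSH_VERSION}/bosh-cli-${BOSH_VERSION}-linux-amd64`. Those lines also keep `-L`, so redirects are still followed (limited to HTTPS by `--proto`), while the yq line uses `wget --max-redirect=0` against a GitHub release URL, which is normally answered with a redirect to the asset host and would then fail; both tools should follow one stated redirect policy. Restricting protocol and redirects does not authenticate what is downloaded: none of the binaries, tarballs or the NodeSource script piped into `bash` is checked against a pinned digest, so a `sha256sum -c` step per artifact is what would actually address the risk the commit title names. The credhub RUN and the final nodejs RUN continue past the end of their hunks.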
