Open Bug 2053117 Opened 2 days ago Updated 2 days ago

Upgrade WebRender CI Docker base image to debian:11.11 to mitigate vulnerabilities

Categories

(Core :: Graphics: WebRender, enhancement)

enhancement

Tracking

()

ASSIGNED

People

(Reporter: github, Assigned: github)

Details

Attachments

(3 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/150.0.0.0 Safari/537.36

Steps to reproduce:

While auditing the supply-chain security of the Firefox repository, I analyzed the Docker configuration used for WebRender continuous integration in gfx/wr/ci-scripts/docker-image/Dockerfile.

The current manifest pins the base image to an outdated version: debian:bullseye-20221205.

Actual results:

A security scan via Snyk reveals that the pinned debian:bullseye-20221205 base image contains 198 known vulnerabilities, including 7 Critical and 37 High severity issues (such as outdated packages in glibc, systemd, and krb5).

This introduces unnecessary supply-chain risks into the CI/CD compilation and testing environment.

Expected results:

The Dockerfile base image should be bumped to a patched, stable release within the same release stream to mitigate these vulnerabilities.

Upgrading the base image to debian:11.11 drops the total vulnerability count from 198 down to 89 (reducing Critical vulnerabilities to 3). I have verified on a local fork that this minor upgrade resolves the security issues without breaking the existing environment or build scripts.

I have a patch ready to submit via Phabricator.

Assignee: nobody → github
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: