Upgrade WebRender CI Docker base image to debian:11.11 to mitigate vulnerabilities
Categories
(Core :: Graphics: WebRender, enhancement)
Tracking
()
People
(Reporter: github, Assigned: github)
Details
Attachments
(3 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/150.0.0.0 Safari/537.36
Steps to reproduce:
While auditing the supply-chain security of the Firefox repository, I analyzed the Docker configuration used for WebRender continuous integration in gfx/wr/ci-scripts/docker-image/Dockerfile.
The current manifest pins the base image to an outdated version: debian:bullseye-20221205.
Actual results:
A security scan via Snyk reveals that the pinned debian:bullseye-20221205 base image contains 198 known vulnerabilities, including 7 Critical and 37 High severity issues (such as outdated packages in glibc, systemd, and krb5).
This introduces unnecessary supply-chain risks into the CI/CD compilation and testing environment.
Expected results:
The Dockerfile base image should be bumped to a patched, stable release within the same release stream to mitigate these vulnerabilities.
Upgrading the base image to debian:11.11 drops the total vulnerability count from 198 down to 89 (reducing Critical vulnerabilities to 3). I have verified on a local fork that this minor upgrade resolves the security issues without breaking the existing environment or build scripts.
I have a patch ready to submit via Phabricator.
Updated•2 days ago
|
Comment 3•2 days ago
|
||
Description
•