Update packages for CVE fix

This commit addresses multiple vulnerabilities in the stx-audit
image by upgrading python packages `setuptools` and `wheel` to
secure versions:

- Upgraded setuptools from 52.0.0 ➝ 78.1.1
  - Fixes:
    * CVE-2025-47273: Path traversal in PackageIndex (RCE)
    * CVE-2024-6345: Remote code execution via unsafe URL handling
    * CVE-2022-40897: ReDoS in package_index.py via crafted HTML

- Upgraded wheel from 0.34.2 ➝ 0.38.1
  - Fixes:
    * CVE-2022-40898: DoS via crafted input to wheel CLI
    * PRISMA-2022-0404: ReDoS via regex in wheelfile.py

Changes were made in the Dockerfile to explicitly install the
upgraded versions using pip:

Test Plan:
PASS: Dockerfile is built properly with updated packages
      (setuptools==78.1.1, wheel==0.38.1) to address known CVEs.
PASS: Built image pushed to registry and retagged as
      registry.local:9001/docker.io/starlingx/stx-audit:stx.10.0-v1.0.5
PASS: audit-armada-app app deployed successfully using the updated
      image.
PASS: Pod state verified as Running after deployment
      (`kubectl get pods -n kube-system -o wide | grep auditd`).
PASS: Check auditd auditable events by generating a test event
      (e.g., `echo "#test" >> /etc/passwd`) and validating via
      `ausearch -k passwd_changes`.
PASS: Check that auditd override settings were applied, confirmed using
      `auditctl -l`.
PASS: Check audit logrotate functionality.
PASS: Application lifecycle validated
      (upload, apply, update, remove, delete).

Story: 2011405
Task: 52475

Change-Id: Ia309ff874472fe68d449f3909973fa4b74b36ab8
Signed-off-by: Rahul Roshan Kachchap <rahulroshan.kachchap@windriver.com>
Rahul Roshan Kachchap
2025-07-08 02:54:45 -04:00
parent 29f03325a6
commit a1aa989cdc


@@ -4,7 +4,11 @@ FROM ${BASE} AS stx
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get -y update && \
apt-get -y install auditd
apt-get -y install auditd python3-pip && \
pip3 install --upgrade pip && \
pip3 install --no-cache-dir --upgrade \
setuptools==78.1.1 \
wheel==0.38.1
COPY startAuditd.sh .
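Review bot: the `pip3 install --no-cache-dir --upgrade setuptools==78.1.1 wheel==0.38.1` step installs the new versions under /usr/local, but it does not remove the copies that were flagged: the setuptools 52.0.0 and wheel 0.34.2 named in the commit message are Debian-packaged modules (python3-setuptools, python3-wheel), and the `apt-get -y install auditd python3-pip` line on this hunk pulls those same packages in as dependencies of python3-pip, leaving them in /usr/lib/python3/dist-packages. Since /usr/local precedes /usr/lib on Debian's sys.path the upgraded copies win at import time, but scanners that walk dist-info metadata will still report the old versions; verify in the built image with `python3 -c 'import setuptools, wheel; print(setuptools.__version__, wheel.__version__)'` and `pip3 list 2>/dev/null | grep -Ei 'setuptools|wheel'`, and either remove the apt-owned directories after the pip step or record the residual in the commit message. Two smaller points on the same RUN: `pip3 install --upgrade pip` is unpinned, so the build pulls whatever pip is current and is not reproducible (pin it the way setuptools and wheel are pinned), and on a Debian bookworm or newer `${BASE}` that command fails with an externally-managed-environment error unless `--break-system-packages` or a venv is used, so the choice of base should be stated. The chain also never runs `rm -rf /var/lib/apt/lists/*`, so the apt cache ends up in the layer.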