
Conversation

@mathieu-benoit mathieu-benoit commented Nov 29, 2025

[WIP] Update Dockerfiles to fix CVEs

Summary:

  • cartservice --> 6 CVEs fixed
  • checkoutservice --> 20 CVEs fixed + 12.5MB saved

You can expand the sections below to get more insights.

cartservice - .NET 9 --> 10

.NET 10 was announced on Nov 11th 2025: https://devblogs.microsoft.com/dotnet/announcing-dotnet-10/.

Container images size locally on disk:

  • cartservice:before: 61.7MB
  • cartservice:after: 62.1MB (+0.4MB)

Fixing:

docker scout compare --to cartservice:before cartservice:after:

  ## Overview
  
                      │                    Analyzed Image                    │                   Comparison Image                    
  ────────────────────┼──────────────────────────────────────────────────────┼───────────────────────────────────────────────────────
    Target            │  cartservice:after                                   │  cartservice:before                                    
      digest          │  ca9a7528b5b6                                        │  69eceebdedd2                                         
      tag             │  latest                                              │  latest                                               
      platform        │ linux/amd64                                          │ linux/amd64                                           
      provenance      │ https://github.com/mathieu-benoit/microservices-demo │ https://github.com/mathieu-benoit/microservices-demo  
                      │  18f3b732934abd656dc013bac7327a95c762b21c            │  18f3b732934abd656dc013bac7327a95c762b21c             
      vulnerabilities │    0C     0H     0M     1L                           │    0C     0H     4M     3L                            
                      │                  -4     -2                           │                                                       
      size            │ 18 MB (+153 kB)                                      │ 18 MB                                                 
      packages        │ 9                                                    │ 9                                                     
                      │                                                      │                                                       
  
  ## Packages and Vulnerabilities

    ⎌    4 packages changed (↑ 4 upgraded, ↓ 0 downgraded)  
         5 packages unchanged
  
    - 6 vulnerabilities removed
  
  
     Package          Type  Version                Compared Version       
  
  ↑  base-files       deb   13ubuntu10.3           13ubuntu10.1           
     ca-certificates  deb   20240203               20240203               
     gcc-14           deb   14.2.0-4ubuntu2~24.04  14.2.0-4ubuntu2~24.04  
     gcc-14-base      deb   14.2.0-4ubuntu2~24.04  14.2.0-4ubuntu2~24.04  
  ↑  libc6            deb   2.39-0ubuntu8.6        2.39-0ubuntu8.3        
     │   +  Dockerfile (33:33)  
     │   +  FROM mcr.microsoft.com/dotnet/runtime-deps:10.0.0-noble-chiseled@sha256:b857c8cb8d929183cfe4c6dd9994abba92a2639dd2dbaf06005379f815991604           
     │   -  Dockerfile (33:33)  
     │   -  FROM mcr.microsoft.com/dotnet/runtime-deps:9.0.1-noble-chiseled@sha256:6f7466eda39e24efaf7eab2325e15d776a685d13cc93b4ea0cde9ee4f7982210            
     │   
     ├─  -  MEDIUM       CVE-2025-8058   [https://scout.docker.com/v/CVE-2025-8058]        
     │                   0.0    
     ├─  -  MEDIUM       CVE-2025-5702   [https://scout.docker.com/v/CVE-2025-5702]        
     │                   0.0    
     └─  -  MEDIUM       CVE-2025-0395   [https://scout.docker.com/v/CVE-2025-0395]        
                         0.0    
  
     libgcc-s1        deb   14.2.0-4ubuntu2~24.04  14.2.0-4ubuntu2~24.04  
  ↑  libssl3t64       deb   3.0.13-0ubuntu3.6      3.0.13-0ubuntu3.4      
     libstdc++6       deb   14.2.0-4ubuntu2~24.04  14.2.0-4ubuntu2~24.04  
  ↑  openssl          deb   3.0.13-0ubuntu3.6      3.0.13-0ubuntu3.4      
     │   +  Dockerfile (33:33)  
     │   +  FROM mcr.microsoft.com/dotnet/runtime-deps:10.0.0-noble-chiseled@sha256:b857c8cb8d929183cfe4c6dd9994abba92a2639dd2dbaf06005379f815991604           
     │   -  Dockerfile (33:33)  
     │   -  FROM mcr.microsoft.com/dotnet/runtime-deps:9.0.1-noble-chiseled@sha256:6f7466eda39e24efaf7eab2325e15d776a685d13cc93b4ea0cde9ee4f7982210            
     │   
     ├─  -  MEDIUM       CVE-2025-9230   [https://scout.docker.com/v/CVE-2025-9230]    
     │                   0.0    
     ├─  -  LOW          CVE-2024-9143   [https://scout.docker.com/v/CVE-2024-9143]    
     │                   0.0    
     └─  -  LOW          CVE-2024-13176  [https://scout.docker.com/v/CVE-2024-13176]  
                         0.0

checkoutservice - Golang 1.23 --> 1.25

Golang 1.25 was announced on Aug 12th 2025: https://go.dev/blog/go1.25.

cd src/checkoutservice
go get -t -u ./...

Container images size locally on disk:

  • checkoutservice:before: 35.5MB
  • checkoutservice:after: 23MB (-12.5MB) --> thanks to -ldflags="-s -w"

Fixing:

docker scout compare --to checkoutservice:before checkoutservice:after:

  ## Overview
  
                      │                    Analyzed Image                    │                   Comparison Image                    
  ────────────────────┼──────────────────────────────────────────────────────┼───────────────────────────────────────────────────────
    Target            │  checkoutservice:after                               │  checkoutservice:init                                 
      digest          │  248fafb64df1                                        │  6fdc28ee810e                                         
      tag             │  latest                                              │  latest                                               
      platform        │ linux/amd64                                          │ linux/amd64                                           
      provenance      │ https://github.com/mathieu-benoit/microservices-demo │ https://github.com/mathieu-benoit/microservices-demo  
                      │  f4bf5fa2af7b9ae83772865e0b0ca2efd5fd355f            │  ebbb0ebcfd96a1956aa01e9064d6c83b664f11be             
      vulnerabilities │    0C     0H     0M     0L                           │    1C     5H    14M     0L                            
                      │    -1     -5    -14                                  │                                                       
      size            │ 12 MB (+80 kB)                                       │ 12 MB                                                 
      packages        │ 40 (-2)                                              │ 42                                                    
                      │                                                      │                                                       
  
  ## Environment Variables
  
      GOTRACEBACK=single
      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  
  ## Packages and Vulnerabilities
  
    -    2 packages removed  
    ⎌   26 packages changed (↑ 26 upgraded, ↓ 0 downgraded)  
        11 packages unchanged
  
    - 20 vulnerabilities removed
  
     Package                                                                      Type    Version                            Compared Version                   
  
  ↑  cloud.google.com/go                                                          golang  0.121.2                            0.116.0                            
  ↑  cloud.google.com/go/auth/oauth2adapt                                         golang  0.2.8                              0.2.6                              
  ↑  cloud.google.com/go/compute/metadata                                         golang  0.9.0                              0.6.0                              
     cloud.google.com/go/profiler                                                 golang  0.4.2                              0.4.2                              
     github.com/cenkalti/backoff/v4                                               golang  4.3.0                              4.3.0                              
  ↑  github.com/go-logr/logr                                                      golang  1.4.3                              1.4.2                              
     github.com/go-logr/stdr                                                      golang  1.2.2                              1.2.2                              
  -  github.com/golang/groupcache                                                 golang                                     0.0.0-20210331224755-41bb18bfe9da  
  ↑  github.com/google/pprof                                                      golang  0.0.0-20251114195745-4902fdda35c8  0.0.0-20240903155634-a8630aee4ab9  
  ↑  github.com/google/s2a-go                                                     golang  0.1.9                              0.1.8                              
     github.com/google/uuid                                                       golang  1.6.0                              1.6.0                              
  ↑  github.com/googleapis/enterprise-certificate-proxy                           golang  0.3.7                              0.3.4                              
  ↑  github.com/googleapis/gax-go/v2                                              golang  2.14.2                             2.14.0                             
     github.com/googlecloudplatform/microservices-demo/src/checkoutservice        golang  UNKNOWN                            UNKNOWN                            
  ↑  github.com/grpc-ecosystem/grpc-gateway/v2                                    golang  2.27.1                             2.26.1                             
     github.com/pkg/errors                                                        golang  0.9.1                              0.9.1                              
     github.com/sirupsen/logrus                                                   golang  1.9.3                              1.9.3                              
  -  go.opencensus.io                                                             golang                                     0.24.0                             
     go.opentelemetry.io/auto/sdk                                                 golang  1.1.0                              1.1.0                              
     go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc  golang  0.60.0                             0.60.0                             
  ↑  go.opentelemetry.io/otel                                                     golang  1.38.0                             1.35.0                             
     go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc              golang  1.35.0                             1.35.0                             
  ↑  go.opentelemetry.io/otel/metric                                              golang  1.38.0                             1.35.0                             
     go.opentelemetry.io/otel/sdk                                                 golang  1.35.0                             1.35.0                             
  ↑  go.opentelemetry.io/otel/trace                                               golang  1.38.0                             1.35.0                             
  ↑  go.opentelemetry.io/proto/otlp                                               golang  1.7.0                              1.5.0                              
  ↑  golang.org/x/crypto                                                          golang  0.45.0                             0.36.0                             
     │   +  Dockerfile (33:33)  
     │   +  COPY --from=builder /checkoutservice /src/checkoutservice                                                                                          
     │   -  Dockerfile (33:33)  
     │   -  COPY --from=builder /checkoutservice /src/checkoutservice                                                                                          
     │   
     ├─  -  HIGH         CVE-2025-47913  [https://scout.docker.com/v/CVE-2025-47913]  
     │                   7.5                                                        
     ├─  -  MEDIUM       CVE-2025-58181  [https://scout.docker.com/v/CVE-2025-58181]  
     │                   5.3  Allocation of Resources Without Limits or Throttling  
     └─  -  MEDIUM       CVE-2025-47914  [https://scout.docker.com/v/CVE-2025-47914]  
                         5.3  Out-of-bounds Read                                    
  
  ↑  golang.org/x/net                                                             golang  0.47.0                             0.38.0                             
  ↑  golang.org/x/oauth2                                                          golang  0.33.0                             0.27.0                             
  ↑  golang.org/x/sync                                                            golang  0.18.0                             0.12.0                             
  ↑  golang.org/x/sys                                                             golang  0.38.0                             0.31.0                             
  ↑  golang.org/x/text                                                            golang  0.31.0                             0.23.0                             
  ↑  golang.org/x/time                                                            golang  0.14.0                             0.8.0                              
  ↑  google.golang.org/api                                                        golang  0.236.0                            0.210.0                            
  ↑  google.golang.org/genproto                                                   golang  0.0.0-20250603155806-513f23925822  0.0.0-20241118233622-e639e219e697  
  ↑  google.golang.org/genproto/googleapis/rpc                                    golang  0.0.0-20251124214823-79d6a2a48846  0.0.0-20250218202821-56aae31c358a  
  ↑  google.golang.org/grpc                                                       golang  1.74.0-dev                         1.71.0                             
  ↑  google.golang.org/protobuf                                                   golang  1.36.10                            1.36.6                             
  ↑  stdlib                                                                       golang  1.25.4                             1.23.4                             
     │   +  Dockerfile (33:33)  
     │   +  COPY --from=builder /checkoutservice /src/checkoutservice                                                                                          
     │   -  Dockerfile (33:33)  
     │   -  COPY --from=builder /checkoutservice /src/checkoutservice                                                                                          
     │   
     ├─  -  CRITICAL     CVE-2025-22871  [https://scout.docker.com/v/CVE-2025-22871]                    
     │                   9.1                                                        
     ├─  -  HIGH         CVE-2025-61725  [https://scout.docker.com/v/CVE-2025-61725]                    
     │                   7.5                                                        
     ├─  -  HIGH         CVE-2025-61723  [https://scout.docker.com/v/CVE-2025-61723]                    
     │                   7.5                                                        
     ├─  -  HIGH         CVE-2025-58188  [https://scout.docker.com/v/CVE-2025-58188]                    
     │                   7.5                                                        
     ├─  -  HIGH         CVE-2025-58187  [https://scout.docker.com/v/CVE-2025-58187]                    
     │                   7.5                                                        
     ├─  -  MEDIUM       CVE-2025-4673   [https://scout.docker.com/v/CVE-2025-4673]                     
     │                   6.8                                                        
     ├─  -  MEDIUM       CVE-2025-47906  [https://scout.docker.com/v/CVE-2025-47906]                   
     │                   6.5                                                        
     ├─  -  MEDIUM       CVE-2024-45341  [https://scout.docker.com/v/CVE-2024-45341]   
     │                   6.1                                                        
     ├─  -  MEDIUM       CVE-2024-45336  [https://scout.docker.com/v/CVE-2024-45336]   
     │                   6.1                                                        
     ├─  -  MEDIUM       CVE-2025-0913   [https://scout.docker.com/v/CVE-2025-0913]                     
     │                   5.5                                                        
     ├─  -  MEDIUM       CVE-2025-61724  [https://scout.docker.com/v/CVE-2025-61724]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58189  [https://scout.docker.com/v/CVE-2025-58189]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58186  [https://scout.docker.com/v/CVE-2025-58186]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58185  [https://scout.docker.com/v/CVE-2025-58185]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-47912  [https://scout.docker.com/v/CVE-2025-47912]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58183  [https://scout.docker.com/v/CVE-2025-58183]                    
     │                   4.3                                                        
     └─  -  MEDIUM       CVE-2025-22866  [https://scout.docker.com/v/CVE-2025-22866]   
                         4.0

Signed-off-by: Mathieu Benoit <mathieu-benoit@hotmail.fr>
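For a build that combines the two changes this PR relies on (a base image pinned by digest, and a Go binary built with -ldflags="-s -w"), here is an added example Dockerfile for checkoutservice; it is not the project's own Dockerfile. The builder and runtime image names, the digest placeholders, the port and the module layout are assumptions.

```dockerfile
# Added example, not the project's own Dockerfile. Assumed: the build context is
# src/checkoutservice, package main is at its root, and the service listens on
# $PORT. Both digests below are placeholders; replace them with the real ones
# (e.g. from `docker buildx imagetools inspect <image:tag>`).

# --- build stage ----------------------------------------------------------
# Pin the toolchain image by tag AND digest so a rebuild cannot silently pick
# up a different toolchain than the one whose image was scanned.
FROM golang:1.25@sha256:PLACEHOLDER_BUILDER_DIGEST AS builder
WORKDIR /src
# Resolve modules first: this layer stays cached until go.mod/go.sum change,
# which is exactly what `go get -t -u ./...` followed by `go mod tidy` edits.
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0     -> static binary, so the runtime stage needs no libc.
# -trimpath         -> no local build paths embedded in the binary.
# -ldflags="-s -w"  -> drop the symbol table (-s) and DWARF debug info (-w);
#   this is where the PR's 12.5 MB saving comes from. Panics and stack traces
#   still print file:line; only debugger symbols are lost.
RUN CGO_ENABLED=0 GOOS=linux \
    go build -trimpath -ldflags="-s -w" -o /checkoutservice .

# --- runtime stage --------------------------------------------------------
# A minimal, non-root base with no shell or package manager: fewer packages
# in the final image means fewer findings for `docker scout` to report.
FROM gcr.io/distroless/static-debian12:nonroot@sha256:PLACEHOLDER_RUNTIME_DIGEST
COPY --from=builder /checkoutservice /src/checkoutservice
ENV PORT=5050
EXPOSE 5050
ENTRYPOINT ["/src/checkoutservice"]
```

After `go get -t -u ./...`, run `go mod tidy` so go.sum matches before building. `govulncheck ./...` is a useful complement to the image scan: it reports only vulnerable functions the binary actually reaches, which answers a narrower question than the package-level scout table above.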
@mathieu-benoit mathieu-benoit marked this pull request as draft November 29, 2025 20:03