Merge branch 'main' into wolfictl-c96cbc83-bacd-4ddc-9b00-315f6f8c73d1

wolfi-dev · Dec 4, 2024 · 3913554 · 3913554
2 parents e53663a + 451ae44
commit 3913554
Show file tree

Hide file tree

Showing 417 changed files with 4,277 additions and 1,415 deletions.
diff --git a/.github/actions/docker-run/action.yaml b/.github/actions/docker-run/action.yaml
@@ -6,7 +6,7 @@ inputs:
     required: true
   image:
     description: "The image to use"
-    default: "ghcr.io/wolfi-dev/sdk:latest@sha256:77da1186e7c2d9796bcaf4fb035e8675cd822d67a1d8a530cc0f1ceb5df80110"
+    default: "ghcr.io/wolfi-dev/sdk:latest@sha256:98d8669d2eb9c8d23984fa2f55a272b67a04b4bfd132c714682c4fd716a3d7be"
     required: false
   workdir:
     description: "The images working directory"

diff --git a/.github/chainguard/lifecycle-cve-dashboard.sts.yaml b/.github/chainguard/lifecycle-cve-dashboard.sts.yaml
@@ -0,0 +1,8 @@
+issuer: https://accounts.google.com
+
+# have more than one service account
+# lc-cve-dashboard-bot@staging-enforce-cd1e.iam.gserviceaccount.com
+subject_pattern: "(107513915972546566458)"
+
+permissions:
+  contents: read
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -29,7 +29,7 @@ jobs:
       contents: read
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:77da1186e7c2d9796bcaf4fb035e8675cd822d67a1d8a530cc0f1ceb5df80110
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:98d8669d2eb9c8d23984fa2f55a272b67a04b4bfd132c714682c4fd716a3d7be
       # TODO: Deprivilege
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
@@ -175,7 +175,7 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:77da1186e7c2d9796bcaf4fb035e8675cd822d67a1d8a530cc0f1ceb5df80110
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:98d8669d2eb9c8d23984fa2f55a272b67a04b4bfd132c714682c4fd716a3d7be
 
     steps:
       - name: Harden Runner
@@ -303,7 +303,7 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:77da1186e7c2d9796bcaf4fb035e8675cd822d67a1d8a530cc0f1ceb5df80110
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:98d8669d2eb9c8d23984fa2f55a272b67a04b4bfd132c714682c4fd716a3d7be
 
     steps:
       - name: Harden Runner

diff --git a/Makefile b/Makefile
@@ -167,7 +167,7 @@ dev-container:
 	    -v "${PWD}:${PWD}" \
 	    -w "${PWD}" \
 	    -e SOURCE_DATE_EPOCH=0 \
-	    ghcr.io/wolfi-dev/sdk:latest@sha256:77da1186e7c2d9796bcaf4fb035e8675cd822d67a1d8a530cc0f1ceb5df80110
+	    ghcr.io/wolfi-dev/sdk:latest@sha256:98d8669d2eb9c8d23984fa2f55a272b67a04b4bfd132c714682c4fd716a3d7be
 
 PACKAGES_CONTAINER_FOLDER ?= /work/packages
 # This target spins up a docker container that is helpful for testing local
@@ -235,6 +235,6 @@ dev-container-wolfi:
 		--mount type=bind,source="${PWD}/local-melange.rsa.pub",destination="/etc/apk/keys/local-melange.rsa.pub",readonly \
 		--mount type=bind,source="$(TMP_REPOS_FILE)",destination="/etc/apk/repositories",readonly \
 		-w "$(PACKAGES_CONTAINER_FOLDER)" \
-		ghcr.io/wolfi-dev/sdk:latest@sha256:77da1186e7c2d9796bcaf4fb035e8675cd822d67a1d8a530cc0f1ceb5df80110
+		ghcr.io/wolfi-dev/sdk:latest@sha256:98d8669d2eb9c8d23984fa2f55a272b67a04b4bfd132c714682c4fd716a3d7be
 	@rm "$(TMP_REPOS_FILE)"
 	@rmdir "$(TMP_REPOS_DIR)"
diff --git a/apache-arrow.yaml b/apache-arrow.yaml
@@ -1,6 +1,6 @@
 package:
   name: apache-arrow
-  version: 18.0.0
+  version: 18.1.0
   epoch: 0
   description: "multi-language toolbox for accelerated data interchange and in-memory processing"
   copyright:
@@ -74,7 +74,7 @@ pipeline:
     with:
       repository: https://github.com/apache/arrow
       tag: apache-arrow-${{package.version}}
-      expected-commit: 9105a4109a80a1c01eabb24ee4b9f7c94ee942cb
+      expected-commit: 6a0414bd9a91e890ec6a45369bf61f405180628c
 
   - working-directory: /home/build/apache-arrow/cpp
     uses: cmake/configure

diff --git a/apache2.yaml b/apache2.yaml
@@ -1,13 +1,14 @@
 package:
   name: apache2
   version: 2.4.62
-  epoch: 4
+  epoch: 5
   description: "Apache HTTP Server"
   copyright:
     - license: Apache-2.0
   dependencies:
     runtime:
       - libgcc
+      - lua5.4
 
 environment:
   contents:
@@ -45,6 +46,7 @@ pipeline:
       opts: |
         --prefix=/ \
         --enable-layout=Debian \
+        --sysconfdir=/etc/apache2 \
         --enable-so \
         --enable-suexec \
         --with-suexec-caller=www-data \
@@ -152,15 +154,15 @@ subpackages:
           mkdir -p "${{targets.subpkgdir}}"/usr/local/apache2/logs
 
           # Install necessary config files
-          mkdir -p "${{targets.subpkgdir}}"/etc/
-          cp "${{targets.destdir}}"/etc/original/httpd.conf "${{targets.subpkgdir}}"/etc/
-          cp -r "${{targets.destdir}}"/etc/original/extra/ "${{targets.subpkgdir}}"/etc/
+          mkdir -p "${{targets.subpkgdir}}"/etc/apache2
+          cp "${{targets.destdir}}"/etc/apache2/original/httpd.conf "${{targets.subpkgdir}}"/etc/apache2
+          cp -r "${{targets.destdir}}"/etc/apache2/original/extra/ "${{targets.subpkgdir}}"/etc/apache2
 
           # Create symlinks
-          ln -s /etc/httpd.conf "${{targets.subpkgdir}}"/usr/local/apache2/conf/
-          ln -s /etc/extra "${{targets.subpkgdir}}"/usr/local/apache2/conf/
-          ln -s /etc/mime.types "${{targets.subpkgdir}}"/usr/local/apache2/conf/
-          ln -s /etc/magic "${{targets.subpkgdir}}"/usr/local/apache2/conf/
+          ln -s /etc/apache2/httpd.conf "${{targets.subpkgdir}}"/usr/local/apache2/conf/
+          ln -s /etc/apache2/extra "${{targets.subpkgdir}}"/usr/local/apache2/conf/
+          ln -s /etc/apache2/mime.types "${{targets.subpkgdir}}"/usr/local/apache2/conf/
+          ln -s /etc/apache2/magic "${{targets.subpkgdir}}"/usr/local/apache2/conf/
           ln -s /usr/lib/apache2/modules/ "${{targets.subpkgdir}}"/usr/local/apache2/
           ln -s /usr/share/apache2/default-site/htdocs "${{targets.subpkgdir}}"/usr/local/apache2/
           ln -s /usr/lib/cgi-bin/ "${{targets.subpkgdir}}"/usr/local/apache2/
@@ -169,39 +171,39 @@ subpackages:
           sed -ri \
             -e 's!^(\s*User)\s+daemon\s*$!\1 www-data!g' \
             -e 's!^(\s*Group)\s+daemon\s*$!\1 www-data!g' \
-            "${{targets.subpkgdir}}"/etc/httpd.conf
+            "${{targets.subpkgdir}}"/etc/apache2/httpd.conf
 
           # Modify CustomLog/ErrorLog and verify changes are applied
           sed -ri \
             -e 's!^(\s*CustomLog)\s+\S+!\1 /proc/self/fd/1!g' \
             -e 's!^(\s*ErrorLog)\s+\S+!\1 /proc/self/fd/2!g' \
             -e 's!^(\s*TransferLog)\s+\S+!\1 /proc/self/fd/1!g' \
-            "${{targets.subpkgdir}}"/etc/httpd.conf \
-            "${{targets.subpkgdir}}"/etc/extra/httpd-ssl.conf;
+            "${{targets.subpkgdir}}"/etc/apache2/httpd.conf \
+            "${{targets.subpkgdir}}"/etc/apache2/extra/httpd-ssl.conf;
 
           # Modify module config to match upstream docker
           sed -ri \
              -e '/LoadModule mpm_prefork_module/s/^/#/g' \
              -e '/LoadModule mpm_event_module/s/^#//g' \
-             "${{targets.subpkgdir}}"/etc/httpd.conf
+             "${{targets.subpkgdir}}"/etc/apache2/httpd.conf
 
           ### Modify other paths to match upstream default config
           sed -ri \
             -e 's!^(\s*ServerRoot)\s+\S+!\1 "/usr/local/apache2"!g' \
             -e 's|usr/lib/apache2/modules|modules|g' \
-            -e 's|etc/mime.types|conf/mime.types|g' \
+            -e 's|etc/apache2/mime.types|conf/mime.types|g' \
             -e 's|usr/share/apache2/default-site/htdocs|usr/local/apache2/htdocs|g' \
             -e 's|usr/lib/cgi-bin|usr/local/apache2/cgi-bin|g' \
-            -e 's|etc/extra|conf/extra|g' \
-            -e 's|etc/magic|conf/magic|g' \
-            "${{targets.subpkgdir}}"/etc/httpd.conf \
-            "${{targets.subpkgdir}}"/etc/extra/httpd-ssl.conf;
+            -e 's|etc/apache2/extra|conf/extra|g' \
+            -e 's|etc/apache2/magic|conf/magic|g' \
+            "${{targets.subpkgdir}}"/etc/apache2/httpd.conf \
+            "${{targets.subpkgdir}}"/etc/apache2/extra/httpd-ssl.conf;
 
           ### Modify other paths
           sed -ri \
             -e 's|etc/|usr/local/apache2/conf/|g' \
             -e 's|/var/run/apache2/|usr/local/apache2/logs/|g' \
-            "${{targets.subpkgdir}}"/etc/extra/httpd-ssl.conf;
+            "${{targets.subpkgdir}}"/etc/apache2/extra/httpd-ssl.conf;
     test:
       environment:
         contents:

diff --git a/apicurio-registry.yaml b/apicurio-registry.yaml
@@ -0,0 +1,119 @@
+package:
+  name: apicurio-registry
+  version: 3.0.4
+  epoch: 0
+  description: An API/Schema registry - stores APIs and Schemas
+  copyright:
+    - license: Apache-2.0
+  target-architecture:
+    - x86_64 # Currently, we can't build for aarch64: https://github.com/Apicurio/apicurio-registry/issues/5633
+
+environment:
+  contents:
+    packages:
+      - bash
+      - build-base
+      - busybox
+      - ca-certificates-bundle
+      - curl
+      - go
+      - icu
+      - maven
+      - nodejs-20
+      - npm
+      - openjdk-17
+      - openjdk-17-default-jvm
+      - openssf-compiler-options
+  environment:
+    JAVA_HOME: /usr/lib/jvm/java-17-openjdk
+
+pipeline:
+  - uses: git-checkout
+    with:
+      repository: https://github.com/Apicurio/apicurio-registry
+      tag: v${{package.version}}
+      expected-commit: f417d2192cdef84dc7587842d98ed721dc3901e3
+
+  - uses: patch
+    with:
+      patches: CVE-2024-31141.patch
+
+  - name: Build
+    runs: |
+      ./mvnw clean install \
+        -Pprod \
+        -DskipTests \
+        -T$(nproc)C \
+        --no-snapshot-updates \
+        --no-transfer-progress \
+        --fail-fast
+
+  - name: Install
+    runs: |
+      dest="${{targets.contextdir}}/usr/share/java/${{package.name}}"
+      mkdir -p "$dest"
+
+      install -Dm644 ./LICENSE "${dest}/LICENSE"
+      install -Dm644 ./README.md "${dest}/README.md"
+
+      tar -zxf ./app/target/apicurio-registry-app-${{package.version}}-all.tar.gz -C "$dest"
+      find . -type f -path "*/target/*-${{package.version}}.jar" -exec cp {} "$dest" \;
+      find . -type f -path "*/target/*-${{package.version}}-runner.jar" -exec cp {} "$dest" \;
+
+  - uses: strip
+
+subpackages:
+  - name: ${{package.name}}-ui
+    description: Web UI for Apicurio Registry (apicurio-registry-ui)
+    dependencies:
+      runtime:
+        - nodejs-20
+    pipeline:
+      - working-directory: ui
+        runs: |
+          npm install
+          npm audit fix --package-lock-only --legacy-peer-deps || true
+          npm run build
+
+          mkdir -p ${{targets.contextdir}}/opt/app-root/src
+          cp -r ui-app/dist/* ${{targets.contextdir}}/opt/app-root/src/
+
+update:
+  enabled: true
+  github:
+    identifier: Apicurio/apicurio-registry
+    use-tag: true
+    strip-prefix: v
+    tag-filter: v
+
+test:
+  environment:
+    contents:
+      packages:
+        - openjdk-17
+        - openjdk-17-default-jvm
+        - bash
+        - busybox
+        - curl
+        - jq
+    environment:
+      JAVA_HOME: /usr/lib/jvm/java-17-openjdk
+      DEST: /usr/share/java/apicurio-registry
+  pipeline:
+    - name: Validate essential JARs
+      runs: |
+        stat "$DEST/apicurio-registry-app-${{package.version}}.jar"
+        stat "$DEST/apicurio-registry-common-${{package.version}}.jar"
+        stat "$DEST/apicurio-registry-utils-tools-${{package.version}}.jar"
+    - name: Ensure lib dir
+      runs: stat "$DEST/lib"
+    - name: "Test runner"
+      uses: test/daemon-check-output
+      with:
+        start: "java -jar $DEST/apicurio-registry-app-${{package.version}}-runner.jar --server.port=8080"
+        timeout: 60
+        expected_output: |
+          constructed successfully
+          Initializing the Apicurio Registry
+        post: |
+          curl -s http://localhost:8080/apis/registry/v2 | grep -qi "Core Registry API"
diff --git a/apicurio-registry/CVE-2024-31141.patch b/apicurio-registry/CVE-2024-31141.patch
@@ -0,0 +1,26 @@
+From 496964795e4c1d2ec92c477dd5d1fe8f5dd59259 Mon Sep 17 00:00:00 2001
+From: Dentrax <furkan.turkal@chainguard.dev>
+Date: Sun, 1 Dec 2024 18:43:37 +0300
+Subject: [PATCH] CVE-2024-31141
+
+Signed-off-by: Dentrax <furkan.turkal@chainguard.dev>
+---
+ pom.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pom.xml b/pom.xml
+index d520217..aa5bda7 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -215,7 +215,7 @@
+     <jboss-slf4j.version>1.2.1.Final</jboss-slf4j.version>
+     <httpclient.version>4.5.14</httpclient.version>
+     <apicurio-common-rest-client.version>0.1.18.Final</apicurio-common-rest-client.version>
+-    <kafka-clients.version>3.6.0</kafka-clients.version>
++    <kafka-clients.version>3.7.1</kafka-clients.version>
+     <debezium.version>2.6.2.Final</debezium.version>
+     <pulsar-clients.version>3.3.1</pulsar-clients.version>
+     <commons-beanutils.version>1.9.4</commons-beanutils.version>
+-- 
+2.39.5 (Apple Git-154)
+
diff --git a/argo-events.yaml b/argo-events.yaml
@@ -1,21 +1,21 @@
 package:
   name: argo-events
-  version: 1.9.2
-  epoch: 2
+  version: 1.9.3
+  epoch: 0
   description: Event-driven Automation Framework for Kubernetes.
   copyright:
     - license: Apache-2.0
 
 pipeline:
   - uses: git-checkout
     with:
-      expected-commit: 8dd63f1305746e6503269a7675288b1f65e53df5
+      expected-commit: 9c8bda9ad1d46bf75e91b851d2265acbf704efbc
       repository: https://github.com/argoproj/argo-events
       tag: v${{package.version}}
 
   - uses: go/bump
     with:
-      deps: github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.6.0 github.com/hashicorp/go-retryablehttp@v0.7.7 github.com/golang-jwt/jwt/v4@v4.5.1
+      deps: github.com/hamba/avro/v2@v2.13.0
       replaces: github.com/whilp/git-urls=github.com/chainguard-dev/git-urls@v1.0.2 github.com/hamba/avro=github.com/hamba/avro/v2@v2.13.0
 
   - uses: go/build

diff --git a/argo-workflows.yaml b/argo-workflows.yaml
@@ -1,7 +1,7 @@
 package:
   name: argo-workflows
-  version: 3.6.0
-  epoch: 1
+  version: 3.6.2
+  epoch: 0
   description: Workflow engine for Kubernetes.
   copyright:
     - license: Apache-2.0
@@ -21,14 +21,10 @@ environment:
 pipeline:
   - uses: git-checkout
     with:
-      expected-commit: b26ed4aa4dee395844531efa4a76a022183bec22
+      expected-commit: 741ab0ef7b6432925e49882cb4294adccf5912ec
       repository: https://github.com/argoproj/argo-workflows
       tag: v${{package.version}}
 
-  - uses: go/bump
-    with:
-      deps: github.com/golang-jwt/jwt/v4@v4.5.1
-
   - uses: patch
     with:
       patches: CVE-GHSA-grv7-fg5c-xmjg-ui-upgrade-braces-to-3.0.3.patch

diff --git a/aws-c-common.yaml b/aws-c-common.yaml
@@ -1,6 +1,6 @@
 package:
   name: aws-c-common
-  version: 0.10.3
+  version: 0.10.5
   epoch: 0
   description: Core c99 package for AWS SDK for C including cross-platform primitives, configuration, data structures, and error handling
   copyright:
@@ -20,7 +20,7 @@ environment:
 pipeline:
   - uses: git-checkout
     with:
-      expected-commit: 63187b976a482309e23296c5f967fc19c4131746
+      expected-commit: fadfef492042ae53387d4369a6de652c930a5be4
       repository: https://github.com/awslabs/aws-c-common
       tag: v${{package.version}}