
ci(rds): rebuild gosu + strip mysqlsh to clear Trivy CVE findings#823

Merged
vieiralucas merged 3 commits intomainfrom
worktree-trivy-gosu-rebuild
Apr 28, 2026

Conversation

@vieiralucas (Member) commented Apr 28, 2026

Summary

  • Validation workflow_dispatch against the supply-chain pipeline (run 25058211125) confirmed builds + manifest merge + cosign signing all work end-to-end. Trivy scan caught two classes of upstream-base-image CVEs that would block any future v* tag publish:
    • gosu in postgres/mysql/mariadb statically linked against go1.24.6 stdlib (8 HIGH + 1 CRITICAL).
    • mysqlsh's vendored Python in mysql:8.0 ships pyOpenSSL 25.3.0 (1 HIGH).
  • Fix: add a tiny golang:1.25-bookworm builder stage that compiles gosu@v1.17 fresh and copies it over the upstream binary; remove the unused mysql-shell package + /usr/lib/mysqlsh from the mysql image (we drive the server over the wire from mysql_async, mysqlsh is never invoked).

Test plan

  • CI green on PR (paths-filtered dry-run build for all 8 engine×version × 2 arch combos)
  • Cubic clean
  • After merge: re-run workflow_dispatch on RDS support images, confirm Trivy scan exits 0 and cosign signing still succeeds
  • Then proceed to v0.13.2 release tag

Summary by cubic

Rebuilds gosu from source, removes mysql-shell, and fixes Dockerfile ARG scoping to clear Trivy CVEs in Postgres/MySQL/MariaDB images and unblock release builds.

  • Bug Fixes
    • Rebuilt gosu in a golang:1.25-bookworm stage and overwrote /usr/local/bin/gosu in all engines; hoisted version ARGs above the first FROM; pinned gosu via a Go module pseudo-version for the 1.19 commit to avoid tag resolution issues.
    • Removed mysql-shell and /usr/lib/mysqlsh from the MySQL image to drop vulnerable pyOpenSSL; mysqlsh is not used by our runtime.

Written for commit 82de3fe.

The first workflow_dispatch validation of the supply-chain pipeline
caught two real classes of upstream-base-image CVEs that block any
v* release:

1. /usr/local/bin/gosu in postgres/mysql/mariadb is statically linked
   against go1.24.6 stdlib — Trivy flags 8 HIGH + 1 CRITICAL CVEs
   (TLS, net/url, archive/zip, crypto/x509). gosu upstream is rarely
   re-released, so we cannot wait for the chain to refresh.

2. mysql:8.0 ships /usr/lib/mysqlsh/lib/python3.13/site-packages/
   with pyOpenSSL 25.3.0 (CVE-2026-27459, fixed in 26.0.0). mysqlsh
   itself is never invoked by our runtime — we drive over the wire
   from `mysql_async`.

Fix:
- Add a `golang:1.25-bookworm` builder stage to each engine Dockerfile,
  build gosu@v1.17 from source with current Go, and overwrite the
  upstream binary at `/usr/local/bin/gosu`.
- Remove `mysql-shell` package + `/usr/lib/mysqlsh` from the mysql
  image. The runtime never uses it.

Verified locally that the new Dockerfiles still build for both arches
via the workflow's PR-path dry run; full validation will land via a
follow-up `workflow_dispatch` once merged.

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 3 files

@codecov

codecov Bot commented Apr 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


Multi-stage Dockerfiles need their version ARG declared before any
FROM directive so the substitution is available across all stages.
Putting ARG between two FROM lines scopes it to the preceding stage
only — the second FROM saw an empty value and buildx errored with
'failed to parse stage name postgres:'.

gosu releases are tagged `1.17`/`1.19` etc — no `v` prefix —
so go modules resolves `@v1.17` to nothing. Use the proxy-blessed
pseudo-version for the 1.19 release commit instead.
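The three points above (a `golang:1.25-bookworm` builder stage that rebuilds gosu, version ARGs hoisted above the first FROM, and a Go module pseudo-version rather than `@v1.17`) fit together in one Dockerfile. The following is an added illustration written for this review, not a Dockerfile from the PR or the project; `POSTGRES_VERSION`, `GOSU_MODULE_VERSION` and the builder stage name are assumed names, and the pseudo-version value is a placeholder because the page does not state the real one (the real value for a given release commit can be resolved with `go list -m github.com/tianon/gosu@<commit-sha>` against the module proxy).

```dockerfile
# syntax=docker/dockerfile:1
#
# Version ARGs are declared before the first FROM so that every stage can
# substitute them. An ARG placed between two FROM lines belongs to the stage
# it follows, and the next FROM would see an empty value (the buildx error
# quoted in the commit message above).
ARG POSTGRES_VERSION=16
# Placeholder: gosu tags carry no "v" prefix (1.17, 1.19), so "@v1.19" does
# not resolve as a module version. Pin the release commit via its
# pseudo-version instead, e.g. the output of
#   go list -m github.com/tianon/gosu@<release-commit-sha>
ARG GOSU_MODULE_VERSION=v0.0.0-00000000000000-000000000000

# --- Builder stage: compile gosu against the current Go stdlib -------------
FROM golang:1.25-bookworm AS gosu-builder
# A global ARG must be re-declared (without a value) inside any stage that
# reads it; the value set above the first FROM is picked up automatically.
ARG GOSU_MODULE_VERSION
# Static binary, so it runs in the runtime image without a matching libc.
ENV CGO_ENABLED=0
RUN go install github.com/tianon/gosu@${GOSU_MODULE_VERSION}
# Sanity check before the copy: the binary runs, and its embedded build info
# names the toolchain that produced it (this is what the scanner inspects).
RUN /go/bin/gosu --version && go version -m /go/bin/gosu

# --- Runtime stage: upstream image with the rebuilt gosu dropped in --------
FROM postgres:${POSTGRES_VERSION}
# Overwrite the upstream binary in place so entrypoint scripts keep working.
COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu
# Confirm the replaced binary still drops privileges correctly.
RUN chmod 0755 /usr/local/bin/gosu && gosu nobody true
```

After the image is built, a scan that mirrors the release gate in the test plan is `trivy image --severity HIGH,CRITICAL --exit-code 1 <image>`; the gosu findings attributed to the go1.24.6 stdlib should no longer appear, because the embedded build info now names the toolchain from the builder stage.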
@vieiralucas vieiralucas merged commit df00f0f into main Apr 28, 2026
91 of 98 checks passed
@vieiralucas vieiralucas deleted the worktree-trivy-gosu-rebuild branch April 28, 2026 16:03