From 2c78144302ec66a23df5852d7a25c0b88d3e89ad Mon Sep 17 00:00:00 2001
From: Lucas Vieira
Date: Tue, 28 Apr 2026 13:46:53 -0300
Subject: [PATCH] fix(rds): apt-get upgrade base image packages to clear stale CVE patches
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The first post-fix supply-chain validation showed only postgres:13 flagged 35 (HIGH+CRITICAL) Trivy findings — openssl 3.5.1, glibc 2.41-12, dirmngr — all of which already have patched versions on the same Debian 13 release. The upstream `postgres:` tags sometimes lag by a security DB cycle, so we run `apt-get upgrade` during image build to pull the patched packages directly. Apply the same to mysql + mariadb so future stale upstream releases do not block the next supply-chain validation.
---
 crates/fakecloud-rds/assets/mariadb/Dockerfile | 1 +
 crates/fakecloud-rds/assets/mysql/Dockerfile | 1 +
 crates/fakecloud-rds/assets/postgres/Dockerfile | 6 ++++++
 3 files changed, 8 insertions(+)

diff --git a/crates/fakecloud-rds/assets/mariadb/Dockerfile b/crates/fakecloud-rds/assets/mariadb/Dockerfile
index 2d0d68b1..ece2c0f8 100644
--- a/crates/fakecloud-rds/assets/mariadb/Dockerfile
+++ b/crates/fakecloud-rds/assets/mariadb/Dockerfile
@@ -26,6 +26,7 @@ RUN chmod 0755 /usr/local/bin/gosu
 # symmetric with the mysql Dockerfile means a single source of truth
 # for the build rule.
 RUN apt-get update \
+ && apt-get upgrade -y --no-install-recommends \
 && apt-get install -y --no-install-recommends \
 gcc make libcurl4-openssl-dev libc6-dev ca-certificates curl \
 && rm -rf /var/lib/apt/lists/*
diff --git a/crates/fakecloud-rds/assets/mysql/Dockerfile b/crates/fakecloud-rds/assets/mysql/Dockerfile
index 3ff17e12..87d8fa6e 100644
--- a/crates/fakecloud-rds/assets/mysql/Dockerfile
+++ b/crates/fakecloud-rds/assets/mysql/Dockerfile
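Review bot: The added `apt-get upgrade` line ties the image's package set to whatever the Debian mirror serves at build time, so the clean Trivy result the commit message describes holds only until the next security-DB cycle unless the image is rebuilt; an image built once and left on the registry drifts back to flagged exactly like the upstream tag did. Nothing in the hunk records what the upgrade pulled in, and the `FROM` line is outside the hunk, so two builds of the same Dockerfile can ship different openssl/glibc versions and the supply-chain validation cannot tell which one it scanned. I would state that trade-off next to the line, e.g. `# upgrade pins nothing: the package set is whatever the mirror serves at build time, so rebuild on a schedule (or after each Debian advisory) or the clean scan result rots.` If the pipeline already emits an SBOM for the built image or pins a Debian snapshot date, that lives outside the hunk and only the comment is missing.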
@@ -52,6 +52,7 @@ RUN set -eux; \
 microdnf clean all; \
 elif command -v apt-get >/dev/null 2>&1; then \
 apt-get update; \
+ apt-get upgrade -y --no-install-recommends; \
 apt-get install -y --no-install-recommends \
 gcc make libcurl4-openssl-dev libc6-dev ca-certificates; \
 rm -rf /var/lib/apt/lists/*; \
diff --git a/crates/fakecloud-rds/assets/postgres/Dockerfile b/crates/fakecloud-rds/assets/postgres/Dockerfile
index bf9286dd..8be82a81 100644
--- a/crates/fakecloud-rds/assets/postgres/Dockerfile
+++ b/crates/fakecloud-rds/assets/postgres/Dockerfile
@@ -24,7 +24,13 @@ ARG PG_VERSION
 COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu
 RUN chmod 0755 /usr/local/bin/gosu
 
+# `apt-get upgrade` pulls in patched OS packages (openssl, glibc, dirmngr…)
+# which sometimes lag behind on the upstream `postgres:` tag —
+# Trivy flags those as HIGH/CRITICAL even when fixes are available in
+# the same Debian release. Running upgrade keeps the published image
+# clean against the latest debian13 security DB at build time.
 RUN apt-get update \
+ && apt-get upgrade -y --no-install-recommends \
 && apt-get install -y --no-install-recommends \
 postgresql-plpython3-${PG_VERSION} \
 ca-certificates \
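Review bot: Only the `apt-get` branch of the `RUN set -eux` block gains an upgrade step; the `microdnf` branch that ends with `microdnf clean all; \` just above the `elif` is left untouched, so if the upstream `mysql:` tag in use is the Oracle Linux variant that takes that branch, the image gets none of the CVE catch-up the commit message says is being applied to mysql. The block starts before the hunk, so the microdnf branch may already run an update; if it does not, add `microdnf update -y; \` (or `microdnf upgrade -y`, depending on the base's microdnf version) ahead of `microdnf clean all; \`. Either way a one-line comment on the `elif` saying which base image each branch is expected to serve would make the asymmetry deliberate rather than accidental.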
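Review bot: `apt-get upgrade` never installs a package that is not already present, so a security update whose new version introduces a new dependency is held back rather than applied and Trivy keeps flagging it; for the same reason `--no-install-recommends` is inert on `upgrade`. If the intent in the new comment is to track the Debian security archive, `&& apt-get full-upgrade -y --no-install-recommends \` (`dist-upgrade` on older apt) is the variant that follows changed dependencies, at the cost of possibly removing a conflicting package, which is usually acceptable in a throwaway image layer but worth a line in the comment. The new comment also pins its rationale to `debian13` and a specific package list, both of which will be wrong after the next base bump; I would shorten it to the general point (upstream tags lag the security archive, so upgrade at build time) and leave the versions in the commit message. The `RUN` chain continues past the end of the hunk.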