From 62b74ac72ed16d7d1d8b3fa1564b432828e28be2 Mon Sep 17 00:00:00 2001
From: Adam Daw
Date: Tue, 12 May 2026 20:13:07 -0400
Subject: [PATCH 1/2] fix: remove pebble from image to eliminate Go 1.26.2 stdlib CVEs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

pebble (Canonical's container init system) is shipped in ubuntu:26.04 but is not used here — CMD is make all. Five newly-published HIGH CVEs in Go 1.26.2 stdlib (DNS, HTTP/2, email parsing; fixed in Go 1.26.3) are carried into the image solely via this binary. Removing pebble eliminates the vulnerability surface rather than suppressing it in .trivyignore.
---
 Dockerfile | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 0ff4eee..20a6b68 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -57,6 +57,13 @@ exit 1
 EOF
 RUN chmod +x /usr/local/bin/apt-retry
 
+# pebble is Canonical's container init system shipped in the ubuntu base image.
+# It is not used here (CMD is make all). Remove it to eliminate Go stdlib CVEs
+# it would otherwise carry into the image (the vulnerable DNS, HTTP/2, and email
+# parsing code paths are never reached by this build pipeline).
+RUN apt-get remove -y --purge pebble \
+ && rm -rf /var/lib/apt/lists/*
+
 # Base utilities — curl used throughout (not wget) for consistency; -fsSL flags enforce
 # error detection (-f: fail on HTTP error), silent output, and redirect following.
 # --no-install-recommends: excludes optional packages not required at runtime, reducing
From a10d6c04b2268f2f19c0d2cb35acb60811712578 Mon Sep 17 00:00:00 2001
From: Adam Daw
Date: Tue, 12 May 2026 20:21:30 -0400
Subject: [PATCH 2/2] fix: use rm -f to remove pebble (not tracked by dpkg in ubuntu:26.04)

apt-get remove fails with 'Unable to locate package pebble' because ubuntu:26.04 ships the pebble binary directly into the image layer rather than installing it via apt. Switch to a direct rm -f.
---
 Dockerfile | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 20a6b68..a6cfded 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -57,12 +57,12 @@ exit 1
 EOF
 RUN chmod +x /usr/local/bin/apt-retry
 
-# pebble is Canonical's container init system shipped in the ubuntu base image.
-# It is not used here (CMD is make all). Remove it to eliminate Go stdlib CVEs
-# it would otherwise carry into the image (the vulnerable DNS, HTTP/2, and email
-# parsing code paths are never reached by this build pipeline).
-RUN apt-get remove -y --purge pebble \
- && rm -rf /var/lib/apt/lists/*
+# pebble is Canonical's container init system baked into the ubuntu base image
+# as a raw binary (not tracked by dpkg, so apt-get remove fails). It is not
+# used here (CMD is make all). Remove it to eliminate Go stdlib CVEs it would
+# otherwise carry into the image (DNS, HTTP/2, and email parsing code paths
+# that are never reached by this build pipeline).
+RUN rm -f /usr/bin/pebble
 
 # Base utilities — curl used throughout (not wget) for consistency; -fsSL flags enforce
 # error detection (-f: fail on HTTP error), silent output, and redirect following.
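Review bot: The `-f` on the new `RUN rm -f /usr/bin/pebble` line turns a wrong path into a silent no-op, so if the binary lives elsewhere or a later base-image update moves it, the CVEs this series exists to remove would quietly stay in the image — and the first patch already failed on a wrong assumption about how pebble is shipped. Drop the `-f` so a missing path fails the build, and assert nothing else answers to the name afterwards: `RUN rm /usr/bin/pebble && ! command -v pebble >/dev/null`. Note also that deleting a file in a later layer does not remove it from the base layer that ships it: the merged rootfs no longer has it (which is what matters at runtime, and presumably what the Trivy scan looks at), but the bytes are still pulled with the image and a layer-aware scanner may still report them; only a multi-stage copy onto a fresh base, or squashing, truly drops it. It would help to record in the comment which scanner finding and Go version this answers, e.g. `# (Trivy: Go 1.26.2 stdlib HIGHs, fixed in 1.26.3 — revisit when the base image is bumped)`, so the removal can be re-evaluated instead of lingering as cargo cult.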