
How do I remediate a critical vulnerability in my Docker image?


My Dockerfile is pretty simple, code below. It is an Angular App. Once I merge the code to my main branch, CodePipeline takes over: CodeBuild builds the image and pushes it to ECR, and CodeDeploy uses that image to deploy the ECS Fargate tasks. Everything works fine. But this image has 1 critical vulnerability: CVE-2021-22945 (curl).

node14:14182alpine312 is basically built FROM node:14.18.2-alpine3.12, and nginx:latest is built FROM nginx:latest.

# Build stage: install git, fetch dependencies and build the Angular app
FROM <awsaccountid>.dkr.ecr.<region>.amazonaws.com/node14:14182alpine312 as builder
WORKDIR /app
COPY ./hello-world-web/ /app/
RUN apk add --no-cache git
RUN npm install
RUN npm run build

# Runtime stage: serve the built files from nginx
FROM <awsaccountid>.dkr.ecr.<region>.amazonaws.com/nginx:latest
COPY --from=builder /app/dist/hello-world-web /usr/share/nginx/html
COPY --from=builder /app/nginx.conf /etc/nginx/conf.d/default.conf
EXPOSE 80

The tool that scans the ECR repo mentions the vulnerability is in Layer 0. Can I run any script while building the image that would fix this? Individually, the node and nginx images do not have this critical vulnerability. It seems like it could be introduced when npm install is run. Any help to remediate this is much appreciated.


Solution

  • I see that libcurl is pulled in by apk add git (click "depends"): https://pkgs.alpinelinux.org/package/edge/main/x86/git

    But on alpine 3.12 the libcurl version is 7.79.1, which is not affected by the CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-22945

    Maybe run apk update before apk add and see if it pulls in the right version?
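As an added example, not code from the question or the answer above: a POSIX shell script that checks whether the libcurl package inside an Alpine-based image (as listed by apk info -v) is below the fixed curl version for CVE-2021-22945, so the apk update advice can be verified before the image is pushed. It assumes the fix landed in curl 7.79.0 (the page only states that 7.79.1 is unaffected) and that the docker CLI is available for the audit_image helper; the sample package list is constructed.

```shell
#!/bin/sh
# Added example (not from the question or answer): flag an Alpine libcurl package
# older than the CVE-2021-22945 fix. Assumption: the fix shipped in curl 7.79.0.
FIXED_VERSION="7.79.0"

# vercmp A B: print -1, 0 or 1 for dotted numeric versions (7.78.0 < 7.79.1).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# pkg_version LINE: upstream version from an "apk info -v" line such as
# "libcurl-7.79.1-r0" (the -rN Alpine revision is dropped).
pkg_version() { v="${1#libcurl-}"; printf '%s\n' "${v%-r*}"; }

# is_affected VERSION: exit 0 when VERSION is older than FIXED_VERSION.
is_affected() { [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]; }

# report: read "apk info -v" output on stdin, print a verdict per libcurl line,
# return 1 if any affected version was seen.
report() {
    rc=0
    while IFS= read -r line; do
        case "$line" in libcurl-[0-9]*) ;; *) continue ;; esac
        v="$(pkg_version "$line")"
        if is_affected "$v"; then echo "AFFECTED  libcurl $v (fix: $FIXED_VERSION)"; rc=1
        else echo "ok        libcurl $v"; fi
    done
    return $rc
}

# audit_image IMAGE: list the packages inside a built image and run report on them.
audit_image() { docker run --rm --entrypoint apk "$1" info -v | report; }

# Constructed sample (not captured from a real image) so the script runs offline;
# pass an image name as $1 to audit a real image instead.
SAMPLE='busybox-1.31.1-r21
libcurl-7.78.0-r0
git-2.26.3-r0'
if [ -n "${1:-}" ]; then audit_image "$1"
else printf '%s\n' "$SAMPLE" | report || echo "remediate: apk update && apk upgrade libcurl"; fi
```

Run it against the builder stage (e.g. build that stage with --target builder and pass the tag) as well as the final image, since the scanner's Layer 0 finding does not tell you which stage pulled the package in.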