[TT-9987] [4-lts] Fix plugin compiler cves (#5578)

https://tyktech.atlassian.net/browse/TT-9987 --------- Co-authored-by: Tit Petric <[email protected]>
TykTechnologies · Oct 5, 2023 · 77a1362 · 77a1362
1 parent 06fcdde
commit 77a1362
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 7 deletions.
diff --git a/Taskfile.yml b/Taskfile.yml
@@ -0,0 +1,20 @@
+---
+version: "3"
+
+tasks:
+  plugin-compiler:
+    desc: "Build and test plugin compiler"
+    cmds:
+      - task: plugin-compiler:build
+      - task: plugin-compiler:test
+
+  plugin-compiler:build:
+    desc: "Build plugin compiler"
+    cmds:
+      - docker build --progress=plain --no-cache --build-arg GOLANG_CROSS=1.15-el7 -t internal/plugin-compiler-el7 -f ci/images/plugin-compiler/Dockerfile .
+      - docker build --progress=plain --no-cache --build-arg GOLANG_CROSS=1.15 -t internal/plugin-compiler -f ci/images/plugin-compiler/Dockerfile .
+
+  plugin-compiler:test:
+    desc: "Test plugin compiler"
+    cmds:
+      - echo "Not implemented"
diff --git a/ci/goreleaser/goreleaser-el7.yml b/ci/goreleaser/goreleaser-el7.yml
@@ -156,8 +156,6 @@ dockers:
   goos: linux
   dockerfile: ci/images/plugin-compiler/Dockerfile
   extra_files:
-    - ci/images/plugin-compiler
-    - go.mod
     - apidef
     - certs
     - checkup
@@ -170,6 +168,7 @@ dockers:
     - gateway
     - goplugin
     - headers
+    - internal
     - log
     - regexp
     - request
@@ -182,7 +181,10 @@ dockers:
     - testdata
     - trace
     - user
-    - internal
+    - go.mod
+    - go.sum
+    - main.go
+    - ci/images/plugin-compiler
 
 checksum:
   disable: true

diff --git a/ci/goreleaser/goreleaser.yml b/ci/goreleaser/goreleaser.yml
@@ -190,8 +190,6 @@ dockers:
   goos: linux
   dockerfile: ci/images/plugin-compiler/Dockerfile
   extra_files:
-    - ci/images/plugin-compiler
-    - go.mod
     - apidef
     - certs
     - checkup
@@ -204,6 +202,7 @@ dockers:
     - gateway
     - goplugin
     - headers
+    - internal
     - log
     - regexp
     - request
@@ -216,7 +215,10 @@ dockers:
     - testdata
     - trace
     - user
-    - internal
+    - go.mod
+    - go.sum
+    - main.go
+    - ci/images/plugin-compiler
 
 docker_manifests:
   - name_template: tykio/tyk-gateway:{{ .Tag }}

diff --git a/ci/images/plugin-compiler/Dockerfile b/ci/images/plugin-compiler/Dockerfile
@@ -3,6 +3,9 @@ ARG GOLANG_CROSS=1.15
 FROM tykio/golang-cross:${GOLANG_CROSS}
 LABEL description="Image for plugin development"
 
+ARG GOLANG_CROSS=1.15
+ENV GOLANG_CROSS ${GOLANG_CROSS}
+
 ENV TYK_GW_PATH=/go/src/github.com/TykTechnologies/tyk
 
 ENV GO111MODULE=on
@@ -13,11 +16,23 @@ ENV PLUGIN_SOURCE_PATH=/plugin-source
 
 RUN mkdir -p  $TYK_GW_PATH $PLUGIN_SOURCE_PATH
 
+RUN apt-get purge --auto-remove -y mercurial ruby-dev 'python*' 'libpython*' openssh-client
+
+# Update sources list to point to archive.debian.org (EOL)
+# COPY ci/images/plugin-compiler /tmp/plugin-compiler
+# RUN bash -c "cp /tmp/plugin-compiler/sources.list/$(lsb_release -cs) /etc/apt/sources.list"
+
+RUN if [ "${GOLANG_CROSS}" = "1.15" ]; then apt-get update ; apt-get -y dist-upgrade; fi
+
+# Ensure git remains installed (required)
+RUN git --version
+
+RUN rm /usr/bin/passwd && rm /usr/sbin/adduser
+
 COPY ci/images/plugin-compiler/data/build.sh /build.sh
 RUN chmod +x /build.sh
 
 COPY . $TYK_GW_PATH
 RUN cd $TYK_GW_PATH && go mod vendor
 
 ENTRYPOINT ["/build.sh"]
-