Drone

Alpine:3.9 includes musl version vulnerable to CVE-2019-14697

The docker containers are based on the alpine:3.9 image, which includes a version of musl libc vulnerable to CVE-2019-14697. Suggest updating to recent version of the alpine image that includes an up to date version of musl.

Just a side note that Drone is statically compiled with gcc (not musl) and does not interact with any packages or binaries in the alpine container (Drone would happily run in an empty scratch container). The CVE in musl does not pose a threat to existing Drone installations.

GCC is a compiler, musl is a libc implementation, entirely different. In any case, AFAICT Drone is in fact compiled using the Go compiler, so GCC is not involved anywhere.

As such, and since drone is not compiled in a scratch container, unless Drone is compiled with CGO disabled (itโ€™s not according to the Taskfile), it is linked against libc, which is used in Go for name resolution, for example. That being the case, it may still not be possible to exercise this vuln in a Go application, but I canโ€™t be certain of that. A simple update of the base image in the Dockerfile(s) would remove any doubt though (and remove the flag from my container vuln scanner).

Drone uses cgo which under the hood uses gcc as the default C compiler, which is required because the project depends on libsqlite3. The binary does, however, use the pure Go DNS resolver as opposed to CGO for name resolution, nsswitch, etc. The binary is compiled on debian (glibc) and is statically linked. There is no build or runtime dependency on musl. This is more of an aside, but the Taskfile is not used to build the official binary.

I agree the Alpine image should be updated to prevent being flagged by scanners, even though the CVE should not impact Drone. My preference would be to take it one step further and switch to scratch instead of Alpine (which was used previously) to avoid any such issues going forward, but that is not my decision to make.

Time for a Github issue then?

I think next step is for someone to send a pull request to update the Alpine version, please.