
Fix critical CVEs in image-builder-bob: bump buildkit base to v0.20.1-gitpod.7#21414

Merged
geropl merged 1 commit intomainfrom
ona/clc-2245-bump-buildkit-cves
Apr 26, 2026

Conversation

@geropl
Member

@geropl geropl commented Apr 25, 2026

Description

Bumps the pinned buildkit base image used by components/image-builder-bob:docker from v0.20.1-gitpod.6 to v0.20.1-gitpod.7, which rebases on Alpine 3.23 and Go 1.26.2.

This clears the two critical CVEs that the daily scheduled Build workflow's Check for Critical Vulnerabilities step has been failing on:

| CVE | Package | Installed (gitpod.6) | Fixed (gitpod.7) |
|---|---|---|---|
| CVE-2026-31789 (Critical) | Alpine libssl3 / libcrypto3 | 3.5.5-r0 | rebased to Alpine 3.23 |
| CVE-2025-68121 (Critical) | Go stdlib (crypto/tls) | go1.22.4 (in moby/buildkit) | Go 1.26.2 |

Verified locally with grype: the new image has zero critical Alpine apk vulnerabilities. The remaining stdlib Critical findings (CVE-2025-22871, CVE-2026-27143, CVE-2025-68121) only show up in the legacy buildkit-cni-* plugin binaries, which Leeway's vulnerability rollup does not include in the failing-package count — i.e. the same scope as before, minus the two we set out to fix.

Related Issue(s)

Refs CLC-2245

How to test

Trigger the Build workflow with simulate_scheduled_run=true (or wait for the next nightly schedule) and confirm Check for Critical Vulnerabilities passes for components/image-builder-bob:docker.

Preview status

gitpod:summary

Build Options

Build
  • /werft with-werft
    Run the build with werft instead of GHA
  • leeway-no-cache
  • /werft no-test
    Run Leeway with --dont-test
Publish
  • /werft publish-to-npm
  • /werft publish-to-jb-marketplace
Installer
  • analytics=segment
  • with-dedicated-emulation
  • workspace-feature-flags
Preview Environment / Integration Tests
  • /werft with-local-preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-gce-vm
  • /werft preemptible
  • with-integration-tests=all
  • with-monitoring
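As an added illustration of the vulnerability gate described in this PR (example code, not part of the PR, of Leeway, or of grype): a Python check over a constructed grype-style JSON report that keeps only Critical findings and, as an assumption about the rollup's scope, sets aside those located solely in buildkit-cni-* plugin binaries. The JSON field names follow grype's report schema; the file paths, the busybox entry and CVE-0000-0000 are constructed placeholders.

```python
import json

# Constructed grype-style JSON (not real scanner output). Field names follow
# grype's JSON schema; paths, the busybox entry and CVE-0000-0000 are placeholders.
BEFORE_UPGRADE = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2026-31789", "severity": "Critical"},
     "artifact": {"name": "libssl3", "version": "3.5.5-r0", "type": "apk",
                  "locations": [{"path": "/lib/apk/db/installed"}]}},
    {"vulnerability": {"id": "CVE-2025-68121", "severity": "Critical"},
     "artifact": {"name": "stdlib", "version": "go1.22.4", "type": "go-module",
                  "locations": [{"path": "/usr/bin/buildkitd"}]}},
    {"vulnerability": {"id": "CVE-2025-22871", "severity": "Critical"},
     "artifact": {"name": "stdlib", "version": "go1.22.4", "type": "go-module",
                  "locations": [{"path": "/opt/cni/bin/buildkit-cni-bridge"}]}},
    {"vulnerability": {"id": "CVE-0000-0000", "severity": "High"},
     "artifact": {"name": "busybox", "version": "1.36.1-r0", "type": "apk",
                  "locations": [{"path": "/lib/apk/db/installed"}]}},
]})

# After the bump only the legacy CNI plugin finding is left (constructed).
AFTER_UPGRADE = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2025-22871", "severity": "Critical"},
     "artifact": {"name": "stdlib", "version": "go1.22.4", "type": "go-module",
                  "locations": [{"path": "/opt/cni/bin/buildkit-cni-bridge"}]}},
]})

IGNORED_BINARY_PREFIXES = ("buildkit-cni-",)  # assumption about the rollup's scope

def critical_findings(report_json):
    """Split Critical matches into (gating, excluded) lists of (cve, pkg, version).
    A non-apk match is excluded only when every location it was found in is a
    binary whose basename starts with an ignored prefix; apk packages always gate."""
    gating, excluded = [], []
    for m in json.loads(report_json)["matches"]:
        if m["vulnerability"]["severity"] != "Critical":
            continue
        art = m["artifact"]
        entry = (m["vulnerability"]["id"], art["name"], art["version"])
        names = [loc["path"].rsplit("/", 1)[-1] for loc in art.get("locations", [])]
        if art["type"] != "apk" and names and all(
                n.startswith(IGNORED_BINARY_PREFIXES) for n in names):
            excluded.append(entry)
        else:
            gating.append(entry)
    return gating, excluded

def gate_passes(report_json):
    """True when no Critical finding is in gating scope."""
    return not critical_findings(report_json)[0]
```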

…-gitpod.7

Upgrades the pinned buildkit base image to pull in:
- CVE-2026-31789 (Critical) — OpenSSL libssl3/libcrypto3 in Alpine
- CVE-2025-68121 (Critical) — Go crypto/tls session resumption

Both criticals were tripping the daily scheduled vulnerability gate in
`Build / Build Gitpod / Check for Critical Vulnerabilities` against
`components/image-builder-bob:docker`. The new tag rebases on Alpine
3.23 and Go 1.26.2 in upstream BuildKit.

Refs CLC-2245.

Co-authored-by: Ona <no-reply@ona.com>
@geropl geropl requested a review from a team as a code owner April 25, 2026 05:43
@geropl geropl deployed to branch-build April 25, 2026 05:44 — with GitHub Actions Active
@geropl geropl merged commit 3bae73a into main Apr 26, 2026
15 checks passed
@geropl geropl deleted the ona/clc-2245-bump-buildkit-cves branch April 26, 2026 07:57

3 participants