Skip to content

feat(cves): add SD v1.35.0 scan and fix Copa patching issues#429

Merged
stefanoghinelli merged 10 commits into
mainfrom
feat/cves-add-1.35.0
Jul 9, 2026
Merged

feat(cves): add SD v1.35.0 scan and fix Copa patching issues#429
stefanoghinelli merged 10 commits into
mainfrom
feat/cves-add-1.35.0

Conversation

@stefanoghinelli

@stefanoghinelli stefanoghinelli commented Jun 26, 2026

Copy link
Copy Markdown
Member

This PR:

  • Covers SD v1.35.0 with kind EKSCluster to include AWS and module images; removes files for digests and versions no longer maintained
  • Changes the Copa helper base image from debian:12-slim to stable-slim to support SD v1.35.0 debian 13 images for fluent-bit:5.0.5
  • Adds Bookworm apt sources to Dockerfile.copacetic-helper so a single helper covers both Bookworm (SD v1.32–v1.34) and Trixie (SD v1.35+) targets, because Copa calls apt-get download with the exact version from Trivy
  • Updates the pinned digest in copacetic-source-policy.json to the new helper image
  • Fixes "error occurred:" to the acceptable Copa errors list in patch_images_with_copacetic.sh; the existing "errors occurred:" ( in plural) pattern never matched it
  • Updates the MAINTENANCE.md

Tests:

  • CVEs pipeline passes on this branch
  • fluent-bit:5.0.5 is patched successfully

@stefanoghinelli stefanoghinelli self-assigned this Jun 26, 2026
@stefanoghinelli stefanoghinelli marked this pull request as ready for review June 26, 2026 07:32
@stefanoghinelli stefanoghinelli changed the title feat(cves): add SD v1.34.1 for CVE patching feat(cves): add SD v1.35.0 for CVE patching Jun 26, 2026
The pinned Copa helper image (beb2a013...) was built in October 2025 from
ghcr.io/project-copacetic/copacetic/debian:12-slim, which predates the Debian
Bookworm t64 transition. Packages like libssl3t64, libcurl4t64, libssh2-1t64
were renamed in Bookworm but not available in the old helper's apt cache,
causing apt-get download to fail with "Unable to locate package".
…ebian release patching

Copa calls  with the exact version from Trivy, so
packages from different Debian releases are unambiguous with multiple sources configured.
The helper now covers both Bookworm (SD v1.32.0–v1.34.1) and Trixie (SD v1.35.0+)
targets with a single image. Updated pinned digest in copacetic-source-policy.json.
@stefanoghinelli stefanoghinelli changed the title feat(cves): add SD v1.35.0 for CVE patching feat(cves): add SD v1.35.0 scan and fix Copa patching issues Jul 9, 2026

@ralgozino ralgozino left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@stefanoghinelli stefanoghinelli merged commit 7c80ce0 into main Jul 9, 2026
289 of 292 checks passed
@stefanoghinelli stefanoghinelli deleted the feat/cves-add-1.35.0 branch July 9, 2026 16:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants