CVE Check failed on master after passing on Development
Summary
CVE-check didn't find the OpenSSL-related vuln on any runs prior to master. OpenSSL
Link to failed pipeline
https://repo1.dso.mil/dsop/coder-enterprise/coder-enterprise/coder-service/-/jobs/8853093#L53
What is the current bug behavior?
Pipeline finds a new CVE and fails.
What is the expected correct behavior?
I'd expect the merge from develop to master to only promote the already-scanned-and-approved image to Harbor. By building again it could have a number of non-deterministic outcomes.
Possible fixes
- Figure out why the earlier pipelines didn't find this CVE
- Create a single build event that creates the artifact and then never change it again until, just update metadata and retag.
Definition of Done
- Pipeline failure has been resolved
/cc @ironbank-notifications/pipelines
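
The two possible fixes above, sketched as an added example that is not part of the original issue or of the Iron Bank pipeline: `triage` compares a development scan with a master scan to tell a rebuilt image apart from an updated vulnerability feed, and `may_promote` allows a retag only for the digest that was scanned. The `ScanRecord` fields, digests, timestamps and CVE placeholder are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ScanRecord:
    branch: str
    image_digest: str    # digest of the image that was actually scanned
    feed_time: str       # vulnerability feed snapshot, ISO-8601 UTC (assumed field)
    findings: frozenset  # CVE ids reported by the scan

def triage(earlier: ScanRecord, later: ScanRecord) -> dict:
    """Explain why `later` reports findings that `earlier` did not."""
    new = sorted(later.findings - earlier.findings)
    rebuilt = earlier.image_digest != later.image_digest
    # Same-format UTC timestamps compare correctly as strings.
    feed_newer = later.feed_time > earlier.feed_time
    if not new:
        cause = "no-new-findings"
    elif rebuilt and feed_newer:
        cause = "ambiguous"  # rebuild and feed update both happened
    elif rebuilt:
        cause = "image-changed"  # the rebuild pulled in different contents
    elif feed_newer:
        cause = "feed-updated"  # same artifact, CVE published after the first scan
    else:
        cause = "scanner-nondeterminism"
    return {"new": new, "rebuilt": rebuilt, "feed_newer": feed_newer, "cause": cause}

def may_promote(candidate_digest: str, approved: ScanRecord) -> bool:
    """Promotion is a retag: allowed only for the exact digest that was scanned."""
    return candidate_digest == approved.image_digest

# Constructed sample records; digests, times and the CVE id are placeholders.
OPENSSL_CVE = "CVE-PLACEHOLDER-OPENSSL"
DIGEST_A = "sha256:" + "a" * 64
DIGEST_B = "sha256:" + "b" * 64
DEV = ScanRecord("development", DIGEST_A, "2021-01-01T00:00:00Z", frozenset())
MASTER_REBUILT = ScanRecord(
    "master", DIGEST_B, "2021-01-01T00:00:00Z", frozenset({OPENSSL_CVE}))
MASTER_RETAGGED = ScanRecord(
    "master", DIGEST_A, "2021-01-02T00:00:00Z", frozenset({OPENSSL_CVE}))

if __name__ == "__main__":
    for rec in (MASTER_REBUILT, MASTER_RETAGGED):
        print(rec.image_digest[:15], triage(DEV, rec)["cause"],
              "promote" if may_promote(rec.image_digest, DEV) else "rescan required")
```

A `feed-updated` result on an unchanged digest means the earlier scan was not wrong, only older, so the finding needs a rescan policy rather than a rebuild.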