4 changes: 2 additions & 2 deletions Dockerfile
@@ -4,8 +4,8 @@ RUN adduser --disabled-password --gecos "" --no-create-home --uid 1000 cronos

RUN mkdir -p /home/cronos/data && mkdir -p /home/cronos/config
RUN apt-get update -y && apt-get install wget curl procps net-tools jq lz4 -y
RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.0/cronos_1.5.0_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.0_Linux_x86_64.tar.gz \
&& rm cronos_1.5.0_Linux_x86_64.tar.gz && mv ./* /home/cronos/
RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.0/cronos_1.5.0-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.0-testnet_Linux_x86_64.tar.gz \
&& rm cronos_1.5.0-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/
Comment on lines +7 to +8

⚠️ Potential issue

🧩 Analysis chain

Remove TLS bypass; verify artifact; extract safely to target dir (avoid mv ./*).

Using wget --no-check-certificate is a supply‑chain risk and flagged by Checkov (CKV2_DOCKER_3). Also, extracting into /tmp then mv ./* can move unintended files and may break the expected /home/cronos/bin/cronosd path. Switch to a validated download and extract directly into /home/cronos; add -z to tar.

Apply this diff to Lines 7‑8:

-RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.0/cronos_1.5.0-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.0-testnet_Linux_x86_64.tar.gz \
-     && rm cronos_1.5.0-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/
+RUN set -eux; \
+    cd /tmp; \
+    curl -fsSLo cronos_1.5.0-testnet_Linux_x86_64.tar.gz https://github.com/crypto-org-chain/cronos/releases/download/v1.5.0/cronos_1.5.0-testnet_Linux_x86_64.tar.gz; \
+    tar -xzf cronos_1.5.0-testnet_Linux_x86_64.tar.gz -C /home/cronos; \
+    rm -f cronos_1.5.0-testnet_Linux_x86_64.tar.gz

Additionally, ensure CA trust is present (update Line 6 accordingly) and trim apt lists:

RUN apt-get update -y && apt-get install -y --no-install-recommends wget curl procps net-tools jq lz4 ca-certificates && rm -rf /var/lib/apt/lists/*

Optional but recommended: verify integrity by checking a known SHA256 (set CRONOS_SHA256 from the release):

ARG CRONOS_SHA256=<paste_sha256_here>
RUN echo "${CRONOS_SHA256}  cronos_1.5.0-testnet_Linux_x86_64.tar.gz" | sha256sum -c -

Please confirm the archive layout exposes bin/cronosd at the archive root so /home/cronos/bin/cronosd remains valid after direct extraction. If not, add --strip-components=1 to the tar command.


🏁 Script executed:

#!/bin/bash
set -euxo pipefail

# find Dockerfile
DOCKER_PATH=$(find . -type f -iname Dockerfile | head -n1 || true)
if [ -z "$DOCKER_PATH" ]; then
  echo "No Dockerfile found"
  exit 0
fi
echo "Using Dockerfile: $DOCKER_PATH"

echo "=== Dockerfile (lines 1..120) ==="
nl -ba "$DOCKER_PATH" | sed -n '1,120p' || true

echo "=== Search for patterns: wget --no-check-certificate, mv ./* /home/cronos, tar -xvf, apt-get install ==="
grep -n -E "wget --no-check-certificate|--no-check-certificate|mv \.\*/ /home/cronos|mv \.\* /home/cronos|tar -xv|tar -xvf|apt-get install" "$DOCKER_PATH" || true

# extract URL to tar.gz from Dockerfile (first match)
URL=$(grep -oE 'https?://[^ ]+cronos[^ ]+\.tar\.gz' "$DOCKER_PATH" | head -n1 || true)
echo "Detected URL: $URL"

if [ -n "$URL" ]; then
  TMPDIR=$(mktemp -d)
  ARCH="$TMPDIR/cronos.tar.gz"
  echo "Downloading $URL -> $ARCH"
  curl -fsSL -o "$ARCH" "$URL"
  echo "Downloaded file info:"
  ls -lh "$ARCH" || true

  echo "=== Tarball top-level prefixes (count) ==="
  tar -tzf "$ARCH" | awk -F/ '{print $1}' | uniq -c | sort -rn || true

  echo "=== Sample tar listing (first 200 lines) ==="
  tar -tzf "$ARCH" | sed -n '1,200p' || true
fi

echo "=== Done ==="

Length of output: 2722


Remove TLS bypass; extract directly to /home/cronos; add CA and integrity check.

File: Dockerfile (lines ~6–8)

wget --no-check-certificate is a supply‑chain risk — replace with a verified download, extract directly into /home/cronos (avoid mv ./*), install CA trust, and validate the archive checksum.

Apply this diff to Lines 7‑8:

-RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.0/cronos_1.5.0-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.0-testnet_Linux_x86_64.tar.gz \
-     && rm cronos_1.5.0-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/
+RUN set -eux; \
+    cd /tmp; \
+    curl -fsSLo cronos_1.5.0-testnet_Linux_x86_64.tar.gz https://github.com/crypto-org-chain/cronos/releases/download/v1.5.0/cronos_1.5.0-testnet_Linux_x86_64.tar.gz; \
+    tar -xzf cronos_1.5.0-testnet_Linux_x86_64.tar.gz -C /home/cronos; \
+    rm -f cronos_1.5.0-testnet_Linux_x86_64.tar.gz

Ensure CA trust is installed (update the apt line) and trim apt lists:

RUN apt-get update -y && apt-get install -y --no-install-recommends wget curl procps net-tools jq lz4 ca-certificates && rm -rf /var/lib/apt/lists/*

Optional but recommended: verify integrity with a known SHA256:

ARG CRONOS_SHA256=<paste_sha256_here>
RUN echo "${CRONOS_SHA256}  cronos_1.5.0-testnet_Linux_x86_64.tar.gz" | sha256sum -c -

Verified: the archive contains ./bin/cronosd at the archive root, so direct extraction into /home/cronos will produce /home/cronos/bin/cronosd — no --strip-components required. Address the above changes before merging.

🧰 Tools
🪛 Checkov (3.2.334)

[high] 7-8: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

🤖 Prompt for AI Agents
In Dockerfile around lines 7–8, remove the --no-check-certificate usage and
avoid moving files after extraction: update the apt-get install line to include
ca-certificates and use rm -rf /var/lib/apt/lists/* to trim caches; download the
cronos tarball without bypassing TLS (use wget/curl default), place a build ARG
for CRONOS_SHA256 and run a sha256sum -c check against the downloaded file, then
extract the archive directly into /home/cronos (so files land at
/home/cronos/bin/...) instead of extracting to /tmp and mv-ing; ensure the
commands fail on checksum mismatch and remove the downloaded archive after
verification.
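As an added example (not code from the PR, the cronos project, or the review bot above), here is the download-verify-extract step the comment asks for, written as a shell function a build could call for any artifact; it assumes GNU tar and coreutils `sha256sum`, and builds a constructed sample archive so it runs offline.

```shell
#!/bin/sh
# Added example, not from the PR or the cronos project. Assumes GNU tar and
# coreutils sha256sum; archive path, expected hash and destination are supplied
# by the caller.

# Return 0 only if the archive's SHA256 matches, its entry names are safe, it
# carries bin/cronosd at the archive root, and extraction into "$dest" succeeded.
verify_and_extract() {
  archive="$1"; expected_sha="$2"; dest="$3"

  # 1. Integrity: fail closed on a checksum mismatch (two spaces: coreutils format).
  echo "${expected_sha}  ${archive}" | sha256sum -c --status - || {
    echo "checksum mismatch for ${archive}" >&2; return 1; }

  # 2. Entry names: refuse absolute paths and parent-directory components so a
  #    crafted archive cannot write outside "$dest".
  if tar -tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
    echo "unsafe entry name in ${archive}" >&2; return 1
  fi

  # 3. Layout: the Dockerfile expects /home/cronos/bin/cronosd, so the archive
  #    must expose bin/cronosd at its root (optionally prefixed with ./).
  if ! tar -tzf "$archive" | grep -Eq '^(\./)?bin/cronosd$'; then
    echo "bin/cronosd not at archive root" >&2; return 1
  fi

  # 4. Extract straight into the destination; no mv ./* out of a shared /tmp.
  mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# Constructed sample archive (bin/cronosd at the root) so the function can be
# exercised offline. Prints "<archive> <sha256>" on one line.
make_sample_archive() {
  work=$(mktemp -d)
  mkdir -p "$work/src/bin"
  printf '#!/bin/sh\necho cronosd\n' > "$work/src/bin/cronosd"
  tar -czf "$work/sample.tar.gz" -C "$work/src" ./bin/cronosd
  printf '%s %s\n' "$work/sample.tar.gz" "$(sha256sum "$work/sample.tar.gz" | cut -d' ' -f1)"
}
```

In a Dockerfile the expected hash would come in through the `ARG CRONOS_SHA256` the comment proposes, and the function's non-zero exit fails the `RUN` step.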

RUN chown -R cronos:cronos /home/cronos && chmod 1777 /tmp

USER root
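Review bot: the unprivileged cronos user created by the `adduser ... --uid 1000 cronos` line in the hunk header and given ownership of /home/cronos by `RUN chown -R cronos:cronos /home/cronos` is immediately followed by `USER root`, so unless a later instruction switches back, the process runs as root and the dedicated-user setup buys nothing; make `USER cronos` the final USER instruction and keep root only for the install steps that need it. The two changed lines otherwise only swap the `cronos_1.5.0` archive for `cronos_1.5.0-testnet`, carrying `wget --no-check-certificate` and `mv ./* /home/cronos/` from /tmp over unchanged, which is what the Checkov finding CKV2_DOCKER_3 above is about.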