From f0311bfe17dcb384b878856871f13dd31f231a53 Mon Sep 17 00:00:00 2001 From: Evan Lezar Date: Tue, 7 Dec 2021 15:20:25 +0100 Subject: [PATCH 1/2] Allow packages to be specified to address CVEs This change allows the CVE_UPGRADES build arg to be set to address CVEs in base images instead of requesting waivers. Signed-off-by: Evan Lezar --- build/container/Dockerfile.centos | 9 ++++++++- build/container/Makefile | 1 + 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/build/container/Dockerfile.centos b/build/container/Dockerfile.centos index 26b6bf95..c6a5b46b 100644 --- a/build/container/Dockerfile.centos +++ b/build/container/Dockerfile.centos @@ -75,4 +75,11 @@ LABEL description="See summary" COPY ./LICENSE /licenses/LICENSE -ENTRYPOINT ["/work/nvidia-toolkit"] \ No newline at end of file +# Install / upgrade packages here that are required to resolve CVEs +ARG CVE_UPDATES +RUN if [ -n "${CVE_UPDATES}" ]; then \ + yum update -y ${CVE_UPDATES} && \ + rm -rf /var/cache/yum/*; \ + fi + +ENTRYPOINT ["/work/nvidia-toolkit"] diff --git a/build/container/Makefile b/build/container/Makefile index c62e5b58..100c22c1 100644 --- a/build/container/Makefile +++ b/build/container/Makefile @@ -75,6 +75,7 @@ $(BUILD_TARGETS): build-%: $(ARTIFACTS_ROOT) --build-arg PACKAGE_VERSION="$(PACKAGE_VERSION)" \ --build-arg PACKAGE_ARCH="$(PACKAGE_ARCH)" \ --build-arg VERSION="$(VERSION)" \ + --build-arg CVE_UPDATES="$(CVE_UPDATES)" \ -f $(DOCKERFILE) \ $(CURDIR) From afb260d82eed7e4832e6a6aa2306c0c5fd6554ca Mon Sep 17 00:00:00 2001 From: Evan Lezar Date: Tue, 7 Dec 2021 16:20:17 +0100 Subject: [PATCH 2/2] Update nss on centos7 to address CVEs This addresses https://access.redhat.com/security/cve/CVE-2021-43527 Signed-off-by: Evan Lezar --- .common-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.common-ci.yml b/.common-ci.yml index bfd50503..dcb90282 100644 --- a/.common-ci.yml +++ b/.common-ci.yml 
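Review bot: `yum update -y ${CVE_UPDATES}` does not fail when a requested package is absent from the image or misspelled — with yum's default settings it only warns ("No Match for argument") and exits 0 — so a typo in CVE_UPDATES leaves the CVE in place while the build goes green. A post-check that fails the layer if any requested package is not installed closes that gap, e.g. `yum update -y ${CVE_UPDATES} && rpm -q ${CVE_UPDATES} && rm -rf /var/cache/yum/*;`. The update is also unpinned, so what actually lands depends on what the mirror serves at build time; the comment above `ARG CVE_UPDATES` should tell callers to pass name-version-release specs, e.g. `# Space-separated yum package specs (name or name-version-release); pin the NVR so the applied fix is auditable.`. Separately, the commit message calls the build arg CVE_UPGRADES while the code introduces CVE_UPDATES.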
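Review bot: CVE_UPDATES is consumed only in this new `--build-arg` line and is neither defaulted nor described anywhere in the hunk, unlike PACKAGE_VERSION, PACKAGE_ARCH and VERSION which presumably have declarations near the top of the Makefile. A `CVE_UPDATES ?=` line beside the other knobs, with a comment such as `# Space-separated packages to yum-update inside the image to resolve base-image CVEs (see Dockerfile.centos); empty skips the step.`, makes it discoverable and keeps --warn-undefined-variables quiet. Because the value is expanded unquoted into a RUN shell in the Dockerfile, that comment should also state it must be a plain package list, never arbitrary text from an untrusted CI variable. Both the variable block and the start of the `build-%` rule this recipe belongs to lie outside the hunk.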
@@ -46,6 +46,7 @@ stages: .dist-centos7: variables: DIST: centos7 + CVE_UPDATES: "nss" .dist-centos8: variables:
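Review bot: `CVE_UPDATES: "nss"` pulls whichever nss build the CentOS 7 mirror serves at image-build time rather than the specific erratum build that fixes CVE-2021-43527, so the fix is neither reproducible nor auditable from this config; pinning the name-version-release of the fixed package (the exact NVR should be confirmed against the Red Hat advisory linked in the commit message) makes the applied update explicit. A comment beside the value recording why it exists, e.g. `# CVE-2021-43527 (nss); drop once the centos7 base image ships the fix`, keeps the entry from outliving its purpose. Whether companion packages such as nss-sysinit or nss-tools also need listing depends on what the scanner flagged and on yum's dependency resolution, which this hunk does not show — worth checking against the scan report.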