Allow packages to be specified to address CVEs

This change allows the CVE_UPGRADES build arg to be set to address CVEs in base images instead of requesting waivers. Signed-off-by: Evan Lezar <elezar@nvidia.com>
2024-11-22 08:18:32 +00:00 · 2021-12-07 15:20:25 +01:00 · 2021-12-07 15:20:25 +01:00 · f0311bfe17
commit f0311bfe17
parent 050c29b157
2 changed files with 9 additions and 1 deletions
--- a/build/container/Dockerfile.centos
+++ b/build/container/Dockerfile.centos
@ -75,4 +75,11 @@ LABEL description="See summary"

 COPY ./LICENSE /licenses/LICENSE

-ENTRYPOINT ["/work/nvidia-toolkit"]
+# Install / upgrade packages here that are required to resolve CVEs
+ARG CVE_UPDATES
+RUN if [ -n "${CVE_UPDATES}" ]; then \
+        yum update -y ${CVE_UPDATES} && \
+        rm -rf /var/cache/yum/*; \
+    fi
+
+ENTRYPOINT ["/work/nvidia-toolkit"]
--- a/build/container/Makefile
+++ b/build/container/Makefile
@ -75,6 +75,7 @@ $(BUILD_TARGETS): build-%: $(ARTIFACTS_ROOT)
 		--build-arg PACKAGE_VERSION="$(PACKAGE_VERSION)" \
 		--build-arg PACKAGE_ARCH="$(PACKAGE_ARCH)" \
 		--build-arg VERSION="$(VERSION)" \
+		--build-arg CVE_UPDATES="$(CVE_UPDATES)" \
 		-f $(DOCKERFILE) \
 		$(CURDIR)