Description
Context
When a new CVE comes up we tend to upgrade the affected package in the Dockerfile, using apk upgrade --no-cache curl, for instance.
Since our images are based on official ones, they eventually ship the upgraded package, and at that point we have to go back and remove the patches from our Dockerfiles.
Solution
- Wrap every CVE patch in a marked block like:
###> CVE: 1234 ###
###< CVE: 1234 ###
- Write a script that removes these blocks, tries to build the images and checks them for vulnerabilities; if the check passes, it automatically opens a PR with the CVE blocks removed.
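As an added example (not code from this issue or the project), the block-stripping step of the proposed script in Python: it parses the ###> CVE: id ### / ###< CVE: id ### markers, removes all or selected blocks, and refuses malformed marker pairs so a half-patched Dockerfile is never handed to the build and scan step. The sample Dockerfile is constructed here; the build, scan and PR steps are assumed to follow on the returned text.

```python
import re
from typing import List, Optional, Set, Tuple

# Marker lines proposed in this issue: a CVE patch in a Dockerfile sits between
# "###> CVE: <id> ###" and "###< CVE: <id> ###". The id is captured so blocks can
# be removed selectively (each removal is its own build + scan candidate).
OPEN_RE = re.compile(r"^\s*###>\s*CVE:\s*(\S+)\s*###\s*$")
CLOSE_RE = re.compile(r"^\s*###<\s*CVE:\s*(\S+)\s*###\s*$")

def strip_cve_blocks(dockerfile: str, only: Optional[Set[str]] = None) -> Tuple[str, List[str]]:
    """Return (Dockerfile without the selected CVE blocks, ids removed).
    only=None removes every block, otherwise just the listed ids. Nested,
    mismatched or unterminated markers raise ValueError (fail closed)."""
    kept, removed = [], []  # lines to keep, ids whose blocks were dropped
    current: Optional[str] = None  # id of the block we are inside, if any
    dropping = False  # True while inside a block that is being removed
    for lineno, line in enumerate(dockerfile.splitlines(), 1):
        m_open, m_close = OPEN_RE.match(line), CLOSE_RE.match(line)
        if m_open:
            if current is not None:
                raise ValueError(f"line {lineno}: block {m_open.group(1)} nested in {current}")
            current = m_open.group(1)
            dropping = only is None or current in only
            if dropping:
                removed.append(current)
        elif m_close:
            if current != m_close.group(1):
                raise ValueError(f"line {lineno}: close {m_close.group(1)} but open is {current}")
            if not dropping:
                kept.append(line)
            current, dropping = None, False
            continue
        if not dropping:  # marker lines of kept blocks and all normal lines
            kept.append(line)
    if current is not None:
        raise ValueError(f"block {current} never closed")
    return "\n".join(kept) + "\n", removed

# Constructed sample Dockerfile: id 1234 is the issue's placeholder, 5678 is made up.
SAMPLE_DOCKERFILE = """\
FROM alpine:3.18
###> CVE: 1234 ###
RUN apk upgrade --no-cache curl
###< CVE: 1234 ###
RUN apk add --no-cache nginx
###> CVE: 5678 ###
RUN apk upgrade --no-cache openssl
###< CVE: 5678 ###
CMD ["nginx", "-g", "daemon off;"]
"""
```

Calling strip_cve_blocks(SAMPLE_DOCKERFILE, only={"1234"}) yields the candidate Dockerfile for a single CVE, which is what the script would build and scan before opening a PR.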