build(deps): bump library/alpine-3 from 698d5d3 to e17223d

[dependabot]

Bumps library/alpine-3 from 698d5d3 to e17223d.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[AlexanderYastrebov]

👍

[MustafaSaber]

👍

[botchniaque]

How do the sha256 digests for alpine-3 image map to release tags?

I am asking because there is an openssl vulnerability which is fixed in library/alpine-3:3-20230814, but the latest teapot/skipper:v0.17.10still contains the vulnerable version which indicates that it's not being based on the latestalpine-3`.

[AlexanderYastrebov]

It does not map really, you can check things by running the image:

~$ docker run --rm -it registry.opensource.zalan.do/library/alpine-3:latest@sha256:e17223daa3910c8590105db8fe94ec48499ddaa3fc3ad2f4a94f4e26d62473a6 sh -c "cat /etc/alpine-release"
3.18.3

~$ docker run --rm -it registry.opensource.zalan.do/library/alpine-3:latest@sha256:e17223daa3910c8590105db8fe94ec48499ddaa3fc3ad2f4a94f4e26d62473a6 sh -c "apk list | grep openssl"
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/main: No such file or directory
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/community: No such file or directory
libcrypto3-3.1.2-r0 x86_64 {openssl} (Apache-2.0) [installed]
libssl3-3.1.2-r0 x86_64 {openssl} (Apache-2.0) [installed]

[botchniaque]

Here you can see the openssl3 version in the image is 3.1.1, and the vulnerability got fixed in 3.1.2

docker run -it registry.opensource.zalan.do/teapot/skipper:v0.17.10 sh -c "apk list -i 'libssl3'"
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/main: No such file or directory
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/community: No such file or directory
libssl3-3.1.1-r1 x86_64 {openssl} (Apache-2.0) [installed]

[AlexanderYastrebov]

This is not the file from which we build release, we should look for https://github.com/zalando/skipper/blob/master/packaging/Dockerfile updates

[AlexanderYastrebov]

This is not the file from which we build release

I'll check why dependabot is not updating /packaging/Dockerfile