Merge pull request #580 from Azure/base_image_vuln_fixes

priyaananthasankar · web-flow · commit 7d19c8d22ceb · 2025-12-10T13:05:41.000-08:00
Fixed Go Vulns due to istioctl and rootless docker kit
diff --git a/linux/base.Dockerfile b/linux/base.Dockerfile
@@ -171,13 +171,15 @@ RUN chmod 755 /usr/local/bin/ansible* \
   && /opt/ansible/bin/python -m pip install -r /usr/share/ansible/collections/ansible_collections/azure/azcollection/requirements.txt
 
 
-# Install latest version of Istio
+# Install specific version of Istio from GitHub releases
+ENV ISTIO_VERSION=1.28.1
 RUN export TMP_DIR=$(mktemp -d) \
-  && pushd "${TMP_DIR}"  \
-  && curl -sSL https://git.io/getLatestIstio | sh - \
-  && mv ./istio*/bin/istioctl /usr/local/bin/istioctl \
+  && cd "${TMP_DIR}" \
+  && curl -L https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz -o istio.tar.gz \
+  && tar -xzf istio.tar.gz \
+  && mv istio-${ISTIO_VERSION}/bin/istioctl /usr/local/bin/istioctl \
   && chmod 755 /usr/local/bin/istioctl \
-  && popd \
+  && cd / \
   && rm -rf "${TMP_DIR}"
 
 ENV GOROOT="/usr/lib/golang"
@@ -226,7 +228,7 @@ RUN curl -fsSL https://aka.ms/install-azd.sh | bash && \
   # Install rootless kit
   TMP_DIR=$(mktemp -d) && \
   pushd $TMP_DIR && \
-  ROOTLESSKIT_VERSION=$(curl https://api.github.com/repos/rootless-containers/rootlesskit/releases/latest | jq -r '.tag_name') && \
+  ROOTLESSKIT_VERSION=v2.3.5 && \
   curl -LO https://github.com/rootless-containers/rootlesskit/releases/download/${ROOTLESSKIT_VERSION}/rootlesskit-x86_64.tar.gz && \
   curl -LO https://github.com/rootless-containers/rootlesskit/releases/download/${ROOTLESSKIT_VERSION}/SHA256SUMS && \
   sha256sum -c SHA256SUMS --ignore-missing && \
