Remzona54/compose
1
0
Fork 0
mirror of https://github.com/docker/compose.git synced 2026-06-28 04:03:48 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
compose/Dockerfile
Sebastiaan van Stijn a4ec1dcd89
Some checks are pending
ci / validate (lint) (push) Waiting to run
Details
ci / validate (validate-docs) (push) Waiting to run
Details
ci / validate (validate-go-mod) (push) Waiting to run
Details
ci / validate (validate-headers) (push) Waiting to run
Details
ci / binary (push) Waiting to run
Details
ci / binary-finalize (push) Blocked by required conditions
Details
ci / bin-image-test (push) Waiting to run
Details
ci / test (push) Waiting to run
Details
ci / e2e (plugin, oldstable) (push) Waiting to run
Details
ci / e2e (standalone, oldstable) (push) Waiting to run
Details
ci / e2e (plugin, stable) (push) Waiting to run
Details
ci / e2e (standalone, stable) (push) Waiting to run
Details
ci / coverage (push) Blocked by required conditions
Details
ci / release (push) Blocked by required conditions
Details
merge / bin-image-prepare (push) Waiting to run
Details
merge / bin-image (push) Blocked by required conditions
Details
merge / module-image (push) Waiting to run
Details
merge / desktop-edge-test (push) Blocked by required conditions
Details
Scorecards supply-chain security / Scorecards analysis (push) Waiting to run
Details
update to go1.26.4 
This release include 3 security fixes following the security policy:

- mime: quadratic complexity in WordDecoder.DecodeHeader

    Decoding a maliciously-crafted MIME header containing many invalid
    encoded-words could consume excessive CPU.
    The MIME decoder now better handles this case.

    Thanks to p4p3r (https://hackerone.com/p4p3r_hak) for reporting this issue.

    This is CVE-2026-42504 and Go issue https://go.dev/issue/79217.

- net/textproto: arbitrary input are included in errors without any escaping

    When returning errors, functions in the net/textproto package would
    include its input as part of the error, without any escaping. Note that
    said input is often controlled by external parties when using this
    package naturally. For example, a net/http client uses ReadMIMEHeader
    when parsing the headers it receive from a server.

    As a result, an attacker could inject arbitrary content into the error.
    Practically, this can result in an attacker injecting misleading
    content, terminal control bytes, etc. into a victim's output or logs.

    This is CVE-2026-42507 and Go issue https://go.dev/issue/79346

- crypto/x509: split candidate hostname only once

    (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop
    over all DNS Subject Alternative Name (SAN) entries. This caused
    strings.Split(host, ".") to execute repeatedly on the same input hostname.

    With a large DNS SAN list, verification costs scaled quadratically based on the
    number of SAN entries multiplied by the hostname's label count. Because
    x509.Verify validates hostnames before building the certificate chain, this
    overhead occurred even for untrusted certificates.

    Thanks to Jakub Ciolek (https://ciolek.dev) for reporting this issue.

    This is CVE-2026-27145 and https://go.dev/issue/79694.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.26.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-06-09 10:48:41 +02:00

210 lines
6.8 KiB
Docker
Raw Permalink Blame History

# syntax=docker/dockerfile:1
# Copyright 2020 Docker Compose CLI authors
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
ARG GO_VERSION=1.26.4
ARG XX_VERSION=1.9.0
ARG GOLANGCI_LINT_VERSION=v2.11.3
ARG ADDLICENSE_VERSION=v1.0.0
ARG BUILD_TAGS="e2e"
ARG DOCS_FORMATS="md,yaml"
ARG LICENSE_FILES=".*\(Dockerfile\|Makefile\|\.go\|\.hcl\|\.sh\)"
# xx is a helper for cross-compilation
FROM --platform=${BUILDPLATFORM} tonistiigi/xx:${XX_VERSION} AS xx
# osxcross contains the MacOSX cross toolchain for xx
FROM crazymax/osxcross:15.5-alpine AS osxcross
FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine AS golangci-lint
FROM ghcr.io/google/addlicense:${ADDLICENSE_VERSION} AS addlicense
FROM --platform=${BUILDPLATFORM} golang:${GO_VERSION}-alpine3.22 AS base
COPY --from=xx / /
RUN apk add --no-cache \
clang \
docker \
file \
findutils \
git \
make \
protoc \
protobuf-dev
WORKDIR /src
ENV CGO_ENABLED=0
FROM base AS build-base
COPY go.* .
RUN --mount=type=cache,target=/go/pkg/mod \
--mount=type=cache,target=/root/.cache/go-build \
go mod download
FROM build-base AS vendored
RUN --mount=type=bind,target=.,rw \
--mount=type=cache,target=/go/pkg/mod \
go mod tidy && mkdir /out && cp go.mod go.sum /out
FROM scratch AS vendor-update
COPY --from=vendored /out /
FROM vendored AS vendor-validate
RUN --mount=type=bind,target=.,rw <<EOT
set -e
git add -A
cp -rf /out/* .
diff=$(git status --porcelain -- go.mod go.sum)
if [ -n "$diff" ]; then
echo >&2 'ERROR: Vendor result differs. Please vendor your package with "make go-mod-tidy"'
echo "$diff"
exit 1
fi
EOT
FROM build-base AS build
ARG BUILD_TAGS
ARG BUILD_FLAGS
ARG TARGETPLATFORM
RUN --mount=type=bind,target=. \
--mount=type=cache,target=/root/.cache \
--mount=type=cache,target=/go/pkg/mod \
--mount=type=bind,from=osxcross,src=/osxsdk,target=/xx-sdk \
xx-go --wrap && \
if [ "$(xx-info os)" == "darwin" ]; then export CGO_ENABLED=1; export BUILD_TAGS=fsnotify,$BUILD_TAGS; fi && \
make build GO_BUILDTAGS="$BUILD_TAGS" DESTDIR=/out && \
xx-verify --static /out/docker-compose
FROM build-base AS lint
ARG BUILD_TAGS
ENV GOLANGCI_LINT_CACHE=/cache/golangci-lint
RUN --mount=type=bind,target=. \
--mount=type=cache,target=/root/.cache \
--mount=type=cache,target=/go/pkg/mod \
--mount=type=cache,target=/cache/golangci-lint \
--mount=from=golangci-lint,source=/usr/bin/golangci-lint,target=/usr/bin/golangci-lint \
golangci-lint cache status && \
golangci-lint run --build-tags "$BUILD_TAGS" ./...
FROM build-base AS test
ARG CGO_ENABLED=0
ARG BUILD_TAGS
RUN --mount=type=bind,target=. \
--mount=type=cache,target=/root/.cache \
--mount=type=cache,target=/go/pkg/mod \
rm -rf /tmp/coverage && \
mkdir -p /tmp/coverage && \
rm -rf /tmp/report && \
mkdir -p /tmp/report && \
go run gotest.tools/gotestsum@latest --format testname --junitfile "/tmp/report/report.xml" -- -tags "$BUILD_TAGS" -v -cover -covermode=atomic $(go list $(TAGS) ./... | grep -vE 'e2e') -args -test.gocoverdir="/tmp/coverage" && \
go tool covdata percent -i=/tmp/coverage
FROM scratch AS test-coverage
COPY --from=test --link /tmp/coverage /
COPY --from=test --link /tmp/report /
FROM base AS license-set
ARG LICENSE_FILES
RUN --mount=type=bind,target=.,rw \
--mount=from=addlicense,source=/app/addlicense,target=/usr/bin/addlicense \
find . -regex "${LICENSE_FILES}" | xargs addlicense -c 'Docker Compose CLI' -l apache && \
mkdir /out && \
find . -regex "${LICENSE_FILES}" | cpio -pdm /out
FROM scratch AS license-update
COPY --from=set /out /
FROM base AS license-validate
ARG LICENSE_FILES
RUN --mount=type=bind,target=. \
--mount=from=addlicense,source=/app/addlicense,target=/usr/bin/addlicense \
find . -regex "${LICENSE_FILES}" | xargs addlicense -check -c 'Docker Compose CLI' -l apache -ignore validate -ignore testdata -ignore resolvepath -v
FROM base AS docsgen
WORKDIR /src
RUN --mount=target=. \
--mount=target=/root/.cache,type=cache \
--mount=type=cache,target=/go/pkg/mod \
go build -o /out/docsgen ./docs/yaml/main/generate.go
FROM --platform=${BUILDPLATFORM} alpine AS docs-build
RUN apk add --no-cache rsync git
WORKDIR /src
COPY --from=docsgen /out/docsgen /usr/bin
ARG DOCS_FORMATS
RUN --mount=target=/context \
--mount=target=.,type=tmpfs <<EOT
set -e
rsync -a /context/. .
docsgen --formats "$DOCS_FORMATS" --source "docs/reference"
mkdir /out
cp -r docs/reference /out
EOT
FROM scratch AS docs-update
COPY --from=docs-build /out /out
FROM docs-build AS docs-validate
RUN --mount=target=/context \
--mount=target=.,type=tmpfs <<EOT
set -e
rsync -a /context/. .
git add -A
rm -rf docs/reference/*
cp -rf /out/* ./docs/
if [ -n "$(git status --porcelain -- docs/reference)" ]; then
echo >&2 'ERROR: Docs result differs. Please update with "make docs"'
git status --porcelain -- docs/reference
exit 1
fi
EOT
FROM scratch AS binary-unix
COPY --link --from=build /out/docker-compose /
FROM binary-unix AS binary-darwin
FROM binary-unix AS binary-linux
FROM scratch AS binary-windows
COPY --link --from=build /out/docker-compose /docker-compose.exe
FROM binary-$TARGETOS AS binary
# enable scanning for this stage
ARG BUILDKIT_SBOM_SCAN_STAGE=true
FROM --platform=$BUILDPLATFORM alpine AS releaser
WORKDIR /work
ARG TARGETOS
ARG TARGETARCH
ARG TARGETVARIANT
RUN --mount=from=binary \
mkdir -p /out && \
# TODO: should just use standard arch
TARGETARCH=$([ "$TARGETARCH" = "amd64" ] && echo "x86_64" || echo "$TARGETARCH"); \
TARGETARCH=$([ "$TARGETARCH" = "arm64" ] && echo "aarch64" || echo "$TARGETARCH"); \
cp docker-compose* "/out/docker-compose-${TARGETOS}-${TARGETARCH}${TARGETVARIANT}$(ls docker-compose* | sed -e 's/^docker-compose//')"
FROM scratch AS release
COPY --from=releaser /out/ /
FROM --platform=$BUILDPLATFORM alpine AS module-releaser
WORKDIR /work
ARG TARGETOS
RUN --mount=from=binary \
mkdir -p /cli-plugins/compose/$TARGETOS && \
cp docker-compose* "/cli-plugins/compose/$TARGETOS/docker-compose$(ls docker-compose* | sed -e 's/^docker-compose//')"
FROM scratch AS module
ARG TARGETOS
COPY --from=module-releaser /cli-plugins/compose/$TARGETOS /cli-plugins/compose/$TARGETOS
COPY ./desktop-module/module-metadata.json /
COPY LICENSE /
Reference in a new issue View git blame Copy permalink