Add CVE_UPDATES to resolve vuln in libarchive

Signed-off-by: Christopher Desiniotis <[email protected]>

Author: cdesiniotis

.github/workflows/image.yaml

@@ -61,6 +61,7 @@ jobs:
         env:
           IMAGE_NAME: ghcr.io/${LOWERCASE_REPO_OWNER}/k8s-device-plugin
           VERSION: ${COMMIT_SHORT_SHA}
+          CVE_UPDATES: "libarchive"
         run: |
           echo "${VERSION}"
           make -f deployments/container/Makefile build

deployments/container/Dockerfile

@@ -53,6 +53,13 @@ RUN rpm -qa | sort -u > /tmp/package-list.minimal
 # We define the following image as a base image and remove unneeded packages.
 FROM nvcr.io/nvidia/cuda:13.0.0-base-ubi9 AS base
 
+# Upgrade packages here that are required to resolve CVEs
+ARG CVE_UPDATES
+RUN if [ -n "${CVE_UPDATES}" ]; then \
+        yum update -y ${CVE_UPDATES} && \
+        rm -rf /var/cache/yum/*; \
+    fi
+
 WORKDIR /cleanup
 
 COPY --from=minimal /tmp/package-names.minimal package-names.minimal

deployments/container/Makefile

@@ -82,6 +82,7 @@ $(IMAGE_TARGETS): image-%:
 		--build-arg GOLANG_VERSION="$(GOLANG_VERSION)" \
 		--build-arg VERSION="$(VERSION)" \
 		--build-arg GIT_COMMIT="$(GIT_COMMIT)" \
+		--build-arg CVE_UPDATES="$(CVE_UPDATES)" \
 		$(if $(LABEL_IMAGE_SOURCE),--label "org.opencontainers.image.source=$(LABEL_IMAGE_SOURCE)",) \
 		-f $(DOCKERFILE) \
 		$(CURDIR)