[WIP] [security] Fix Erlang CVEs

[0xawaz]

Summary of changes

Issue

When scanning tpnode with Docker scout, we find 3 critical and 29 high severity CVEs, which is originated from Erlang 22 image.

Solution

To resolve the issue, we upgrade erlang from 22 to 22.3.4-slim.

Results

We succeed in security by fixing CVEs, but we gained in size from 146MB to 260MB, which we can fix in another PR is important.

Other information and links

The fix is based on the newest image of erlang that is free of critical CVEs.

Change checklist

• I have performed a self-review of my code.
• I have added tests that prove my fix is effective.
• I made sure the CHANGELOG is up-to-date (We need to create one).

[cleverfox]

Something looks wrong with this dockerfile. tpnode does not work on erlang-22, because we have migrated to erlang-24 few years ago.

I found a dockerfile at our buildhost, here it is

FROM --platform=linux/amd64 ubuntu:22.04

RUN apt-get update -yqq && \
    apt-get install -yqq cmake clang libtool gcc git curl libssl-dev build-essential automake autoconf libncurses5-dev elixir erlang-base erlang-public-key erlang-asn1 erlang-ssl erlang-dev erlang-inets erlang-eunit erlang-common-test rebar3 git iputils-ping && \
    cd /opt/ && \
    git clone -b {{ branch | default('master') }} https://github.com/thepower/tpnode.git && \
    cd /opt/tpnode && \
    rebar3 compile && \
    rebar3 release && \
    rebar3 tar

CMD cp /opt/tpnode/_build/default/rel/thepower/thepower-* /opt/tmp/ && cp /etc/hosts /opt/tmp/

It builds on top of ubuntu, probably building on top of erlang will be better, smaller image, but it requires testing.

[0xawaz]

I will update the Dockerfile based on this new one, I will try to do multistage builds.
I would like to understand a bit the entrypoint, why are you copying files in a CMD layer?
CMD cp /opt/tpnode/_build/default/rel/thepower/thepower-* /opt/tmp/ && cp /etc/hosts /opt/tmp/

I also checked the runtime container, it seems that the entrypoint is:
/opt/thepower/erts-12.2.1/bin/erlexec -noinput +Bd -boot /opt/thepower/releases/0.80.0-38-ga297a6b/start -mode embedded -boot_var SYSTEM_LIB_DIR /opt/thepower/lib -config /opt/thepower/releases/0.80.0-38-ga297a6b/sys.config -args_file /opt/thepower/releases/0.80.0-38-ga297a6b/vm.args -- foreground

Could you explain a bit this command? So, I can reproduce a suitable entrypoint?

[cleverfox]

I will update the Dockerfile based on this new one, I will try to do multistage builds. I would like to understand a bit the entrypoint, why are you copying files in a CMD layer? CMD cp /opt/tpnode/_build/default/rel/thepower/thepower-* /opt/tmp/ && cp /etc/hosts /opt/tmp/

It looks like something specific to the buildhost's installation. Looks like there must be something else there

I also checked the runtime container, it seems that the entrypoint is: /opt/thepower/erts-12.2.1/bin/erlexec -noinput +Bd -boot /opt/thepower/releases/0.80.0-38-ga297a6b/start -mode embedded -boot_var SYSTEM_LIB_DIR /opt/thepower/lib -config /opt/thepower/releases/0.80.0-38-ga297a6b/sys.config -args_file /opt/thepower/releases/0.80.0-38-ga297a6b/vm.args -- foreground

Could you explain a bit this command? So, I can reproduce a suitable entrypoint?
It is generated by release scripts. Script for starting applications is ./bin/thepower and foreground looks as valid argument