From ed513c985265c7faba7b98cefb2d4cd94672374c Mon Sep 17 00:00:00 2001
From: "rE-Bo0t.bx1" <54429050+r3bo0tbx1@users.noreply.github.com>
Date: Thu, 20 Nov 2025 23:22:24 +0800
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=20fix(security):=20resolve=20criti?=
 =?UTF-8?q?cal=20CVEs=20via=20multi-stage=20build=20and=20OS=20upgrade?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit addresses high-severity vulnerabilities detected by Docker Scout in both the Lyrebird binary and the Alpine base image.

Changes:
- Lyrebird: Implemented a multi-stage build using golang:1.24-alpine. This compiles Lyrebird from source to resolve "baked-in" Go runtime and dependency vulnerabilities (stdlib, crypto, pion) found in the upstream Alpine package.
- Base OS: Added apk upgrade --no-cache to force the installation of the latest system libraries, patching active CVEs in musl and openssl.

Resolves: CVE-2025-9230 (openssl), CVE-2025-26519 (musl), and multiple Go runtime CVEs.
---
 Dockerfile      | 2 +-
 Dockerfile.edge | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 65839a4..6eb52d9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -43,7 +43,7 @@ SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 
 # Note: 'lyrebird' removed from apk add, copying it from builder instead
 RUN set -eux \
- && apk upgrade --no-cache
+ && apk upgrade --no-cache \
  && apk add --no-cache \
     tor \
     tini \
diff --git a/Dockerfile.edge b/Dockerfile.edge
index 96bd57b..ba873ae 100644
--- a/Dockerfile.edge
+++ b/Dockerfile.edge
@@ -46,9 +46,9 @@ LABEL maintainer="rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>" \
 
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 
-# NOTE: 'lyrebird' removed from apk add list (copying it from builder instead)
+# NOTE: 'lyrebird' removed from apk add list (we copy it from builder instead)
 RUN set -eux \
- && apk upgrade --no-cache
+ && apk upgrade --no-cache \
  && apk add --no-cache \
     tor \
     tini \