Update Container images - All - Major, minor and patch #159
AlexSkrypnyk merged 1 commit into develop from
📝 Walkthrough
Docker base image versions are updated across six Dockerfile configurations. Most uselagoon images are bumped from version 26.2.0 to 26.3.0, while the clamav-debian image is updated from 1.5.2-32 to 1.5.2-34.
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
🚥 Pre-merge checks: ✅ 3 passed
Actionable comments posted: 1
📒 Files selected for processing (6)
- .docker/clamav.dockerfile
- .docker/cli.dockerfile
- .docker/database.dockerfile
- .docker/nginx-drupal.dockerfile
- .docker/php.dockerfile
- .docker/solr.dockerfile
| FROM uselagoon/commons:26.3.0 AS commons | ||
|
|
||
| FROM clamav/clamav-debian:1.5.2-32 | ||
| FROM clamav/clamav-debian:1.5.2-34 |
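Review bot: Both FROM lines pin the base image by tag only (uselagoon/commons:26.3.0 and clamav/clamav-debian:1.5.2-34), so a build pulls whatever the registry currently serves under those tags. Consider appending the manifest digest to each reference (tag@sha256:<digest>) so the image that was reviewed is the image that gets built, and so a rebuilt or re-pushed tag shows up as a visible change in a later update PR.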
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify Docker image versions exist and check release information
echo "=== Verifying uselagoon/commons:26.3.0 ==="
docker manifest inspect uselagoon/commons:26.3.0 > /dev/null 2>&1 && echo "✓ Image exists" || echo "✗ Image not found"
echo -e "\n=== Verifying clamav/clamav-debian:1.5.2-34 ==="
docker manifest inspect clamav/clamav-debian:1.5.2-34 > /dev/null 2>&1 && echo "✓ Image exists" || echo "✗ Image not found"
echo -e "\n=== Checking for GitHub security advisories ==="
# Check ClamAV advisories
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: PIP, package: "clamav") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'
Repository: drevops/website
Length of output: 396
🌐 Web query:
ClamAV 1.5.2 release notes and changelog
💡 Result:
ClamAV 1.5.2 is a security patch release published on March 4, 2026. It addresses several vulnerabilities and bugs. Key changes include:
- CVE-2026-20031: Fixed an error handling bug in the HTML file parser that may crash the program and cause a denial-of-service (DoS) condition. This issue was introduced in version 1.1.0.
- Fixed a possible crash caused by invalid pointer alignment on some platforms (courtesy of Hsuan-Ming Chen at Synology PSIRT).
- Upgraded the Rust bytes dependency to resolve RUSTSEC-2026-0007 advisory.
- Freshclam: Fixed CLD verification bug with PrivateMirror option.
- The CVD verification process now ignores certificate files in the CVD certs directory when the user lacks read permissions.
- Fixed a possible crash on Windows when scanning some files while using LeaveTemporaryFiles and TemporaryDirectory options.
- Fixed a possible infinite loop when scanning some JPEG files by upgrading the affected ClamAV dependency (a Rust image library). Note: This requires a newer Rust compiler (minimum 1.87.0).
Downloads are available on the official ClamAV downloads page, GitHub releases, and Docker Hub. This is a patch release on top of 1.5.0/1.5.1, focusing on security fixes shared with 1.4.4.
Citations:
- 1: https://blog.clamav.net/2026/03/clamav-152-and-144-security-patch.html
- 2: https://github.com/Cisco-Talos/clamav/releases
- 3: https://blog.clamav.net/
🌐 Web query:
uselagoon/commons Docker image version 26.3.0 changelog
💡 Result:
No changelog found for uselagoon/commons Docker image version 26.3.0. The official GitHub releases page for uselagoon/lagoon-images (https://github.com/uselagoon/lagoon-images/releases) shows the latest release as 26.1.0 (January 21, 2025), which includes general changes like updating base images to Alpine 3.23 and various dependency updates. Docker Hub tags for uselagoon/commons list up to 26.1.0, with no mention of 26.3.0. Other Lagoon images like nginx-drupal and varnish-6 have tags up to 26.2.0. Version 26.3.0 may not exist or has not been publicly released as of 2026-03-26.
Citations:
- 1: https://github.com/uselagoon/lagoon-images/releases
- 2: https://hub.docker.com/r/uselagoon/commons/tags
- 3: https://github.com/uselagoon/lagoon-images
- 4: https://hub.docker.com/r/uselagoon/nginx-drupal/tags
- 5: https://hub.docker.com/r/uselagoon/varnish-6/tags
🌐 Web query:
clamav/clamav-debian Docker image 1.5.2-34 release
💡 Result:
The clamav/clamav-debian:1.5.2-34 Docker image is an official, multi-architecture (linux/amd64, linux/arm64, linux/ppc64le) Debian-based image for ClamAV version 1.5.2. It was last pushed about 12 hours ago (as of 2026-03-26) by clambotgen84202. The image size is approximately 184 MB for amd64, 181 MB for arm64, and 188 MB for ppc64le. It includes preloaded ClamAV signature databases.
This tag follows the naming convention <ClamAV_version>-<build_revision>, where 1.5.2 is the recent security patch release (published March 2026, fixing CVE-2026-20031 in HTML parser, Rust dependency upgrades, freshclam fixes, and pointer alignment crashes), and -34 is the 34th build/revision of that version, likely incorporating Debian base image security updates or minor rebuilds. Images are built weekly for base OS security fixes.
Pull command: docker pull clamav/clamav-debian:1.5.2-34
Documentation and usage: https://docs.clamav.net/manual/Installing/Docker.html. Mount /var/lib/clamav for persistent databases. clamd listens on TCP 3310.
Equivalent tags: 1.5.2, latest, stable (point to this build).
Citations:
- 1: https://hub.docker.com/r/clamav/clamav-debian/tags
- 2: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/README-debian.md
- 3: https://docs.clamav.net/manual/Installing/Docker.html
- 4: http://www.mail-archive.com/clamav-users@lists.clamav.net/msg53695.html
- 5: https://blog.clamav.net/2026/03/
- 6: https://launchpad.net/debian/+source/clamav/+changelog
uselagoon/commons:26.3.0 does not exist—use 26.1.0 or 26.2.0 instead.
The uselagoon/commons version 26.3.0 specified on line 13 does not appear to exist. The latest official release from uselagoon/lagoon-images is 26.1.0 (published January 2025), with other Lagoon images having tags up to 26.2.0. This will cause build failures. Use an available version from the Docker Hub registry.
The clamav/clamav-debian:1.5.2-34 update on line 15 is valid and recommended—it includes the ClamAV 1.5.2 security patch released March 2026, which fixes CVE-2026-20031 in the HTML file parser and other critical vulnerabilities.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.docker/clamav.dockerfile around lines 13 - 15, The Dockerfile references a
non-existent uselagoon image tag "uselagoon/commons:26.3.0" (FROM
uselagoon/commons:26.3.0 AS commons); update that tag to a valid published
release such as 26.1.0 or 26.2.0 to avoid build failures, leaving the clamav
base (FROM clamav/clamav-debian:1.5.2-34) unchanged as it is the recommended,
patched image. Ensure the FROM line for uselagoon/commons is replaced with
either "uselagoon/commons:26.1.0" or "uselagoon/commons:26.2.0".
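One way to audit how tightly the FROM lines touched by this PR pin their base images, as an added example that is not part of the PR or of CodeRabbit's review. The function names, every sample line after the first two, and the digest are constructed; treating `latest` and `stable` as moving aliases follows the tag description quoted above.

```shell
#!/bin/sh
# Added example: classify each FROM instruction read from stdin.
# Prints "<class> <reference>" where class is one of:
#   digest   - pinned to an immutable manifest digest
#   tag      - pinned to a specific tag (can still be re-pushed)
#   floating - no tag, or a moving alias such as latest/stable
#   stage    - refers to an earlier build stage, nothing is pulled
#   scratch / variable - empty base, or resolved from ARG at build time
classify_from() {
  awk '
    toupper($1) == "FROM" {
      i = 2
      while (i <= NF && $i ~ /^--/) i++        # skip flags like --platform=...
      ref = $i
      alias = ""
      if (toupper($(i + 1)) == "AS") alias = tolower($(i + 2))
      if (tolower(ref) in stages)              class = "stage"
      else if (ref == "scratch")               class = "scratch"
      else if (ref ~ /\$/)                     class = "variable"
      else if (ref ~ /@sha256:[0-9a-f]+$/)     class = "digest"
      else {
        name = ref
        sub(/^.*\//, "", name)                 # so registry host:port is not read as a tag
        if (name !~ /:/ || name ~ /:(latest|stable)$/) class = "floating"
        else                                           class = "tag"
      }
      if (alias != "") stages[alias] = 1
      print class, ref
    }'
}

# References that a registry could change underneath the build.
unpinned_refs() {
  classify_from | awk '$1 == "tag" || $1 == "floating" { print $2 }'
}

# Constructed sample: the first two lines are the FROM lines shown in this PR,
# the remaining lines and the digest value are made up for illustration.
SAMPLE='FROM uselagoon/commons:26.3.0 AS commons
FROM clamav/clamav-debian:1.5.2-34
FROM --platform=linux/amd64 clamav/clamav-debian:stable AS scanner
FROM registry.example:5000/team/base@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
FROM commons AS final'

printf '%s\n' "$SAMPLE" | classify_from
```

Each reference printed by `unpinned_refs` is a candidate for a registry existence check and for digest pinning before the bump is merged.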
Code coverage (GitHub Actions)
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## develop #159 +/- ##
========================================
Coverage 87.73% 87.73%
========================================
Files 11 11
Lines 163 163
========================================
Hits 143 143
Misses 20 20
This PR contains the following updates:
- 1.5.2-32 → 1.5.2-34
- 26.2.0 → 26.3.0
- 26.2.0 → 26.3.0
- 26.2.0 → 26.3.0
- 26.2.0 → 26.3.0
- 26.2.0 → 26.3.0
- 26.2.0 → 26.3.0
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
uselagoon/lagoon-images (uselagoon/commons)
v26.3.0
Notes on this release
This release introduces a new Solr 10 image (non-Drupal) and addresses Makefile auto-detection issues for users on Apple Silicon. We have also streamlined our scanning scripts by removing the Trivy results display and updated a wide range of runtime, database, and DevOps dependencies.
New Images
Deprecated Images
No images were deprecated in this release.
Removed Images
No images were removed in this release.
General changes
Package Updates
PHP related
Foundations
Databases / Caches / Search
Web / Runtime bases
Devops
Configuration
📅 Schedule: Branch creation - "" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Renovate Bot.