Remove rav1e to eliminate paste crate CVE in Linux image

Remove rav1e binary, library, and SBOM metadata to eliminate RUSTSEC-2024-0436 in the paste crate. rav1e (AV1 encoder) is not needed for Flutter Linux desktop development. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Upgrade commons-lang3 to fix CVE-2025-48924
2026-02-03 03:01:29 -05:00 · 2026-02-03 02:45:13 -05:00 · 2026-02-03 02:06:52 -05:00
3 changed files with 20 additions and 37 deletions
@@ -8,21 +8,12 @@ LABEL org.opencontainers.image.version="${FLUTTER_VERSION}"

 USER 0

-# Download Flutter SDK and strip unnecessary files in a single layer
-RUN curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/stable/linux/flutter_linux_${FLUTTER_VERSION}-stable.tar.xz" \
-      -o /tmp/flutter.tar.xz && \
-    tar xf /tmp/flutter.tar.xz -C /opt && \
-    rm /tmp/flutter.tar.xz && \
-    rm -rf /opt/flutter/dev \
-           /opt/flutter/examples \
-           /opt/flutter/bin/cache/artifacts/engine/android-* \
-           /opt/flutter/bin/cache/artifacts/engine/linux-* && \
+# Clone Flutter SDK from git (supports both amd64 and arm64)
+RUN git clone --depth 1 --branch ${FLUTTER_VERSION} https://github.com/flutter/flutter.git /opt/flutter && \
+    git config --global --add safe.directory /opt/flutter && \
+    rm -rf /opt/flutter/dev /opt/flutter/examples && \
    chown -R 65532:65532 /opt/flutter

-# Mark git directory as safe and compact git history
-RUN git config --global --add safe.directory /opt/flutter && \
-    cd /opt/flutter && git gc --prune=all
-
 USER 65532

 # Configure for web-only (disable everything else)
@@ -28,20 +28,17 @@ RUN mkdir -p "${ANDROID_HOME}/cmdline-tools" && \
      "platforms;android-${ANDROID_COMPILE_SDK}" \
      "build-tools;${ANDROID_BUILD_TOOLS}" && \
    # Remove lint-psi to eliminate protobuf-java 2.6.1 CVEs (saves 86MB)
-    rm -rf "${ANDROID_HOME}/cmdline-tools/latest/lib/external/lint-psi"
+    rm -rf "${ANDROID_HOME}/cmdline-tools/latest/lib/external/lint-psi" && \
+    # Upgrade commons-lang3 from 3.16.0 to 3.18.0 to fix CVE-2025-48924
+    rm -f "${ANDROID_HOME}/cmdline-tools/latest/lib/external/org/apache/commons/commons-lang3/3.16.0/commons-lang3-3.16.0.jar" && \
+    mkdir -p "${ANDROID_HOME}/cmdline-tools/latest/lib/external/org/apache/commons/commons-lang3/3.18.0" && \
+    curl -fsSL "https://repo1.maven.org/maven2/org/apache/commons/commons-lang3/3.18.0/commons-lang3-3.18.0.jar" \
+      -o "${ANDROID_HOME}/cmdline-tools/latest/lib/external/org/apache/commons/commons-lang3/3.18.0/commons-lang3-3.18.0.jar"

-# Download Flutter SDK and strip unnecessary files
-RUN curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/stable/linux/flutter_linux_${FLUTTER_VERSION}-stable.tar.xz" \
-      -o /tmp/flutter.tar.xz && \
-    tar xf /tmp/flutter.tar.xz -C /opt && \
-    rm /tmp/flutter.tar.xz && \
-    rm -rf /opt/flutter/dev \
-           /opt/flutter/examples \
-           /opt/flutter/bin/cache/artifacts/engine/linux-* \
-           /opt/flutter/bin/cache/flutter_web_sdk
-
-RUN git config --global --add safe.directory /opt/flutter && \
-    cd /opt/flutter && git gc --prune=all
+# Clone Flutter SDK from git (supports both amd64 and arm64)
+RUN git clone --depth 1 --branch ${FLUTTER_VERSION} https://github.com/flutter/flutter.git /opt/flutter && \
+    git config --global --add safe.directory /opt/flutter && \
+    rm -rf /opt/flutter/dev /opt/flutter/examples

 # Fix ownership before switching to flutter user
 RUN chown -R 65532:65532 /opt/flutter "${ANDROID_HOME}"
@@ -8,18 +8,13 @@ LABEL org.opencontainers.image.version="${FLUTTER_VERSION}"

 USER 0

-# Download Flutter SDK and strip unnecessary files
-RUN curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/stable/linux/flutter_linux_${FLUTTER_VERSION}-stable.tar.xz" \
-      -o /tmp/flutter.tar.xz && \
-    tar xf /tmp/flutter.tar.xz -C /opt && \
-    rm /tmp/flutter.tar.xz && \
-    rm -rf /opt/flutter/dev \
-           /opt/flutter/examples \
-           /opt/flutter/bin/cache/artifacts/engine/android-* \
-           /opt/flutter/bin/cache/flutter_web_sdk
+# Remove rav1e to eliminate CVE in paste crate (not needed for Flutter)
+RUN rm -f /usr/bin/rav1e /usr/lib/librav1e.so* /var/lib/db/sbom/rav1e-*.spdx.json

-RUN git config --global --add safe.directory /opt/flutter && \
-    cd /opt/flutter && git gc --prune=all
+# Clone Flutter SDK from git (supports both amd64 and arm64)
+RUN git clone --depth 1 --branch ${FLUTTER_VERSION} https://github.com/flutter/flutter.git /opt/flutter && \
+    git config --global --add safe.directory /opt/flutter && \
+    rm -rf /opt/flutter/dev /opt/flutter/examples

 # Fix ownership before switching to flutter user
 RUN chown -R 65532:65532 /opt/flutter
Author	SHA1	Message	Date
Mathias Beaulieu-Duncan	68b6e6ec54	Remove rav1e to eliminate paste crate CVE in Linux image Build and Push Flutter SDK Image / build-and-push (Flutter SDK for Linux desktop CI builds, Dockerfile.linux, linux) (release) Successful in 21m10s Details Build and Push Flutter SDK Image / build-and-push (Flutter SDK for Android CI builds, Dockerfile.android, android) (release) Successful in 28m35s Details Build and Push Flutter SDK Image / build-and-push (Minimal Flutter SDK for Web/WASM CI builds, Dockerfile, web) (release) Successful in 16m45s Details Remove rav1e binary, library, and SBOM metadata to eliminate RUSTSEC-2024-0436 in the paste crate. rav1e (AV1 encoder) is not needed for Flutter Linux desktop development. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-03 03:01:29 -05:00
Mathias Beaulieu-Duncan	553fee0a25	Upgrade commons-lang3 to fix CVE-2025-48924 Replace vulnerable commons-lang3 3.16.0 with fixed version 3.18.0 to resolve CVE-2025-48924 (CVSS 6.5 Medium). Image now has 0 vulnerabilities across all severity levels. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-03 02:45:13 -05:00
Mathias Beaulieu-Duncan	b2e4c09c2b	Use git clone for Flutter SDK to support arm64 Build and Push Flutter SDK Image / build-and-push (Flutter SDK for Linux desktop CI builds, Dockerfile.linux, linux) (release) Successful in 26m24s Details Build and Push Flutter SDK Image / build-and-push (Flutter SDK for Android CI builds, Dockerfile.android, android) (release) Successful in 31m44s Details Build and Push Flutter SDK Image / build-and-push (Minimal Flutter SDK for Web/WASM CI builds, Dockerfile, web) (release) Successful in 16m45s Details Switch from downloading pre-built Flutter SDK tarballs to cloning from git. Flutter only provides x64 Linux tarballs, but cloning from git allows Flutter to bootstrap itself with the correct Dart SDK for any host architecture (amd64 or arm64). Also reduces image size from ~4GB to ~1.7GB for Android variant. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-03 02:06:52 -05:00