Compare commits

2 Commits

Author SHA1 Message Date
Mathias Beaulieu-Duncan 68b6e6ec54 Remove rav1e to eliminate paste crate CVE in Linux image
Build and Push Flutter SDK Image / build-and-push (Flutter SDK for Linux desktop CI builds, Dockerfile.linux, linux) (release) Successful in 21m10s
Build and Push Flutter SDK Image / build-and-push (Flutter SDK for Android CI builds, Dockerfile.android, android) (release) Successful in 28m35s
Build and Push Flutter SDK Image / build-and-push (Minimal Flutter SDK for Web/WASM CI builds, Dockerfile, web) (release) Successful in 16m45s
Remove rav1e binary, library, and SBOM metadata to eliminate
RUSTSEC-2024-0436 in the paste crate. rav1e (AV1 encoder) is not
needed for Flutter Linux desktop development.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 03:01:29 -05:00
Mathias Beaulieu-Duncan 553fee0a25 Upgrade commons-lang3 to fix CVE-2025-48924
Replace vulnerable commons-lang3 3.16.0 with fixed version 3.18.0
to resolve CVE-2025-48924 (CVSS 6.5 Medium).

Image now has 0 vulnerabilities across all severity levels.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 02:45:13 -05:00
2 changed files with 9 additions and 1 deletions
+6 -1
@@ -28,7 +28,12 @@ RUN mkdir -p "${ANDROID_HOME}/cmdline-tools" && \
"platforms;android-${ANDROID_COMPILE_SDK}" \
"build-tools;${ANDROID_BUILD_TOOLS}" && \
# Remove lint-psi to eliminate protobuf-java 2.6.1 CVEs (saves 86MB)
rm -rf "${ANDROID_HOME}/cmdline-tools/latest/lib/external/lint-psi"
rm -rf "${ANDROID_HOME}/cmdline-tools/latest/lib/external/lint-psi" && \
# Upgrade commons-lang3 from 3.16.0 to 3.18.0 to fix CVE-2025-48924
rm -f "${ANDROID_HOME}/cmdline-tools/latest/lib/external/org/apache/commons/commons-lang3/3.16.0/commons-lang3-3.16.0.jar" && \
mkdir -p "${ANDROID_HOME}/cmdline-tools/latest/lib/external/org/apache/commons/commons-lang3/3.18.0" && \
curl -fsSL "https://repo1.maven.org/maven2/org/apache/commons/commons-lang3/3.18.0/commons-lang3-3.18.0.jar" \
-o "${ANDROID_HOME}/cmdline-tools/latest/lib/external/org/apache/commons/commons-lang3/3.18.0/commons-lang3-3.18.0.jar"
# Clone Flutter SDK from git (supports both amd64 and arm64)
RUN git clone --depth 1 --branch ${FLUTTER_VERSION} https://github.com/flutter/flutter.git /opt/flutter && \
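Review bot: The `curl -fsSL ... -o .../3.18.0/commons-lang3-3.18.0.jar` step installs the downloaded jar with no integrity check, so the build trusts whatever bytes the repository serves at that moment. Pin the expected SHA-256 of commons-lang3-3.18.0.jar in the Dockerfile (for example as a build ARG) and verify it with `sha256sum -c -` immediately after the download, so a mismatch fails the build. Separately, the replacement lands in a new `3.18.0/` directory under a new file name; if anything in cmdline-tools references `commons-lang3-3.16.0.jar` by name, it will break at runtime, so invoking one of the cmdline-tools at the end of this RUN as a smoke test would confirm the swap actually works.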
+3
@@ -8,6 +8,9 @@ LABEL org.opencontainers.image.version="${FLUTTER_VERSION}"
USER 0
# Remove rav1e to eliminate CVE in paste crate (not needed for Flutter)
RUN rm -f /usr/bin/rav1e /usr/lib/librav1e.so* /var/lib/db/sbom/rav1e-*.spdx.json
# Clone Flutter SDK from git (supports both amd64 and arm64)
RUN git clone --depth 1 --branch ${FLUTTER_VERSION} https://github.com/flutter/flutter.git /opt/flutter && \
git config --global --add safe.directory /opt/flutter && \
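Review bot: The `rm -f /usr/bin/rav1e /usr/lib/librav1e.so* /var/lib/db/sbom/rav1e-*.spdx.json` line removes the files and the SBOM record by hand, and because `rm -f` with globs exits 0 when nothing matches, it silently becomes a no-op if a future base image moves any of these paths. Prefer uninstalling rav1e through the base image's package manager so the package database and SBOM stay consistent with what is on disk, or follow the `rm` with a check that fails the build if any of the three paths still exist. It is also worth confirming that nothing left in the image links against `librav1e.so`, since deleting the shared library would break such a binary at load time.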