From d6fb00ac76033b003b08f4a65ebe488d95c4d54a Mon Sep 17 00:00:00 2001 From: curben Date: Wed, 31 Oct 2018 20:09:58 +1030 Subject: [PATCH] docs: Add 'Snyk failed to patch in Alpine docker' post --- source/_posts/snyk-patch-alpine-docker.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 source/_posts/snyk-patch-alpine-docker.md diff --git a/source/_posts/snyk-patch-alpine-docker.md b/source/_posts/snyk-patch-alpine-docker.md new file mode 100644 index 0000000..85f01bf --- /dev/null +++ b/source/_posts/snyk-patch-alpine-docker.md @@ -0,0 +1,18 @@ +--- +title: Snyk failed to patch in Alpine docker +date: 2018-10-31 00:00:00 +tags: +--- +Snyk initially runs fine on Alpine, until you try to `snyk protect` to patch the modules. Turns out Synk depends on GNU version of `patch` utility. + + + +Snyk is used to patch vulnerabilities of node_modules (read my [previous post]({% post_link secure-node-modules-with-snyk %}) for installation guide). I never had any issue with it running on Alpine docker image. That was because there was no modules to patch. + +That is until I install [renovate](https://github.com/renovatebot/renovate), which has [vulnerabilities](https://snyk.io/test/npm/renovate) that can be patched. + +Snyk only tells modules failed to patch, which is not helpful at all. I initially thought it was due to file permissions, which I now realise don't make sense. All commands are executed as root and files are owned by root. + +The issue was only pinpointed after I ran snyk with `--debug`, which I should've used it in the first place anyway. The issue is due to BusyBox's patch doesn't support `--backup` option. Sigh, [BusyBox versus GNU]({% post_link gnu-vs-busybox-unix-tools %}), back at it again. + +To install GNU's patch, simply add `apk add patch` before `npm install` in your CI config (e.g. `.gitlab-ci.yml`). The installation will automatically replace the BusyBox's patch symlink, so you don't need to. \ No newline at end of file