1.3 KiB
title | date | tags |
---|---|---|
Snyk failed to patch in Alpine docker | 2018-10-31 00:00:00 |
Snyk initially runs fine on Alpine, until you try to snyk protect
to patch the modules. Turns out Synk depends on GNU version of patch
utility.
Snyk is used to patch vulnerabilities of node_modules (read my {% post_link secure-node-modules-snyk 'previous post' %} for installation guide). I never had any issue with it running on Alpine docker image. That was because there was no modules to patch.
That is until I install renovate, which has vulnerabilities that can be patched.
Snyk only tells modules failed to patch, which is not helpful at all. I initially thought it was due to file permissions, which I now realise don't make sense. All commands are executed as root and files are owned by root.
The issue was only pinpointed after I ran snyk with --debug
, which I should've used it in the first place anyway. The issue is due to BusyBox's patch doesn't support --backup
option. Sigh, {% post_link gnu-vs-busybox-tools 'BusyBox versus GNU' %}, back at it again.
To install GNU's patch, simply add apk add patch
before npm install
in your CI config (e.g. .gitlab-ci.yml
). The installation will automatically replace the BusyBox's patch symlink, so you don't need to.