chore: compile a static binary in Docker to move from distroless/stat…

…ic-debian12 to distroless/base-nossl-debian12 to get fewer CVE alerts

Uses the technique described in https://www.arp242.net/static-go.html

.docker/Dockerfile-build

@@ -9,17 +9,16 @@ RUN apt-get update && apt-get upgrade -y &&\
 COPY go.mod go.sum ./
 COPY internal/httpclient/go.* ./internal/httpclient/
 
-ENV GO111MODULE on
-ENV CGO_ENABLED 1
+ENV CGO_ENABLED=1
 
 RUN go mod download
 
 COPY . .
-RUN go build -tags sqlite,json1 -o /usr/bin/hydra
+RUN go build -ldflags="-extldflags=-static" -tags sqlite,json1,sqlite_omit_load_extension -o /usr/bin/hydra
 
 #########################
 
-FROM gcr.io/distroless/base-nossl-debian12:nonroot AS runner
+FROM gcr.io/distroless/static-debian12:nonroot AS runner
 
 COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
 COPY --from=builder /usr/bin/hydra /usr/bin/hydra

.github/workflows/ci.yaml

@@ -99,7 +99,7 @@ jobs:
       - name: Run go-acc (tests)
         run: |
           make .bin/go-acc
-          .bin/go-acc -o coverage.out ./... -- -failfast -timeout=20m -tags sqlite,json1
+          .bin/go-acc -o coverage.out ./... -- -failfast -timeout=20m -tags sqlite,json1,sqlite_omit_load_extension
       - name: Submit to Codecov
         run: |
           bash <(curl -s https://codecov.io/bash)

Makefile

@@ -53,7 +53,7 @@ lint: .bin/golangci-lint-$(GOLANGCI_LINT_VERSION)
 .PHONY: test
 test: .bin/go-acc
 	make test-resetdb
-	source scripts/test-env.sh && go-acc ./... -- -failfast -timeout=20m -tags sqlite,json1
+	source scripts/test-env.sh && go-acc ./... -- -failfast -timeout=20m -tags sqlite,json1,sqlite_omit_load_extension
 	docker rm -f hydra_test_database_mysql
 	docker rm -f hydra_test_database_postgres
 	docker rm -f hydra_test_database_cockroach
@@ -84,15 +84,15 @@ e2e: node_modules test-resetdb
 # Runs tests in short mode, without database adapters
 .PHONY: quicktest
 quicktest:
-	go test -failfast -short -tags sqlite,json1 ./...
+	go test -failfast -short -tags sqlite,json1,sqlite_omit_load_extension ./...
 
 .PHONY: quicktest-hsm
 quicktest-hsm:
 	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-hsm --target test-hsm -t oryd/hydra:${IMAGE_TAG} --target test-hsm .
 
 .PHONY: refresh
 refresh:
-	UPDATE_SNAPSHOTS=true go test -failfast -short -tags sqlite,json1 ./...
+	UPDATE_SNAPSHOTS=true go test -failfast -short -tags sqlite,json1,sqlite_omit_load_extension ./...
 
 authors:  # updates the AUTHORS file
 	curl https://raw.githubusercontent.com/ory/ci/master/authors/authors.sh | env PRODUCT="Ory Hydra" bash
@@ -177,15 +177,15 @@ $(MIGRATIONS_DST_DIR:%/=%-clean): $(MIGRATION_CLEAN_TARGETS)
 install-stable:
 	HYDRA_LATEST=$$(git describe --abbrev=0 --tags)
 	git checkout $$HYDRA_LATEST
-	GO111MODULE=on go install \
-		-tags sqlite,json1 \
+	go install \
+		-tags sqlite,json1,sqlite_omit_load_extension \
 		-ldflags "-X github.com/ory/hydra/v2/driver/config.Version=$$HYDRA_LATEST -X github.com/ory/hydra/v2/driver/config.Date=`TZ=UTC date -u '+%Y-%m-%dT%H:%M:%SZ'` -X github.com/ory/hydra/v2/driver/config.Commit=`git rev-parse HEAD`" \
 		.
 	git checkout master
 
 .PHONY: install
 install:
-	GO111MODULE=on go install -tags sqlite,json1 .
+	go install -tags sqlite,json1,sqlite_omit_load_extension .
 
 .PHONY: post-release
 post-release: .bin/yq

scripts/db-diff.sh

@@ -107,7 +107,7 @@ function dump_sqlite {
 	hydra::util::ensure-sqlite
 
 	rm "$SQLITE_PATH" > /dev/null 2>&1 || true
-	go run -tags sqlite,json1 . migrate sql "sqlite://$SQLITE_PATH?_fk=true" --yes > /dev/null 2>&1 || true
+	go run -tags sqlite,json1,sqlite_omit_load_extension . migrate sql "sqlite://$SQLITE_PATH?_fk=true" --yes > /dev/null 2>&1 || true
 	echo '.dump' | sqlite3 "$SQLITE_PATH"
 }