From 31c79b3b2bbe112228e572482ca84fd5926a6473 Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Sat, 17 Jan 2026 09:41:31 +0000
Subject: [PATCH 1/2] fix: docker/util/Dockerfile to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-UBUNTU2404-GNUPG2-14849555
- https://snyk.io/vuln/SNYK-UBUNTU2404-PAM-11936905
- https://snyk.io/vuln/SNYK-UBUNTU2404-PAM-11936905
- https://snyk.io/vuln/SNYK-UBUNTU2404-PAM-11936905
- https://snyk.io/vuln/SNYK-UBUNTU2404-PAM-11936905
---
 docker/util/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/util/Dockerfile b/docker/util/Dockerfile
index ef7287a87..7bbdd83b4 100644
--- a/docker/util/Dockerfile
+++ b/docker/util/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:noble-20250925
+FROM ubuntu:24.04
 RUN apt-get update \
 && apt-get upgrade -y \
From c6fc6cf31c9cb277c4e80f0411bd67959d47ca45 Mon Sep 17 00:00:00 2001
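Review bot: The new base `FROM ubuntu:24.04` is a floating tag, whereas the removed `ubuntu:noble-20250925` named one dated build, so after this change the base layer depends on when and where the image is built, and nothing in the file records which build carries the listed GnuPG and PAM fixes. Consider moving to a newer dated tag or pinning by digest instead, e.g. `FROM ubuntu:24.04@sha256:<digest-of-the-verified-image>` (placeholder), and let the dependency bot bump that pin. The context lines already run `apt-get upgrade -y`, so package fixes may arrive at build time regardless of the tag; that is a reason to rescan the built image rather than rely on the tag change alone. The RUN instruction continues past the end of the hunk.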
From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Wed, 21 Jan 2026 12:54:44 -0500 Subject: [PATCH 2/2] Bump util Docker image version for Ubuntu 24.04 base upgrade (#289) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Completes Snyk PR #288 which upgraded the util Dockerfile base image from `ubuntu:noble-20250925` to `ubuntu:24.04` (fixes CVE-2024-53055 and CVE-2024-53924). The Dockerfile change alone would fail CI validation - container version tags must match package.json and all WDL workflow references must use the current version. ## Changes - Bumped `docker/util/package.json` version: `3.0.1` → `3.0.2` - Updated 16 container references across 9 WDL files to use `ghcr.io/stjudecloud/util:3.0.2` ## Affected Files **Config:** - `docker/util/package.json` **Workflows using util container:** - `data_structures/flag_filter.wdl` - `data_structures/read_group.wdl` (3 references) - `tools/htseq.wdl` - `tools/md5sum.wdl` - `tools/util.wdl` (7 references) - `workflows/dnaseq/dnaseq-standard.wdl` - `workflows/qc/quality-check-standard.wdl` - `workflows/rnaseq/rnaseq-standard.wdl` Before submitting this PR, please make sure: - [x] You have added a few sentences describing the PR here. - [x] The code passes all CI tests without any errors or warnings. - [x] You have added tests (when appropriate). - [x] You have added an entry in any relevant CHANGELOGs (when appropriate). - [x] If you have made any changes to the `scripts/` or `docker/` directories, please ensure any image versions have been incremented accordingly! - [x] You have updated the README or other documentation to account for these changes (when appropriate).
Original prompt > Pull Request: https://github.com/stjudecloud/workflows/pull/288
--- 💬 We'd love your input! Share your thoughts on Copilot coding agent in our [2 minute survey](https://gh.io/copilot-coding-agent-survey).
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: adthrasher <1165729+adthrasher@users.noreply.github.com>
---
 data_structures/flag_filter.wdl | 2 +-
 data_structures/read_group.wdl | 6 +++---
 docker/util/package.json | 2 +-
 tools/htseq.wdl | 2 +-
 tools/md5sum.wdl | 2 +-
 tools/util.wdl | 14 +++++++-------
 workflows/dnaseq/dnaseq-standard.wdl | 2 +-
 workflows/qc/quality-check-standard.wdl | 2 +-
 workflows/rnaseq/rnaseq-standard.wdl | 2 +-
 9 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/data_structures/flag_filter.wdl b/data_structures/flag_filter.wdl
index 27d81a0be..42e1c8af7 100644
--- a/data_structures/flag_filter.wdl
+++ b/data_structures/flag_filter.wdl
@@ -107,7 +107,7 @@ task validate_string_is_12bit_int {
 >>>
 runtime {
- container: "ghcr.io/stjudecloud/util:3.0.1"
+ container: "ghcr.io/stjudecloud/util:3.0.2"
 maxRetries: 1
 }
 }
diff --git a/data_structures/read_group.wdl b/data_structures/read_group.wdl
index 151f58ac8..13238121c 100644
--- a/data_structures/read_group.wdl
+++ b/data_structures/read_group.wdl
@@ -138,7 +138,7 @@ task get_read_groups {
 runtime {
 disks: "~{disk_size_gb} GB"
- container: "ghcr.io/stjudecloud/util:3.0.1"
+ container: "ghcr.io/stjudecloud/util:3.0.2"
 maxRetries: 1
 }
 }
@@ -356,7 +356,7 @@ task validate_read_group {
 >>>
 runtime {
- container: "ghcr.io/stjudecloud/util:3.0.1"
+ container: "ghcr.io/stjudecloud/util:3.0.2"
 maxRetries: 1
 }
 }
@@ -412,7 +412,7 @@ task inner_read_group_to_string {
 }
 runtime {
- container: "ghcr.io/stjudecloud/util:3.0.1"
+ container: "ghcr.io/stjudecloud/util:3.0.2"
 maxRetries: 1
 }
 }
diff --git a/docker/util/package.json b/docker/util/package.json
index 252cb57ef..a30115713 100644
--- a/docker/util/package.json
+++ b/docker/util/package.json
@@ -1,4 +1,4 @@
 {
 "name": "util",
- "version": "3.0.1"
+ "version": "3.0.2"
 }
\ No newline at end of file
diff --git a/tools/htseq.wdl b/tools/htseq.wdl
index 95d604e02..c71d93260 100755
--- a/tools/htseq.wdl
+++ b/tools/htseq.wdl
@@ -190,7 +190,7 @@ task calc_tpm {
 runtime {
 memory: "4 GB"
 disks: "10 GB"
- container: "ghcr.io/stjudecloud/util:3.0.1"
+ container: "ghcr.io/stjudecloud/util:3.0.2"
 maxRetries: 1
 }
 }
diff --git a/tools/md5sum.wdl b/tools/md5sum.wdl
index e967e55c3..b63752891 100755
--- a/tools/md5sum.wdl
+++ b/tools/md5sum.wdl
@@ -35,7 +35,7 @@ task compute_checksum {
 runtime {
 disks: "~{disk_size_gb} GB"
- container: "ghcr.io/stjudecloud/util:3.0.1"
+ container: "ghcr.io/stjudecloud/util:3.0.2"
 maxRetries: 1
 }
 }
diff --git a/tools/util.wdl b/tools/util.wdl
index 3bb4c5963..db3b53cb3 100644
--- a/tools/util.wdl
+++ b/tools/util.wdl
@@ -41,7 +41,7 @@ task download {
 runtime {
 disks: "~{disk_size_gb} GB"
- container: "ghcr.io/stjudecloud/util:3.0.1"
+ container: "ghcr.io/stjudecloud/util:3.0.2"
 maxRetries: 1
 }
 }
@@ -80,7 +80,7 @@ task split_string {
 }
 runtime {
- container: "ghcr.io/stjudecloud/util:3.0.1"
+ container: "ghcr.io/stjudecloud/util:3.0.2"
 maxRetries: 1
 }
 }
@@ -128,7 +128,7 @@ task calc_feature_lengths {
 runtime {
 memory: "16 GB"
 disks: "~{disk_size_gb} GB"
- container: "ghcr.io/stjudecloud/util:3.0.1"
+ container: "ghcr.io/stjudecloud/util:3.0.2"
 maxRetries: 1
 }
 }
@@ -247,7 +247,7 @@ task unpack_tarball {
 runtime {
 disks: "~{disk_size_gb} GB"
- container: "ghcr.io/stjudecloud/util:3.0.1"
+ container: "ghcr.io/stjudecloud/util:3.0.2"
 maxRetries: 1
 }
 }
@@ -351,7 +351,7 @@ task global_phred_scores {
 runtime {
 memory: "4 GB"
 disks: "~{disk_size_gb} GB"
- container: "ghcr.io/stjudecloud/util:3.0.1"
+ container: "ghcr.io/stjudecloud/util:3.0.2"
 maxRetries: 1
 }
 }
@@ -398,7 +398,7 @@ task check_fastq_and_rg_concordance {
 >>>
 runtime {
- container: "ghcr.io/stjudecloud/util:3.0.1"
+ container: "ghcr.io/stjudecloud/util:3.0.2"
 maxRetries: 1
 }
 }
@@ -462,7 +462,7 @@ task split_fastq {
 cpu: ncpu
 memory: "4 GB"
 disks: "~{disk_size_gb} GB"
- container: "ghcr.io/stjudecloud/util:3.0.1"
+ container: "ghcr.io/stjudecloud/util:3.0.2"
 maxRetries: 1
 }
 }
diff --git a/workflows/dnaseq/dnaseq-standard.wdl b/workflows/dnaseq/dnaseq-standard.wdl
index 7b2e86154..149e95c5d 100644
--- a/workflows/dnaseq/dnaseq-standard.wdl
+++ b/workflows/dnaseq/dnaseq-standard.wdl
@@ -158,7 +158,7 @@ task parse_input {
 >>>
 runtime {
- container: "ghcr.io/stjudecloud/util:3.0.1"
+ container: "ghcr.io/stjudecloud/util:3.0.2"
 maxRetries: 1
 }
 }
diff --git a/workflows/qc/quality-check-standard.wdl b/workflows/qc/quality-check-standard.wdl
index 1587b7fda..9ae9d52f0 100644
--- a/workflows/qc/quality-check-standard.wdl
+++ b/workflows/qc/quality-check-standard.wdl
@@ -547,7 +547,7 @@ task parse_input {
 }
 runtime {
- container: "ghcr.io/stjudecloud/util:3.0.1"
+ container: "ghcr.io/stjudecloud/util:3.0.2"
 maxRetries: 1
 }
 }
diff --git a/workflows/rnaseq/rnaseq-standard.wdl b/workflows/rnaseq/rnaseq-standard.wdl
index c7278a72a..f138d2704 100755
--- a/workflows/rnaseq/rnaseq-standard.wdl
+++ b/workflows/rnaseq/rnaseq-standard.wdl
@@ -181,7 +181,7 @@ task parse_input {
 >>>
 runtime {
- container: "ghcr.io/stjudecloud/util:3.0.1"
+ container: "ghcr.io/stjudecloud/util:3.0.2"
 maxRetries: 1
 }
 }