From b5e79ae24d3cfd33a2857453d856a80a62c71678 Mon Sep 17 00:00:00 2001
From: josh
Date: Fri, 22 Sep 2023 20:49:29 +0000
Subject: [PATCH 1/3] Fix Grype Detected Security Problemos Fixes #20
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index e072e52..00ca9df 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,11 +1,11 @@
-FROM debian:buster as stage
+FROM debian:bookworm as stage
 ARG PACKAGE_BASEURL=https://download.zerotier.com/debian/buster/pool/main/z/zerotier-one
 ARG ARCH=amd64
 ARG VERSION=1.12.2
 RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y ca-certificates curl
 RUN curl -sSL -o zerotier-one.deb "${PACKAGE_BASEURL}/zerotier-one_${VERSION}_${ARCH}.deb"
-FROM debian:buster
+FROM debian:bookworm
 RUN mkdir /app
 WORKDIR /app
 COPY --from=stage zerotier-one.deb .
From fed1c2860230d39aeb80178c79697c1c41fed23d Mon Sep 17 00:00:00 2001
From: josh
Date: Fri, 22 Sep 2023 20:50:14 +0000
Subject: [PATCH 2/3] fix: pull correct deb package
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 00ca9df..e5e443a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 FROM debian:bookworm as stage
-ARG PACKAGE_BASEURL=https://download.zerotier.com/debian/buster/pool/main/z/zerotier-one
+ARG PACKAGE_BASEURL=https://download.zerotier.com/debian/bookworm/pool/main/z/zerotier-one
 ARG ARCH=amd64
 ARG VERSION=1.12.2
 RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y ca-certificates curl
From 977df48644e0a7112dc25f9f04afa6d84ce87db9 Mon Sep 17 00:00:00 2001
From: josh
Date: Fri, 22 Sep 2023 20:54:49 +0000
Subject: [PATCH 3/3] fix: only alert on CVEs that have a fix
---
 .github/workflows/docker-build.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 206925b..56ce360 100644
--- a/.github/workflows/docker-build.yml
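Review bot: Both new `FROM debian:bookworm` lines in the first hunk pin by tag only, so the clean Grype result this commit obtains depends on whatever `bookworm` resolves to on the day of the build, and a later rebuild can pull a different base (with different CVEs) without any change showing up in this file; pin the digest as well, e.g. `FROM debian:bookworm@sha256:<digest-placeholder> AS stage`, and bump it deliberately. The first line also keeps the mixed-case `as stage`; BuildKit's `FromAsCasing` check and hadolint both flag this, so `AS stage` is the conventional spelling. The trailing context (`RUN mkdir /app`, `WORKDIR /app`, `COPY --from=stage …`) belongs to a final stage whose remaining instructions are outside the hunk.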
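Review bot: The new `PACKAGE_BASEURL` in the second hunk is consumed by the context line `RUN curl -sSL -o zerotier-one.deb "${PACKAGE_BASEURL}/zerotier-one_${VERSION}_${ARCH}.deb"` with no integrity check, so the package that ends up in the image is whatever that URL — or any `--build-arg PACKAGE_BASEURL=…` override at build time — happens to serve, and correcting the distribution path does not change that. Pinning the expected digest alongside `VERSION` and checking it in the same `RUN` closes the gap, e.g. `&& echo "<sha256-placeholder>  zerotier-one.deb" | sha256sum -c -`, or equivalently `ADD --checksum=sha256:<sha256-placeholder> "${PACKAGE_BASEURL}/zerotier-one_${VERSION}_${ARCH}.deb" zerotier-one.deb`. As a smaller point, `ARG ARCH=amd64` on the following context line hard-codes the architecture while `debian:bookworm` is multi-arch; `ARG TARGETARCH` with `ARG ARCH=${TARGETARCH}` would follow the build platform. The rest of the `stage` stage and the final stage are past the hunk.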
+++ b/.github/workflows/docker-build.yml
@@ -50,7 +50,10 @@ jobs:
 id: scan
 with:
 sbom: sbom.spdx.json
+ severity-cutoff: high
 fail-build: false
+ only-fixed: true
+ by-cve: true
 - name: upload Anchore scan SARIF report
 uses: github/codeql-action/upload-sarif@v2
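Review bot: With `fail-build: false` still sitting between the added `severity-cutoff: high` and `only-fixed: true`, the scan step can never fail the job, so the new filters only narrow what reaches the SARIF upload and a fixable high or critical CVE still ships unblocked; now that the report is limited to fixable, high-or-above findings, `fail-build: true` is the natural companion to this change. Note also that `only-fixed: true` drops unfixed findings from the report entirely rather than demoting them, so high-severity issues with no upstream fix yet become invisible in the SARIF view — worth a one-line comment above the input, e.g. `# unfixed CVEs are omitted, not just unflagged; re-check when a fix lands`, so nobody reads the empty report as "no known issues". The `uses:` line naming the scan action and the start of the step are outside the hunk, so whether the scanner version supports `by-cve` cannot be confirmed from here.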