-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Updated several components of veracode image
- Loading branch information
1 parent
ffc843e
commit 9d98e6a
Showing
1 changed file
with
65 additions
and
54 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,21 +1,21 @@ | ||
| ############################################################################### | ||
| # Build stages | ||
| ############################################################################### | ||
| FROM python:3.9-bullseye as srcclr-builder | ||
| FROM python:3.9-bookworm as srcclr-builder | ||
|
|
||
| SHELL ["/bin/bash", "-o", "pipefail", "-c"] | ||
|
|
||
| # Retrieve and install Veracode GPG signing key | ||
| # Add srcclr to the apt repo list | ||
| RUN apt-get update && \ | ||
| apt-get install software-properties-common -y --no-install-recommends && \ | ||
| apt-get -y --no-install-recommends install software-properties-common="0.99.30-4" && \ | ||
| curl -sSL 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xdf7dd7a50b746dd4' | gpg --dearmor -o /etc/apt/trusted.gpg.d/veracode-sca-archive.gpg && \ | ||
| echo 'deb https://download.sourceclear.com/ubuntu stable/' >/etc/apt/sources.list.d/veracode-sca.list | ||
|
|
||
| FROM python:3.9-bullseye as golang-builder | ||
| FROM python:3.9-bookworm as golang-builder | ||
|
|
||
| ARG GOLANGVER=1.16.3 | ||
| ARG GOLANGSHA=951a3c7c6ce4e56ad883f97d9db74d3d6d80d5fec77455c6ada6c1f7ac4776d2 | ||
| ARG GOLANGVER=1.20.6 | ||
| ARG GOLANGSHA=b945ae2bb5db01a0fb4786afde64e6fbab50b67f6fa0eb6cfa4924f16a7ff1eb | ||
|
|
||
| RUN mkdir -p /golang/go && \ | ||
| echo "$GOLANGSHA /golang/golang.tar.gz" > /golang_checksum.txt && \ | ||
|
|
@@ -24,10 +24,10 @@ RUN mkdir -p /golang/go && \ | |
| tar -xzvf /golang/golang.tar.gz -C /golang/go && \ | ||
| rm /golang/golang.tar.gz | ||
|
|
||
| FROM python:3.9-bullseye as gradle-builder | ||
| FROM python:3.9-bookworm as gradle-builder | ||
|
|
||
| ARG GRADLEVER=7.0 | ||
| ARG GRADLESHA=eb8b89184261025b0430f5b2233701ff1377f96da1ef5e278af6ae8bac5cc305 | ||
| ARG GRADLEVER=8.2.1 | ||
| ARG GRADLESHA=03ec176d388f2aa99defcadc3ac6adf8dd2bce5145a129659537c0874dea5ad1 | ||
|
|
||
| RUN mkdir -p /gradle && \ | ||
| echo "$GRADLESHA /gradle/gradle.zip" > /gradle_checksum.txt && \ | ||
|
|
@@ -37,10 +37,10 @@ RUN mkdir -p /gradle && \ | |
| mv /gradle/gradle-$GRADLEVER /gradle/gradle && \ | ||
| rm /gradle/gradle.zip | ||
|
|
||
| FROM python:3.9-bullseye as ant-builder | ||
| FROM python:3.9-bookworm as ant-builder | ||
|
|
||
| ARG ANTVER=1.10.12 | ||
| ARG ANTSHA=2287dc5cfc21043c14e5413f9afb1c87c9f266ec2a9ba2d3bf2285446f6e4ccb59b558bf2e5c57911a05dfa293c7d5c7ad60ac9f744ba11406f4e6f9a27b2403 | ||
| ARG ANTVER=1.10.13 | ||
| ARG ANTSHA=de4ac604629e39a86a306f0541adb3775596909ad92feb8b7de759b1b286417db24f557228737c8b902d6abf722d2ce5bb0c3baa3640cbeec3481e15ab1958c9 | ||
|
|
||
| RUN mkdir -p /ant && \ | ||
| echo "$ANTSHA /ant/ant.tar.gz" > /ant_checksum.txt && \ | ||
|
|
@@ -50,10 +50,10 @@ RUN mkdir -p /ant && \ | |
| mv /ant/apache-ant-$ANTVER /ant/ant && \ | ||
| rm /ant/ant.tar.gz | ||
|
|
||
| FROM python:3.9-bullseye as maven-builder | ||
| FROM python:3.9-bookworm as maven-builder | ||
|
|
||
| ARG MAVENVER=3.8.8 | ||
| ARG MAVENSHA=332088670d14fa9ff346e6858ca0acca304666596fec86eea89253bd496d3c90deae2be5091be199f48e09d46cec817c6419d5161fb4ee37871503f472765d00 | ||
| ARG MAVENVER=3.9.3 | ||
| ARG MAVENSHA=400fc5b6d000c158d5ee7937543faa06b6bda8408caa2444a9c947c21472fde0f0b64ac452b8cec8855d528c0335522ed5b6c8f77085811c7e29e1bedbb5daa2 | ||
|
|
||
| RUN mkdir -p /maven && \ | ||
| echo "$MAVENSHA /maven/maven.tar.gz" > /maven_checksum.txt && \ | ||
|
|
@@ -63,10 +63,10 @@ RUN mkdir -p /maven && \ | |
| mv /maven/apache-maven-$MAVENVER /maven/maven && \ | ||
| rm /maven/maven.tar.gz | ||
|
|
||
| FROM python:3.9-bullseye as node-builder | ||
| FROM python:3.9-bookworm as node-builder | ||
|
|
||
| ARG NODEVER=14.16.1 | ||
| ARG NODESHA=068400cb9f53d195444b9260fd106f7be83af62bb187932656b68166a2f87f44 | ||
| ARG NODEVER=18.17.0 | ||
| ARG NODESHA=5c4a7fd9262c0c47bafab3442de6c3fed1602be3d243cb8cf11309a201955e75 | ||
|
|
||
| RUN mkdir -p /node && \ | ||
| echo "$NODESHA /node/node.tar.gz" > /node_checksum.txt && \ | ||
|
|
@@ -76,28 +76,30 @@ RUN mkdir -p /node && \ | |
| mv /node/node-v$NODEVER-linux-x64 /node/node && \ | ||
| rm /node/node.tar.gz | ||
|
|
||
| FROM python:3.9-bullseye as ruby-builder | ||
| FROM php:8.2.8-cli-bookworm as php-builder | ||
|
|
||
| ARG RUBYVER=2.7.2 | ||
| ARG RUBYSHA=3f50b100fb52cdf315fa17f41ae2e2538bb0c45abd9a6c569fd70ac851d61b2a | ||
| SHELL ["/bin/bash", "-o", "pipefail", "-c"] | ||
|
|
||
| RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer | ||
|
|
||
| RUN mkdir -p /ruby && \ | ||
| echo "$RUBYSHA /ruby/ruby.tar.bz" > /ruby_checksum.txt && \ | ||
| curl https://rvm_io.global.ssl.fastly.net/binaries/debian/10/x86_64/ruby-$RUBYVER.tar.bz2 -L -o /ruby/ruby.tar.bz && \ | ||
| sha256sum -c /ruby_checksum.txt && \ | ||
| tar -xjvf /ruby/ruby.tar.bz -C /ruby && \ | ||
| mv /ruby/ruby-$RUBYVER /ruby/ruby && \ | ||
| rm /ruby/ruby.tar.bz | ||
| FROM python:3.9-bookworm as java-builder | ||
|
|
||
| FROM php:7.4.22-cli-bullseye as php-builder | ||
| ARG JAVAVER=17.0.8 | ||
| ARG JAVASHA=74b528a33bb2dfa02b4d74a0d66c9aff52e4f52924ce23a62d7f9eb1a6744657 | ||
|
|
||
| RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer | ||
| RUN mkdir -p /java && \ | ||
| echo "$JAVASHA java.tar.gz" >java_checksum.txt && \ | ||
| JAVAMAJOR=$(echo "${JAVAVER}" | cut -d . -f 1) && \ | ||
| curl "https://download.oracle.com/java/${JAVAMAJOR}/archive/jdk-${JAVAVER}_linux-x64_bin.tar.gz" -L -o java.tar.gz && \ | ||
| sha256sum -c java_checksum.txt && \ | ||
| tar -xzvf java.tar.gz --strip-components 1 -C /java | ||
|
|
||
| ############################################################################### | ||
| # App stage | ||
| ############################################################################### | ||
| FROM python:3.9-slim-bullseye as app | ||
| FROM python:3.9-slim-bookworm as app | ||
|
|
||
| SHELL ["/bin/bash", "-o", "pipefail", "-c"] | ||
| ARG MAINTAINER | ||
| LABEL maintainer=$MAINTAINER | ||
|
|
||
|
|
@@ -125,41 +127,50 @@ ENV PATH="$PATH:/usr/local/maven/bin" | |
| COPY --from=node-builder /node /usr/local | ||
| ENV PATH="$PATH:/usr/local/node/bin" | ||
|
|
||
| # Install Ruby | ||
| COPY --from=ruby-builder /ruby /usr/local | ||
| ENV PATH="$PATH:/usr/local/ruby/bin" | ||
|
|
||
| # Install PHP | ||
| COPY --from=php-builder /usr/local/bin/php /usr/local/bin/ | ||
| COPY --from=php-builder /usr/local/lib /usr/local | ||
| COPY --from=php-builder /usr/local/bin/composer /usr/local/bin/ | ||
|
|
||
| # Install Java | ||
| COPY --from=java-builder /java /usr/local/java | ||
| ENV PATH="$PATH:/usr/local/java/bin" | ||
|
|
||
| ################################################################################ | ||
| # Run all additional config in a single RUN to reduce the layers: | ||
| # - Apply security updates | ||
| # - Install: | ||
| # srcclr agent | ||
| # git | ||
| # OpenJDK | ||
| # Go tools | ||
| # libyaml (Ruby dep) | ||
| # PHP dependencies | ||
| # - srcclr agent | ||
| # - git | ||
| # - libyaml (Ruby dep) | ||
| # - PHP dependencies | ||
| # - Ruby | ||
| # - Install yarn and bower | ||
| # - Clean up apt cache | ||
| # - Upgrade pip and install boto3 for plugin utils | ||
| # hadolint ignore=DL3008 | ||
| ################################################################################ | ||
|
|
||
| # hadolint ignore=DL3005 | ||
| RUN apt-get update && \ | ||
| mkdir -p /usr/share/man/man1 && \ | ||
| grep security /etc/apt/sources.list > /etc/apt/security.sources.list && \ | ||
| apt-get upgrade -y && \ | ||
| apt-get upgrade -y -o Dir::Etc::Sourcelist=/etc/apt/security.sources.list && \ | ||
| apt-get install -y --no-install-recommends \ | ||
| srcclr \ | ||
| git \ | ||
| openjdk-11-jre-headless \ | ||
| govendor \ | ||
| libyaml-0-2 -y \ | ||
| libargon2-1 libcurl4 libedit2 libonig5 libsodium23 libsqlite3-0 libssl1.1 libxml2 zlib1g libncurses6 && \ | ||
| npm install --global yarn bower && \ | ||
| apt-get install -y --no-install-recommends -o "dpkg::Options::=--refuse-downgrade" \ | ||
| "srcclr=3.8.36" \ | ||
| "git=1:2.39.2-1.1" \ | ||
| "libyaml-0-2=0.2.5-1" \ | ||
| "libargon2-1=0~20171227-0.3+deb12u1" \ | ||
| "libcurl4=7.88.1-10+deb12u1" \ | ||
| "libedit2=3.1-20221030-2" \ | ||
| "libonig5=6.9.8-1" \ | ||
| "libsodium23=1.0.18-1" \ | ||
| "libsqlite3-0=3.40.1-2" \ | ||
| "libssl3=3.0.9-1" \ | ||
| "libxml2=2.9.14+dfsg-1.3~deb12u1" \ | ||
| "zlib1g=1:1.2.13.dfsg-1" \ | ||
| "libncurses6=6.4-4" \ | ||
| "ruby=1:3.1" && \ | ||
| apt-get -s dist-upgrade | { grep -E '^Inst ' | grep -F 'Debian-Security' || true; } | awk '{print $2}' | xargs apt-get -y --no-install-recommends -o "dpkg::Options::=--refuse-downgrade" install && \ | ||
| npm install --global \ | ||
| "[email protected]" \ | ||
| "[email protected]" && \ | ||
| apt-get clean && \ | ||
| rm -rf /var/lib/apt/lists/* && \ | ||
| pip install -q --no-cache-dir boto3==1.16.53 | ||
| pip install -q --no-cache-dir "boto3==1.16.53" | ||