From db11cef05610a7bb949efc0baf93824331544943 Mon Sep 17 00:00:00 2001
From: Joseph LeGarreta
Date: Mon, 31 Jul 2023 12:25:21 -0700
Subject: [PATCH] Pin docker images to hashes

---
 backend/Dockerfiles/Dockerfile.veracode | 42 ++++++++++++++++---------
 1 file changed, 27 insertions(+), 15 deletions(-)

diff --git a/backend/Dockerfiles/Dockerfile.veracode b/backend/Dockerfiles/Dockerfile.veracode
index 24e33c08..bc7ffbe2 100644
--- a/backend/Dockerfiles/Dockerfile.veracode
+++ b/backend/Dockerfiles/Dockerfile.veracode
@@ -1,7 +1,17 @@
 ###############################################################################
 # Build stages
 ###############################################################################
-FROM python:3.9-bookworm as srcclr-builder
+
+# python:3.9.17-bookworm
+ARG PYTHON_IMG_VER=sha256:3d35a404db586d00a4ee5a65fd1496fe019ed4bdc068d436a67ce5b64b8b9659
+
+# python:3.9.17-slim-bookworm
+ARG PYTHON_SLIM_IMG_VER=sha256:2adc70122c1c77b4ce149129c27ae427e119578c28bc6fc9e8909866c582bd21
+
+# php:8.2.8-cli-bookworm
+ARG PHP_IMG_VER=sha256:5f1cbebbb6a873971786857b60a88f0f87f1959a4e29d93fd24afc11db351e09
+
+FROM python@${PYTHON_IMG_VER} as srcclr-builder
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
@@ -12,7 +22,7 @@ RUN apt-get update && \
 curl -sSL 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xdf7dd7a50b746dd4' | gpg --dearmor -o /etc/apt/trusted.gpg.d/veracode-sca-archive.gpg && \
 echo 'deb https://download.sourceclear.com/ubuntu stable/' >/etc/apt/sources.list.d/veracode-sca.list
 
-FROM python:3.9-bookworm as golang-builder
+FROM python@${PYTHON_IMG_VER} as golang-builder
 
 ARG GOLANGVER=1.20.6
 ARG GOLANGSHA=b945ae2bb5db01a0fb4786afde64e6fbab50b67f6fa0eb6cfa4924f16a7ff1eb
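Review bot: Each `ARG ..._IMG_VER` declared before the first `FROM` can be overridden with `--build-arg` at build time, so the digest pin is only as strong as whatever invokes `docker build`; that deserves a comment next to the declarations, e.g. `# Digest pins are the supply-chain anchor for every stage; override via --build-arg only for a deliberate base-image bump.` Dropping the tag from the reference also means the human-readable version now lives only in a comment that can drift from the digest on the next bump; Docker accepts a tag and a digest together, with the tag ignored for resolution, so `FROM python:3.9.17-bookworm@${PYTHON_IMG_VER} AS srcclr-builder` keeps the version visible in the Dockerfile and in `docker history` while still resolving by digest. Minor style point: the file keeps lowercase `as` on every stage, while `AS` is the conventional form and what linters expect.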
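Review bot: The trust anchor for the srcclr apt repo in this stage is still unpinned while the base image now is: the key is fetched from keyserver.ubuntu.com by its 64-bit key ID (`0xdf7dd7a50b746dd4`) rather than a full fingerprint, and placing it in `/etc/apt/trusted.gpg.d/` makes it a trusted signer for every apt source, not only download.sourceclear.com. Consider writing it to `/etc/apt/keyrings/veracode-sca-archive.gpg` and scoping it with `deb [signed-by=/etc/apt/keyrings/veracode-sca-archive.gpg] https://download.sourceclear.com/ubuntu stable/`, and checking the dearmored key's full fingerprint (`gpg --show-keys --with-fingerprint`) against a value recorded in the Dockerfile before trusting it. The `RUN` this belongs to starts before the hunk.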
@@ -24,7 +34,7 @@ RUN mkdir -p /golang/go && \
 tar -xzvf /golang/golang.tar.gz -C /golang/go && \
 rm /golang/golang.tar.gz
 
-FROM python:3.9-bookworm as gradle-builder
+FROM python@${PYTHON_IMG_VER} as gradle-builder
 
 ARG GRADLEVER=8.2.1
 ARG GRADLESHA=03ec176d388f2aa99defcadc3ac6adf8dd2bce5145a129659537c0874dea5ad1
@@ -37,7 +47,7 @@ RUN mkdir -p /gradle && \
 mv /gradle/gradle-$GRADLEVER /gradle/gradle && \
 rm /gradle/gradle.zip
 
-FROM python:3.9-bookworm as ant-builder
+FROM python@${PYTHON_IMG_VER} as ant-builder
 
 ARG ANTVER=1.10.13
 ARG ANTSHA=de4ac604629e39a86a306f0541adb3775596909ad92feb8b7de759b1b286417db24f557228737c8b902d6abf722d2ce5bb0c3baa3640cbeec3481e15ab1958c9
@@ -50,7 +60,7 @@ RUN mkdir -p /ant && \
 mv /ant/apache-ant-$ANTVER /ant/ant && \
 rm /ant/ant.tar.gz
 
-FROM python:3.9-bookworm as maven-builder
+FROM python@${PYTHON_IMG_VER} as maven-builder
 
 ARG MAVENVER=3.9.3
 ARG MAVENSHA=400fc5b6d000c158d5ee7937543faa06b6bda8408caa2444a9c947c21472fde0f0b64ac452b8cec8855d528c0335522ed5b6c8f77085811c7e29e1bedbb5daa2
@@ -63,7 +73,7 @@ RUN mkdir -p /maven && \
 mv /maven/apache-maven-$MAVENVER /maven/maven && \
 rm /maven/maven.tar.gz
 
-FROM python:3.9-bookworm as node-builder
+FROM python@${PYTHON_IMG_VER} as node-builder
 
 ARG NODEVER=18.17.0
 ARG NODESHA=5c4a7fd9262c0c47bafab3442de6c3fed1602be3d243cb8cf11309a201955e75
@@ -76,13 +86,15 @@ RUN mkdir -p /node && \
 mv /node/node-v$NODEVER-linux-x64 /node/node && \
 rm /node/node.tar.gz
 
-FROM php:8.2.8-cli-bookworm as php-builder
+FROM php@${PHP_IMG_VER} as php-builder
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
 
-FROM python:3.9-bookworm as java-builder
+FROM python@${PYTHON_IMG_VER} as java-builder
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 ARG JAVAVER=17.0.8
 ARG JAVASHA=74b528a33bb2dfa02b4d74a0d66c9aff52e4f52924ce23a62d7f9eb1a6744657
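Review bot: `curl -sS https://getcomposer.org/installer | php -- ...` in the php-builder stage still executes an installer fetched at build time with no integrity check and no composer version pin, which gives back the reproducibility the digest-pinned `php@${PHP_IMG_VER}` line just bought; every other tool in this file (Go, Gradle, Ant, Maven, Node, Java) carries a pinned version and a checksum. `curl` also lacks `-f`, so an HTTP error body would be piped into php with exit status 0, which `pipefail` cannot catch. Composer publishes the installer's SHA-384 at https://composer.github.io/installer.sig, so download to a file, verify it, and run the installer with `--version` pinned; the hash and version are left as build args without defaults below so the real values are recorded deliberately rather than guessed here.
```dockerfile
FROM php@${PHP_IMG_VER} as php-builder
# … unchanged: SHELL pipefail line …

# Expected SHA-384 of the installer and the composer release to install; both must be supplied.
ARG COMPOSER_VERSION
ARG COMPOSER_INSTALLER_SHA384

RUN curl -fsSL -o /tmp/composer-setup.php https://getcomposer.org/installer && \
    echo "${COMPOSER_INSTALLER_SHA384}  /tmp/composer-setup.php" | sha384sum -c - && \
    php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer --version="${COMPOSER_VERSION}" && \
    rm -f /tmp/composer-setup.php
```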
@@ -97,7 +109,7 @@ RUN mkdir -p /java && \
 ###############################################################################
 # App stage
 ###############################################################################
-FROM python:3.9-slim-bookworm as app
+FROM python@${PYTHON_SLIM_IMG_VER} as app
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 ARG MAINTAINER
@@ -140,11 +152,11 @@ ENV PATH="$PATH:/usr/local/java/bin"
 # Run all additional config in a single RUN to reduce the layers:
 # - Apply security updates
 # - Install:
-# - srcclr agent
 # - git
 # - libyaml (Ruby dep)
 # - PHP dependencies
 # - Ruby
+# - srcclr agent
 # - Install yarn and bower
 # - Clean up apt cache
 # - Upgrade pip and install boto3 for plugin utils
@@ -153,20 +165,20 @@ ENV PATH="$PATH:/usr/local/java/bin"
 # hadolint ignore=DL3005
 RUN apt-get update && \
 apt-get install -y --no-install-recommends -o "dpkg::Options::=--refuse-downgrade" \
-"srcclr=3.8.36" \
 "git=1:2.39.2-1.1" \
-"libyaml-0-2=0.2.5-1" \
 "libargon2-1=0~20171227-0.3+deb12u1" \
 "libcurl4=7.88.1-10+deb12u1" \
 "libedit2=3.1-20221030-2" \
+"libncurses6=6.4-4" \
 "libonig5=6.9.8-1" \
 "libsodium23=1.0.18-1" \
 "libsqlite3-0=3.40.1-2" \
 "libssl3=3.0.9-1" \
 "libxml2=2.9.14+dfsg-1.3~deb12u1" \
-"zlib1g=1:1.2.13.dfsg-1" \
-"libncurses6=6.4-4" \
-"ruby=1:3.1" && \
+"libyaml-0-2=0.2.5-1" \
+"ruby=1:3.1" \
+"srcclr=3.8.36" \
+"zlib1g=1:1.2.13.dfsg-1" && \
 apt-get -s dist-upgrade | { grep -E '^Inst ' | grep -F 'Debian-Security' || true; } | awk '{print $2}' | xargs apt-get -y --no-install-recommends -o "dpkg::Options::=--refuse-downgrade" install && \
 npm install --global \
 "bower@1.8.14" \
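Review bot: With the base image now digest-pinned, the simulated `apt-get -s dist-upgrade | ... | xargs apt-get ... install` step is the remaining non-deterministic input in this layer: it installs whatever Debian-Security offers at build time, and it silently supersedes the exact pins listed just above it (for example `"libssl3=3.0.9-1"`) whenever a security update exists, so those pins are a floor rather than the version that ends up in the image. That is a defensible trade-off for an image that scans other code, but it should be stated next to `# hadolint ignore=DL3005` so the next reader does not assume the pins are final, e.g. `# Security upgrades are applied at build time on purpose: the pins above are the baseline and may be superseded by Debian-Security, so this layer is not bit-reproducible.` If full reproducibility is wanted later, pointing the sources at a dated snapshot.debian.org mirror and bumping that date alongside the image digests would keep both properties. The `RUN` continues past the end of the hunk.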