Update veracode dependencies #62

Merged
merged 2 commits into from
Jul 31, 2023
131 changes: 77 additions & 54 deletions backend/Dockerfiles/Dockerfile.veracode
@@ -1,21 +1,31 @@
###############################################################################
# Build stages
###############################################################################
FROM python:3.9-bullseye as srcclr-builder

# python:3.9.17-bookworm
ARG PYTHON_IMG_VER=sha256:3d35a404db586d00a4ee5a65fd1496fe019ed4bdc068d436a67ce5b64b8b9659

# python:3.9.17-slim-bookworm
ARG PYTHON_SLIM_IMG_VER=sha256:2adc70122c1c77b4ce149129c27ae427e119578c28bc6fc9e8909866c582bd21

# php:8.2.8-cli-bookworm
ARG PHP_IMG_VER=sha256:5f1cbebbb6a873971786857b60a88f0f87f1959a4e29d93fd24afc11db351e09

FROM python@${PYTHON_IMG_VER} as srcclr-builder

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Retrieve and install Veracode GPG signing key
# Add srcclr to the apt repo list
RUN apt-get update && \
apt-get install software-properties-common -y --no-install-recommends && \
apt-get -y --no-install-recommends install software-properties-common="0.99.30-4" && \
curl -sSL 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xdf7dd7a50b746dd4' | gpg --dearmor -o /etc/apt/trusted.gpg.d/veracode-sca-archive.gpg && \
echo 'deb https://download.sourceclear.com/ubuntu stable/' >/etc/apt/sources.list.d/veracode-sca.list

FROM python:3.9-bullseye as golang-builder
FROM python@${PYTHON_IMG_VER} as golang-builder

ARG GOLANGVER=1.16.3
ARG GOLANGSHA=951a3c7c6ce4e56ad883f97d9db74d3d6d80d5fec77455c6ada6c1f7ac4776d2
ARG GOLANGVER=1.20.6
ARG GOLANGSHA=b945ae2bb5db01a0fb4786afde64e6fbab50b67f6fa0eb6cfa4924f16a7ff1eb

RUN mkdir -p /golang/go && \
echo "$GOLANGSHA /golang/golang.tar.gz" > /golang_checksum.txt && \
Expand All @@ -24,10 +34,10 @@ RUN mkdir -p /golang/go && \
tar -xzvf /golang/golang.tar.gz -C /golang/go && \
rm /golang/golang.tar.gz

FROM python:3.9-bullseye as gradle-builder
FROM python@${PYTHON_IMG_VER} as gradle-builder

ARG GRADLEVER=7.0
ARG GRADLESHA=eb8b89184261025b0430f5b2233701ff1377f96da1ef5e278af6ae8bac5cc305
ARG GRADLEVER=8.2.1
ARG GRADLESHA=03ec176d388f2aa99defcadc3ac6adf8dd2bce5145a129659537c0874dea5ad1

RUN mkdir -p /gradle && \
echo "$GRADLESHA /gradle/gradle.zip" > /gradle_checksum.txt && \
Expand All @@ -37,10 +47,10 @@ RUN mkdir -p /gradle && \
mv /gradle/gradle-$GRADLEVER /gradle/gradle && \
rm /gradle/gradle.zip

FROM python:3.9-bullseye as ant-builder
FROM python@${PYTHON_IMG_VER} as ant-builder

ARG ANTVER=1.10.12
ARG ANTSHA=2287dc5cfc21043c14e5413f9afb1c87c9f266ec2a9ba2d3bf2285446f6e4ccb59b558bf2e5c57911a05dfa293c7d5c7ad60ac9f744ba11406f4e6f9a27b2403
ARG ANTVER=1.10.13
ARG ANTSHA=de4ac604629e39a86a306f0541adb3775596909ad92feb8b7de759b1b286417db24f557228737c8b902d6abf722d2ce5bb0c3baa3640cbeec3481e15ab1958c9

RUN mkdir -p /ant && \
echo "$ANTSHA /ant/ant.tar.gz" > /ant_checksum.txt && \
Expand All @@ -50,10 +60,10 @@ RUN mkdir -p /ant && \
mv /ant/apache-ant-$ANTVER /ant/ant && \
rm /ant/ant.tar.gz

FROM python:3.9-bullseye as maven-builder
FROM python@${PYTHON_IMG_VER} as maven-builder

ARG MAVENVER=3.8.8
ARG MAVENSHA=332088670d14fa9ff346e6858ca0acca304666596fec86eea89253bd496d3c90deae2be5091be199f48e09d46cec817c6419d5161fb4ee37871503f472765d00
ARG MAVENVER=3.9.3
ARG MAVENSHA=400fc5b6d000c158d5ee7937543faa06b6bda8408caa2444a9c947c21472fde0f0b64ac452b8cec8855d528c0335522ed5b6c8f77085811c7e29e1bedbb5daa2

RUN mkdir -p /maven && \
echo "$MAVENSHA /maven/maven.tar.gz" > /maven_checksum.txt && \
Expand All @@ -63,10 +73,10 @@ RUN mkdir -p /maven && \
mv /maven/apache-maven-$MAVENVER /maven/maven && \
rm /maven/maven.tar.gz

FROM python:3.9-bullseye as node-builder
FROM python@${PYTHON_IMG_VER} as node-builder

ARG NODEVER=14.16.1
ARG NODESHA=068400cb9f53d195444b9260fd106f7be83af62bb187932656b68166a2f87f44
ARG NODEVER=18.17.0
ARG NODESHA=5c4a7fd9262c0c47bafab3442de6c3fed1602be3d243cb8cf11309a201955e75

RUN mkdir -p /node && \
echo "$NODESHA /node/node.tar.gz" > /node_checksum.txt && \
Expand All @@ -76,28 +86,32 @@ RUN mkdir -p /node && \
mv /node/node-v$NODEVER-linux-x64 /node/node && \
rm /node/node.tar.gz

FROM python:3.9-bullseye as ruby-builder
FROM php@${PHP_IMG_VER} as php-builder

ARG RUBYVER=2.7.2
ARG RUBYSHA=3f50b100fb52cdf315fa17f41ae2e2538bb0c45abd9a6c569fd70ac851d61b2a
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

RUN mkdir -p /ruby && \
echo "$RUBYSHA /ruby/ruby.tar.bz" > /ruby_checksum.txt && \
curl https://rvm_io.global.ssl.fastly.net/binaries/debian/10/x86_64/ruby-$RUBYVER.tar.bz2 -L -o /ruby/ruby.tar.bz && \
sha256sum -c /ruby_checksum.txt && \
tar -xjvf /ruby/ruby.tar.bz -C /ruby && \
mv /ruby/ruby-$RUBYVER /ruby/ruby && \
rm /ruby/ruby.tar.bz
Had to install ruby with apt-get instead, because the official website does not have binaries for Debian bookworm yet.

RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer

FROM php:7.4.22-cli-bullseye as php-builder
FROM python@${PYTHON_IMG_VER} as java-builder

RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

ARG JAVAVER=17.0.8
ARG JAVASHA=74b528a33bb2dfa02b4d74a0d66c9aff52e4f52924ce23a62d7f9eb1a6744657

RUN mkdir -p /java && \
echo "$JAVASHA java.tar.gz" >java_checksum.txt && \
JAVAMAJOR=$(echo "${JAVAVER}" | cut -d . -f 1) && \
curl "https://download.oracle.com/java/${JAVAMAJOR}/archive/jdk-${JAVAVER}_linux-x64_bin.tar.gz" -L -o java.tar.gz && \
sha256sum -c java_checksum.txt && \
tar -xzvf java.tar.gz --strip-components 1 -C /java
Had to install java from Oracle as opposed to apt. There seems to be a bug in the post-installation script of the deb package which causes installation to fail.


###############################################################################
# App stage
###############################################################################
FROM python:3.9-slim-bullseye as app
FROM python@${PYTHON_SLIM_IMG_VER} as app

SHELL ["/bin/bash", "-o", "pipefail", "-c"]
ARG MAINTAINER
LABEL maintainer=$MAINTAINER

Expand Down Expand Up @@ -125,41 +139,50 @@ ENV PATH="$PATH:/usr/local/maven/bin"
COPY --from=node-builder /node /usr/local
ENV PATH="$PATH:/usr/local/node/bin"

# Install Ruby
COPY --from=ruby-builder /ruby /usr/local
ENV PATH="$PATH:/usr/local/ruby/bin"

# Install PHP
COPY --from=php-builder /usr/local/bin/php /usr/local/bin/
COPY --from=php-builder /usr/local/lib /usr/local
COPY --from=php-builder /usr/local/bin/composer /usr/local/bin/

# Install Java
COPY --from=java-builder /java /usr/local/java
ENV PATH="$PATH:/usr/local/java/bin"

################################################################################
# Run all additional config in a single RUN to reduce the layers:
# - Apply security updates
# - Install:
# srcclr agent
# git
# OpenJDK
# Go tools
# libyaml (Ruby dep)
# PHP dependencies
# - git
# - libyaml (Ruby dep)
# - PHP dependencies
# - Ruby
# - srcclr agent
# - Install yarn and bower
# - Clean up apt cache
# - Upgrade pip and install boto3 for plugin utils
# hadolint ignore=DL3008
################################################################################

# hadolint ignore=DL3005
RUN apt-get update && \
mkdir -p /usr/share/man/man1 && \
grep security /etc/apt/sources.list > /etc/apt/security.sources.list && \
apt-get upgrade -y && \
apt-get upgrade -y -o Dir::Etc::Sourcelist=/etc/apt/security.sources.list && \
apt-get install -y --no-install-recommends \
srcclr \
git \
openjdk-11-jre-headless \
govendor \
libyaml-0-2 -y \
libargon2-1 libcurl4 libedit2 libonig5 libsodium23 libsqlite3-0 libssl1.1 libxml2 zlib1g libncurses6 && \
npm install --global yarn bower && \
apt-get install -y --no-install-recommends -o "dpkg::Options::=--refuse-downgrade" \
"git=1:2.39.2-1.1" \
"libargon2-1=0~20171227-0.3+deb12u1" \
"libcurl4=7.88.1-10+deb12u1" \
"libedit2=3.1-20221030-2" \
"libncurses6=6.4-4" \
"libonig5=6.9.8-1" \
"libsodium23=1.0.18-1" \
"libsqlite3-0=3.40.1-2" \
"libssl3=3.0.9-1" \
"libxml2=2.9.14+dfsg-1.3~deb12u1" \
"libyaml-0-2=0.2.5-1" \
"ruby=1:3.1" \
"srcclr=3.8.36" \
"zlib1g=1:1.2.13.dfsg-1" && \
apt-get -s dist-upgrade | { grep -E '^Inst ' | grep -F 'Debian-Security' || true; } | awk '{print $2}' | xargs apt-get -y --no-install-recommends -o "dpkg::Options::=--refuse-downgrade" install && \
npm install --global \
"[email protected]" \
"[email protected]" && \
apt-get clean && \
rm -rf /var/lib/apt/lists/* && \
pip install -q --no-cache-dir boto3==1.16.53
pip install -q --no-cache-dir "boto3==1.16.53"
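Review bot: The php-builder stage still installs Composer by piping `https://getcomposer.org/installer` straight into `php` (L156 — the line appears to predate the PR but is carried into the new bookworm-based stage) with no checksum and no pinned version, while every other artifact in this file (Go, Gradle, Ant, Maven, Node, the Oracle JDK) is downloaded to disk and verified against a `*SHA` build arg before it is used. Whoever controls that download gets code execution inside the build, and the image ends up with whichever Composer release was current on build day, which undoes the reproducibility the digest pins at L42–L48 are there to provide. I would download the installer to a file, verify it against the installer's published SHA-384 (the Composer project publishes it at composer.github.io/installer.sig; pin the value as an ARG like GOLANGSHA rather than fetching it at build time), pass `--version=` to the installer, and use `curl -f` so an HTTP error page is never fed to php — the ARG values are left blank below rather than invented. The same pattern shows at L59, where the Veracode apt signing key is fetched from a keyserver by key ID alone, with no fingerprint comparison, and written to the system-wide `/etc/apt/trusted.gpg.d/`; a `[signed-by=/path/to/key.gpg]` option on the `deb` line at L60 would at least scope that key to the srcclr repository.
```dockerfile
FROM php@${PHP_IMG_VER} as php-builder

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Pin the Composer release and the installer script's SHA-384 the same way
# GOLANGSHA etc. are pinned above; the current installer hash is published at
# https://composer.github.io/installer.sig (build fails closed if unset).
ARG COMPOSER_VER
ARG COMPOSER_INSTALLER_SHA384

RUN curl -fsSL https://getcomposer.org/installer -o /tmp/composer-setup.php && \
    echo "$COMPOSER_INSTALLER_SHA384 /tmp/composer-setup.php" | sha384sum -c - && \
    php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer --version="$COMPOSER_VER" && \
    rm /tmp/composer-setup.php
```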