Issue 168 vulnerability checks (#183)

* Update plugin to latest to get vunerability analysis checks * Bumped alpine version to latest stable. * Updated Imagemagick to latest * Fix for java-jna package discontinued for aarch64 * Added link to aports issue that requires custom build of java-jna * Generate grype reports on pushs as well as pull requests. * Updated fits to latest to get security updates. * Added ability to ignore specific vulnerabilities, while a fix is not availiable. * Updated tomcat to latest * Documented additional flag for grype * Made alpine version a argument. Co-authored-by: Nigel Banks <[email protected]:w>
Islandora-Devops · Mar 24, 2022 · 2ee80c7 · 2ee80c7
1 parent 51a6b09
commit 2ee80c7
Show file tree

Hide file tree

Showing 30 changed files with 456 additions and 58 deletions.
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -25,4 +25,8 @@ jobs:
     - name: Build/Test Docker images
       uses: eskatos/gradle-command-action@v1
       with:
-        arguments: build test -PisCI=true --info
+        arguments: build test grype -PisCI=true --info
+    - uses: actions/upload-artifact@v2
+      with:
+        name: Grype Reports
+        path: build/**/*-grype.*
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -31,4 +31,8 @@ jobs:
     - name: Build/Test/Push Docker images
       uses: eskatos/gradle-command-action@v1
       with:
-        arguments: build test '-Pdocker.tags=${{ env.TAG }}' '-Pdocker.repository=${{ secrets.REPOSITORY }}' -Pdocker.push=true -Pdocker.driver=docker-container -Pdocker.cacheTo=true -Pdocker.platforms=linux/amd64,linux/arm64 -PisCI=true --info
+        arguments: build test grype '-Pdocker.tags=${{ env.TAG }}' '-Pdocker.repository=${{ secrets.REPOSITORY }}' -Pdocker.push=true -Pdocker.driver=docker-container -Pdocker.cacheTo=true -Pdocker.platforms=linux/amd64,linux/arm64 -PisCI=true --info
+    - uses: actions/upload-artifact@v2
+      with:
+        name: Grype Reports
+        path: build/**/*-grype.*
diff --git a/abuild/Dockerfile b/abuild/Dockerfile
@@ -1,9 +1,10 @@
 # syntax=docker/dockerfile:1.2.1
 ARG repository=local
 ARG tag=latest
+ARG alpine=3.15.0
 FROM ${repository}/download:${tag} AS download
-FROM alpine:3.13.2 AS cache
-FROM alpine:3.13.2
+FROM alpine:${alpine} AS cache
+FROM alpine:${alpine}
 
 RUN --mount=type=cache,id=abuild-apk,sharing=locked,from=cache,target=/var/cache/apk \
     ln -s /var/cache/apk /etc/apk/cache && \

diff --git a/base/Dockerfile b/base/Dockerfile
@@ -1,9 +1,10 @@
 # syntax=docker/dockerfile:1.2.1
 ARG repository=local
 ARG tag=latest
+ARG alpine=3.15.0
 FROM ${repository}/download:${tag} AS download
-FROM alpine:3.13.2 AS cache
-FROM alpine:3.13.2
+FROM alpine:${alpine} AS cache
+FROM alpine:${alpine}
 
 ENV DOWNLOAD_CACHE_DIRECTORY=/opt/downloads
 

diff --git a/base/README.md b/base/README.md
@@ -7,7 +7,7 @@ It's based off off [Alpine Linux], and includes [s6 overlay] and [confd].
 
 ## Dependencies
 
-Requires `alpine:3.13.2`
+Requires `alpine`
 
 ## Settings
 

diff --git a/build.gradle.kts b/build.gradle.kts
@@ -1,3 +1,3 @@
 plugins {
-  id("com.github.nigelgbanks.IsleDocker") version "0.7"
+  id("com.github.nigelgbanks.IsleDocker") version "0.9"
 }
diff --git a/cantaloupe/Dockerfile b/cantaloupe/Dockerfile
@@ -1,6 +1,7 @@
 # syntax=docker/dockerfile:1.2.1
 ARG repository=local
 ARG tag=latest
+ARG alpine=3.15.0
 FROM --platform=$BUILDPLATFORM ${repository}/download:${tag} AS download
 
 RUN --mount=type=cache,id=cantaloupe-downloads,sharing=locked,target=/opt/downloads \
@@ -14,7 +15,7 @@ RUN --mount=type=cache,id=cantaloupe-downloads,sharing=locked,target=/opt/downlo
     install-war-into-tomcat.sh --name "cantaloupe" --file "/tmp/${CANTALOUPE_UNPACKED}/${CANTALOUPE_UNPACKED}.war" && \
     rm -fr "/tmp/${CANTALOUPE_UNPACKED}"
 
-FROM alpine:3.13.2 AS cache
+FROM alpine:${alpine} AS cache
 FROM ${repository}/tomcat:${tag}
 
 COPY --from=download --chown=tomcat:tomcat /opt/tomcat /opt/tomcat

diff --git a/code-server/Dockerfile b/code-server/Dockerfile
@@ -1,9 +1,18 @@
 # syntax=docker/dockerfile:1.2.1
 ARG repository=local
 ARG tag=latest
-FROM alpine:3.13.2 AS cache
+ARG alpine=3.15.0
+FROM alpine:${alpine} AS cache
+FROM node:fermium-alpine3.15 as node
 FROM ${repository}/abuild:${tag} AS build
 
+COPY --from=node /usr/lib /usr/lib
+COPY --from=node /usr/local/share /usr/local/share
+COPY --from=node /usr/local/lib /usr/local/lib
+COPY --from=node /usr/local/include /usr/local/include
+COPY --from=node /usr/local/bin /usr/local/bin
+COPY --from=node /opt /opt
+
 # g++, make, python are only required to build native dependencies via node-gyp.
 # spdlog is required for building / using xdebug extension.
 RUN --mount=type=cache,id=code-server-apk,sharing=locked,from=cache,target=/var/cache/apk \
@@ -14,8 +23,7 @@ RUN --mount=type=cache,id=code-server-apk,sharing=locked,from=cache,target=/var/
         nghttp2-dev \
         python3 \
         spdlog \
-        sudo \
-        yarn
+        sudo
 
 # `node-gyp` must be installed before anything else. This is unfortuante, but
 # make sure the version here matches the exact version in:
@@ -83,7 +91,6 @@ RUN --mount=type=cache,id=code-server-drupal-apk,sharing=locked,from=cache,targe
         htop \
         php7-pecl-xdebug \
         spdlog \
-        yarn \
         sudo \
         unison \
         parallel \
@@ -104,6 +111,12 @@ ENV \
 COPY --from=composer --chown=nginx:nginx /root/.composer /var/lib/nginx/.composer
 COPY --from=build --chown=nginx:nginx /opt/code-server /opt/code-server
 COPY --from=build /usr/local/share/.config/yarn /usr/local/share/.config/yarn
+COPY --from=node /usr/lib /usr/lib
+COPY --from=node /usr/local/share /usr/local/share
+COPY --from=node /usr/local/lib /usr/local/lib
+COPY --from=node /usr/local/include /usr/local/include
+COPY --from=node /usr/local/bin /usr/local/bin
+COPY --from=node /opt /opt
 
 COPY rootfs /
 

diff --git a/composer/Dockerfile b/composer/Dockerfile
@@ -1,6 +1,7 @@
 # syntax=docker/dockerfile:1.2.1
 ARG repository=local
 ARG tag=latest
+ARG alpine=3.15.0
 FROM --platform=$BUILDPLATFORM ${repository}/download:${tag} AS download 
 
 # https://getcomposer.org/download/
@@ -13,7 +14,7 @@ RUN --mount=type=cache,id=download-downloads,sharing=locked,target=/opt/download
     cp "${DOWNLOAD_CACHE_DIRECTORY}/${COMPOSER_FILE}" /usr/bin/composer && \
     chmod a+x /usr/bin/composer
 
-FROM alpine:3.13.2 AS cache
+FROM alpine:${alpine} AS cache
 FROM ${repository}/download:${tag}
 
 # Install packages and tools that allow for basic downloads.

diff --git a/download/Dockerfile b/download/Dockerfile
@@ -1,6 +1,7 @@
 # syntax=docker/dockerfile:1.2.1
-FROM alpine:3.13.2 AS cache
-FROM alpine:3.13.2
+ARG alpine=3.15.0
+FROM alpine:${alpine} AS cache
+FROM alpine:${alpine}
 
 # Install packages and tools that allow for basic downloads.
 RUN --mount=type=cache,id=download-apk,sharing=locked,from=cache,target=/var/cache/apk \

diff --git a/download/README.md b/download/README.md
@@ -4,7 +4,7 @@ Image used to cache downloads cuts down on build times / cache misses.
 
 ## Dependencies
 
-Requires `alpine:3.13.2`
+Requires `alpine`
 
 ## Settings
 

diff --git a/drupal/Dockerfile b/drupal/Dockerfile
@@ -1,6 +1,7 @@
 # syntax=docker/dockerfile:1.2.1
 ARG repository=local
 ARG tag=latest
+ARG alpine=3.15.0
 FROM --platform=$BUILDPLATFORM ${repository}/download:${tag} AS download
 
 RUN --mount=type=cache,id=drupal-downloads,sharing=locked,target=/opt/downloads \
@@ -12,7 +13,7 @@ RUN --mount=type=cache,id=drupal-downloads,sharing=locked,target=/opt/downloads
     cp "${DOWNLOAD_CACHE_DIRECTORY}/${DRUSH_FILE}" /usr/bin/drush && \
     chmod a+x /usr/bin/drush
 
-FROM alpine:3.13.2 AS cache
+FROM alpine:${alpine} AS cache
 FROM ${repository}/nginx:${tag}
 
 EXPOSE 80

diff --git a/fcrepo6/Dockerfile b/fcrepo6/Dockerfile
@@ -1,6 +1,7 @@
 # syntax=docker/dockerfile:experimental
 ARG repository=local
 ARG tag=latest
+ARG alpine=3.15.0
 FROM --platform=$BUILDPLATFORM ${repository}/download:${tag} AS download
 
 RUN --mount=type=cache,id=fcrepo6-downloads,sharing=locked,target=/opt/downloads \
@@ -30,7 +31,7 @@ RUN --mount=type=cache,id=fcrepo6-downloads,sharing=locked,target=/opt/downloads
     download.sh --url "${UPGRADE_UTILS_URL}" --sha256 "${UPGRADE_UTILS_SHA256}" "${DOWNLOAD_CACHE_DIRECTORY}" && \
     cp "${DOWNLOAD_CACHE_DIRECTORY}/${UPGRADE_UTILS_FILE}" /opt/tomcat
 
-FROM alpine:3.13.2 AS cache
+FROM alpine:${alpine} AS cache
 FROM ${repository}/tomcat:${tag}
 
 # Install packages and tools required by all downstream images.

diff --git a/fits/Dockerfile b/fits/Dockerfile
@@ -1,6 +1,7 @@
 # syntax=docker/dockerfile:1.2.1
 ARG repository=local
 ARG tag=latest
+ARG alpine=3.15.0
 FROM --platform=$BUILDPLATFORM ${repository}/download:${tag} AS download
 
 RUN --mount=type=cache,id=fits-downloads,sharing=locked,target=/opt/downloads \
@@ -10,10 +11,10 @@ RUN --mount=type=cache,id=fits-downloads,sharing=locked,target=/opt/downloads \
     FITSSERVLET_SHA256="13cfcb910092b197757e459353f0c30381febfca6baf3031ac69ff92789b200c" && \
     download.sh --url "${FITSSERVLET_URL}" --sha256 "${FITSSERVLET_SHA256}" "${DOWNLOAD_CACHE_DIRECTORY}" && \
     install-war-into-tomcat.sh --name "fits" --file "${DOWNLOAD_CACHE_DIRECTORY}/${FITSSERVLET_FILE}" && \
-    FITS_VERSION="1.5.0" && \
+    FITS_VERSION="1.5.1" && \
     FITS_FILE="fits-${FITS_VERSION}.zip" && \
     FITS_URL="https://github.com/harvard-lts/fits/releases/download/${FITS_VERSION}/${FITS_FILE}" \
-    FITS_SHA256="1378a78892db103b3a00e45c510b58c70e19a1a401b3720ff4d64a51438bfe0b" && \
+    FITS_SHA256="4bf4adfedf0779221cc2f4648f5dfd3040c7a3e5daa4060c5754d73dc1964442" && \
     mkdir /opt/fits && \
     download.sh --url "${FITS_URL}" --sha256 "${FITS_SHA256}" "${DOWNLOAD_CACHE_DIRECTORY}" && \
     unzip "${DOWNLOAD_CACHE_DIRECTORY}/${FITS_FILE}" -d /opt/fits && \
@@ -24,9 +25,43 @@ RUN --mount=type=cache,id=fits-downloads,sharing=locked,target=/opt/downloads \
         /opt/fits/tools/file_utility_windows \
         /opt/fits/tools/mediainfo
 
-FROM alpine:3.13.2 AS cache
+# Onces this https://gitlab.alpinelinux.org/alpine/aports/-/issues/13495 is resolved we can remove this build step.
+FROM ${repository}/abuild:${tag} AS build
+
+RUN --mount=type=cache,id=imagemagick-apk,sharing=locked,from=cache,target=/var/cache/apk \
+    apk add \
+        apache-ant \
+        autoconf \
+        automake \
+        libffi-dev \
+        libtool \
+        openjdk8
+
+COPY /build /build
+
+WORKDIR /build
+
+RUN chown -R builder /build
+
+USER builder
+
+RUN export PACKAGER="Nigel Banks <[email protected]>" && \
+    abuild-keygen -ain && \
+    abuild-apk update && \
+    abuild
+
+USER root
+
+RUN cp -r /home/builder/packages/* /packages
+
+FROM alpine:${alpine} AS cache
 FROM ${repository}/tomcat:${tag}
 
+RUN --mount=type=bind,from=build,source=/packages,target=/packages \
+    --mount=type=bind,from=build,source=/etc/apk/keys,target=/etc/apk/keys \
+    apk add /packages/java-jna-*.apk && \
+    cleanup.sh
+
 COPY --from=download --chown=tomcat:tomcat /opt/tomcat /opt/tomcat
 COPY --from=download --chown=tomcat:tomcat /opt/fits /opt/fits
 
@@ -35,7 +70,6 @@ COPY --from=download --chown=tomcat:tomcat /opt/fits /opt/fits
 RUN --mount=type=cache,id=fits-apk,sharing=locked,from=cache,target=/var/cache/apk \
     apk add \
         file \
-        java-jna \
         libmediainfo \
         libzen \
         perl \