fix: False positive report GHSA-2jcg-qqmg-46q6

[sharat87]

Description

Some scanner tools like Syft and Grype are reporting a scary false positive at GHSA-2jcg-qqmg-46q6, on the following file in the Docker image:

/opt/appsmith/utils/node_modules/resolve/test/resolver/multirepo/package.json

The advisory itself isn't applicable to Appsmith, and this above package is not used in the product at all. This PR deletes this test folder so this false positive is immediately taken out.

Nevertheless, we shouldn't even have the node_modules folder in the Docker image, and we should be "building" appsmithctl instead. That's part of a larger effort to improve/fix appsmithctl and will be coming up in future PRs.

The SBOM entry for the package in Syft’s proprietary format

{
    "id": "8686a02f6819d5a1",
    "name": "monorepo-symlink-test",
    "version": "0.0.0",
    "type": "npm",
    "foundBy": "javascript-package-cataloger",
    "locations": [
        {
            "path": "/opt/appsmith/utils/node_modules/resolve/test/resolver/multirepo/package.json",
            "layerID": "sha256:02e68fb671fe8bc43f75862b43445160e17e3ec2f13f09bf346a65c66cd93557",
            "accessPath": "/opt/appsmith/utils/node_modules/resolve/test/resolver/multirepo/package.json",
            "annotations": {
                "evidence": "primary"
            }
        }
    ],
    "licenses": [
        {
            "value": "MIT",
            "spdxExpression": "MIT",
            "type": "declared",
            "urls": [],
            "locations": [
                {
                    "path": "/opt/appsmith/utils/node_modules/resolve/test/resolver/multirepo/package.json",
                    "layerID": "sha256:02e68fb671fe8bc43f75862b43445160e17e3ec2f13f09bf346a65c66cd93557",
                    "accessPath": "/opt/appsmith/utils/node_modules/resolve/test/resolver/multirepo/package.json",
                    "annotations": {
                        "evidence": "primary"
                    }
                }
            ]
        }
    ],
    "language": "javascript",
    "cpes": [
        {
            "cpe": "cpe:2.3:a:monorepo-symlink-test:monorepo-symlink-test:0.0.0:*:*:*:*:*:*:*",
            "source": "syft-generated"
        },
        {
            "cpe": "cpe:2.3:a:monorepo-symlink-test:monorepo_symlink_test:0.0.0:*:*:*:*:*:*:*",
            "source": "syft-generated"
        },
        {
            "cpe": "cpe:2.3:a:monorepo_symlink_test:monorepo-symlink-test:0.0.0:*:*:*:*:*:*:*",
            "source": "syft-generated"
        },
        {
            "cpe": "cpe:2.3:a:monorepo_symlink_test:monorepo_symlink_test:0.0.0:*:*:*:*:*:*:*",
            "source": "syft-generated"
        },
        {
            "cpe": "cpe:2.3:a:monorepo-symlink:monorepo-symlink-test:0.0.0:*:*:*:*:*:*:*",
            "source": "syft-generated"
        },
        {
            "cpe": "cpe:2.3:a:monorepo-symlink:monorepo_symlink_test:0.0.0:*:*:*:*:*:*:*",
            "source": "syft-generated"
        },
        {
            "cpe": "cpe:2.3:a:monorepo_symlink:monorepo-symlink-test:0.0.0:*:*:*:*:*:*:*",
            "source": "syft-generated"
        },
        {
            "cpe": "cpe:2.3:a:monorepo_symlink:monorepo_symlink_test:0.0.0:*:*:*:*:*:*:*",
            "source": "syft-generated"
        },
        {
            "cpe": "cpe:2.3:a:monorepo:monorepo-symlink-test:0.0.0:*:*:*:*:*:*:*",
            "source": "syft-generated"
        },
        {
            "cpe": "cpe:2.3:a:monorepo:monorepo_symlink_test:0.0.0:*:*:*:*:*:*:*",
            "source": "syft-generated"
        }
    ],
    "purl": "pkg:npm/[email protected]",
    "metadataType": "javascript-npm-package",
    "metadata": {
        "name": "monorepo-symlink-test",
        "version": "0.0.0",
        "author": "",
        "homepage": "",
        "description": "",
        "url": "",
        "private": true
    }
}

Reported by a user.

⚠️ There will be conflicts on sync. Please do not merge unless the author of PR is available.

/test sanity

Communication

Should the DevRel and Marketing teams inform users about this change?

• Yes
• No

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/11715737322
Commit: 42aa69c
Cypress dashboard.
Tags: @tag.Sanity
Spec:

---

Thu, 07 Nov 2024 03:26:39 UTC

Summary by CodeRabbit

• Chores
  • Enhanced the Dockerfile for improved build process and error handling.
  • Streamlined npm package installation and organized script execution for better readability.

[coderabbitai]

Walkthrough

The pull request introduces modifications to the Dockerfile aimed at enhancing the build process and error handling. Key changes include the adoption of heredoc syntax for improved script readability and the implementation of set -o errexit to ensure immediate exit on command failures. The npm package installation process has been streamlined, and the organization of commands related to permissions and directory creation has been improved for clarity and maintainability.

Changes

File	Change Summary
Dockerfile	Updated to use heredoc syntax for script execution; added set -o errexit for error handling; streamlined npm installation; organized permission checks and directory creation within heredoc for clarity.

Possibly related PRs

• Fix: Fix for GHSL-2024-277 #36836: Updates to the handling of environment variables in GitHub Actions workflows, potentially related to error handling improvements in the Dockerfile.
• chore: New schema change for vulnerabilities test #37204: Optimizations for workflows related to vulnerability scanning, which may connect with the enhancements in the Dockerfile's build process.

Suggested labels

Backend, Production, Needs Triaging

Suggested reviewers

• nidhi-nair

In the Dockerfile, changes take flight,
With heredoc syntax, everything's bright.
Error handling's now robust and clear,
Streamlined npm installs, give a cheer!
Permissions and paths, all neatly aligned,
A build process better, perfectly designed! 🎉

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 08ff8a9 and 42aa69c.

📒 Files selected for processing (1)

• Dockerfile (1 hunks)

🔇 Additional comments (3)

Dockerfile (3)

42-44: Good improvement in error handling!

The addition of set -o errexit ensures the build fails fast if any command fails, which is crucial for maintaining Docker image integrity.

---

51-59: Well-structured security hardening measures!

The systematic approach to permission management and security hardening is commendable:

• Disabling setuid/setgid bits reduces potential security risks
• Directory permissions are properly configured for required functionality

---

45-49: Effective resolution of the security false positive!

The removal of the test folder effectively addresses the false positive security report while maintaining only production dependencies.

Let's verify no other test folders exist that might trigger similar issues:

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[sharat87]

This is the line that's fixing the problem. Rest of the changes are a refactor to make code more readable.