Upgrade Ruby image and tools (Debian) (#343)
* Upgrade Ruby, Brakeman, and Bundler-Audit.

- Ruby upgraded to 3.3, with Debian Bookworm.
- Brakeman upgraded to 6.2.2.
- Bundler-Audit upgraded to 0.9.2.

Also removed the separate install of security updates, since we already
upgrade all packages which includes security updates.

* Remove linux-libc-dev to avoid false-positives.

Container scans generate hundreds of findings on linux-libc-dev, even
though the package only contains headers. These headers aren't needed
anyway, so we remove them to eliminate the false-positives.
ZoogieZork authored Nov 4, 2024
1 parent 6980722 commit f3d0b19
Showing 2 changed files with 10 additions and 10 deletions.
18 changes: 9 additions & 9 deletions backend/Dockerfiles/Dockerfile.ruby
@@ -1,24 +1,24 @@
ARG RUBY_VER=3.0-slim-bullseye
ARG RUBY_VER=3.3-slim-bookworm
FROM ruby:${RUBY_VER}

ARG MAINTAINER
LABEL maintainer=$MAINTAINER

ARG BRAKEMAN_VER=5.0.0
ARG BUNDLER_VER=0.8.0
ARG BRAKEMAN_VER=6.2.2
ARG BUNDLER_VER=0.9.2

# Run all additional config in a single RUN to reduce the layers:
# - Install brakeman and bundler-audit
# - Install git as a dependency of bundler-audit.
# - Remove bundler-audit rspec Gemfiles to avoid false-positives in scans.
# - Remove unused packages and bundler-audit rspec Gemfiles to avoid
# false-positives in scans.
# hadolint ignore=DL3008
RUN apt-get update && \
grep security /etc/apt/sources.list > /etc/apt/security.sources.list && \
apt-get upgrade -y && \
apt-get upgrade -y -o Dir::Etc::Sourcelist=/etc/apt/security.sources.list && \
apt-get install -y --no-install-recommends git && \
apt-get clean && \
rm -rf /var/lib/apt/lists/* && \
gem install brakeman --version ${BRAKEMAN_VER} && \
gem install bundler-audit --version ${BUNDLER_VER} && \
rm -rf /usr/local/bundle/gems/bundler-audit-${BUNDLER_VER}/spec/
rm -rf /usr/local/bundle/gems/bundler-audit-${BUNDLER_VER}/spec/ && \
apt-get remove -y linux-libc-dev && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
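
Review bot: the `apt-get remove -y linux-libc-dev` step at the end of the RUN uses `-y`, so apt will also remove any package that depends on linux-libc-dev without prompting, and nothing in this build would surface that. The in-file comment only says "unused packages"; name the package and the reason there (header-only, scanner noise), as the commit message does, and consider a post-build check that `brakeman` and `bundler-audit` still start. Separately, `BUNDLER_VER` holds the bundler-audit version, not Bundler's, so a name like `BUNDLER_AUDIT_VER` would be less misleading.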
2 changes: 1 addition & 1 deletion backend/Makefile
Expand Up @@ -530,7 +530,7 @@ dist/docker/ruby: Dockerfiles/Dockerfile.ruby
$(DOCKER) build . --pull -t ${RUBY_TAG} -f Dockerfiles/Dockerfile.ruby \
--no-cache --force-rm \
--build-arg MAINTAINER=${MAINTAINER} \
--build-arg RUBY_VER=3.0-slim-bullseye
--build-arg RUBY_VER=3.3-slim-bookworm
mkdir -p ${DIST_DIR}/docker
${DOCKER} tag ${RUBY_TAG} ${ECR_URL}${RUBY_TAG}
${DOCKER} tag ${RUBY_TAG} ${ECR_URL}${RUBY_TAG}-stage-${LATEST_COMMIT}
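
Review bot: the `--build-arg RUBY_VER=3.3-slim-bookworm` line repeats the default already set by `ARG RUBY_VER` in Dockerfile.ruby, so every base-image bump has to touch both files, as this commit does. Either drop the build-arg and rely on the Dockerfile default, or hold the value in one Makefile variable. The tag is also a moving one: with `--pull --no-cache` each build takes whatever it currently points to, so pin by digest if the scanner image needs to be reproducible.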