📌 06/01/2025 Patching (#84)

Signed-off-by: Jacob Woffenden <[email protected]>
ministryofjustice · Jan 6, 2025 · b1a1d7d · b1a1d7d
1 parent a446c6d
commit b1a1d7d
Show file tree

Hide file tree

Showing 7 changed files with 31 additions and 28 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
 
       - name: Clean Actions Runner
         id: clean_actions_runner
-        uses: ministryofjustice/github-actions/clean-actions-runner@ccf9e3a4a828df1ec741f6c8e6ed9d0acaef3490 # v18.5.0
+        uses: ministryofjustice/github-actions/clean-actions-runner@db1a54895bf5fb975c60af47e5a3aab96505ca3e # v18.6.0
         with:
           confirm: true
 
@@ -56,22 +56,22 @@ jobs:
 
       - name: Generate SBOM
         id: generate_sbom
-        uses: anchore/sbom-action@55dc4ee22412511ee8c3142cbea40418e6cec693 # v0.17.8
+        uses: anchore/sbom-action@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9
         with:
           image: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
           format: cyclonedx-json
           output-file: "sbom.cyclonedx.json"
 
       - name: Attest
-        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
+        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
         id: attest
         with:
           subject-name: ghcr.io/${{ github.repository }}
           subject-digest: ${{ steps.build_and_push.outputs.digest }}
           push-to-registry: true
 
       - name: Attest SBOM
-        uses: actions/attest-sbom@5026d3663739160db546203eeaffa6aa1c51a4d6 # v1.4.1
+        uses: actions/attest-sbom@cbfd0027ae731a5892db25ecd226930d7ffd19eb # v2.1.0
         id: attest_sbom
         with:
           subject-name: ghcr.io/${{ github.repository }}

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -21,7 +21,7 @@ jobs:
 
       - name: Clean Actions Runner
         id: clean_actions_runner
-        uses: ministryofjustice/github-actions/clean-actions-runner@ccf9e3a4a828df1ec741f6c8e6ed9d0acaef3490 # v18.5.0
+        uses: ministryofjustice/github-actions/clean-actions-runner@db1a54895bf5fb975c60af47e5a3aab96505ca3e # v18.6.0
         with:
           confirm: true
 

diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
@@ -29,6 +29,6 @@ jobs:
 
       - name: Super-Linter
         id: super_linter
-        uses: super-linter/super-linter/slim@e1cb86b6e8d119f789513668b4b30bf17fe1efe4 # v7.2.0
+        uses: super-linter/super-linter/slim@85f7611e0f7b53c8573cca84aa0ed4344f6f6a4d # v7.2.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -21,7 +21,7 @@ jobs:
 
       - name: Set Up Container Structure Test
         id: setup_container_structure_test
-        uses: ministryofjustice/github-actions/setup-container-structure-test@ccf9e3a4a828df1ec741f6c8e6ed9d0acaef3490 # v18.5.0
+        uses: ministryofjustice/github-actions/setup-container-structure-test@db1a54895bf5fb975c60af47e5a3aab96505ca3e # v18.6.0
 
       - name: Test
         id: test

diff --git a/.trivyignore b/.trivyignore
@@ -1,5 +1,6 @@
 # Ubuntu
 CVE-2024-43882
+CVE-2024-53103
 
 # Python
 ## setuptools
@@ -18,3 +19,5 @@ CVE-2024-0057
 ## aws-sso
 CVE-2024-41110 # Vulnerability in github.com/docker/docker, but we don't run Docker on CDE
 CVE-2024-34156
+ CVE-2024-45337
+ CVE-2024-45338
diff --git a/Dockerfile b/Dockerfile
@@ -15,22 +15,22 @@ ENV CONTAINER_USER="analyticalplatform" \
     ANALYTICAL_PLATFORM_DIRECTORY="/opt/analytical-platform" \
     DEBIAN_FRONTEND="noninteractive" \
     PIP_BREAK_SYSTEM_PACKAGES="1" \
-    AWS_CLI_VERSION="2.22.5" \
+    AWS_CLI_VERSION="2.22.28" \
     AWS_SSO_CLI_VERSION="1.17.0" \
-    MINICONDA_VERSION="24.9.2-0" \
-    MINICONDA_SHA256="8d936ba600300e08eca3d874dee88c61c6f39303597b2b66baee54af4f7b4122" \
-    NODE_LTS_VERSION="22.11.0" \
+    MINICONDA_VERSION="24.11.1-0" \
+    MINICONDA_SHA256="636b209b00b6673471f846581829d4b96b9c3378679925a59a584257c3fef5a3" \
+    NODE_LTS_VERSION="22.12.0" \
     CORRETTO_VERSION="1:21.0.5.11-1" \
-    DOTNET_SDK_VERSION="8.0.110-0ubuntu1~24.04.1" \
+    DOTNET_SDK_VERSION="8.0.111-0ubuntu1~24.04.1" \
     R_VERSION="4.4.2-1.2404.0" \
-    OLLAMA_VERSION="0.4.5" \
-    KUBECTL_VERSION="1.29.11" \
-    HELM_VERSION="3.16.3" \
-    CLOUD_PLATFORM_CLI_VERSION="1.37.13" \
+    OLLAMA_VERSION="0.5.4" \
+    KUBECTL_VERSION="1.29.12" \
+    HELM_VERSION="3.16.4" \
+    CLOUD_PLATFORM_CLI_VERSION="1.37.14" \
     MICROSOFT_SQL_ODBC_VERSION="18.4.1.1-1" \
     MICROSOFT_SQL_TOOLS_VERSION="18.4.1.1-1" \
     NBSTRIPOUT_VERSION="0.8.1" \
-    CUDA_VERSION="12.6.1" \
+    CUDA_VERSION="12.6.3" \
     NVIDIA_DISABLE_REQUIRE="true" \
     NVIDIA_CUDA_CUDART_VERSION="12.6.77-1" \
     NVIDIA_CUDA_COMPAT_VERSION="560.35.05-0ubuntu1" \
@@ -66,15 +66,15 @@ apt-get update --yes
 apt-get install --yes \
   "apt-transport-https=2.7.14build2" \
   "ca-certificates=20240203" \
-  "curl=8.5.0-2ubuntu10.5" \
+  "curl=8.5.0-2ubuntu10.6" \
   "git=1:2.43.0-1ubuntu7.1" \
   "ffmpeg=7:6.1.1-3ubuntu5" \
   "jq=1.7.1-3build1" \
   "mandoc=1.14.6-1" \
   "less=590-2ubuntu2.1" \
   "python3.12=3.12.3-1ubuntu0.3" \
   "python3-pip=24.0+dfsg-1ubuntu1.1" \
-  "vim=2:9.1.0016-1ubuntu7.4" \
+  "vim=2:9.1.0016-1ubuntu7.5" \
   "unixodbc=2.3.12-1ubuntu0.24.04.1" \
   "unzip=6.0-28ubuntu4.1"
 

diff --git a/test/container-structure-test.yml b/test/container-structure-test.yml
@@ -42,7 +42,7 @@ commandTests:
   - name: "aws"
     command: "aws"
     args: ["--version"]
-    expectedOutput: ["aws-cli/2.22.5"]
+    expectedOutput: ["aws-cli/2.22.28"]
 
   - name: "aws-sso"
     command: "aws-sso"
@@ -52,12 +52,12 @@ commandTests:
   - name: "conda"
     command: "conda"
     args: ["--version"]
-    expectedOutput: ["conda 24.9.2"]
+    expectedOutput: ["conda 24.11.1"]
 
   - name: "python (conda)"
     command: "python"
     args: ["--version"]
-    expectedOutput: ["Python 3.12.7"]
+    expectedOutput: ["Python 3.12.8"]
 
   - name: "pip (conda)"
     command: "pip"
@@ -67,7 +67,7 @@ commandTests:
   - name: "node"
     command: "node"
     args: ["--version"]
-    expectedOutput: ["v22.11.0"]
+    expectedOutput: ["v22.12.0"]
 
   - name: "corretto"
     command: "java"
@@ -77,7 +77,7 @@ commandTests:
   - name: "dotnet"
     command: "dotnet"
     args: ["--version"]
-    expectedOutput: ["8.0.110"]
+    expectedOutput: ["8.0.111"]
 
   - name: "r"
     command: "R"
@@ -87,22 +87,22 @@ commandTests:
   - name: "ollama"
     command: "ollama"
     args: ["--version"]
-    expectedOutput: ["0.4.5"]
+    expectedOutput: ["0.5.4"]
 
   - name: "kubectl"
     command: "kubectl"
     args: ["version", "--client"]
-    expectedOutput: ["Client Version: v1.29.11"]
+    expectedOutput: ["Client Version: v1.29.12"]
 
   - name: "helm"
     command: "helm"
     args: ["version"]
-    expectedOutput: ["3.16.3"]
+    expectedOutput: ["3.16.4"]
 
   - name: "cloud-platform"
     command: "cloud-platform"
     args: ["--skip-version-check", "version"]
-    expectedOutput: ["1.37.13"]
+    expectedOutput: ["1.37.14"]
 
   - name: "vim"
     command: "vim"