From e051f12fc3ac9bdb60a14a77d3f6601cb1ff56ac Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Mon, 7 Oct 2024 13:35:20 +0000
Subject: [PATCH] Update base image
Update VS Code
Update Makefile
Fix for Trivy
Signed-off-by: Jacob Woffenden
---
 .devcontainer/devcontainer-lock.json | 2 +-
 .github/workflows/scan.yml | 3 +++
 .trivyignore | 3 +++
 Dockerfile | 4 ++--
 Makefile | 8 +++++++-
 test/container-structure-test.yml | 10 +++++++++-
 6 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/.devcontainer/devcontainer-lock.json b/.devcontainer/devcontainer-lock.json
index 8c1e7d6..6c23165 100644
--- a/.devcontainer/devcontainer-lock.json
+++ b/.devcontainer/devcontainer-lock.json
@@ -19,4 +19,4 @@
 "integrity": "sha256:e81d52725655c8ffb861605feac7ad155b447d51af65f6c3a03cab32d59f1e16"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 0076d3a..270963b 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -31,6 +31,9 @@ jobs:
 - name: Scan
 id: scan
 uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
+ env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+ TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
 with:
 image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}
 severity: HIGH,CRITICAL
diff --git a/.trivyignore b/.trivyignore
index c88e931..34b9208 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,3 +1,6 @@
+# Ubuntu
+CVE-2024-43882
+
 # Python
 ## setuptools
 CVE-2024-6345 # TODO: @jacobwoffenden - Figure out where this comes from and patch it
diff --git a/Dockerfile b/Dockerfile
index c1b8281..2f5d6cb 100644
--- a/Dockerfile
+++ b/Dockerfile
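Review bot: The two `TRIVY_*_REPOSITORY` values added under `env:` override Trivy's default vulnerability-DB source with mutable tags (`:2`, `:1`) on a mirror, and the identical strings are repeated in the Makefile hunk of this commit, yet neither place says why the override exists (the commit subject only says "Fix for Trivy"). Without that, the next maintainer is likely to drop one copy as redundant or let the two drift apart. A comment above `env:` such as `# Pull the Trivy vulnerability DBs from the public ECR mirror instead of the default registry; keep in sync with the TRIVY_*_REPOSITORY defaults in the Makefile` would record the intent. The step's `with:` block continues outside the hunk, so whether `exit-code` is set there (and the scan can actually fail the job) cannot be confirmed from this diff.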
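Review bot: `CVE-2024-43882` is added under `# Ubuntu` with no reason, owner or revisit condition, unlike the existing `CVE-2024-6345` entry which at least carries a TODO. An entry in `.trivyignore` silences the finding indefinitely in both the workflow scan and the new `make scan` target, so the accepted-risk rationale should live next to it, e.g. `CVE-2024-43882 # TODO: <owner> - <why this is not reachable in this image>; remove once the base image digest carries the fix`. The commit does not say which base-image package the finding comes from, so that should be filled in by whoever triaged it rather than inferred.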
@@ -1,4 +1,4 @@
-FROM ghcr.io/ministryofjustice/analytical-platform-cloud-development-environment-base@sha256:cd9fdb57437707322896c33655c02e6ae10e114615b206713c899281cdb71153
+FROM ghcr.io/ministryofjustice/analytical-platform-cloud-development-environment-base@sha256:9ef99705307856126bef61285965f0c5aed6f4525bb69586ac1fad23a7728827
 LABEL org.opencontainers.image.vendor="Ministry of Justice" \
 org.opencontainers.image.authors="Analytical Platform (analytical-platform@digital.justice.gov.uk)" \
@@ -6,7 +6,7 @@ LABEL org.opencontainers.image.vendor="Ministry of Justice" \
 org.opencontainers.image.description="Visual Studio Code image for Analytical Platform" \
 org.opencontainers.image.url="https://github.com/ministryofjustice/analytical-platform-visual-studio-code"
-ENV VISUAL_STUDIO_CODE_VERSION="1.93.1-1726079302"
+ENV VISUAL_STUDIO_CODE_VERSION="1.94.0-1727878498"
 SHELL ["/bin/bash", "-e", "-u", "-o", "pipefail", "-c"]
diff --git a/Makefile b/Makefile
index 6013379..f57c4a1 100644
--- a/Makefile
+++ b/Makefile
@@ -1,14 +1,20 @@
-.PHONY: test build run
+.PHONY: build scan test run
 IMAGE_NAME ?= ghcr.io/ministryofjustice/analytical-platform-visual-studio-code
 IMAGE_TAG ?= local
+TRIVY_DB_REPOSITORY ?= public.ecr.aws/aquasecurity/trivy-db:2
+TRIVY_JAVA_DB_REPOSITORY ?= public.ecr.aws/aquasecurity/trivy-java-db:1
+
 run: build
 docker run --rm -it --publish 8080:8080 $(IMAGE_NAME):$(IMAGE_TAG)
 test: build
 container-structure-test test --platform linux/amd64 --config test/container-structure-test.yml --image $(IMAGE_NAME):$(IMAGE_TAG)
+scan: build
+trivy image --platform linux/amd64 --severity HIGH,CRITICAL $(IMAGE_NAME):$(IMAGE_TAG)
+
 build:
 @ARCH=`uname --machine`; \
 case $$ARCH in \
diff --git a/test/container-structure-test.yml b/test/container-structure-test.yml
index 1eff994..dfb2cb4 100644
--- a/test/container-structure-test.yml
+++ b/test/container-structure-test.yml
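Review bot: The new `TRIVY_DB_REPOSITORY ?=` and `TRIVY_JAVA_DB_REPOSITORY ?=` defaults never reach the `trivy image` command in the `scan` recipe: GNU make only places a variable in a recipe's environment when it was inherited from the environment, given on the command line or explicitly exported, and these two are neither referenced in the recipe nor exported, so Trivy keeps its built-in DB source unless the caller already had the variables set in their shell. Change the two definitions to `export TRIVY_DB_REPOSITORY ?= public.ecr.aws/aquasecurity/trivy-db:2` and `export TRIVY_JAVA_DB_REPOSITORY ?= public.ecr.aws/aquasecurity/trivy-java-db:1`, which keeps the `?=` override semantics and exports them to the recipe. Separately, the `scan` recipe passes `--severity HIGH,CRITICAL` but no `--exit-code`, so `make scan` exits 0 whether or not findings are reported; if a report-only local target is intended, say so in a comment above `scan:`. The `build` recipe continues outside the hunk.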
@@ -8,9 +8,17 @@ commandTests:
 - name: "code"
 command: "code"
 args: ["--version"]
- expectedOutput: ["1.93.1"]
+ expectedOutput: ["1.94.0"]
 fileExistenceTests:
 - name: "/opt/analytical-platform/first-run-notice.txt"
 path: "/opt/analytical-platform/first-run-notice.txt"
 shouldExist: true
+
+ - name: "/usr/local/bin/entrypoint.sh"
+ path: "/usr/local/bin/entrypoint.sh"
+ shouldExist: true
+
+ - name: "/usr/local/bin/healthcheck.sh"
+ path: "/usr/local/bin/healthcheck.sh"
+ shouldExist: true
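Review bot: The two new `fileExistenceTests` entries only assert that `/usr/local/bin/entrypoint.sh` and `/usr/local/bin/healthcheck.sh` exist; if they are the image's entrypoint and health check (the names suggest so, but the Dockerfile lines that would confirm it are not in this diff), a file that is present but not executable still passes the test while the container fails to start or report healthy. container-structure-test can assert mode on the same entry, so add `isExecutableBy: any` under each of the two new entries, or a full `permissions:` string if the expected mode is known. The `expectedOutput: ["1.94.0"]` change mirrors `ENV VISUAL_STUDIO_CODE_VERSION` in the Dockerfile hunk; the two must move together on every bump, which is worth a comment on the `expectedOutput` line.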