From e051f12fc3ac9bdb60a14a77d3f6601cb1ff56ac Mon Sep 17 00:00:00 2001
From: Jacob Woffenden <jacob.woffenden@digital.justice.gov.uk>
Date: Mon, 7 Oct 2024 13:35:20 +0000
Subject: [PATCH] Update base image Update VS Code Update Makefile Fix for
 Trivy

Signed-off-by: Jacob Woffenden <jacob.woffenden@digital.justice.gov.uk>
---
 .devcontainer/devcontainer-lock.json |  2 +-
 .github/workflows/scan.yml           |  3 +++
 .trivyignore                         |  3 +++
 Dockerfile                           |  4 ++--
 Makefile                             |  8 +++++++-
 test/container-structure-test.yml    | 10 +++++++++-
 6 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/.devcontainer/devcontainer-lock.json b/.devcontainer/devcontainer-lock.json
index 8c1e7d6..6c23165 100644
--- a/.devcontainer/devcontainer-lock.json
+++ b/.devcontainer/devcontainer-lock.json
@@ -19,4 +19,4 @@
       "integrity": "sha256:e81d52725655c8ffb861605feac7ad155b447d51af65f6c3a03cab32d59f1e16"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 0076d3a..270963b 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -31,6 +31,9 @@ jobs:
       - name: Scan
         id: scan
         uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
         with:
           image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}
           severity: HIGH,CRITICAL
diff --git a/.trivyignore b/.trivyignore
index c88e931..34b9208 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,3 +1,6 @@
+# Ubuntu
+CVE-2024-43882
+
 # Python
 ## setuptools
 CVE-2024-6345 # TODO: @jacobwoffenden - Figure out where this comes from and patch it
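Review bot: The new `CVE-2024-43882` entry under `# Ubuntu` carries no rationale or revisit condition, unlike the `CVE-2024-6345` line below it, so nothing tells a later maintainer when the suppression can be dropped. Presumably it is inherited from the OS packages of the base image rather than anything this Dockerfile installs, but that should be stated rather than inferred; e.g. `CVE-2024-43882 # TODO: @jacobwoffenden - state the source package and remove once the base image ships a fix`. If the suppression is meant to be temporary, Trivy's `exp:YYYY-MM-DD` suffix on the ignore line makes it expire on its own instead of silently persisting.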
diff --git a/Dockerfile b/Dockerfile
index c1b8281..2f5d6cb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/ministryofjustice/analytical-platform-cloud-development-environment-base@sha256:cd9fdb57437707322896c33655c02e6ae10e114615b206713c899281cdb71153
+FROM ghcr.io/ministryofjustice/analytical-platform-cloud-development-environment-base@sha256:9ef99705307856126bef61285965f0c5aed6f4525bb69586ac1fad23a7728827
 
 LABEL org.opencontainers.image.vendor="Ministry of Justice" \
       org.opencontainers.image.authors="Analytical Platform (analytical-platform@digital.justice.gov.uk)" \
@@ -6,7 +6,7 @@ LABEL org.opencontainers.image.vendor="Ministry of Justice" \
       org.opencontainers.image.description="Visual Studio Code image for Analytical Platform" \
       org.opencontainers.image.url="https://github.com/ministryofjustice/analytical-platform-visual-studio-code"
 
-ENV VISUAL_STUDIO_CODE_VERSION="1.93.1-1726079302"
+ENV VISUAL_STUDIO_CODE_VERSION="1.94.0-1727878498"
 
 SHELL ["/bin/bash", "-e", "-u", "-o", "pipefail", "-c"]
 
diff --git a/Makefile b/Makefile
index 6013379..f57c4a1 100644
--- a/Makefile
+++ b/Makefile
@@ -1,14 +1,20 @@
-.PHONY: test build run
+.PHONY: build scan test run
 
 IMAGE_NAME ?= ghcr.io/ministryofjustice/analytical-platform-visual-studio-code
 IMAGE_TAG  ?= local
 
+TRIVY_DB_REPOSITORY ?= public.ecr.aws/aquasecurity/trivy-db:2
+TRIVY_JAVA_DB_REPOSITORY ?= public.ecr.aws/aquasecurity/trivy-java-db:1
+
 run: build
 	docker run --rm -it --publish 8080:8080 $(IMAGE_NAME):$(IMAGE_TAG)
 
 test: build
 	container-structure-test test --platform linux/amd64 --config test/container-structure-test.yml --image $(IMAGE_NAME):$(IMAGE_TAG)
 
+scan: build
+	trivy image --platform linux/amd64 --severity HIGH,CRITICAL $(IMAGE_NAME):$(IMAGE_TAG)
+
 build:
 	@ARCH=`uname --machine`; \
 	case $$ARCH in \
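Review bot: `TRIVY_DB_REPOSITORY` and `TRIVY_JAVA_DB_REPOSITORY` are assigned but never reach the `trivy image` invocation in `scan`: Make does not export variables set in the Makefile to recipe shells, so the defaults are dead and only a value already exported in the caller's environment is used. Add `export TRIVY_DB_REPOSITORY TRIVY_JAVA_DB_REPOSITORY` after the two assignments, or pass them explicitly with `--db-repository $(TRIVY_DB_REPOSITORY) --java-db-repository $(TRIVY_JAVA_DB_REPOSITORY)` on the trivy line. Separately, `trivy image` exits 0 by default even when HIGH/CRITICAL findings are reported, so `make scan` never fails; add `--exit-code 1` if the target is meant to gate anything. The `build` recipe continues past the end of the hunk.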
diff --git a/test/container-structure-test.yml b/test/container-structure-test.yml
index 1eff994..dfb2cb4 100644
--- a/test/container-structure-test.yml
+++ b/test/container-structure-test.yml
@@ -8,9 +8,17 @@ commandTests:
   - name: "code"
     command: "code"
     args: ["--version"]
-    expectedOutput: ["1.93.1"]
+    expectedOutput: ["1.94.0"]
 
 fileExistenceTests:
   - name: "/opt/analytical-platform/first-run-notice.txt"
     path: "/opt/analytical-platform/first-run-notice.txt"
     shouldExist: true
+
+  - name: "/usr/local/bin/entrypoint.sh"
+    path: "/usr/local/bin/entrypoint.sh"
+    shouldExist: true
+
+  - name: "/usr/local/bin/healthcheck.sh"
+    path: "/usr/local/bin/healthcheck.sh"
+    shouldExist: true
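Review bot: The two new `fileExistenceTests` only assert that `/usr/local/bin/entrypoint.sh` and `/usr/local/bin/healthcheck.sh` exist, which passes even if the files are not executable. Given their names they are presumably run as the container entrypoint and health check, so a non-executable copy would be a failing image that still passes this test; add `isExecutableBy: "any"` (or a full `permissions:` string) to each of the two entries.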