[APIPUB-58] Update docker images and nuget packages to remove vulnerabilites #64

Closed
wants to merge 2 commits into from
2 changes: 1 addition & 1 deletion src/Dockerfile
@@ -4,7 +4,7 @@
# See the LICENSE and NOTICES files in the project root for more information.

# Tag aspnet:8.0-alpine
FROM mcr.microsoft.com/dotnet/aspnet@sha256:de73c1e1abd69d3ffa2658075ad4cd4edccfef37eb92ddda2c78f20173403238
FROM mcr.microsoft.com/dotnet/aspnet@sha256:ba398f8c6a0469436cc115bfbd278002baf4ce9423b6d8a9e904da6adc31a23d
LABEL maintainer="Ed-Fi Alliance, LLC and Contributors <techsupport@ed-fi.org>"

ENV VERSION="1.0.0"
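Review bot: the `FROM` line now carries only the digest, so the `# Tag aspnet:8.0-alpine` comment above it is the sole record of which tag the new digest was taken from, and nothing in the file ties the two together. Dockerfile syntax accepts both at once, `FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine@sha256:ba398f8c6a0469436cc115bfbd278002baf4ce9423b6d8a9e904da6adc31a23d`; the digest still pins the exact image, while the tag stays visible where the pin is and the comment cannot drift from it. The PR title says the bump removes vulnerabilities, but neither this hunk nor the comment records which advisories the new digest addresses; a short note next to the tag would help whoever reviews the next bump.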
@@ -21,7 +21,7 @@

COPY ./Docker/run.sh /app/run.sh

RUN apk --no-cache add unzip=~6 dos2unix=~7 bash=~5 gettext=~0 postgresql13-client=~13 icu=~74 curl=~8 && \

Check failure on line 24 in src/Dockerfile, from GitHub Actions / docker-analysis (publisher, src/Dockerfile):
DL3047 info: Avoid use of wget without progress bar. Use `wget --progress=dot:giga <url>`. Or consider using `-q` or `-nv` (shorthands for `--quiet` or `--no-verbose`).
wget -O /app/ApiPublisher.zip https://pkgs.dev.azure.com/ed-fi-alliance/Ed-Fi-Alliance-OSS/_apis/packaging/feeds/EdFi/nuget/packages/EdFi.ApiPublisher/versions/${VERSION}/content && \
unzip /app/ApiPublisher.zip 'EdFi.ApiPublisher/**' -d /app/ && \
mv /app/EdFi.ApiPublisher/* /app/ && \
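Review bot: the `wget -O /app/ApiPublisher.zip …` step downloads the package over the network and hands it straight to `unzip` with no integrity check, so the image content depends entirely on what the feed returns for `${VERSION}` at build time; the digest pinning done elsewhere in this PR does not cover this step. Record the expected SHA-256 of the zip (a build argument is the usual place) and fail the build with `sha256sum -c` before `unzip` runs if it disagrees. The DL3047 annotation on the same line is cleared by adding `-nv` to the `wget` invocation, which also keeps the progress bar out of the build log.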
19 changes: 10 additions & 9 deletions src/dev.Dockerfile
@@ -5,7 +5,7 @@


# tag sdk:8.0 alpine
FROM mcr.microsoft.com/dotnet/sdk@sha256:e9f2d4a0452e823d615bf6da6e0575489d8037498571db6fa1c6ce6fb9987ecd AS build
FROM mcr.microsoft.com/dotnet/sdk@sha256:91cb46b0ee207d0df53e2e38f2e4013fe2668ab52dcca13c971afbbef94c83ef AS build
WORKDIR /source

COPY ./EdFi.Tools.ApiPublisher.Cli/ EdFi.Tools.ApiPublisher.Cli/
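Review bot: the `# tag sdk:8.0 alpine` comment above the changed `FROM` line is written with a space rather than the `8.0-alpine` form used in src/Dockerfile, and the digest-only `FROM` gives a reader no way to see which tag the new sdk digest corresponds to. Writing the reference as `mcr.microsoft.com/dotnet/sdk:8.0-alpine@sha256:91cb46b0ee207d0df53e2e38f2e4013fe2668ab52dcca13c971afbbef94c83ef AS build` keeps the digest pin and makes the comment redundant in one step.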
@@ -36,9 +36,17 @@


# Tag aspnet:8.0 alpine
FROM mcr.microsoft.com/dotnet/aspnet@sha256:de73c1e1abd69d3ffa2658075ad4cd4edccfef37eb92ddda2c78f20173403238
@stephenfuqua (Contributor), Jul 10, 2024:

Regarding the error above: line 34 is unnecessary. Also, I don't think it will work now, since AS build was removed from the first line. I recommend restoring AS build on line 8 and removing line 34.

For faster local builds, add AS runtimeBase on line 39, and move the apk command from line 55 to be right below LABEL. Then create the final layer from runtimeBase. What does this do for you? It means that the apk install updates will be cached in a re-usable layer locally, so that you don't need to run them every time.

```dockerfile
FROM mcr.microsoft.com/dotnet/aspnet@sha256:ba398f8c6a0469436cc115bfbd278002baf4ce9423b6d8a9e904da6adc31a23d as runtimeBase
LABEL maintainer="Ed-Fi Alliance, LLC and Contributors <techsupport@ed-fi.org>"

RUN apk --no-cache add unzip=~6 dos2unix=~7 bash=~5 gettext=~0 icu=~74 curl=~8

FROM runtimebase AS setup

# Now add the rest of your ENV, COPY, RUN, and ENTRYPOINT commands
```

You may still get a warning like above, on the new FROM runtimebase AS setup line. At that point it is a false positive as far as I'm concerned - to my knowledge there is no version tagging you can apply here.

FROM mcr.microsoft.com/dotnet/aspnet@sha256:ba398f8c6a0469436cc115bfbd278002baf4ce9423b6d8a9e904da6adc31a23d AS runtimeBase
LABEL maintainer="Ed-Fi Alliance, LLC and Contributors <techsupport@ed-fi.org>"

RUN apk --no-cache add unzip=~6 dos2unix=~7 bash=~5 gettext=~0 icu=~74 curl=~8 && \
dos2unix /app/*.json && \
dos2unix /app/*.sh && \
chmod 700 /app/*.sh -- ** && \
rm -f /app/*.pdb && \
rm -f /app/*.exe
FROM runtimebase AS setup

Check failure on line 48 in src/dev.Dockerfile, from GitHub Actions / docker-analysis (development, src/dev.Dockerfile):
DL3006 warning: Always tag the version of an image explicitly

# Alpine image does not contain Globalization Cultures library so we need to install ICU library to get fopr LINQ expression to work
# Disable the globaliztion invariant mode (set in base image)
ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false
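Review bot: the `RUN` moved into the new `runtimeBase` stage still carries `dos2unix /app/*.json`, `dos2unix /app/*.sh`, `chmod 700 /app/*.sh -- **`, `rm -f /app/*.pdb` and `rm -f /app/*.exe`, but at this point in the build nothing has been copied into `/app` yet (the `COPY` lines come later, in the `setup` stage), so those steps run against an empty or missing directory: the `rm -f` calls are no-ops, and an unmatched `/app/*.json` glob is passed to `dos2unix` literally, which reports a missing file and returns non-zero, breaking the `&&` chain and with it the build. Keep only `apk --no-cache add …` in `runtimeBase`, which is the part worth caching, and leave the file fix-ups after the `COPY` lines. Separately, the stage is declared `AS runtimeBase` but referenced as `FROM runtimebase AS setup`; the DL3006 warning lands on that second line, and spelling the alias the same way in both places is the quickest way to see whether the linter is merely failing to match the stage name because of the case difference.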
@@ -52,11 +60,4 @@
COPY ./Docker/plainTextNamedConnections.template.json /app/plainTextNamedConnections.template.json
COPY ./Docker/run.sh /app/run.sh

RUN apk --no-cache add unzip=~6 dos2unix=~7 bash=~5 gettext=~0 icu=~74 curl=~8 && \
dos2unix /app/*.json && \
dos2unix /app/*.sh && \
chmod 700 /app/*.sh -- ** && \
rm -f /app/*.pdb && \
rm -f /app/*.exe

ENTRYPOINT [ "/app/run.sh" ]
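Review bot: with this `RUN` block deleted, nothing in the `setup` stage normalizes line endings or sets permissions on `/app/run.sh` after the `COPY` lines above, because the copy of these commands that moved into `runtimeBase` executes before `/app` has any contents. If the checkout can carry CRLF endings (the reason `dos2unix` was here), `ENTRYPOINT [ "/app/run.sh" ]` will fail at container start. Restore a `RUN dos2unix /app/*.json && dos2unix /app/*.sh && chmod 700 /app/*.sh && rm -f /app/*.pdb /app/*.exe` at this position, after the last `COPY`; the `apk` install can stay in the cached base stage. While doing so, drop the trailing `-- **` from the `chmod` line, which also applies mode 700 to whatever `**` expands to in the build's working directory.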