Issue 168 vulnerability checks (#183)

* Update plugin to latest to get vunerability analysis checks

* Bumped alpine version to latest stable.

* Updated Imagemagick to latest

* Fix for java-jna package discontinued for aarch64

* Added link to aports issue that requires custom build of java-jna

* Generate grype reports on pushs as well as pull requests.

* Updated fits to latest to get security updates.

* Added ability to ignore specific vulnerabilities, while a fix is not availiable.

* Updated tomcat to latest

* Documented additional flag for grype

* Made alpine version a argument.

Co-authored-by: Nigel Banks <[email protected]:w>

Author: nigelgbanks

.github/workflows/pr.yml

@@ -25,4 +25,8 @@ jobs:
     - name: Build/Test Docker images
       uses: eskatos/gradle-command-action@v1
       with:
-        arguments: build test -PisCI=true --info
+        arguments: build test grype -PisCI=true --info
+    - uses: actions/upload-artifact@v2
+      with:
+        name: Grype Reports
+        path: build/**/*-grype.*

.github/workflows/push.yml

@@ -31,4 +31,8 @@ jobs:
     - name: Build/Test/Push Docker images
       uses: eskatos/gradle-command-action@v1
       with:
-        arguments: build test '-Pdocker.tags=${{ env.TAG }}' '-Pdocker.repository=${{ secrets.REPOSITORY }}' -Pdocker.push=true -Pdocker.driver=docker-container -Pdocker.cacheTo=true -Pdocker.platforms=linux/amd64,linux/arm64 -PisCI=true --info
+        arguments: build test grype '-Pdocker.tags=${{ env.TAG }}' '-Pdocker.repository=${{ secrets.REPOSITORY }}' -Pdocker.push=true -Pdocker.driver=docker-container -Pdocker.cacheTo=true -Pdocker.platforms=linux/amd64,linux/arm64 -PisCI=true --info
+    - uses: actions/upload-artifact@v2
+      with:
+        name: Grype Reports
+        path: build/**/*-grype.*

abuild/Dockerfile

@@ -1,9 +1,10 @@
 # syntax=docker/dockerfile:1.2.1
 ARG repository=local
 ARG tag=latest
+ARG alpine=3.15.0
 FROM ${repository}/download:${tag} AS download
-FROM alpine:3.13.2 AS cache
-FROM alpine:3.13.2
+FROM alpine:${alpine} AS cache
+FROM alpine:${alpine}
 
 RUN --mount=type=cache,id=abuild-apk,sharing=locked,from=cache,target=/var/cache/apk \
     ln -s /var/cache/apk /etc/apk/cache && \

base/Dockerfile

@@ -1,9 +1,10 @@
 # syntax=docker/dockerfile:1.2.1
 ARG repository=local
 ARG tag=latest
+ARG alpine=3.15.0
 FROM ${repository}/download:${tag} AS download
-FROM alpine:3.13.2 AS cache
-FROM alpine:3.13.2
+FROM alpine:${alpine} AS cache
+FROM alpine:${alpine}
 
 ENV DOWNLOAD_CACHE_DIRECTORY=/opt/downloads
 

base/README.md

@@ -7,7 +7,7 @@ It's based off off [Alpine Linux], and includes [s6 overlay] and [confd].
 
 ## Dependencies
 
-Requires `alpine:3.13.2`
+Requires `alpine`
 
 ## Settings
 

build.gradle.kts

@@ -1,3 +1,3 @@
 plugins {
-  id("com.github.nigelgbanks.IsleDocker") version "0.7"
+  id("com.github.nigelgbanks.IsleDocker") version "0.9"
 }

cantaloupe/Dockerfile

@@ -1,6 +1,7 @@
 # syntax=docker/dockerfile:1.2.1
 ARG repository=local
 ARG tag=latest
+ARG alpine=3.15.0
 FROM --platform=$BUILDPLATFORM ${repository}/download:${tag} AS download
 
 RUN --mount=type=cache,id=cantaloupe-downloads,sharing=locked,target=/opt/downloads \
@@ -14,7 +15,7 @@ RUN --mount=type=cache,id=cantaloupe-downloads,sharing=locked,target=/opt/downlo
     install-war-into-tomcat.sh --name "cantaloupe" --file "/tmp/${CANTALOUPE_UNPACKED}/${CANTALOUPE_UNPACKED}.war" && \
     rm -fr "/tmp/${CANTALOUPE_UNPACKED}"
 
-FROM alpine:3.13.2 AS cache
+FROM alpine:${alpine} AS cache
 FROM ${repository}/tomcat:${tag}
 
 COPY --from=download --chown=tomcat:tomcat /opt/tomcat /opt/tomcat

code-server/Dockerfile

@@ -1,9 +1,18 @@
 # syntax=docker/dockerfile:1.2.1
 ARG repository=local
 ARG tag=latest
-FROM alpine:3.13.2 AS cache
+ARG alpine=3.15.0
+FROM alpine:${alpine} AS cache
+FROM node:fermium-alpine3.15 as node
 FROM ${repository}/abuild:${tag} AS build
 
+COPY --from=node /usr/lib /usr/lib
+COPY --from=node /usr/local/share /usr/local/share
+COPY --from=node /usr/local/lib /usr/local/lib
+COPY --from=node /usr/local/include /usr/local/include
+COPY --from=node /usr/local/bin /usr/local/bin
+COPY --from=node /opt /opt
+
 # g++, make, python are only required to build native dependencies via node-gyp.
 # spdlog is required for building / using xdebug extension.
 RUN --mount=type=cache,id=code-server-apk,sharing=locked,from=cache,target=/var/cache/apk \
@@ -14,8 +23,7 @@ RUN --mount=type=cache,id=code-server-apk,sharing=locked,from=cache,target=/var/
         nghttp2-dev \
         python3 \
         spdlog \
-        sudo \
-        yarn
+        sudo
 
 # `node-gyp` must be installed before anything else. This is unfortuante, but
 # make sure the version here matches the exact version in:
@@ -83,7 +91,6 @@ RUN --mount=type=cache,id=code-server-drupal-apk,sharing=locked,from=cache,targe
         htop \
         php7-pecl-xdebug \
         spdlog \
-        yarn \
         sudo \
         unison \
         parallel \
@@ -104,6 +111,12 @@ ENV \
 COPY --from=composer --chown=nginx:nginx /root/.composer /var/lib/nginx/.composer
 COPY --from=build --chown=nginx:nginx /opt/code-server /opt/code-server
 COPY --from=build /usr/local/share/.config/yarn /usr/local/share/.config/yarn
+COPY --from=node /usr/lib /usr/lib
+COPY --from=node /usr/local/share /usr/local/share
+COPY --from=node /usr/local/lib /usr/local/lib
+COPY --from=node /usr/local/include /usr/local/include
+COPY --from=node /usr/local/bin /usr/local/bin
+COPY --from=node /opt /opt
 
 COPY rootfs /
 

composer/Dockerfile

@@ -1,6 +1,7 @@
 # syntax=docker/dockerfile:1.2.1
 ARG repository=local
 ARG tag=latest
+ARG alpine=3.15.0
 FROM --platform=$BUILDPLATFORM ${repository}/download:${tag} AS download 
 
 # https://getcomposer.org/download/
@@ -13,7 +14,7 @@ RUN --mount=type=cache,id=download-downloads,sharing=locked,target=/opt/download
     cp "${DOWNLOAD_CACHE_DIRECTORY}/${COMPOSER_FILE}" /usr/bin/composer && \
     chmod a+x /usr/bin/composer
 
-FROM alpine:3.13.2 AS cache
+FROM alpine:${alpine} AS cache
 FROM ${repository}/download:${tag}
 
 # Install packages and tools that allow for basic downloads.

download/Dockerfile

@@ -1,6 +1,7 @@
 # syntax=docker/dockerfile:1.2.1
-FROM alpine:3.13.2 AS cache
-FROM alpine:3.13.2
+ARG alpine=3.15.0
+FROM alpine:${alpine} AS cache
+FROM alpine:${alpine}
 
 # Install packages and tools that allow for basic downloads.
 RUN --mount=type=cache,id=download-apk,sharing=locked,from=cache,target=/var/cache/apk \