From 049573f39adf4168fd3620d478731f81823dd08d Mon Sep 17 00:00:00 2001 From: Ruairidh MacLeod Date: Tue, 19 Nov 2024 16:18:48 +0000 Subject: [PATCH 1/5] revert back to root user for rootless podman on NFS --- software/Freesurfer/Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/software/Freesurfer/Dockerfile b/software/Freesurfer/Dockerfile index 5e16e43..cf1d727 100644 --- a/software/Freesurfer/Dockerfile +++ b/software/Freesurfer/Dockerfile @@ -90,7 +90,6 @@ RUN : \ RUN : \ && mkdir /safe_data /safe_outputs /scratch \ - && useradd ces-user \ && : -USER ces-user +USER root From 6009e1938ee18ce7614eb3969329068e6b888aaa Mon Sep 17 00:00:00 2001 From: Ruairidh MacLeod Date: Tue, 19 Nov 2024 16:19:11 +0000 Subject: [PATCH 2/5] restore lib/qt for graphical apps --- software/Freesurfer/Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/software/Freesurfer/Dockerfile b/software/Freesurfer/Dockerfile index cf1d727..c9bcbc3 100644 --- a/software/Freesurfer/Dockerfile +++ b/software/Freesurfer/Dockerfile @@ -83,7 +83,6 @@ RUN : \ && rm -rf \ average/mult-comp-cor \ lib/cuda \ - lib/qt \ subjects \ trctrain \ && : From 9e874665c9dc36711a322a99b012bbd59f216a99 Mon Sep 17 00:00:00 2001 From: Ruairidh MacLeod Date: Tue, 19 Nov 2024 16:19:18 +0000 Subject: [PATCH 3/5] bump image revision --- software/Freesurfer/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software/Freesurfer/Dockerfile b/software/Freesurfer/Dockerfile index c9bcbc3..ce8bead 100644 --- a/software/Freesurfer/Dockerfile +++ b/software/Freesurfer/Dockerfile @@ -1,7 +1,7 @@ FROM docker.io/ubuntu@sha256:e9569c25505f33ff72e88b2990887c9dcf230f23259da296eb814fc2b41af999 ARG FREESURFER_VERSION="7.4.1" -ARG FREESURFER_IMAGE_REVISION="5" +ARG FREESURFER_IMAGE_REVISION="6" ARG FREESURFER_DEB_MD5="bfe85dd76677cfb7ca2b247b9ac6148e" ENV \ From e8500b7dcbd243e2d865b29890a032aeac30fa62 Mon Sep 17 00:00:00 2001 
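Review bot: The Dockerfile now ends with `USER root` and nothing in the file records why, so the next reader (or the next lint/scan cleanup) will see a plain root-user violation; the rationale exists only in this commit's subject line. I would put it on the line itself, e.g. `# Intentionally root: under rootless podman, in-container root maps to the invoking user's UID, which is what the NFS-mounted data expects; a non-root user would map to a subordinate UID without access.` — the NFS/subordinate-UID reasoning is inferred from the subject, so adjust it to the failure actually observed. The same comment (or the image's docs) should also state that this image is not safe to run under a rootful runtime, where container root is host root. If the non-root account is wanted back later, keeping the original `useradd ces-user` and running with `podman run --userns=keep-id` is the usual alternative, but that is a runtime-side change this commit does not attempt.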
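Review bot: `lib/qt` is removed from the `rm -rf` list without a comment saying why it must stay, so a future size-trimming pass is likely to delete it again; I would add `# lib/qt is kept deliberately: required by FreeSurfer's graphical tools` beside the list, naming the tools if known (presumably the GUI viewer). Worth noting for whoever owns the scans: the Qt libraries shipped inside the FreeSurfer install are vendored shared objects rather than OS packages, so the trivy image scan used in this repository will most likely not report vulnerabilities in them — they are an unscanned surface that should be tracked separately. The `RUN` this hunk edits begins before the hunk.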
From: Ruairidh MacLeod Date: Tue, 19 Nov 2024 16:40:53 +0000 Subject: [PATCH 4/5] add ignore for trivy root user check --- bin/trivy-image-scan.bash | 2 ++ bin/trivy-misconfig-dockerfile.bash | 1 + configs/.trivyignore | 1 + 3 files changed, 4 insertions(+) create mode 100644 configs/.trivyignore diff --git a/bin/trivy-image-scan.bash b/bin/trivy-image-scan.bash index 32bdde8..6eff6a0 100755 --- a/bin/trivy-image-scan.bash +++ b/bin/trivy-image-scan.bash @@ -37,6 +37,7 @@ docker run \ "${TRIVY_IMG}" \ image \ --config "/repo/configs/${config}" \ + --ignorefile /repo/configs/.trivyignore \ --format table \ --output /reports/trivy-cve.txt \ "${image}" @@ -51,6 +52,7 @@ docker run \ "${TRIVY_IMG}" \ image \ --config "/repo/configs/${config}" \ + --ignorefile /repo/configs/.trivyignore \ --format cyclonedx \ --output /reports/trivy-sbom.json \ "${image}" diff --git a/bin/trivy-misconfig-dockerfile.bash b/bin/trivy-misconfig-dockerfile.bash index d0e4744..d8426e9 100755 --- a/bin/trivy-misconfig-dockerfile.bash +++ b/bin/trivy-misconfig-dockerfile.bash @@ -27,5 +27,6 @@ docker run \ ghcr.io/aquasecurity/trivy:latest \ config \ --config "/repo/configs/${config}" \ + --ignorefile /repo/configs/.trivyignore \ "/repo/${dockerfile}" diff --git a/configs/.trivyignore b/configs/.trivyignore new file mode 100644 index 0000000..28a8e11 --- /dev/null +++ b/configs/.trivyignore @@ -0,0 +1 @@ +AVD-DS-0002 # Image user should not be root From f947570d778ec02cb7074c789f8280a438116b1b Mon Sep 17 00:00:00 2001 From: Ruairidh MacLeod Date: Tue, 19 Nov 2024 16:43:07 +0000 Subject: [PATCH 5/5] allow root user via hadolint --- configs/hadolint.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configs/hadolint.yaml b/configs/hadolint.yaml index a6d3f21..9210a9a 100644 --- a/configs/hadolint.yaml +++ b/configs/hadolint.yaml @@ -1,3 +1,5 @@ ignored: # Ignore "Pin versions in apt get install" - DL3008 + # Ignore "Last USER should not be root" + - DL3002
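Review bot: `--ignorefile /repo/configs/.trivyignore` is added to the shared `trivy config` wrapper, so the root-user suppression applies to every Dockerfile this script is pointed at, not only `software/Freesurfer/Dockerfile`; the suppression is broader than the exception that motivated it. If the trivy version in use supports the YAML ignore format, a scoped entry such as `misconfigurations: [{id: AVD-DS-0002, paths: ["software/Freesurfer/Dockerfile"]}]` in a `.trivyignore.yaml` keeps the check active for other images; otherwise a per-image ignore file chosen alongside `${config}` would do. The same flag is also passed to both `trivy image` invocations in `trivy-image-scan.bash`, where a misconfiguration ID has no effect unless the misconfig scanner is enabled, so those two additions look like dead configuration — harmless, but misleading to the next reader.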
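Review bot: The only entry, `AVD-DS-0002 # Image user should not be root`, places the comment on the same line as the ID; trivy's documented ignore-file form is one ID per line with `#` comments on their own lines, and I am not certain every trivy release tolerates a trailing comment, in which case the entry would silently fail to match and suppress nothing. Moving the comment to the line above the ID avoids the question. The comment also restates the rule rather than the justification: record why the image runs as root (rootless podman on NFS), which image it is for, and an expiry using trivy's expiration field, e.g. `AVD-DS-0002 exp:2025-05-31`, so the suppression is revisited rather than becoming permanent.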
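Review bot: Adding `DL3002` to the global `ignored:` list disables the last-USER-is-root check for every Dockerfile linted with this config, while the change that needs it is confined to one file. hadolint supports an inline pragma, so `# hadolint ignore=DL3002` on the line directly above `USER root` in `software/Freesurfer/Dockerfile` suppresses only that occurrence and keeps the rule active for the other images; the entry here could then be dropped. If the global ignore is kept deliberately, the comment should say why it is global (and for which images) rather than only restating the rule's title.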