build: FORMS-1799 node update for security fixes #1599
Conversation
This comment has been minimized.
This comment has been minimized.
WalterMoar
requested review from
usingtechnology,
abhilash-aot,
nimya-aot,
jasonchung1871,
RyanBirtch-aot and
revanth-banala
| "context": "..", | ||
| "args": { | ||
| "VARIANT": "20.18.1-bookworm" | ||
| } | ||
| "context": ".." |
There was a problem hiding this comment.
While we could just update the value of this VARIANT argument and leave the Dockerfile as-is, I think it will be less confusing for future updates if we just remove this and update the Dockerfile value.
There was a problem hiding this comment.
Sounds good. Fine with me.
| libasound2 \ | ||
| libgbm-dev \ | ||
| libgtk-3-0 \ | ||
| libgtk2.0-0 \ | ||
| libnotify-dev \ | ||
| libnss3 \ | ||
| libxss1 \ | ||
| libxtst6 \ | ||
| vim \ | ||
| xauth \ | ||
| xvfb \ |
There was a problem hiding this comment.
Sonar wants the new packages to be in alphabetical order. While I'm usually 100% onboard with alphabetizing things, this does make it a bit more effort to check that we have all the Cypress prerequisites (in case those change).
There was a problem hiding this comment.
Since this is not a production image we could just ignore it in Sonar. Up to you... but I would be ok with ignoring this file.
There was a problem hiding this comment.
Maybe it's good to follow the Sonar recommendation - I don't think we'll be checking the Cypress prerequisites that often.
| vim \ | ||
| xauth \ | ||
| xvfb \ | ||
| && apt-get clean |
There was a problem hiding this comment.
Sonar recommended the clean step to help reduce image size.
| RUN mkdir /.npm | ||
| RUN chgrp -R 0 /.npm && \ | ||
| chmod -R g=u /.npm |
There was a problem hiding this comment.
Sonar recommended combining RUN steps so that there are fewer layers in the image.
WalterMoar
force-pushed
the
build/1799-node-update
branch
from
c6c05fb to
d6ba595
Compare
Update the node image to address security vulnerabilities reported by RedHat Advanced Cluster Security.
While the VARIANT argument is useful in some situations, there's the possibility that the Dockerfile is updated with a newer image version but the argument in the devcontainer.json overrides it. Remove it and just use what's in the Dockerfile.
Sonar was complaining that the installed packages were not in alphabetical order. It was also complaining that the install wasn't cleaned afterwards.
Sonar was complaining that the multiple RUN commands should be combined. Good point!
|
Description
The Red Hat Advanced Cluster Security (ACS) application has identified the image
nodeas having vulnerabilities that are fixable. To satisfy the requirements outlined in the Security Threat and Risk Assessment's (STRA) Statement of Acceptable Risks (SoAR), this image must be updated to resolve fixable vulnerabilities (or mitigated in some other way, if updating the image is not possible).Acceptance Criteria
Type of Change
build (change in build system or dependencies)
Checklist
Further comments
apt-get cleannot being run