diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml index 8075f67..111abf8 100644 --- a/.github/workflows/build_all_images.yml +++ b/.github/workflows/build_all_images.yml @@ -17,17 +17,22 @@ jobs: discover_folders: runs-on: ubuntu-latest outputs: - language_folders: ${{ steps.find-folders.outputs.languages }} + base_node_folders: ${{ steps.find-folders.outputs.base_node }} + node_24_language_folders: ${{ steps.find-folders.outputs.node_24_languages }} project_folders: ${{ steps.find-folders.outputs.projects }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - id: find-folders run: | - language_folders=$(find src/languages -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]') + base_node_folders=$(find src/base_node -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]') + node_24_language_folders=$(find src/languages -mindepth 1 -maxdepth 1 -type d -name 'node_24*' -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]') project_folders=$(find src/projects -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]') - echo "languages=$language_folders" >> "$GITHUB_OUTPUT" - echo "projects=$project_folders" >> "$GITHUB_OUTPUT" + { + echo "base_node=$base_node_folders" + echo "node_24_languages=$node_24_language_folders" + echo "projects=$project_folders" + } >> "$GITHUB_OUTPUT" package_base_docker_image: uses: ./.github/workflows/build_multi_arch_image.yml with: @@ -36,14 +41,31 @@ jobs: container_name: base base_folder: "." NO_CACHE: ${{ inputs.NO_CACHE }} - package_language_docker_images: + package_base_node_images: needs: - package_base_docker_image - discover_folders strategy: fail-fast: false matrix: - container_name: ${{ fromJson(needs.discover_folders.outputs.language_folders) }} + container_name: ${{ fromJson(needs.discover_folders.outputs.base_node_folders) }} + uses: ./.github/workflows/build_multi_arch_image.yml + with: + tag_latest: ${{ inputs.tag_latest }} + docker_tag: ${{ inputs.docker_tag }} + container_name: ${{ matrix.container_name }} + base_folder: "base_node" + NO_CACHE: ${{ inputs.NO_CACHE }} + EXTRA_COMMON: "common_node_24" + package_node_24_language_docker_images: + needs: + - package_base_docker_image + - package_base_node_images + - discover_folders + strategy: + fail-fast: false + matrix: + container_name: ${{ fromJson(needs.discover_folders.outputs.node_24_language_folders) }} uses: ./.github/workflows/build_multi_arch_image.yml with: tag_latest: ${{ inputs.tag_latest }} @@ -51,10 +73,10 @@ jobs: container_name: ${{ matrix.container_name }} base_folder: "languages" NO_CACHE: ${{ inputs.NO_CACHE }} + EXTRA_COMMON: "common_node_24" package_project_docker_images: needs: - - package_language_docker_images - + - package_node_24_language_docker_images - discover_folders strategy: fail-fast: false @@ -67,3 +89,4 @@ jobs: container_name: ${{ matrix.container_name }} base_folder: "projects" NO_CACHE: ${{ inputs.NO_CACHE }} + EXTRA_COMMON: "common_node_24" diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index effc2b7..36e3c0f 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -17,6 +17,9 @@ name: Build and push docker image NO_CACHE: required: true type: boolean + EXTRA_COMMON: + required: false + type: string jobs: build_and_push_image: @@ -27,6 +30,7 @@ jobs: attestations: write id-token: write runs-on: '${{ matrix.runner }}' + strategy: fail-fast: false matrix: @@ -59,6 +63,10 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: fetch-depth: 0 + - name: setup trivy + uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514 + with: + version: v0.69.1 - name: setup node uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 with: @@ -72,17 +80,6 @@ jobs: run: | echo "Building image..." make build-image - - echo "Creating combined trivy ignore file" - # create combined trivy ignore file for use in trivy scan, combining common and specific ignore files if they exist - combined="src/${BASE_FOLDER}/${CONTAINER_NAME}/.trivyignore_combined.yaml" - common="src/common/.trivyignore.yaml" - specific="src/${BASE_FOLDER}/${CONTAINER_NAME}/.trivyignore.yaml" - echo "vulnerabilities:" > "$combined" - if [ -f "$common" ]; then sed -n '2,$p' "$common" >> "$combined"; fi - if [ -f "$specific" ]; then sed -n '2,$p' "$specific" >> "$combined"; fi - echo "Combined trivy ignore file created at $combined" - env: ARCHITECTURE: '${{ matrix.arch }}' CONTAINER_NAME: '${{ inputs.container_name }}' @@ -92,41 +89,34 @@ jobs: BASE_FOLDER: "${{ inputs.base_folder }}" NO_CACHE: '${{ inputs.NO_CACHE }}' - name: Check docker vulnerabilities - json output - uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 - with: - scan-type: "image" - image-ref: "ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}:${{ inputs.docker_tag }}-${{ matrix.arch }}" - severity: "CRITICAL,HIGH" - scanners: "vuln" - vuln-type: "os,library" - format: "json" - output: "scan_results_docker.json" - exit-code: "0" - trivy-config: src/${{ inputs.base_folder }}/${{ inputs.container_name }}/trivy.yaml + run: | + make scan-image-json + env: + CONTAINER_NAME: '${{ inputs.container_name }}' + BASE_FOLDER: "${{ inputs.base_folder }}" + IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}" + EXIT_CODE: 0 + EXTRA_COMMON: "${{ inputs.extra_common }}" - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload scan results with: name: "scan_results_docker_${{ inputs.container_name }}_${{ matrix.arch }}.json" - path: scan_results_docker.json + path: .out/scan_results_docker.json - name: Check docker vulnerabilities - table output - uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 - with: - scan-type: "image" - image-ref: "ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}:${{ inputs.docker_tag }}-${{ matrix.arch }}" - severity: "CRITICAL,HIGH" - scanners: "vuln" - vuln-type: "os,library" - format: "table" - output: "scan_results_docker.txt" - exit-code: "1" - trivy-config: src/${{ inputs.base_folder }}/${{ inputs.container_name }}/trivy.yaml - + run: | + make scan-image + env: + CONTAINER_NAME: '${{ inputs.container_name }}' + BASE_FOLDER: "${{ inputs.base_folder }}" + IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}" + EXIT_CODE: "1" + EXTRA_COMMON: "${{ inputs.extra_common }}" - name: Show docker vulnerability output if: always() run: | echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" - if [ -f scan_results_docker.txt ]; then - cat scan_results_docker.txt + if [ -f .out/scan_results_docker.txt ]; then + cat .out/scan_results_docker.txt fi env: ARCHITECTURE: '${{ matrix.arch }}' diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1a83ccb..4941baf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -40,7 +40,8 @@ jobs: tag_format: ${{ needs.get_asdf_version.outputs.tag_format }} secrets: inherit build_all_images: - needs: tag_release + needs: + - tag_release uses: ./.github/workflows/build_all_images.yml with: docker_tag: 'ci-${{ needs.tag_release.outputs.version_tag }}' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 15d64c1..83022ff 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -41,7 +41,8 @@ jobs: tag_format: ${{ needs.get_asdf_version.outputs.tag_format }} secrets: inherit build_all_images: - needs: tag_release + needs: + - tag_release uses: ./.github/workflows/build_all_images.yml with: docker_tag: '${{ needs.tag_release.outputs.version_tag }}' diff --git a/Makefile b/Makefile index 0920c27..c829f69 100644 --- a/Makefile +++ b/Makefile @@ -41,32 +41,40 @@ build-githubactions-image: guard-BASE_IMAGE_NAME guard-BASE_IMAGE_TAG guard-IMAG . scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER + mkdir -p .out @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ common="src/common/.trivyignore.yaml"; \ + extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \ specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \ + exit_code="$${EXIT_CODE:-1}"; \ echo "vulnerabilities:" > "$$combined"; \ if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \ - if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi + if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \ + if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \ trivy image \ --severity HIGH,CRITICAL \ --config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \ --scanners vuln \ - --exit-code 1 \ - --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" + --exit-code $$exit_code \ + --format table \ + --output .out/scan_results_docker.txt "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG + mkdir -p .out @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ common="src/common/.trivyignore.yaml"; \ + extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \ specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \ + exit_code="$${EXIT_CODE:-1}"; \ echo "vulnerabilities:" > "$$combined"; \ if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \ - if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi - mkdir -p .out + if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \ + if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \ trivy image \ --severity HIGH,CRITICAL \ --config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \ --scanners vuln \ - --exit-code 1 \ + --exit-code "$$exit_code" \ --format json \ --output .out/scan_results_docker.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" @@ -89,3 +97,8 @@ github-login: lint-githubaction-scripts: shellcheck .github/scripts/*.sh + +clean: + rm -rf .out + find . -type f -name '.trivyignore_combined.yaml' -delete + diff --git a/README.md b/README.md index 7fa7a29..e20c8e3 100644 --- a/README.md +++ b/README.md @@ -130,18 +130,24 @@ It is important that - there is `options: --user 1001:1001 --group-add 128` below image to ensure it uses the correct user id and is added to the docker group - the default shell is set to be bash - the first step copies .tool-versions from /home/vscode to $HOME/.tool-versions +## Using local or pull request images in visual studio code +You can use local or pull request images by changing IMAGE_VERSION in devcontainer.json. +For an image built locally following instructions below, you should put the IMAGE_VERSION=local-build. +For an image built from a pull request, you should put the IMAGE_VERSION=. +You can only use images built from a pull request for testing changes in github actions. # Project structure -We have 4 types of dev container. These are defined under src +We have 5 types of dev container. These are defined under src `base` - this is the base image that all others are based on. -`languages` - this installs specific versions of node and python. +`base_node` - images that install node - most language projects rely on one of these +`languages` - this installs specific versions of python - normally based off a node image `projects` - this is used for projects where more customization is needed than just a base language image. `githubactions` - this just takes an existing image and remaps vscode user to be 1001 so it can be used by github actions. Each image to be built contains a .devcontainer folder that defines how the devcontainer should be built. At a minimum, this should contain a devcontainer.json file. See https://containers.dev/implementors/json_reference/ for options for this -Images under languages should point to a dockerfile under src/common that is based off the base image. This also runs `.devcontainer/scripts/root_install.sh` and `.devcontainer/scripts/vscode_install.sh` as vscode user as part of the build. These files should be in the language specific folder. +Images under languages should point to a dockerfile under src/common or src/common_node_24 that is based off the base or node image. This also runs `.devcontainer/scripts/root_install.sh` and `.devcontainer/scripts/vscode_install.sh` as vscode user as part of the build. These files should be in the language specific folder. We use trivy to scan for vulnerabilities in the built docker images. Known vulnerabilities in the base image are in `src/common/.trivyignore.yaml`. Vulnerabilities in specific images are in `.trivyignore.yaml` file in each images folder. These are combined before running a scan to exclude all known vulnerabilities @@ -180,6 +186,14 @@ CONTAINER_NAME=base \ IMAGE_TAG=local-build \ make build-image ``` +Base node 24 image +``` +CONTAINER_NAME=node_24 \ + BASE_VERSION_TAG=local-build \ + BASE_FOLDER=base_node \ + IMAGE_TAG=local-build \ + make build-image +``` Language images ``` CONTAINER_NAME=node_24_python_3_14 \ @@ -212,11 +226,20 @@ CONTAINER_NAME=base \ IMAGE_TAG=local-build \ make scan-image ``` +Base node 24 image +``` +CONTAINER_NAME=node_24 \ + BASE_FOLDER=base_node \ + IMAGE_TAG=local-build \ + EXTRA_COMMON=common_node_24 \ + make scan-image +``` Language images ``` -CONTAINER_NAME=node_24_python_3_12 \ +CONTAINER_NAME=node_24_python_3_14 \ BASE_FOLDER=languages \ IMAGE_TAG=local-build \ + EXTRA_COMMON=common_node_24 \ make scan-image ``` Project images @@ -254,12 +277,6 @@ CONTAINER_NAME=base \ make shell-image ``` -## Using local or pull request images in visual studio code -You can use local or pull request images by changing IMAGE_VERSION in devcontainer.json. -For an image built locally, you should put the IMAGE_VERSION=local-build. -For an image built from a pull request, you should put the IMAGE_VERSION=. -You can only use images built from a pull request for testing changes in github actions. - ## Generating a .trivyignore file You can generate a .trivyignore file for known vulnerabilities by either downloading the json scan output generated by the build, or by generating it locally using the scanning images commands above with a make target of scan-image-json diff --git a/src/base/.devcontainer/Mk/check.mk b/src/base/.devcontainer/Mk/check.mk index 031b732..4beddbf 100644 --- a/src/base/.devcontainer/Mk/check.mk +++ b/src/base/.devcontainer/Mk/check.mk @@ -16,8 +16,12 @@ shellcheck: fi cfn-lint: - cfn-lint -I "cloudformation/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }' - cfn-lint -I "SAMtemplates/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }' + @if find cloudformation -type f \( -name "*.yaml" -o -name "*.yml" \) 2>/dev/null | grep -q .; then \ + cfn-lint -I "cloudformation/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print; found=1 } END { exit found }'; \ + fi + @if find SAMtemplates -type f \( -name "*.yaml" -o -name "*.yml" \) 2>/dev/null | grep -q .; then \ + cfn-lint -I "SAMtemplates/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print; found=1 } END { exit found }'; \ + fi cdk-synth: echo "Not implemented" diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index 2352747..386f398 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh @@ -27,7 +27,7 @@ apt-get -y install --no-install-recommends htop vim curl git build-essential \ libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev libbz2-dev \ zlib1g-dev unixodbc unixodbc-dev libsecret-1-0 libsecret-1-dev libsqlite3-dev \ jq apt-transport-https ca-certificates gnupg-agent \ - software-properties-common bash-completion make \ + software-properties-common bash-completion make parallel \ libreadline-dev wget llvm libncurses5-dev libncursesw5-dev \ xz-utils tk-dev liblzma-dev netcat-traditional libyaml-dev uuid-runtime xxd unzip diff --git a/src/base_node/node_24/.devcontainer/.tool-versions b/src/base_node/node_24/.devcontainer/.tool-versions new file mode 100644 index 0000000..1b05724 --- /dev/null +++ b/src/base_node/node_24/.devcontainer/.tool-versions @@ -0,0 +1 @@ +nodejs 24.13.0 diff --git a/src/languages/python_3_10/.devcontainer/devcontainer.json b/src/base_node/node_24/.devcontainer/devcontainer.json similarity index 92% rename from src/languages/python_3_10/.devcontainer/devcontainer.json rename to src/base_node/node_24/.devcontainer/devcontainer.json index f593cf2..90d861a 100644 --- a/src/languages/python_3_10/.devcontainer/devcontainer.json +++ b/src/base_node/node_24/.devcontainer/devcontainer.json @@ -1,7 +1,7 @@ // For format details, see https://aka.ms/devcontainer.json. For config options, see the // README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu { - "name": "EPS Devcontainer node_24 python_3.10", + "name": "EPS Devcontainer node_24", // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile "build": { "dockerfile": "../../../common/Dockerfile", diff --git a/src/languages/python_3_10/.devcontainer/scripts/root_install.sh b/src/base_node/node_24/.devcontainer/scripts/root_install.sh similarity index 100% rename from src/languages/python_3_10/.devcontainer/scripts/root_install.sh rename to src/base_node/node_24/.devcontainer/scripts/root_install.sh diff --git a/src/base_node/node_24/.devcontainer/scripts/vscode_install.sh b/src/base_node/node_24/.devcontainer/scripts/vscode_install.sh new file mode 100755 index 0000000..ea370f1 --- /dev/null +++ b/src/base_node/node_24/.devcontainer/scripts/vscode_install.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +set -e + +asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git +asdf install diff --git a/src/base_node/node_24/trivy.yaml b/src/base_node/node_24/trivy.yaml new file mode 100644 index 0000000..20e8f24 --- /dev/null +++ b/src/base_node/node_24/trivy.yaml @@ -0,0 +1 @@ +ignorefile: "src/base_node/node_24/.trivyignore_combined.yaml" diff --git a/src/common_node_24/.trivyignore.yaml b/src/common_node_24/.trivyignore.yaml new file mode 100644 index 0000000..46d9b0c --- /dev/null +++ b/src/common_node_24/.trivyignore.yaml @@ -0,0 +1,37 @@ +vulnerabilities: + - id: CVE-2026-25547 + statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion" + purls: + - "pkg:npm/%40isaacs/brace-expansion@5.0.0" + expired_at: 2026-08-12 + - id: CVE-2025-64756 + statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@10.4.5" + - "pkg:npm/glob@11.0.3" + expired_at: 2026-08-12 + - id: CVE-2026-23745 + statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-12 + - id: CVE-2026-23950 + statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-12 + - id: CVE-2026-24842 + statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-12 + - id: CVE-2026-26960 + statement: "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-18 + - id: CVE-2026-26960 + statement: "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-18 diff --git a/src/common_node_24/Dockerfile b/src/common_node_24/Dockerfile new file mode 100644 index 0000000..9227065 --- /dev/null +++ b/src/common_node_24/Dockerfile @@ -0,0 +1,44 @@ +ARG BASE_VERSION_TAG=latest +ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/node_24:${BASE_VERSION_TAG} + +FROM ${BASE_IMAGE} + +ARG BASE_VERSION_TAG=latest +ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/node_24:${BASE_VERSION_TAG} +ARG SCRIPTS_DIR=/usr/local/share/eps +ARG CONTAINER_NAME +ARG MULTI_ARCH_TAG +ARG BASE_VERSION_TAG +ARG IMAGE_TAG +ARG TARGETARCH + +ENV SCRIPTS_DIR=${SCRIPTS_DIR} +ENV TARGETARCH=${TARGETARCH} + +USER root +COPY --chmod=755 scripts/root_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/root_install.sh +WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} +RUN ./root_install.sh + +COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh +USER vscode + +WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} +COPY .tool-versions /tmp/.tool-versions +RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions + +RUN ./vscode_install.sh + +# Switch back to root to install the devcontainer CLI globally +USER root + +ENV CONTAINER_NAME=${CONTAINER_NAME} +ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG} +ENV BASE_VERSION_TAG=${BASE_VERSION_TAG} +ENV IMAGE_TAG=${IMAGE_TAG} +ENV BASE_IMAGE=${BASE_IMAGE} + +LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}" +LABEL org.opencontainers.image.version=${IMAGE_TAG} +LABEL org.opencontainers.image.base.name=${BASE_IMAGE} +LABEL org.opencontainers.image.containerName=${CONTAINER_NAME} diff --git a/src/languages/python_3_10/.devcontainer/.tool-versions b/src/languages/node_24_python_3_10/.devcontainer/.tool-versions similarity index 100% rename from src/languages/python_3_10/.devcontainer/.tool-versions rename to src/languages/node_24_python_3_10/.devcontainer/.tool-versions diff --git a/src/languages/node_24_python_3_10/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_10/.devcontainer/devcontainer.json new file mode 100644 index 0000000..a810718 --- /dev/null +++ b/src/languages/node_24_python_3_10/.devcontainer/devcontainer.json @@ -0,0 +1,18 @@ +// For format details, see https://aka.ms/devcontainer.json. For config options, see the +// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu +{ + "name": "EPS Devcontainer node_24 python_3.10", + // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile + "build": { + "dockerfile": "../../../common_node_24/Dockerfile", + "args": { + "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", + "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}", + "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}", + "IMAGE_TAG": "${localEnv:IMAGE_TAG}" + }, + "context": "." + }, + "features": {} + } + diff --git a/src/languages/node_24_python_3_10/.devcontainer/scripts/root_install.sh b/src/languages/node_24_python_3_10/.devcontainer/scripts/root_install.sh new file mode 100755 index 0000000..52fa2b1 --- /dev/null +++ b/src/languages/node_24_python_3_10/.devcontainer/scripts/root_install.sh @@ -0,0 +1,7 @@ +#!/usr/bin/env bash +set -e +export DEBIAN_FRONTEND=noninteractive + +# clean up +apt-get clean +rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* diff --git a/src/languages/python_3_10/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh similarity index 100% rename from src/languages/python_3_10/.devcontainer/scripts/vscode_install.sh rename to src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh diff --git a/src/languages/python_3_10/.trivyignore.yaml b/src/languages/node_24_python_3_10/.trivyignore.yaml similarity index 100% rename from src/languages/python_3_10/.trivyignore.yaml rename to src/languages/node_24_python_3_10/.trivyignore.yaml diff --git a/src/languages/node_24_python_3_10/trivy.yaml b/src/languages/node_24_python_3_10/trivy.yaml new file mode 100644 index 0000000..549851b --- /dev/null +++ b/src/languages/node_24_python_3_10/trivy.yaml @@ -0,0 +1 @@ +ignorefile: "src/languages/node_24_python_3_10/.trivyignore_combined.yaml" diff --git a/src/languages/node_24_python_3_12/.devcontainer/.tool-versions b/src/languages/node_24_python_3_12/.devcontainer/.tool-versions index a27ded2..9dedcf5 100644 --- a/src/languages/node_24_python_3_12/.devcontainer/.tool-versions +++ b/src/languages/node_24_python_3_12/.devcontainer/.tool-versions @@ -1,3 +1,2 @@ -nodejs 24.13.0 python 3.12.12 poetry 2.3.2 diff --git a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json index 100a86b..0ac0328 100644 --- a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json @@ -4,7 +4,7 @@ "name": "EPS Devcontainer node_24 python_3.13", // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile "build": { - "dockerfile": "../../../common/Dockerfile", + "dockerfile": "../../../common_node_24/Dockerfile", "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}", diff --git a/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh index 7b9883b..2ef142b 100755 --- a/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh +++ b/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh @@ -3,7 +3,6 @@ set -e asdf plugin add python asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git -asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git asdf install python asdf install diff --git a/src/languages/node_24_python_3_12/.trivyignore.yaml b/src/languages/node_24_python_3_12/.trivyignore.yaml index a8010cf..8697da6 100644 --- a/src/languages/node_24_python_3_12/.trivyignore.yaml +++ b/src/languages/node_24_python_3_12/.trivyignore.yaml @@ -1,27 +1 @@ vulnerabilities: - - id: CVE-2026-25547 - statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion" - purls: - - "pkg:npm/%40isaacs/brace-expansion@5.0.0" - expired_at: 2026-08-12 - - id: CVE-2025-64756 - statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames" - purls: - - "pkg:npm/glob@10.4.5" - - "pkg:npm/glob@11.0.3" - expired_at: 2026-08-12 - - id: CVE-2026-23745 - statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-08-12 - - id: CVE-2026-23950 - statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-08-12 - - id: CVE-2026-24842 - statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-08-12 diff --git a/src/languages/node_24_python_3_13/.devcontainer/.tool-versions b/src/languages/node_24_python_3_13/.devcontainer/.tool-versions index 19c9a1a..85e2d7a 100644 --- a/src/languages/node_24_python_3_13/.devcontainer/.tool-versions +++ b/src/languages/node_24_python_3_13/.devcontainer/.tool-versions @@ -1,3 +1,2 @@ -nodejs 24.13.0 python 3.13.12 poetry 2.3.2 diff --git a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json index 100a86b..0ac0328 100644 --- a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json @@ -4,7 +4,7 @@ "name": "EPS Devcontainer node_24 python_3.13", // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile "build": { - "dockerfile": "../../../common/Dockerfile", + "dockerfile": "../../../common_node_24/Dockerfile", "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}", diff --git a/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh index 7b9883b..2ef142b 100755 --- a/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh +++ b/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh @@ -3,7 +3,6 @@ set -e asdf plugin add python asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git -asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git asdf install python asdf install diff --git a/src/languages/node_24_python_3_13/.trivyignore.yaml b/src/languages/node_24_python_3_13/.trivyignore.yaml index a8010cf..8697da6 100644 --- a/src/languages/node_24_python_3_13/.trivyignore.yaml +++ b/src/languages/node_24_python_3_13/.trivyignore.yaml @@ -1,27 +1 @@ vulnerabilities: - - id: CVE-2026-25547 - statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion" - purls: - - "pkg:npm/%40isaacs/brace-expansion@5.0.0" - expired_at: 2026-08-12 - - id: CVE-2025-64756 - statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames" - purls: - - "pkg:npm/glob@10.4.5" - - "pkg:npm/glob@11.0.3" - expired_at: 2026-08-12 - - id: CVE-2026-23745 - statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-08-12 - - id: CVE-2026-23950 - statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-08-12 - - id: CVE-2026-24842 - statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-08-12 diff --git a/src/languages/node_24_python_3_14/.devcontainer/.tool-versions b/src/languages/node_24_python_3_14/.devcontainer/.tool-versions index ed99ea2..65e66b7 100644 --- a/src/languages/node_24_python_3_14/.devcontainer/.tool-versions +++ b/src/languages/node_24_python_3_14/.devcontainer/.tool-versions @@ -1,3 +1,2 @@ -nodejs 24.13.0 python 3.14.3 poetry 2.3.2 diff --git a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json index 19adae8..8580944 100644 --- a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json @@ -4,7 +4,7 @@ "name": "EPS Devcontainer node_24 python_3.14", // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile "build": { - "dockerfile": "../../../common/Dockerfile", + "dockerfile": "../../../common_node_24/Dockerfile", "args": { "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}", "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}", diff --git a/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh index 7b9883b..2ef142b 100755 --- a/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh +++ b/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh @@ -3,7 +3,6 @@ set -e asdf plugin add python asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git -asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git asdf install python asdf install diff --git a/src/languages/node_24_python_3_14/.trivyignore.yaml b/src/languages/node_24_python_3_14/.trivyignore.yaml index 57d92bd..8799951 100644 --- a/src/languages/node_24_python_3_14/.trivyignore.yaml +++ b/src/languages/node_24_python_3_14/.trivyignore.yaml @@ -1,14 +1,4 @@ vulnerabilities: - - id: CVE-2026-25547 - statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion" - purls: - - "pkg:npm/%40isaacs/brace-expansion@5.0.0" - expired_at: 2026-08-12 - - id: CVE-2026-24842 - statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@7.5.4" - expired_at: 2026-08-12 - id: CVE-2026-23949 statement: "jaraco.context: jaraco.context: Path traversal via malicious tar archives" purls: @@ -19,24 +9,3 @@ vulnerabilities: purls: - "pkg:pypi/wheel@0.45.1" expired_at: 2026-08-12 - - id: CVE-2025-64756 - statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames" - purls: - - "pkg:npm/glob@10.4.5" - - "pkg:npm/glob@11.0.3" - expired_at: 2026-08-13 - - id: CVE-2026-23745 - statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-08-13 - - id: CVE-2026-23950 - statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-08-13 - - id: CVE-2026-24842 - statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-08-13 diff --git a/src/languages/python_3_10/trivy.yaml b/src/languages/python_3_10/trivy.yaml deleted file mode 100644 index fe0d67f..0000000 --- a/src/languages/python_3_10/trivy.yaml +++ /dev/null @@ -1 +0,0 @@ -ignorefile: "src/languages/python_3_10/.trivyignore_combined.yaml"