
[17644] Update Production Backend Docker Image.

Open wcutshall opened this issue 8 months ago • 5 comments

This PR is a first-step attempt at removing vulnerabilities from the ReportStream Docker image. The specific goals for this PR are to:

  1. Put environment variables of the Dockerfile inside of curly braces as a best practice.
  2. Make changes to run the application as a non-root user.
  3. Add the --no-cache flag to the docker build command in actions/build-backend/action.yml.
  4. Use Microsoft's nightly builds to address the Debian-related vulnerabilities.

Test Steps:

  1. Install trivy (brew install trivy) on your local machine.
  2. Checkout the main branch of ReportStream.
  3. Run docker build . --file Dockerfile --tag cdcgov/reportstream:latest --no-cache in the prime-router directory.
  4. Run trivy image --severity HIGH,CRITICAL --ignore-unfixed cdcgov/reportstream:latest
  5. Note the Debian-related vulnerabilities in the output.
  6. Checkout this branch.
  7. Repeat steps 3 through 5.

Changes

Checklist

Testing

  • [x] Tested locally?

Process

  • [x] Includes a summary of what a code reviewer should test/verify?
  • [x] DevOps team has been notified if PR requires ops support?

Linked Issues

N/A

To Be Done

  • Create an additional user story to address runtime jar vulnerabilities in build.gradle.kts.

Specific Security-related subjects a reviewer should pay specific attention to

N/A

wcutshall avatar Apr 02 '25 20:04 wcutshall
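The test steps above ask the reviewer to eyeball the Debian findings in two Trivy runs. The script below is an added example (not code from the ReportStream repository) that automates that comparison: it runs trivy with --format json against a "before" tag and an "after" tag, keeps only HIGH/CRITICAL findings that have a fix (the same filter as --severity HIGH,CRITICAL --ignore-unfixed), and reports what was fixed, what was newly introduced, and what remains per target type (e.g. debian packages versus jar files). The two embedded sample reports are constructed, with placeholder CVE IDs, so the comparison logic can run offline; the image tags in the usage comment are hypothetical.

```python
"""Diff Trivy findings between two image builds (e.g. main vs. this branch).

Added example for this PR's test steps; not part of the ReportStream project.
Assumes docker and trivy are installed for live scans; sample data is constructed.
"""
import json
import subprocess
from collections import Counter

SEVERITIES = ("HIGH", "CRITICAL")


def scan_image(tag: str) -> dict:
    """Run trivy on a built image and return its JSON report (needs trivy + docker)."""
    proc = subprocess.run(
        ["trivy", "image", "--format", "json", "--severity", ",".join(SEVERITIES),
         "--ignore-unfixed", tag],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


def findings(report: dict) -> set:
    """Flatten a Trivy JSON report into (target_type, package, vuln_id) tuples.

    Only HIGH/CRITICAL findings with a FixedVersion are kept, mirroring
    `trivy image --severity HIGH,CRITICAL --ignore-unfixed`.
    """
    found = set()
    for result in report.get("Results", []):
        target_type = result.get("Type", "")          # "debian", "jar", ...
        for vuln in result.get("Vulnerabilities") or []:  # Trivy emits null when empty
            if vuln.get("Severity") not in SEVERITIES or not vuln.get("FixedVersion"):
                continue
            found.add((target_type, vuln["PkgName"], vuln["VulnerabilityID"]))
    return found


def compare(before: dict, after: dict) -> dict:
    """Summarise what changed between the two reports."""
    b, a = findings(before), findings(after)
    return {
        "fixed": sorted(b - a),
        "introduced": sorted(a - b),
        "remaining_by_type": dict(Counter(t for t, _, _ in a)),
    }


# Constructed sample reports (placeholder CVE IDs, not real advisories).
SAMPLE_BEFORE = {"Results": [
    {"Target": "image (debian 12)", "Type": "debian", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
         "Severity": "HIGH", "FixedVersion": "3.0.x-1"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib1g",
         "Severity": "CRITICAL", "FixedVersion": "1.2.x-1"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "bash",
         "Severity": "HIGH", "FixedVersion": ""},          # unfixed: ignored
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "tar",
         "Severity": "LOW", "FixedVersion": "1.3x-1"},     # below threshold
    ]},
    {"Target": "app/lib/some-runtime.jar", "Type": "jar", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0005", "PkgName": "com.example:runtime",
         "Severity": "HIGH", "FixedVersion": "2.0.0"},
    ]},
]}

# After switching the base image the Debian findings are gone; the jar remains.
SAMPLE_AFTER = {"Results": [
    {"Target": "image (debian 12)", "Type": "debian", "Vulnerabilities": None},
    {"Target": "app/lib/some-runtime.jar", "Type": "jar", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0005", "PkgName": "com.example:runtime",
         "Severity": "HIGH", "FixedVersion": "2.0.0"},
    ]},
]}


if __name__ == "__main__":
    import sys
    # Usage: python trivy_diff.py <before-tag> <after-tag>
    # e.g.   python trivy_diff.py cdcgov/reportstream:main cdcgov/reportstream:pr
    # (tags are hypothetical). With no arguments the constructed samples are used.
    if len(sys.argv) == 3:
        result = compare(scan_image(sys.argv[1]), scan_image(sys.argv[2]))
    else:
        result = compare(SAMPLE_BEFORE, SAMPLE_AFTER)
    print(json.dumps(result, indent=2))
```

Run step 3 twice (once on main, once on this branch, tagging each build differently) and pass both tags to the script; a non-empty "introduced" list is the signal a reviewer should block on, while the "remaining_by_type" count for jar targets corresponds to the build.gradle.kts follow-up noted under To Be Done.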

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package | Version | Score | Details

Scanned Manifest Files

github-actions[bot] avatar Apr 02 '25 20:04 github-actions[bot]

Test Results

1 323 tests ±0 | 1 318 passed ±0 | 5 skipped ±0 | 0 failed ±0 | 172 suites ±0 | 172 files ±0 | 7m 46s +11s

Results for commit de2b96d1. ± Comparison against base commit 38b145c2.

:recycle: This comment has been updated with latest results.

github-actions[bot] avatar Apr 02 '25 20:04 github-actions[bot]

Integration Test Results

60 files ±0 | 60 suites ±0 | 38m 7s +26s | 428 tests ±0 (418 passed ±0, 10 skipped ±0, 0 failed ±0) | 431 runs ±0 (421 passed ±0, 10 skipped ±0, 0 failed ±0)

Results for commit de2b96d1. ± Comparison against base commit 38b145c2.

:recycle: This comment has been updated with latest results.

github-actions[bot] avatar Apr 02 '25 21:04 github-actions[bot]

:tada: Snyk checks have passed. No issues have been found so far.

:white_check_mark: security/snyk check is complete. No issues have been found. (View Details)

scott-aquia avatar May 01 '25 15:05 scott-aquia