From 316672f8905a424303108286a952c0de333383c8 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Wed, 7 Jan 2026 11:22:28 +0000
Subject: [PATCH 01/94] setup github action
---
 .github/dependabot.yml | 46 +++++++++++++++
 .github/pull_request_template.md | 59 +++++++++++++++++++
 .github/workflows/pull_request.yml | 92 ++++++++++++++++++++++++++++++
 Makefile | 8 +++
 4 files changed, 205 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/pull_request_template.md
 create mode 100644 .github/workflows/pull_request.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..4a87436
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,46 @@
+#########################################################################
+# Dependabot configuration file
+#########################################################################
+
+version: 2
+
+updates:
+ - package-ecosystem: "github-actions"
+ # Workflow files stored in the
+ # default location of `.github/workflows`
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "friday"
+ time: "18:00" # UTC
+ open-pull-requests-limit: 20
+ commit-message:
+ prefix: "Upgrade: [dependabot] - "
+
+ ###################################
+ # NPM workspace ##################
+ ###################################
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "friday"
+ time: "18:00"
+ open-pull-requests-limit: 20
+ versioning-strategy: increase
+ commit-message:
+ prefix: "Upgrade: [dependabot] - "
+
+ ###################################
+ # Poetry #########################
+ ###################################
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "friday"
+ time: "18:00"
+ open-pull-requests-limit: 20
+ versioning-strategy: increase
+ commit-message:
+ prefix: "Upgrade: [dependabot] - "
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..203df63
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,59 @@ +## Summary + +**Remove items from this list if they are not relevant. Remove this line once this has been done** + +- Routine Change +- :exclamation: Breaking Change +- :robot: Operational or Infrastructure Change +- :sparkles: New Feature +- :warning: Potential issues that might be caused by this change + +### Details + +Add any summary information of what is in the change. **Remove this line if you have nothing to add.** + +## Pull Request Naming + +Pull requests should be named using the following format: + +```text +Tag: [AEA-NNNN] - Short description +``` + +Tag can be one of: + +- `Fix` - for a bug fix. (Patch release) +- `Update` - either for a backwards-compatible enhancement or for a rule change that adds reported problems. (Patch release) +- `New` - implemented a new feature. (Minor release) +- `Breaking` - for a backwards-incompatible enhancement or feature. (Major release) +- `Docs` - changes to documentation only. (Patch release) +- `Build` - changes to build process only. (No release) +- `Upgrade` - for a dependency upgrade. (Patch release) +- `Chore` - for refactoring, adding tests, etc. (anything that isn't user-facing). (Patch release) + +If the current release is x.y.z then +- a patch release increases z by 1 +- a minor release increases y by 1 +- a major release increases x by 1 + +Correct tagging is necessary for our automated versioning and release process. + +The description of your pull request will be used as the commit message for the merge, and also be included in the changelog. Please ensure that your title is sufficiently descriptive. 
+ +### Rerunning Checks + +If you need to rename your pull request, you can restart the checks by either: + +- Closing and reopening the pull request +- pushing an empty commit + ```bash + git commit --allow-empty -m 'trigger build' + git push + ``` +- Amend your last commit and force push to the branch + ```bash + git commit --amend --no-edit + git push --force + ``` + +Rerunning the checks from within the pull request will not use the updated title. diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml new file mode 100644 index 0000000..398dee2 --- /dev/null +++ b/.github/workflows/pull_request.yml 
@@ -0,0 +1,92 @@ +name: deploy_pr + +on: + pull_request: + branches: [master] + +env: + BRANCH_NAME: ${{ github.event.pull_request.head.ref }} + +jobs: + dependabot-auto-approve-and-merge: + needs: quality_checks + uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432 + secrets: + AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }} + AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }} + + get_asdf_version: + runs-on: ubuntu-22.04 + outputs: + asdf_version: ${{ steps.asdf-version.outputs.version }} + tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }} + steps: + - name: Checkout code + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + + - name: Get asdf version + id: asdf-version + run: echo "version=$(awk '!/^#/ && NF {print $1; exit}' .tool-versions.asdf)" >> "$GITHUB_OUTPUT" + - name: Load config value + id: load-config + run: | + TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) + echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" + + quality_checks: + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@trivy + needs: [get_asdf_version] + with: + asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} + secrets: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + + pr_title_format_check: + uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432 + + get_issue_number: + runs-on: ubuntu-22.04 + needs: quality_checks + outputs: + issue_number: ${{ steps.get_issue_number.outputs.result }} + version: ${{ steps.get_issue_number.outputs.version_number }} + + steps: + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd + name: get issue number + id: get_issue_number + with: + script: | + if (context.issue.number) { + // Return issue number if present + return context.issue.number; + } else { + // Otherwise return issue number from commit + return ( + await 
github.rest.repos.listPullRequestsAssociatedWithCommit({ + commit_sha: context.sha, + owner: context.repo.owner, + repo: context.repo.repo, + }) + ).data[0].number; + } + result-encoding: string + + get_commit_id: + runs-on: ubuntu-22.04 + outputs: + commit_id: ${{ steps.commit_id.outputs.commit_id }} + sha_short: ${{ steps.commit_id.outputs.sha_short }} + + steps: + - name: Checkout code + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + with: + ref: ${{ env.BRANCH_NAME }} + + - name: Get Commit ID + id: commit_id + run: | + # echo "commit_id=${{ github.sha }}" >> "$GITHUB_ENV" + echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT" + echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" diff --git a/Makefile b/Makefile index 0fc362a..e2a7d48 100644 --- a/Makefile +++ b/Makefile @@ -31,3 +31,11 @@ scan-base-image: --ignorefile .trivyignore.yaml \ --exit-code 1 \ --format table ${IMAGE_NAME} + +lint: lint-githubactions + +test: + echo "Not implemented" + +lint-githubactions: + actionlint From ffbe7b95761a9865dcc0b6f818954fe6e6343c5f Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 11:24:12 +0000 Subject: [PATCH 02/94] fix pull_request action --- .github/workflows/pull_request.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 398dee2..4bc5cb0 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -1,8 +1,8 @@ -name: deploy_pr +name: pull_request on: pull_request: - branches: [master] + branches: [main] env: BRANCH_NAME: ${{ github.event.pull_request.head.ref }} From 6e8825f36a339240f0965f00c591bdf45040dd60 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 11:25:21 +0000 Subject: [PATCH 03/94] set tagformat --- .github/config/settings.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 .github/config/settings.yml 
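Review bot: `quality_checks` pulls the reusable workflow at `@trivy`, a mutable branch ref, while the two other `uses:` lines in this hunk pin a commit SHA, so whatever lands on that branch later silently changes what this PR gate runs; pin it the same way, `uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@<commit-sha>`. `get_commit_id` checks out `env.BRANCH_NAME` (the PR head branch) but emits `commit_id` from `github.sha`, which on `pull_request` events is the merge ref, while `sha_short` comes from the checked-out HEAD, so the two outputs can name different commits; if the head commit is meant, `github.event.pull_request.head.sha` works for both. Checking out by branch name also does not work for pull requests from forks, where that ref does not exist in the base repository, and the same SHA expression avoids that. In `get_issue_number`, `.data[0].number` throws when the lookup returns no pull requests; presumably unreachable under the `pull_request` trigger, but a guard would make reuse safer.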
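Review bot: The new `test` target echoes "Not implemented" and exits 0, so anything that runs `make test` as a gate passes vacuously; if it is a placeholder, make it fail until real tests exist, e.g. `test:` / `@echo "Not implemented"; exit 1`, or leave the target out so the missing target is the signal. The hunk shows no `.PHONY` declaration for `lint`, `test` and `lint-githubactions`; if none exists above (outside this hunk), add `.PHONY: lint test lint-githubactions` so a file named `test` in the repo root cannot make the target a no-op.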
diff --git a/.github/config/settings.yml b/.github/config/settings.yml
new file mode 100644
index 0000000..05dbcda
--- /dev/null
+++ b/.github/config/settings.yml
@@ -0,0 +1 @@
+TAG_FORMAT: "v${version}"
From fe133a56ba9373d7675190280a48d65aa2ac7c51 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Wed, 7 Jan 2026 12:07:33 +0000
Subject: [PATCH 04/94] build the image
---
 .gitallowed | 1 +
 .github/workflows/build_multi_arch_image.yml | 35 ++++++++++++++++++++
 .github/workflows/pull_request.yml | 5 +++
 3 files changed, 41 insertions(+)
 create mode 100644 .gitallowed
 create mode 100644 .github/workflows/build_multi_arch_image.yml
diff --git a/.gitallowed b/.gitallowed
new file mode 100644
index 0000000..76bb1a8
--- /dev/null
+++ b/.gitallowed
@@ -0,0 +1 @@
+id-token: write
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
new file mode 100644
index 0000000..324c874
--- /dev/null
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -0,0 +1,35 @@
+name: Build and push docker image
+
+on:
+ workflow_call:
+
+jobs:
+ build_image:
+ permissions:
+ id-token: write
+ runs-on: ${{ matrix.runner }}
+ strategy:
+ matrix:
+ include:
+ - arch: amd64
+ runner: ubuntu-22.04
+ - arch: arm64
+ runner: ubuntu-22.04-arm
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v5
+ with:
+ fetch-depth: 0
+
+ - name: Build container
+ run: |
+ make build-base-image
+ docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest ghcr.io/nhsdigital/eps-devcontainer-base:latest-${{ matrix.arch }}
+ docker save "ghcr.io/nhsdigital/eps-devcontainer-base:latest-${{ matrix.arch }}" -o eps-devcontainer-base-latest-${{ matrix.arch }}.img
+
+ - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
+ name: Upload docker images
+ with:
+ name: eps-devcontainer-base-latest-${{ matrix.arch }}.img
+ path: |
+ eps-devcontainer-base-latest-${{ matrix.arch }}.img
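Review bot: `build_image` requests `permissions: id-token: write` but no step in the job uses an OIDC token (a checkout, a make build and an artifact upload), so the grant is broader than needed; drop it until a step actually federates, or add a comment naming which one will. If it stays, the caller matters too: the `package_docker_image` job added to `pull_request.yml` in this same commit passes no `permissions:` block, and a called workflow cannot receive more than the caller job grants, so with a restricted repository default the called job would not get the token either. `actions/checkout@v5` is the only action here on a mutable tag while the upload step is pinned to a commit SHA; pinning it the same way keeps the build reproducible.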
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 4bc5cb0..ed66650 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -90,3 +90,8 @@ jobs:
 # echo "commit_id=${{ github.sha }}" >> "$GITHUB_ENV"
 echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
 echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
+
+
+ package_docker_image:
+ needs: [get_issue_number, quality_checks, get_commit_id]
+ uses: ./.github/workflows/build_multi_arch_image.yml
From 16938f80350f072f7babc2dfd73ee8a89e9feffb Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Wed, 7 Jan 2026 12:10:27 +0000
Subject: [PATCH 05/94] use github token
---
 .github/workflows/build_multi_arch_image.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index 324c874..4d7f212 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -26,7 +26,8 @@ jobs:
 make build-base-image
 docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest ghcr.io/nhsdigital/eps-devcontainer-base:latest-${{ matrix.arch }}
 docker save "ghcr.io/nhsdigital/eps-devcontainer-base:latest-${{ matrix.arch }}" -o eps-devcontainer-base-latest-${{ matrix.arch }}.img
-
+ env:
+ GH_TOKEN: ${{ github.token }}
 - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 name: Upload docker images
 with:
From c14ba96117462de3f9691996a513298d4c03eb68 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Wed, 7 Jan 2026 12:18:08 +0000
Subject: [PATCH 06/94] correct script
---
 scripts/generate_language_version_files.sh | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/scripts/generate_language_version_files.sh b/scripts/generate_language_version_files.sh
index b10626f..1e523ae 100755
--- a/scripts/generate_language_version_files.sh
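Review bot: `GH_TOKEN: ${{ github.token }}` is exported to the whole `Build container` step, which covers `make build-base-image`, the `devcontainer build` it runs and every script inside that build, while nothing in the hunk shows which command actually needs it. If a single tool needs it (for example authenticating to ghcr during the build), either pass it to that command alone or add a comment naming the consumer, e.g. `# GH_TOKEN: needed by <tool> to <purpose>`, so the next reader can tell whether the token is still required.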
+++ b/scripts/generate_language_version_files.sh @@ -1,5 +1,9 @@ #!/usr/bin/env bash +# Get the current directory of the script +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +LANGUAGE_VERSIONS_DIR="${SCRIPT_DIR}/../src/base/.devcontainer/language_versions" + # Define repositories to fetch .tool-versions from REPOS=( "NHSDigital/electronic-prescription-service-clinical-prescription-tracker" @@ -30,12 +34,13 @@ REPOS=( # Define output files -NODEJS_FILE="/workspaces/eps-devcontainers/src/base/.devcontainer/language_versions/nodejs-versions.txt" -PYTHON_FILE="/workspaces/eps-devcontainers/src/base/.devcontainer/language_versions/python-versions.txt" -JAVA_FILE="/workspaces/eps-devcontainers/src/base/.devcontainer/language_versions/java-versions.txt" -TERRAFORM_FILE="/workspaces/eps-devcontainers/src/base/.devcontainer/language_versions/terraform-versions.txt" -GOLANG_FILE="/workspaces/eps-devcontainers/src/base/.devcontainer/language_versions/golang-versions.txt" -ALL_LANGUAGES_FILE="/workspaces/eps-devcontainers/src/base/.devcontainer/language_versions/language-versions.txt" +mkdir -p "${LANGUAGE_VERSIONS_DIR}" +NODEJS_FILE="${LANGUAGE_VERSIONS_DIR}/nodejs-versions.txt" +PYTHON_FILE="${LANGUAGE_VERSIONS_DIR}/python-versions.txt" +JAVA_FILE="${LANGUAGE_VERSIONS_DIR}/java-versions.txt" +TERRAFORM_FILE="${LANGUAGE_VERSIONS_DIR}/terraform-versions.txt" +GOLANG_FILE="${LANGUAGE_VERSIONS_DIR}/golang-versions.txt" +ALL_LANGUAGES_FILE="${LANGUAGE_VERSIONS_DIR}/language-versions.txt" # Clear existing files true > "$NODEJS_FILE" true > "$PYTHON_FILE" From 94adbe2234074b4553bcd4150897e7868876bd39 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 12:27:21 +0000 Subject: [PATCH 07/94] run make install --- .github/workflows/build_multi_arch_image.yml | 45 ++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 4d7f212..8af914e 100644 
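Review bot: The first lines of the script, visible in this hunk, set no shell options, so a failed `cd` inside the `SCRIPT_DIR` expansion or a failed `mkdir -p "${LANGUAGE_VERSIONS_DIR}"` would not stop the script and the `true > "$NODEJS_FILE"` writes that follow would run against an unexpected path. Add `set -euo pipefail` directly under the shebang. The `mkdir -p` line now sits between the `# Define output files` comment and the assignments that comment describes; placing it right after `LANGUAGE_VERSIONS_DIR` is assigned, under its own one-line comment, keeps the comment attached to what it documents. The rest of the script, including the loop that fills these files, continues outside the hunk.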
--- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -4,10 +4,29 @@ on: workflow_call: jobs: + get_asdf_version: + runs-on: ubuntu-22.04 + outputs: + asdf_version: ${{ steps.asdf-version.outputs.version }} + tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }} + steps: + - name: Checkout code + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + + - name: Get asdf version + id: asdf-version + run: echo "version=$(awk '!/^#/ && NF {print $1; exit}' .tool-versions.asdf)" >> "$GITHUB_OUTPUT" + - name: Load config value + id: load-config + run: | + TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) + echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" + build_image: permissions: id-token: write runs-on: ${{ matrix.runner }} + needs: [get_asdf_version] strategy: matrix: include: @@ -21,6 +40,32 @@ jobs: with: fetch-depth: 0 + # using git commit sha for version of action to ensure we have stable version + - name: Install asdf + uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 + with: + asdf_version: ${{ needs.get_asdf_version.outputs.asdf_version }} + + - name: Cache asdf + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb + with: + path: | + ~/.asdf + key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} + restore-keys: | + ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} + + - name: Install asdf dependencies in .tool-versions + uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47 + with: + asdf_version: ${{ needs.get_asdf_version.outputs.asdf_version }} + env: + PYTHON_CONFIGURE_OPTS: --enable-shared + + - name: make install + run: | + make install + - name: Build container run: | make build-base-image From d0868cef22a68e684fcc785cab3787eafa0e4626 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 12:32:14 +0000 Subject: [PATCH 08/94] fix build --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
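Review bot: In the `Cache asdf` step, `restore-keys` is identical to `key`, so it adds no fallback: a restore key is meant to be a prefix that matches an older cache when the exact key misses, e.g. `restore-keys: |` followed by `${{ runner.os }}-asdf-`. The `get_asdf_version` job copied into this reusable workflow also exposes a `tag_format` output that nothing here reads; if it is not needed for the image build, drop the `Load config value` step and that output to keep the callable workflow minimal.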
diff --git a/Makefile b/Makefile index e2a7d48..bee24e6 100644 --- a/Makefile +++ b/Makefile @@ -17,7 +17,7 @@ install-hooks: install-python install-hooks: build-base-image: generate-language-version-files CONTAINER_NAME=$(CONTAINER_NAME) \ - devcontainer build \ + npx devcontainer build \ --workspace-folder ./src/base/ \ --push false \ --image-name "${IMAGE_NAME}" From 57e5cd9decc50827f25f713a23bdd93bc0b9593b Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 12:40:20 +0000 Subject: [PATCH 09/94] use setup-node rather than asdf --- .github/workflows/build_multi_arch_image.yml | 45 +++----------------- 1 file changed, 5 insertions(+), 40 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 8af914e..8a6e635 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -4,29 +4,11 @@ on: workflow_call: jobs: - get_asdf_version: - runs-on: ubuntu-22.04 - outputs: - asdf_version: ${{ steps.asdf-version.outputs.version }} - tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }} - steps: - - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 - - - name: Get asdf version - id: asdf-version - run: echo "version=$(awk '!/^#/ && NF {print $1; exit}' .tool-versions.asdf)" >> "$GITHUB_OUTPUT" - - name: Load config value - id: load-config - run: | - TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) - echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" build_image: permissions: id-token: write runs-on: ${{ matrix.runner }} - needs: [get_asdf_version] strategy: matrix: include: 
@@ -36,32 +18,15 @@ jobs: runner: ubuntu-22.04-arm steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 with: fetch-depth: 0 - # using git commit sha for version of action to ensure we have stable version - - name: Install asdf - uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 + # use setup-node rather than asdf so that it works multi-arch + - name: setup node + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f with: - asdf_version: ${{ needs.get_asdf_version.outputs.asdf_version }} - - - name: Cache asdf - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb - with: - path: | - ~/.asdf - key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} - restore-keys: | - ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} - - - name: Install asdf dependencies in .tool-versions - uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47 - with: - asdf_version: ${{ needs.get_asdf_version.outputs.asdf_version }} - env: - PYTHON_CONFIGURE_OPTS: --enable-shared - + node-version-file: .tool-versions - name: make install run: | make install From 989a38a71403cddca8ed55ea2252d433b89e8962 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 12:45:33 +0000 Subject: [PATCH 10/94] make install node --- .github/workflows/build_multi_arch_image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 8a6e635..036915e 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -29,7 +29,7 @@ jobs: node-version-file: .tool-versions - name: make install run: | - make install + make install-node - name: Build container run: | From 6bdd72b359182c855227b6941a2eac68607b2c1b Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Wed, 7 Jan 2026 12:53:42 +0000 Subject: [PATCH 11/94] try different way of building --- .github/workflows/build_multi_arch_image.yml | 1 + .github/workflows/pull_request.yml | 2 +- Makefile | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 036915e..bc62b67 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -38,6 +38,7 @@ jobs: docker save "ghcr.io/nhsdigital/eps-devcontainer-base:latest-${{ matrix.arch }}" -o eps-devcontainer-base-latest-${{ matrix.arch }}.img env: GH_TOKEN: ${{ github.token }} + ARCHITECTURE: ${{ matrix.arch }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload docker images with: diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index ed66650..2c937f5 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -93,5 +93,5 @@ jobs: package_docker_image: - needs: [get_issue_number, quality_checks, get_commit_id] + needs: [get_issue_number, get_commit_id] uses: ./.github/workflows/build_multi_arch_image.yml diff --git a/Makefile b/Makefile index bee24e6..cf96122 100644 --- a/Makefile +++ b/Makefile @@ -20,6 +20,7 @@ build-base-image: generate-language-version-files npx devcontainer build \ --workspace-folder ./src/base/ \ --push false \ + --platform linux/${ARCHITECTURE} \ --image-name "${IMAGE_NAME}" generate-language-version-files: From 8f16180348cdc167bf7239bc3e51f3a10a715536 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 12:54:37 +0000 Subject: [PATCH 12/94] remove deps --- .github/workflows/pull_request.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 2c937f5..d693dfe 100644 --- a/.github/workflows/pull_request.yml 
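Review bot: Removing `quality_checks` from `needs` means `package_docker_image` now builds the image regardless of the quality gate's result, and the following commit drops the remaining `needs` entirely. That may be deliberate while iterating on the build, but once this reusable workflow also publishes the image (the later `publish_image` job in this series) the build should again depend on the gate, `needs: [quality_checks]`, so an image from a failing pull request cannot reach the registry.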
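Review bot: `--platform linux/${ARCHITECTURE}` expands to `linux/` when `ARCHITECTURE` is unset, which is the case for anyone running `make build-base-image` locally, since only the workflow exports it. Give the variable a default near the top of the Makefile, e.g. `ARCHITECTURE ?= amd64`, or guard the target with a check that fails with a clear message when it is empty. A `?=` default keeps the workflow's environment value taking precedence, so the CI matrix is unaffected.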
+++ b/.github/workflows/pull_request.yml @@ -93,5 +93,4 @@ jobs: package_docker_image: - needs: [get_issue_number, get_commit_id] uses: ./.github/workflows/build_multi_arch_image.yml From 9d9eca7d29d6487d6bc7a80bba3795f44bdf271c Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 13:03:30 +0000 Subject: [PATCH 13/94] add some debug --- src/base/.devcontainer/scripts/root_install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index fd3a1ae..833d23d 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh @@ -14,6 +14,7 @@ rm -rf /var/lib/apt/lists/* # Add amd64 architecture if on arm64 if [ "$TARGETARCH" == "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then + echo "Adding amd64 architecture support" dpkg --add-architecture amd64 fi From 8ffc5b010cd551820e612d7d7d500e2018d1ffdc Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 13:07:53 +0000 Subject: [PATCH 14/94] do not update dist --- src/base/.devcontainer/scripts/root_install.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index 833d23d..f50c163 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh @@ -24,7 +24,6 @@ apt-get remove -y \ # install necessary libraries for asdf and language runtimes apt-get update export DEBIAN_FRONTEND=noninteractive -apt-get -y dist-upgrade apt-get -y install --no-install-recommends htop vim curl git build-essential \ libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev libbz2-dev \ zlib1g-dev unixodbc unixodbc-dev libsecret-1-0 libsecret-1-dev libsqlite3-dev \ From 3e486dcaa433c20de9ef0d248d118f58444ca757 Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Wed, 7 Jan 2026 13:16:44 +0000 Subject: [PATCH 15/94] debug --- src/base/.devcontainer/scripts/root_install.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index f50c163..b59dc9e 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash set -e +export DEBIAN_FRONTEND=noninteractive # Install essential packages first apt-get update @@ -16,14 +17,16 @@ rm -rf /var/lib/apt/lists/* if [ "$TARGETARCH" == "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then echo "Adding amd64 architecture support" dpkg --add-architecture amd64 + echo "Running apt-get update for multi-arch" + apt-get update fi # uninstall unnecessary packages +echo "Removing unnecessary packages" apt-get remove -y \ python3 # install necessary libraries for asdf and language runtimes -apt-get update -export DEBIAN_FRONTEND=noninteractive +echo "Installing necessary packages" apt-get -y install --no-install-recommends htop vim curl git build-essential \ libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev libbz2-dev \ zlib1g-dev unixodbc unixodbc-dev libsecret-1-0 libsecret-1-dev libsqlite3-dev \ From 48ab087801c739f2f91f11b391573e11d2f5199b Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 13:20:40 +0000 Subject: [PATCH 16/94] clean --- src/base/.devcontainer/scripts/root_install.sh | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index b59dc9e..d4b4e20 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh 
@@ -2,25 +2,14 @@ set -e export DEBIAN_FRONTEND=noninteractive -# Install essential packages first -apt-get update -apt-get install -y \ - curl \ - wget \ - git \ - sudo \ - unzip -apt-get clean -rm -rf /var/lib/apt/lists/* - # Add amd64 architecture if on arm64 if [ "$TARGETARCH" == "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then echo "Adding amd64 architecture support" dpkg --add-architecture amd64 - echo "Running apt-get update for multi-arch" - apt-get update fi +echo "Running apt-get update" +apt-get update # uninstall unnecessary packages echo "Removing unnecessary packages" apt-get remove -y \ From 35fc41bca4cb2ab5ca47f10bef8b0c827204b0a7 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 13:28:12 +0000 Subject: [PATCH 17/94] fix it --- src/base/.devcontainer/scripts/root_install.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index d4b4e20..c441648 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh @@ -6,6 +6,14 @@ export DEBIAN_FRONTEND=noninteractive if [ "$TARGETARCH" == "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then echo "Adding amd64 architecture support" dpkg --add-architecture amd64 + + # Update sources.list to include amd64 repositories + echo "Configuring sources.list for amd64 and arm64" + sed -i.bak '/^deb / s|http://ports.ubuntu.com/ubuntu-ports|[arch=arm64] http://ports.ubuntu.com/ubuntu-ports|' /etc/apt/sources.list + # shellcheck disable=SC2129 + echo "deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy main universe" >> /etc/apt/sources.list + echo "deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy-updates main universe" >> /etc/apt/sources.list + echo "deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy-security main universe" >> /etc/apt/sources.list fi echo "Running apt-get update" 
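Review bot: The removed block was the only visible install of `wget`, `unzip` and `sudo`, and later parts of this script (the AWS CLI and SAM CLI section, changed in a subsequent commit) call `wget` and `unzip`; the `apt-get -y install --no-install-recommends ...` list that now has to provide them continues past the end of the hunk. Confirm those packages are on that list, otherwise the script fails at the first download even though `set -e` at the top would at least make that failure loud.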
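Review bot: The added `deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy ...` lines hard-code the `jammy` codename, so when the base image moves to a newer Ubuntu the amd64 repositories silently stay on 22.04 while the arm64 ones follow the image. Derive it from the image instead: `. /etc/os-release` once, then use `${VERSION_CODENAME}` in the three `echo` lines. The `sed` also assumes a classic `/etc/apt/sources.list`; on images that ship deb822 sources under `/etc/apt/sources.list.d/` it matches nothing and the arm64 restriction is never applied, so a check that the file exists (or handling the `.sources` form) would make that failure visible instead of leaving mixed-architecture sources behind.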
From e9859604d103473310ec26d42b12431d1ace1b5e Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 13:37:41 +0000 Subject: [PATCH 18/94] less verbose --- .../.devcontainer/scripts/root_install.sh | 21 ++++++++----------- 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index c441648..96d0988 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh @@ -18,10 +18,7 @@ fi echo "Running apt-get update" apt-get update -# uninstall unnecessary packages -echo "Removing unnecessary packages" -apt-get remove -y \ - python3 + # install necessary libraries for asdf and language runtimes echo "Installing necessary packages" apt-get -y install --no-install-recommends htop vim curl git build-essential \ 
@@ -35,22 +32,22 @@ apt-get -y install --no-install-recommends htop vim curl git build-essential \ # install aws stuff # Download correct AWS CLI for arch if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then - wget -O /tmp/awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip"; \ + wget -O /tmp/awscliv2.zip --no-verbose "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" else - wget -O /tmp/awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"; \ + wget -O /tmp/awscliv2.zip --no-verbose "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" fi - unzip /tmp/awscliv2.zip -d /tmp/aws-cli + unzip -q /tmp/awscliv2.zip -d /tmp/aws-cli /tmp/aws-cli/aws/install rm /tmp/awscliv2.zip rm -rf /tmp/aws-cli # Download correct SAM CLI for arch if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then - wget -O /tmp/aws-sam-cli.zip "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-arm64.zip"; \ + wget -O /tmp/aws-sam-cli.zip --no-verbose "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-arm64.zip" else - wget -O /tmp/aws-sam-cli.zip "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-x86_64.zip"; \ + wget -O /tmp/aws-sam-cli.zip --no-verbose "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-x86_64.zip" fi - unzip /tmp/aws-sam-cli.zip -d /tmp/aws-sam-cli + unzip -q /tmp/aws-sam-cli.zip -d /tmp/aws-sam-cli /tmp/aws-sam-cli/install rm /tmp/aws-sam-cli.zip rm -rf /tmp/aws-sam-cli 
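Review bot: Both SAM CLI downloads fetch `releases/latest/download/...`, so every image build pulls whatever the newest release is at build time, and neither the AWS CLI nor the SAM CLI archive is checked against a published checksum before `/tmp/aws-cli/aws/install` and `/tmp/aws-sam-cli/install` run as root; the `--no-verbose` and `unzip -q` changes leave that unchanged. Pin the SAM CLI to a specific release tag in the URL and verify both archives with `sha256sum -c` against expected values recorded in the repository (a per-arch `EXPECTED_SHA256` variable would do), so a build fails rather than installing something unexpected. The asdf tarball in the next hunk is version-pinned via `ASDF_VERSION` but likewise unverified.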
@@ -58,9 +55,9 @@ if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then # Install ASDF ASDF_VERSION=$(awk '!/^#/ && NF {print $1; exit}' /tmp/.tool-versions.asdf) if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then - wget -O /tmp/asdf.tar.gz "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-arm64.tar.gz"; \ + wget -O /tmp/asdf.tar.gz --no-verbose "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-arm64.tar.gz" else - wget -O /tmp/asdf.tar.gz "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-amd64.tar.gz"; \ + wget -O /tmp/asdf.tar.gz --no-verbose "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-amd64.tar.gz" fi tar -xzf /tmp/asdf.tar.gz -C /tmp mkdir -p /usr/bin From 54797f445396012e4e65a0d4042b94ac4804fd66 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 19:16:51 +0000 Subject: [PATCH 19/94] do not install java --- src/base/.devcontainer/scripts/root_install.sh | 3 +++ src/base/.devcontainer/scripts/vscode_install.sh | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index 96d0988..0c0d632 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh @@ -31,6 +31,7 @@ apt-get -y install --no-install-recommends htop vim curl git build-essential \ # install aws stuff # Download correct AWS CLI for arch +echo "Installing aws cli" if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then wget -O /tmp/awscliv2.zip --no-verbose "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" else 
@@ -42,6 +43,7 @@ if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then rm -rf /tmp/aws-cli # Download correct SAM CLI for arch +echo "Installing aws-sam cli" if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then wget -O /tmp/aws-sam-cli.zip --no-verbose "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-arm64.zip" else @@ -53,6 +55,7 @@ if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then rm -rf /tmp/aws-sam-cli # Install ASDF +echo "Installing asdf" ASDF_VERSION=$(awk '!/^#/ && NF {print $1; exit}' /tmp/.tool-versions.asdf) if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then wget -O /tmp/asdf.tar.gz --no-verbose "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-arm64.tar.gz" diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh index 0349116..838353a 100755 --- a/src/base/.devcontainer/scripts/vscode_install.sh +++ b/src/base/.devcontainer/scripts/vscode_install.sh @@ -42,9 +42,9 @@ while IFS= read -r version; do done < /tmp/python-versions.txt # Read Java versions from file and install -while IFS= read -r version; do - asdf install java "$version" -done < /tmp/java-versions.txt +# while IFS= read -r version; do +# asdf install java "$version" +# done < /tmp/java-versions.txt # Read Terraform versions from file and install while IFS= read -r version; do From d75d7836a1b933f69f81aca17a351a23f3aa9fa3 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 19:20:57 +0000 Subject: [PATCH 20/94] trigger build From 22fc0e85d4b60583659b84447d67ac5759ab8130 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 19:46:47 +0000 Subject: [PATCH 21/94] push the image --- .github/workflows/build_multi_arch_image.yml | 24 ++++++++++++++++++++ 1 file changed, 24 insertions(+) 
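Review bot: The Java install loop in vscode_install.sh is commented out rather than removed, so the dead `while IFS= read -r version; do … done < /tmp/java-versions.txt` block stays in the script with no indication of whether this is temporary. Version control already keeps the history, so delete the three lines, or if Java is meant to return, gate them behind an explicit variable (for example `INSTALL_JAVA`) with a comment saying why it is off by default. If `/tmp/java-versions.txt` is still generated and copied into the image elsewhere in the build, that work is now wasted. The enclosing script continues outside the hunk.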
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index bc62b67..364999c 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -45,3 +45,27 @@ jobs: name: eps-devcontainer-base-latest-${{ matrix.arch }}.img path: | eps-devcontainer-base-latest-${{ matrix.arch }}.img + + publish_image: + needs: build_image + runs-on: ubuntu-22.04 + permissions: + contents: read + packages: write + attestations: write + id-token: write + steps: + - name: Download amd64 images + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 + with: + name: eps-devcontainer-base-latest-amd64.img + - name: Download arm64 images + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 + with: + name: eps-devcontainer-base-latest-arm64.img + - name: Load and push multi-arch image + run: | + docker load -i eps-devcontainer-base-latest-amd64.img + docker load -i eps-devcontainer-base-latest-arm64.img + docker manifest create ghcr.io/nhsdigital/eps-devcontainer-base:latest ghcr.io/nhsdigital/eps-devcontainer-base:latest-amd64 ghcr.io/nhsdigital/eps-devcontainer-base:latest-arm64 + docker manifest push ghcr.io/nhsdigital/eps-devcontainer-base:latest From 21c4a8e1884eed962271f0450e18cb3144855af9 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 20:19:48 +0000 Subject: [PATCH 22/94] free disk space first --- .github/workflows/build_multi_arch_image.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 364999c..621e0ea 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml 
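Review bot: The new `publish_image` job requests `attestations: write` and `id-token: write`, but no step in the hunk produces an attestation or uses OIDC, so both grants widen the job's token for nothing; keep `contents: read` and `packages: write` and add the other two only together with an attestation step (for example `actions/attest-build-provenance`). The job also has no `docker login` to ghcr.io before `docker manifest push`, so as written the push is unauthenticated. `docker manifest create` without `--amend` also fails when a manifest list of that name already exists locally.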
@@ -55,6 +55,16 @@ jobs: attestations: write id-token: write steps: + - name: Free Disk Space for Docker + uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885 + with: + remove_android: true + remove_dotnet: true + remove_haskell: true + remove_tool_cache: true + rm_cmd: "rm" + remove_packages: "azure-cli google-cloud-cli microsoft-edge-stable google-chrome-stable firefox postgresql* temurin-* *llvm* mysql* dotnet-sdk-*" + remove_packages_one_command: true - name: Download amd64 images uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 with: From 2eb89250961923aa800c2c191f5a7c9681d44f3b Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 21:14:17 +0000 Subject: [PATCH 23/94] fix creating manifest --- .github/workflows/build_multi_arch_image.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 621e0ea..82d2125 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -77,5 +77,9 @@ jobs: run: | docker load -i eps-devcontainer-base-latest-amd64.img docker load -i eps-devcontainer-base-latest-arm64.img - docker manifest create ghcr.io/nhsdigital/eps-devcontainer-base:latest ghcr.io/nhsdigital/eps-devcontainer-base:latest-amd64 ghcr.io/nhsdigital/eps-devcontainer-base:latest-arm64 + echo "creating manifest" + docker manifest create ghcr.io/nhsdigital/eps-devcontainer-base:latest \ + --amend ghcr.io/nhsdigital/eps-devcontainer-base:latest-amd64 \ + --amend ghcr.io/nhsdigital/eps-devcontainer-base:latest-arm64 + echo "pushing manifest" docker manifest push ghcr.io/nhsdigital/eps-devcontainer-base:latest From 7b5a8fda3c28ccfab754b948699b960b200c5c25 Mon Sep 17 00:00:00 2001 
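Review bot: The third-party `endersonmenezes/free-disk-space` step is pinned to a full commit SHA, which is the right control, but without a trailing version comment the pin is opaque to reviewers and to Dependabot's version tracking; write it as `uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885 # <tag this SHA corresponds to>` so the next bump can be checked against a release. This step runs inside the job that holds `packages: write`, so the job token is reachable from it; a reviewable pin matters more here than in a read-only job. The `remove_packages` globs are executed by that action with root privileges on the runner, which is expected for this action but worth a one-line comment above the step.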
From: Anthony Brown Date: Wed, 7 Jan 2026 21:45:29 +0000 Subject: [PATCH 24/94] push image --- .github/workflows/build_multi_arch_image.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 82d2125..f27cc76 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -75,8 +75,12 @@ jobs: name: eps-devcontainer-base-latest-arm64.img - name: Load and push multi-arch image run: | + echo "loading images" docker load -i eps-devcontainer-base-latest-amd64.img docker load -i eps-devcontainer-base-latest-arm64.img + echo "pushing images" + docker push ghcr.io/nhsdigital/eps-devcontainer-base:latest-amd64 + docker push ghcr.io/nhsdigital/eps-devcontainer-base:latest-arm64 echo "creating manifest" docker manifest create ghcr.io/nhsdigital/eps-devcontainer-base:latest \ --amend ghcr.io/nhsdigital/eps-devcontainer-base:latest-amd64 \ From 6dd163625e6d6e272836f9bf18d926b0fa82bbc2 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 8 Jan 2026 00:03:01 +0000 Subject: [PATCH 25/94] fix name --- .github/workflows/build_multi_arch_image.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index f27cc76..cbf8fd2 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml 
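Review bot: The image name `ghcr.io/nhsdigital/eps-devcontainer-base` is spelled out in every `docker push`, `docker manifest create` and `--amend` line of this `run:` block, which is exactly why the renames in the following commits become multi-line edits; define it once on the step, `env:` with `IMAGE: ghcr.io/nhsdigital/eps-devcontainer-base`, and write `docker push "${IMAGE}:latest-amd64"`. The enclosing job starts before the hunk.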
@@ -34,7 +34,7 @@ jobs: - name: Build container run: | make build-base-image - docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest ghcr.io/nhsdigital/eps-devcontainer-base:latest-${{ matrix.arch }} + docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }} docker save "ghcr.io/nhsdigital/eps-devcontainer-base:latest-${{ matrix.arch }}" -o eps-devcontainer-base-latest-${{ matrix.arch }}.img env: GH_TOKEN: ${{ github.token }} @@ -79,11 +79,11 @@ jobs: docker load -i eps-devcontainer-base-latest-amd64.img docker load -i eps-devcontainer-base-latest-arm64.img echo "pushing images" - docker push ghcr.io/nhsdigital/eps-devcontainer-base:latest-amd64 - docker push ghcr.io/nhsdigital/eps-devcontainer-base:latest-arm64 + docker push ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 + docker push ghcr.io/nhsdigital/eps-devcontainers:latest-arm64 echo "creating manifest" - docker manifest create ghcr.io/nhsdigital/eps-devcontainer-base:latest \ - --amend ghcr.io/nhsdigital/eps-devcontainer-base:latest-amd64 \ - --amend ghcr.io/nhsdigital/eps-devcontainer-base:latest-arm64 + docker manifest create ghcr.io/nhsdigital/eps-devcontainers:latest \ + --amend ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 \ + --amend ghcr.io/nhsdigital/eps-devcontainers:latest-arm64 echo "pushing manifest" - docker manifest push ghcr.io/nhsdigital/eps-devcontainer-base:latest + docker manifest push ghcr.io/nhsdigital/eps-devcontainers:latest From 4ed613d5cc9fe8269548f568b5beff8495bcf740 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 8 Jan 2026 07:50:40 +0000 Subject: [PATCH 26/94] fix name --- .github/workflows/build_multi_arch_image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index cbf8fd2..bc74863 100644 --- a/.github/workflows/build_multi_arch_image.yml 
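Review bot: In the `@@ -34,7 +34,7 @@` hunk the `docker tag` target is renamed to `eps-devcontainers:latest-${{ matrix.arch }}`, but the `docker save` on the next context line still references `eps-devcontainer-base:latest-${{ matrix.arch }}`, a tag this step no longer creates, so the save fails; it should read `docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }}" -o eps-devcontainer-base-latest-${{ matrix.arch }}.img`. The artifact file name keeps the old `eps-devcontainer-base` prefix, which is harmless but inconsistent with the new image name.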
+++ b/.github/workflows/build_multi_arch_image.yml @@ -35,7 +35,7 @@ jobs: run: | make build-base-image docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }} - docker save "ghcr.io/nhsdigital/eps-devcontainer-base:latest-${{ matrix.arch }}" -o eps-devcontainer-base-latest-${{ matrix.arch }}.img + docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }}" -o eps-devcontainer-base-latest-${{ matrix.arch }}.img env: GH_TOKEN: ${{ github.token }} ARCHITECTURE: ${{ matrix.arch }} From dc10f7dc7ff26e4c862638531ea391e784414a40 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 8 Jan 2026 08:45:38 +0000 Subject: [PATCH 27/94] auth to github --- .github/workflows/build_multi_arch_image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index bc74863..b7737e7 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -75,6 +75,7 @@ jobs: name: eps-devcontainer-base-latest-arm64.img - name: Load and push multi-arch image run: | + echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin echo "loading images" docker load -i eps-devcontainer-base-latest-amd64.img docker load -i eps-devcontainer-base-latest-arm64.img From bf02c2a171d13f49b37f7c8f3a7166e75532e72c Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 09:14:46 +0000 Subject: [PATCH 28/94] build only on pull request --- .github/workflows/build_multi_arch_image.yml | 203 +++++++++++-------- .github/workflows/pull_request.yml | 58 +++--- 2 files changed, 146 insertions(+), 115 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index b7737e7..6ad4a57 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml 
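Review bot: The new login line expands `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` directly into the shell script; interpolating expressions into `run:` is the pattern GitHub documents as the script-injection risk, and it also places the secret in the rendered script text rather than the process environment. Pass both through `env:` and reference them as shell variables, `echo "$GITHUB_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin`, or use the SHA-pinned `docker/login-action`. The enclosing step starts before the hunk.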
@@ -1,90 +1,127 @@ name: Build and push docker image +'on': + workflow_call: + inputs: + publish_image: + required: true + type: boolean +jobs: + build_image: + permissions: + id-token: write + runs-on: '${{ matrix.runner }}' + strategy: + matrix: + include: + - arch: amd64 + runner: ubuntu-22.04 + - arch: arm64 + runner: ubuntu-22.04-arm + steps: + - name: Checkout code + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + with: + fetch-depth: 0 + - name: setup node + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f + with: + node-version-file: .tool-versions + - name: make install + run: | + make install-node + - name: Build container + run: > + make build-base-image -on: - workflow_call: + docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" -jobs: + docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" -o "eps-devcontainer-base-latest-${ARCHITECTURE}.img" + env: + GH_TOKEN: '${{ github.token }}' + ARCHITECTURE: '${{ matrix.arch }}' + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f + name: Upload docker images + with: + name: "eps-devcontainer-base-latest-${{ matrix.arch }}.img" + path: | + eps-devcontainer-base-latest-${{ matrix.arch }}.img + - name: Check docker vulnerabilities + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + with: + scan-type: "image" + image-ref: "ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }}" + severity: "CRITICAL,HIGH" + scanners: "vuln" + vuln-type: "os,library" + format: "table" + output: "dependency_results_docker.txt" + exit-code: "1" + trivy-config: trivy.yaml + + - name: Show docker vulnerability output + if: always() + run: | + echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" + if [ -f dependency_results_docker.txt ]; then + cat dependency_results_docker.txt + fi + env: + ARCHITECTURE: '${{ matrix.arch }}' + + 
publish_image: + needs: build_image + runs-on: ubuntu-22.04 + if: ${{ inputs.publish_image }} + permissions: + contents: read + packages: write + attestations: write + id-token: write + steps: + - name: Free Disk Space for Docker + uses: >- + endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885 + with: + remove_android: true + remove_dotnet: true + remove_haskell: true + remove_tool_cache: true + rm_cmd: rm + remove_packages: >- + azure-cli google-cloud-cli microsoft-edge-stable + google-chrome-stable firefox postgresql* temurin-* *llvm* mysql* + dotnet-sdk-* + remove_packages_one_command: true + - name: Download amd64 images + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 + with: + name: eps-devcontainer-base-latest-amd64.img + - name: Download arm64 images + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 + with: + name: eps-devcontainer-base-latest-arm64.img + - name: Load and push multi-arch image + run: > + echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ + github.actor }} --password-stdin + + echo "loading images" + + docker load -i eps-devcontainer-base-latest-amd64.img + + docker load -i eps-devcontainer-base-latest-arm64.img + + echo "pushing images" + + docker push ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 - build_image: - permissions: - id-token: write - runs-on: ${{ matrix.runner }} - strategy: - matrix: - include: - - arch: amd64 - runner: ubuntu-22.04 - - arch: arm64 - runner: ubuntu-22.04-arm - steps: - - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 - with: - fetch-depth: 0 + docker push ghcr.io/nhsdigital/eps-devcontainers:latest-arm64 - # use setup-node rather than asdf so that it works multi-arch - - name: setup node - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f - with: - node-version-file: .tool-versions - - name: make install - run: | - make install-node + echo "creating manifest" - - 
name: Build container - run: | - make build-base-image - docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }} - docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }}" -o eps-devcontainer-base-latest-${{ matrix.arch }}.img - env: - GH_TOKEN: ${{ github.token }} - ARCHITECTURE: ${{ matrix.arch }} - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f - name: Upload docker images - with: - name: eps-devcontainer-base-latest-${{ matrix.arch }}.img - path: | - eps-devcontainer-base-latest-${{ matrix.arch }}.img + docker manifest create ghcr.io/nhsdigital/eps-devcontainers:latest \ + --amend ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 \ + --amend ghcr.io/nhsdigital/eps-devcontainers:latest-arm64 + echo "pushing manifest" - publish_image: - needs: build_image - runs-on: ubuntu-22.04 - permissions: - contents: read - packages: write - attestations: write - id-token: write - steps: - - name: Free Disk Space for Docker - uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885 - with: - remove_android: true - remove_dotnet: true - remove_haskell: true - remove_tool_cache: true - rm_cmd: "rm" - remove_packages: "azure-cli google-cloud-cli microsoft-edge-stable google-chrome-stable firefox postgresql* temurin-* *llvm* mysql* dotnet-sdk-*" - remove_packages_one_command: true - - name: Download amd64 images - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 - with: - name: eps-devcontainer-base-latest-amd64.img - - name: Download arm64 images - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 - with: - name: eps-devcontainer-base-latest-arm64.img - - name: Load and push multi-arch image - run: | - echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - echo "loading images" - docker load -i eps-devcontainer-base-latest-amd64.img - docker load -i 
eps-devcontainer-base-latest-arm64.img - echo "pushing images" - docker push ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 - docker push ghcr.io/nhsdigital/eps-devcontainers:latest-arm64 - echo "creating manifest" - docker manifest create ghcr.io/nhsdigital/eps-devcontainers:latest \ - --amend ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 \ - --amend ghcr.io/nhsdigital/eps-devcontainers:latest-arm64 - echo "pushing manifest" - docker manifest push ghcr.io/nhsdigital/eps-devcontainers:latest + docker manifest push ghcr.io/nhsdigital/eps-devcontainers:latest diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index d693dfe..65d67bb 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml 
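Review bot: The rewrite of build_multi_arch_image.yml drops the comment `# use setup-node rather than asdf so that it works multi-arch`, the one line that explained a non-obvious choice, and the whole file now reads as a tool round-trip (`'on':`, single-quoted expressions, `run: >` folded scalars with blank lines between commands). The folded style is fragile for shell: the login line is split so that `${{` and `github.actor }}` sit on different source lines and only reassemble after YAML folding, and any later edit that removes a blank line silently joins two commands into one. Restore the comment and use `run: |` for every multi-command step so each source line is one command. The `if: ${{ inputs.publish_image }}` gate on `publish_image` is a good addition.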
@@ -1,56 +1,53 @@ name: pull_request - -on: +'on': pull_request: - branches: [main] - + branches: + - main env: - BRANCH_NAME: ${{ github.event.pull_request.head.ref }} - + BRANCH_NAME: '${{ github.event.pull_request.head.ref }}' jobs: dependabot-auto-approve-and-merge: needs: quality_checks - uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432 + uses: >- + NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432 secrets: - AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }} - AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }} - + AUTOMERGE_APP_ID: '${{ secrets.AUTOMERGE_APP_ID }}' + AUTOMERGE_PEM: '${{ secrets.AUTOMERGE_PEM }}' get_asdf_version: runs-on: ubuntu-22.04 outputs: - asdf_version: ${{ steps.asdf-version.outputs.version }} - tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }} + asdf_version: '${{ steps.asdf-version.outputs.version }}' + tag_format: '${{ steps.load-config.outputs.TAG_FORMAT }}' steps: - name: Checkout code uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 - - name: Get asdf version id: asdf-version - run: echo "version=$(awk '!/^#/ && NF {print $1; exit}' .tool-versions.asdf)" >> "$GITHUB_OUTPUT" + run: >- + echo "version=$(awk '!/^#/ && NF {print $1; exit}' + .tool-versions.asdf)" >> "$GITHUB_OUTPUT" - name: Load config value id: load-config run: | TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" - quality_checks: uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@trivy - needs: [get_asdf_version] + needs: + - get_asdf_version with: - asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} + asdfVersion: '${{ needs.get_asdf_version.outputs.asdf_version }}' secrets: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - + SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}' pr_title_format_check: - uses: 
NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432 - + uses: >- + NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432 get_issue_number: runs-on: ubuntu-22.04 needs: quality_checks outputs: - issue_number: ${{ steps.get_issue_number.outputs.result }} - version: ${{ steps.get_issue_number.outputs.version_number }} - + issue_number: '${{ steps.get_issue_number.outputs.result }}' + version: '${{ steps.get_issue_number.outputs.version_number }}' steps: - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd name: get issue number @@ -71,26 +68,23 @@ jobs: ).data[0].number; } result-encoding: string - get_commit_id: runs-on: ubuntu-22.04 outputs: - commit_id: ${{ steps.commit_id.outputs.commit_id }} - sha_short: ${{ steps.commit_id.outputs.sha_short }} - + commit_id: '${{ steps.commit_id.outputs.commit_id }}' + sha_short: '${{ steps.commit_id.outputs.sha_short }}' steps: - name: Checkout code uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 with: - ref: ${{ env.BRANCH_NAME }} - + ref: '${{ env.BRANCH_NAME }}' - name: Get Commit ID id: commit_id run: | # echo "commit_id=${{ github.sha }}" >> "$GITHUB_ENV" echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT" echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" - - package_docker_image: uses: ./.github/workflows/build_multi_arch_image.yml + with: + publish_image: false From d364522f6a64ac6a3904b30ecaec073dc5ab0048 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 10:08:17 +0000 Subject: [PATCH 29/94] add release workflow --- .github/workflows/build_multi_arch_image.yml | 43 +++++++++++------ .github/workflows/pull_request.yml | 4 ++ .github/workflows/release.yml | 47 +++++++++++++++++++ .../.devcontainer/scripts/root_install.sh | 1 + 4 files changed, 80 insertions(+), 15 deletions(-) create mode 100644 .github/workflows/release.yml 
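Review bot: `quality_checks` still calls `eps-common-workflows/.github/workflows/quality-checks.yml@trivy`, a mutable branch ref, while every other reusable workflow in this file is pinned to commit `2b3ddfd1e59daf9905522d0140c6cd08e2547432`; a branch ref lets the called workflow change without review here, and this call hands it `SONAR_TOKEN`. Pin it to the commit you intend to run. `package_docker_image` also has no `needs:`, so the image build runs in parallel with, and regardless of, the quality checks.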
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 6ad4a57..3d5aa48 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -5,12 +5,17 @@ name: Build and push docker image publish_image: required: true type: boolean + docker_tag: + required: true + type: string + jobs: build_image: permissions: id-token: write runs-on: '${{ matrix.runner }}' strategy: + fail-fast: false matrix: include: - arch: amd64 @@ -33,12 +38,13 @@ jobs: run: > make build-base-image - docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" + docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:{DOCKER_TAG}-${ARCHITECTURE}" docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" -o "eps-devcontainer-base-latest-${ARCHITECTURE}.img" env: GH_TOKEN: '${{ github.token }}' ARCHITECTURE: '${{ matrix.arch }}' + DOCKER_TAG: '${{ inputs.docker_tag }}' - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload docker images with: @@ -49,7 +55,7 @@ jobs: uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "image" - image-ref: "ghcr.io/nhsdigital/eps-devcontainers:latest-${{ matrix.arch }}" + image-ref: "ghcr.io/nhsdigital/eps-devcontainers:${{ inputs.docker_tag }}-${{ matrix.arch }}" severity: "CRITICAL,HIGH" scanners: "vuln" vuln-type: "os,library" @@ -61,7 +67,7 @@ jobs: - name: Show docker vulnerability output if: always() run: | - echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" + echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:${{ inputs.docker_tag }}-${ARCHITECTURE}" if [ -f dependency_results_docker.txt ]; then cat dependency_results_docker.txt fi 
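Review bot: In the `@@ -33,12 +38,13 @@` hunk the new `docker tag` target is written as `{DOCKER_TAG}-${ARCHITECTURE}` without `$`, so the image is tagged literally `{DOCKER_TAG}-amd64`; independently of that typo, the following `docker save` still exports `eps-devcontainers:latest-${ARCHITECTURE}`, which this step no longer creates, while the publish job in the `@@ -102,26 +108,33 @@` hunk expects `${DOCKER_TAG}-amd64` after `docker load`. Unless `make build-base-image` also produces the `latest-${ARCHITECTURE}` tag, the save line should be `docker save "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-base-latest-${ARCHITECTURE}.img"`. The missing `$` is corrected in [PATCH 30/94], but that commit leaves the save line unchanged.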
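Review bot: The `@@ -61,7 +67,7 @@` hunk interpolates `${{ inputs.docker_tag }}` straight into the `echo` in `run:`, while the same step already exposes `ARCHITECTURE` through `env:`; do the same for the tag (`DOCKER_TAG: '${{ inputs.docker_tag }}'` under `env:`, then `${DOCKER_TAG}` in the script) so no workflow input is expanded into shell source. The input is computed in-repo today, but the env route stays safe if a caller ever passes something less controlled.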
@@ -102,26 +108,33 @@ jobs: name: eps-devcontainer-base-latest-arm64.img - name: Load and push multi-arch image run: > - echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ - github.actor }} --password-stdin - + echo "${GITHUB_TOKEN}" | docker login ghcr.io -u "${GITHUB_ACTOR}" --password-stdin echo "loading images" - docker load -i eps-devcontainer-base-latest-amd64.img - docker load -i eps-devcontainer-base-latest-arm64.img - echo "pushing images" + echo "Tagging latest images" + docker tag "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers:latest-amd64" + docker tag "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers:latest-arm64" + echo "pushing images" + docker push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64" + docker push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-arm64" docker push ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 - docker push ghcr.io/nhsdigital/eps-devcontainers:latest-arm64 echo "creating manifest" + docker manifest create "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-arm64" + docker manifest create "ghcr.io/nhsdigital/eps-devcontainers:latest" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers:latest-amd64" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers:latest-arm64" - docker manifest create ghcr.io/nhsdigital/eps-devcontainers:latest \ - --amend ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 \ - --amend ghcr.io/nhsdigital/eps-devcontainers:latest-arm64 echo "pushing manifest" - - docker manifest push ghcr.io/nhsdigital/eps-devcontainers:latest + docker manifest push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}" + docker manifest push "ghcr.io/nhsdigital/eps-devcontainers:latest" + env: + DOCKER_TAG: '${{ inputs.docker_tag }}' + GITHUB_TOKEN: '${{ 
secrets.GITHUB_TOKEN }}' + GITHUB_ACTOR: '${{ github.actor }}' diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 65d67bb..98a5a94 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -86,5 +86,9 @@ jobs: echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" package_docker_image: uses: ./.github/workflows/build_multi_arch_image.yml + needs: + - get_issue_number + - get_commit_id with: publish_image: false + docker_tag: 'pr${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..9ca0141 --- /dev/null +++ b/.github/workflows/release.yml 
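Review bot: This step keeps `run: >` but the commit deletes the blank lines that separated the commands, and in a YAML folded scalar adjacent lines at the same indent are joined with a space, so `echo "${GITHUB_TOKEN}" | docker login ghcr.io -u "${GITHUB_ACTOR}" --password-stdin echo "loading images" docker load -i …` reaches bash as one command line; only the more-indented `--amend` lines keep their breaks. Change the header to `run: |` so each line runs as its own command. Moving the token and actor into `env:` is the right fix for the earlier interpolation.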
@@ -0,0 +1,47 @@ +name: merge to main workflow +on: + push: + branches: [main] + +jobs: + get_asdf_version: + runs-on: ubuntu-22.04 + outputs: + asdf_version: '${{ steps.asdf-version.outputs.version }}' + tag_format: '${{ steps.load-config.outputs.TAG_FORMAT }}' + steps: + - name: Checkout code + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + - name: Get asdf version + id: asdf-version + run: >- + echo "version=$(awk '!/^#/ && NF {print $1; exit}' + .tool-versions.asdf)" >> "$GITHUB_OUTPUT" + - name: Load config value + id: load-config + run: | + TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) + echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" + quality_checks: + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e + needs: + - get_asdf_version + with: + asdfVersion: '${{ needs.get_asdf_version.outputs.asdf_version }}' + secrets: + SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}' + tag_release: + needs: [quality_checks, get_asdf_version] + uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e + with: + dry_run: false + asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} + branch_name: main + tag_format: ${{ needs.get_asdf_version.outputs.tag_format }} + secrets: inherit + package_docker_image: + needs: tag_release + uses: ./.github/workflows/build_multi_arch_image.yml + with: + publish_image: true + docker_tag: '${{ needs.tag_release.outputs.version_tag }}' diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index 0c0d632..bdc0bc6 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh @@ -18,6 +18,7 @@ fi echo "Running apt-get update" apt-get update +apt-get upgrade -y # install necessary libraries for asdf and language runtimes echo "Installing necessary packages" 
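Review bot: `tag_release` is called with `secrets: inherit`, which forwards every repository and organisation secret to the reusable workflow, whereas `quality_checks` in the same file passes only `SONAR_TOKEN`; name the specific secrets the tag-release workflow needs so a change in that workflow cannot start reading secrets this repository never meant to share. `package_docker_image` then publishes `latest` from main with `publish_image: true`, so `tag_release`'s `version_tag` output is the only thing deciding what the registry tag looks like; a comment saying so would help the next maintainer. This file pins `quality-checks.yml` to a commit SHA while pull_request.yml uses `@trivy`; the two should agree.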
From 0efc57737296a17d46664e815d16ffcfa7c77f35 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 10:27:03 +0000 Subject: [PATCH 30/94] fix tag --- .github/workflows/build_multi_arch_image.yml | 2 +- scripts/generate_language_version_files.sh | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 3d5aa48..d351476 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -38,7 +38,7 @@ jobs: run: > make build-base-image - docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:{DOCKER_TAG}-${ARCHITECTURE}" + docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" -o "eps-devcontainer-base-latest-${ARCHITECTURE}.img" env: diff --git a/scripts/generate_language_version_files.sh b/scripts/generate_language_version_files.sh index 1e523ae..d36fcf7 100755 --- a/scripts/generate_language_version_files.sh +++ b/scripts/generate_language_version_files.sh @@ -25,8 +25,6 @@ REPOS=( "NHSDigital/nhs-fhir-middy-error-handler" "NHSDigital/nhs-eps-spine-client" "NHSDigital/electronic-prescription-service-api-regression-tests" - "NHSDigital/eps-action-sbom" - "NHSDigital/eps-action-cfn-lint" "NHSDigital/eps-common-workflows" "NHSDigital/eps-storage-terraform" "NHSDigital/eps-spine-shared" From 577f940ebd8cde6543d02ed6c02ab9cfd86ffc84 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 10:40:31 +0000 Subject: [PATCH 31/94] get repos from one place --- .github/workflows/build_multi_arch_image.yml | 9 ++++ scripts/generate_language_version_files.sh | 43 ++++++++------------ 2 files changed, 27 insertions(+), 25 deletions(-) 
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index d351476..5de8819 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -31,6 +31,14 @@ jobs: uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f with: node-version-file: .tool-versions + - name: Generate a token to get details from other repositories + id: generate-token + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf + with: + app-id: ${{ vars.EPS_REPO_STATUS_APP_ID }} + private-key: ${{ secrets.EPS_REPO_STATUS_PEM }} + owner: "NHSDigital" + - name: make install run: | make install-node @@ -45,6 +53,7 @@ jobs: GH_TOKEN: '${{ github.token }}' ARCHITECTURE: '${{ matrix.arch }}' DOCKER_TAG: '${{ inputs.docker_tag }}' + GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload docker images with: diff --git a/scripts/generate_language_version_files.sh b/scripts/generate_language_version_files.sh index d36fcf7..104090c 100755 --- a/scripts/generate_language_version_files.sh +++ b/scripts/generate_language_version_files.sh 
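Review bot: The `create-github-app-token` step sets `owner: "NHSDigital"` with no `repositories:` list, so the minted token is valid for every repository the app is installed on, and it is then exported as `GITHUB_TOKEN` to the `make build-base-image` step. Restrict it with `repositories:` to the repositories the version-file script reads, and confirm the Makefile does not pass the token as a `--build-arg` or copy it into the build context, since either would persist it in image layers. The same step already has `GH_TOKEN: '${{ github.token }}'`, so two different tokens are in scope; a comment naming which command uses which would help.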
@@ -1,35 +1,28 @@ #!/usr/bin/env bash +set -e # Get the current directory of the script SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" LANGUAGE_VERSIONS_DIR="${SCRIPT_DIR}/../src/base/.devcontainer/language_versions" -# Define repositories to fetch .tool-versions from -REPOS=( - "NHSDigital/electronic-prescription-service-clinical-prescription-tracker" - "NHSDigital/prescriptionsforpatients" - "NHSDigital/prescriptions-for-patients" - "NHSDigital/electronic-prescription-service-api" - "NHSDigital/electronic-prescription-service-release-notes" - "NHSDigital/electronic-prescription-service-account-resources" - "NHSDigital/eps-prescription-status-update-api" - "NHSDigital/eps-FHIR-validator-lambda" - "NHSDigital/eps-load-test" - "NHSDigital/eps-prescription-tracker-ui" - "NHSDigital/eps-aws-dashboards" - "NHSDigital/eps-cdk-utils" - "NHSDigital/eps-vpc-resources" - "NHSDigital/eps-assist-me" - "NHSDigital/validation-service-fhir-r4" - "NHSDigital/electronic-prescription-service-get-secrets" - "NHSDigital/nhs-fhir-middy-error-handler" - "NHSDigital/nhs-eps-spine-client" - "NHSDigital/electronic-prescription-service-api-regression-tests" - "NHSDigital/eps-common-workflows" - "NHSDigital/eps-storage-terraform" - "NHSDigital/eps-spine-shared" -) +# Check if the user is logged in with GitHub CLI +if ! gh auth status > /dev/null 2>&1; then + echo "You are not logged in to GitHub CLI. Initiating login..." + gh auth login +fi +# Fetch the repos.json file from the eps-repo-status repository using GitHub CLI +REPOS_JSON_PATH="repos/NHSDigital/eps-repo-status/contents/packages/get_repo_status/app/repos.json" +TEMP_REPOS_JSON="/tmp/repos.json" + +# Download the repos.json file +if ! gh api -H 'Accept: application/vnd.github.v3.raw' "$REPOS_JSON_PATH" > "$TEMP_REPOS_JSON"; then + echo "Failed to fetch repos.json using GitHub CLI. Exiting." 
+ exit 1 +fi + +# Parse the repoUrl values from the JSON file +mapfile -t REPOS < <(jq -r '.[].repoUrl' "$TEMP_REPOS_JSON") # Define output files mkdir -p "${LANGUAGE_VERSIONS_DIR}" From 075b2ea6b2c8fd503f4ae7a6a85d9ab180f3a2f9 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 11:04:04 +0000 Subject: [PATCH 32/94] add secret --- .github/workflows/build_multi_arch_image.yml | 3 +++ .github/workflows/pull_request.yml | 2 ++ .github/workflows/release.yml | 2 ++ 3 files changed, 7 insertions(+) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 5de8819..e90d121 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -8,6 +8,9 @@ name: Build and push docker image docker_tag: required: true type: string + secrets: + EPS_REPO_STATUS_PEM: + required: true jobs: build_image: diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 98a5a94..654d25d 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -92,3 +92,5 @@ jobs: with: publish_image: false docker_tag: 'pr${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' + secrets: + EPS_REPO_STATUS_PEM: ${{ secrets.EPS_REPO_STATUS_PEM }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9ca0141..8da9db2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -45,3 +45,5 @@ jobs: with: publish_image: true docker_tag: '${{ needs.tag_release.outputs.version_tag }}' + secrets: + EPS_REPO_STATUS_PEM: ${{ secrets.EPS_REPO_STATUS_PEM }} From b4413b5be0ff6f5114a7b8a41dec5beee2f3e526 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 11:12:27 +0000 Subject: [PATCH 33/94] use token --- .github/workflows/build_multi_arch_image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
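Review bot: `TEMP_REPOS_JSON="/tmp/repos.json"` is a fixed path in a world-writable directory; a pre-existing file or symlink of that name is followed by the `>` redirection, and the file is never removed. Use `TEMP_REPOS_JSON="$(mktemp)"` together with `trap 'rm -f "$TEMP_REPOS_JSON"' EXIT`. Two smaller points: `set -e` does not see a failing `jq` inside the `mapfile` process substitution, so a malformed or empty `repos.json` silently produces an empty `REPOS` — add `set -o pipefail` and a guard like `[ "${#REPOS[@]}" -gt 0 ] || { echo "no repos found"; exit 1; }`; and `gh auth login` is interactive, so in CI that branch can only hang or fail — exiting with a message when `CI` is set is clearer. Whatever consumes `REPOS` is outside this hunk.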
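Review bot: Forwarding `EPS_REPO_STATUS_PEM` from `pull_request.yml` hands the GitHub App's private key to every PR-triggered run from a branch of this repository, so a PR that edits `scripts/generate_language_version_files.sh` or the Makefile executes with the resulting installation token. Decide two things explicitly: PRs from forks get no secrets on the `pull_request` event, so the token step will fail for them unless guarded, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository`; and the App installation itself should grant only `contents: read` on the repos the script reads so the PR path cannot escalate. The `with:` block receiving `docker_tag` starts outside this hunk.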
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index e90d121..3ef6674 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -53,7 +53,7 @@ jobs:
 docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" -o "eps-devcontainer-base-latest-${ARCHITECTURE}.img"
 env:
- GH_TOKEN: '${{ github.token }}'
+ GH_TOKEN: ${{ steps.generate-token.outputs.token }}
 ARCHITECTURE: '${{ matrix.arch }}'
 DOCKER_TAG: '${{ inputs.docker_tag }}'
 GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
From 41a14e4f1d942326fddf3bf4b6fea904a0499a01 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Fri, 6 Feb 2026 12:15:09 +0000
Subject: [PATCH 34/94] add trivyignore
---
 .trivyignore.yaml | 471 ++++++++++++++++++++++++++++++++++++++++++++++
 trivy.yaml | 1 +
 2 files changed, 472 insertions(+)
 create mode 100644 .trivyignore.yaml
 create mode 100644 trivy.yaml
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
new file mode 100644
index 0000000..f9052ce
--- /dev/null
+++ b/.trivyignore.yaml
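Review bot: After this change `GH_TOKEN` and `GITHUB_TOKEN` in the step's `env:` both hold the App installation token, so the same credential is exported under two names to everything `make build-base-image` runs — the Dockerfile build, the docker CLI and any tool in the image build that honours `GITHUB_TOKEN`. Keep only the name the script reads and delete the `GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}` line; if something in the build genuinely needs the second name, a comment saying which tool would justify it. The step definition starts before the hunk.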
@@ -0,0 +1,471 @@ +vulnerabilities: + - id: CVE-2026-25547 + statement: "@isaacs/brace-expansion has Uncontrolled Resource Consumption" + purls: + - "pkg:npm/%40isaacs/brace-expansion@5.0.0" + expired_at: 2026-06-01 + - id: CVE-2021-3807 + statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" + purls: + - "pkg:npm/ansi-regex@3.0.0" + expired_at: 2026-06-01 + - id: CVE-2021-3807 + statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" + purls: + - "pkg:npm/ansi-regex@5.0.0" + expired_at: 2026-06-01 + - id: CVE-2025-64756 + statement: "glob glob Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@10.4.5" + expired_at: 2026-06-01 + - id: CVE-2025-64756 + statement: "glob glob Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@11.0.3" + expired_at: 2026-06-01 + - id: CVE-2022-25881 + statement: "http-cache-semantics Regular Expression Denial of Service (ReDoS) vulnerability" + purls: + - "pkg:npm/http-cache-semantics@4.1.0" + expired_at: 2026-06-01 + - id: CVE-2024-29415 + statement: "node-ip Incomplete fix for CVE-2023-42282" + purls: + - "pkg:npm/ip@1.1.5" + expired_at: 2026-06-01 + - id: CVE-2022-3517 + statement: "nodejs-minimatch ReDoS via the braceExpand function" + purls: + - "pkg:npm/minimatch@3.0.4" + expired_at: 2026-06-01 + - id: CVE-2026-0775 + statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" + purls: + - "pkg:npm/npm@11.6.2" + expired_at: 2026-06-01 + - id: CVE-2022-29244 + statement: "nodejs npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace" + purls: + - "pkg:npm/npm@8.5.0" + expired_at: 2026-06-01 + - id: CVE-2026-0775 + statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" + purls: + - "pkg:npm/npm@8.5.0" + expired_at: 2026-06-01 + - id: 
CVE-2022-25883 + statement: "nodejs-semver Regular expression denial of service" + purls: + - "pkg:npm/semver@7.3.5" + expired_at: 2026-06-01 + - id: CVE-2026-23745 + statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-23950 + statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-23745 + statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2026-23950 + statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2022-40897 + statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2024-6345 + statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2025-47273 + statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2022-40897 + statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" 
+ purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2024-6345 + statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2025-47273 + statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2024-49761 + statement: "rexml REXML ReDoS vulnerability" + purls: + - "pkg:gem/rexml@3.2.6" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-22874 + statement: "crypto/x509 Usage of ExtKeyUsageAny disables policy validation in crypto/x509" + purls: + - "pkg:golang/stdlib@v1.24.3" + 
expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-66564 + statement: "github.com/sigstore/timestamp-authority Sigstore Timestamp Authority Denial of Service via excessive OID or Content-Type header parsing" + purls: + - "pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted 
certificate" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2023-24538 + statement: "golang html/template backticks not treated as string delimiters" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24540 + statement: "golang html/template improper handling of JavaScript whitespace" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-24790 + statement: "golang net/netip Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-24675 + statement: "golang encoding/pem fix stack overflow in Decode" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-27664 + statement: "golang net/http handle server errors after sending GOAWAY" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-28131 + statement: "golang encoding/xml stack exhaustion in Decoder.Skip" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-28327 + statement: "golang crypto/elliptic panic caused by oversized scalar" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-2879 + statement: "golang archive/tar github.com/vbatts/tar-split unbounded memory consumption when reading headers" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-2880 + statement: "golang net/http/httputil ReverseProxy should not forward unparseable query parameters" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-29804 + statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30580 + statement: "golang os/exec Code injection in Cmd.Start" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30630 + statement: "golang io/fs stack 
exhaustion in Glob" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30631 + statement: "golang compress/gzip stack exhaustion in Reader.Read" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30632 + statement: "golang path/filepath stack exhaustion in Glob" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30633 + statement: "golang encoding/xml stack exhaustion in Unmarshal" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30634 + statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30635 + statement: "golang encoding/gob stack exhaustion in Decoder.Decode" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-32189 + statement: "golang math/big decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41715 + statement: "golang regexp/syntax limit memory used by parsing regexps" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41716 + statement: "Due to unsanitized NUL values, attackers may be able to maliciously se ..." 
+ purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41720 + statement: "golang os, net/http avoid escapes from os.DirFS and http.Dir on Windows" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41722 + statement: "golang path/filepath path-filepath filepath.Clean path traversal" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41723 + statement: "golang.org/x/net/http2 avoid quadratic complexity in HPACK decoding" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41724 + statement: "golang crypto/tls large handshake records may cause panics" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41725 + statement: "golang net/http, mime/multipart denial of service from excessive resource consumption" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24534 + statement: "golang net/http, net/textproto denial of service from excessive memory allocation" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24536 + statement: "golang net/http, net/textproto, mime/multipart denial of service from excessive resource consumption" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24537 + statement: "golang go/parser Infinite loop in parsing" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24539 + statement: "golang html/template improper sanitization of CSS values" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-29400 + statement: "golang html/template improper handling of empty HTML attributes" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-29403 + statement: "golang runtime unexpected behavior of setuid/setgid binaries" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: 
CVE-2023-39325 + statement: "golang net/http, x/net/http2 rapid stream resets can cause excessive work (CVE-2023-44487)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45283 + statement: "The filepath package does not recognize paths with a prefix as sp ..." + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45287 + statement: "golang crypto/tls Timing Side Channel attack in RSA based TLS key exchanges." + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45288 + statement: "golang net/http, x/net/http2 unlimited number of CONTINUATION frames causes DoS" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-34156 + statement: "encoding/gob golang Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-25621 + statement: "github.com/containerd/containerd containerd local privilege escalation" + purls: + - 
"pkg:golang/github.com/containerd/containerd/v2@v2.1.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-21780 + statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 diff --git a/trivy.yaml b/trivy.yaml new file mode 100644 index 0000000..eb24337 --- /dev/null +++ b/trivy.yaml @@ -0,0 +1 @@ +ignorefile: ".trivyignore.yaml" 
From aade34cf6de2bb87757da8fd909688dad9fd68f6 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 12:43:34 +0000 Subject: [PATCH 35/94] fix build --- .github/workflows/build_multi_arch_image.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 3ef6674..185eca6 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -51,7 +51,7 @@ jobs: docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" - docker save "ghcr.io/nhsdigital/eps-devcontainers:latest-${ARCHITECTURE}" -o "eps-devcontainer-base-latest-${ARCHITECTURE}.img" + docker save "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-base-${DOCKER_TAG}-${ARCHITECTURE}.img" env: GH_TOKEN: ${{ steps.generate-token.outputs.token }} ARCHITECTURE: '${{ matrix.arch }}' @@ -60,9 +60,9 @@ jobs: - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload docker images with: - name: "eps-devcontainer-base-latest-${{ matrix.arch }}.img" + name: "eps-devcontainer-base-${{ inputs.docker_tag }}-${{ matrix.arch }}.img" path: | - eps-devcontainer-base-latest-${{ matrix.arch }}.img + eps-devcontainer-base-${{ inputs.docker_tag }}-${{ matrix.arch }}.img - name: Check docker vulnerabilities uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: 
@@ -79,12 +79,13 @@ jobs: - name: Show docker vulnerability output if: always() run: | - echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:${{ inputs.docker_tag }}-${ARCHITECTURE}" + echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" if [ -f dependency_results_docker.txt ]; then cat dependency_results_docker.txt fi env: ARCHITECTURE: '${{ matrix.arch }}' + DOCKER_TAG: '${{ inputs.docker_tag }}' publish_image: needs: build_image @@ -113,17 +114,17 @@ jobs: - name: Download amd64 images uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 with: - name: eps-devcontainer-base-latest-amd64.img + name: eps-devcontainer-base-${{ inputs.docker_tag }}-amd64.img - name: Download arm64 images uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 with: - name: eps-devcontainer-base-latest-arm64.img + name: eps-devcontainer-base-${{ inputs.docker_tag }}-arm64.img - name: Load and push multi-arch image run: > echo "${GITHUB_TOKEN}" | docker login ghcr.io -u "${GITHUB_ACTOR}" --password-stdin echo "loading images" - docker load -i eps-devcontainer-base-latest-amd64.img - docker load -i eps-devcontainer-base-latest-arm64.img + docker load -i "eps-devcontainer-base-${DOCKER_TAG}-amd64.img" + docker load -i "eps-devcontainer-base-${DOCKER_TAG}-arm64.img" echo "Tagging latest images" docker tag "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers:latest-amd64" From 232c86f49e07d40016e4ef6fe73cd9b2e901b3c5 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 12:56:54 +0000 Subject: [PATCH 36/94] use repo list from a different location --- Makefile | 1 + scripts/generate_language_version_files.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index cf96122..454c5bf 100644 --- a/Makefile +++ b/Makefile 
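Review bot: The `run: >` folded block in `Load and push multi-arch image` joins consecutive lines with spaces, so unless each command is separated by a blank line (which this collapsed view cannot show) `echo "${GITHUB_TOKEN}" | docker login ghcr.io -u "${GITHUB_ACTOR}" --password-stdin` and the following `echo "loading images"` become a single shell line. A `run: |` literal block is the usual form for a multi-command step and removes that dependence on blank lines; only the scalar indicator changes. If the blank lines are present in the file this is a style point only. The step's `env:` supplying `GITHUB_TOKEN` and `DOCKER_TAG` lies outside the hunk.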
@@ -30,6 +30,7 @@ scan-base-image:
 trivy image \
 --severity HIGH,CRITICAL \
 --ignorefile .trivyignore.yaml \
+ --scanners vuln \
 --exit-code 1 \
 --format table ${IMAGE_NAME}
diff --git a/scripts/generate_language_version_files.sh b/scripts/generate_language_version_files.sh
index 104090c..7f4821d 100755
--- a/scripts/generate_language_version_files.sh
+++ b/scripts/generate_language_version_files.sh
@@ -12,7 +12,7 @@ if ! gh auth status > /dev/null 2>&1; then
 fi
 # Fetch the repos.json file from the eps-repo-status repository using GitHub CLI
-REPOS_JSON_PATH="repos/NHSDigital/eps-repo-status/contents/packages/get_repo_status/app/repos.json"
+REPOS_JSON_PATH="repos/NHSDigital/eps-repo-status/contents/repos.json"
 TEMP_REPOS_JSON="/tmp/repos.json"
 # Download the repos.json file
From fc029d088dcc038419de23cb64aa184fd5785d4b Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Fri, 6 Feb 2026 13:25:34 +0000
Subject: [PATCH 37/94] add readme
---
 README.md | 54 ++++++++++++++++++++++++
 src/base/.devcontainer/devcontainer.json | 2 +-
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 README.md
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..883bb6f
--- /dev/null
+++ b/README.md
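Review bot: `--scanners vuln` switches off Trivy's secret scanner, which is enabled by default for `trivy image`, so a credential accidentally baked into a layer of the base image (a copied `.npmrc`, a PEM, an AWS key left over from the CLI/SAM install) will no longer fail `scan-base-image`. If the goal was to skip slower checks or silence misconfiguration noise, keep secrets in scope with `--scanners vuln,secret \` instead. The CI step `Check docker vulnerabilities` uses `trivy-action` rather than this target, so check whether it is configured the same way. The `trivy image` invocation continues on both sides of the hunk.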
@@ -0,0 +1,54 @@ +EPS DEV CONTAINERS +================== + +# Introduction +This repo contains code to build a vscode devcontainer that is used as a base image for all EPS projects. +Images are build for amd64 and arm64 and a manifest file created that can be pulled for both architectures. +Images are based on mcr.microsoft.com/devcontainers/base:ubuntu-22.04 +Images contain + - latest os packages + - asdf + - aws cli + - aws sam cli + + It installs the following dev container features + - docker outside of docker + - github cli + +As the vscode user the following also happens + +asdf install and setup for these so they are available globally as vscode user + - shellcheck + - direnv + - actionlint + - ruby (for github pages) + - trivy + +Install asdf plugins for all tools we use +Install asdf versions of node, python, java, terraform, golang used by all EPS projects to speed up initial build of local dev container +Install and setup git-secrets + +# Project structure +The dev container is defined in src/base/.devcontainer folder. This folder contains a Dockerfile and a devcontainer.json file which is used to build the container + +The dev container is built using https://github.com/devcontainers/cli + +The script `scripts/generate_language_version_files.sh` gets the version of node, python, java and terraform from all EPS repositories. It uses the list of repos from https://github.com/NHSDigital/eps-repo-status/blob/main/repos.json to find all EPS repos. + +# Build process +Docker images are built for each pull request, and on merges to main + +Docker images are scanned for vulnerabilities using trivy as part of a build step, and the build fails if vulnerabilities are found not in .trivyignore file. + +On merges to main, a new release is created and the images are pushed to github. The images are tagged with `latest` and the version of the release. 
+ +# Local testing +For local testing, you can run +``` +ARCHITECTURE=amd64 make build-base-image +``` +to build a local image, and then +``` +make scan-base-image +``` +to scan for vulnerabilities diff --git a/src/base/.devcontainer/devcontainer.json b/src/base/.devcontainer/devcontainer.json index ae0f548..9f369d3 100644 --- a/src/base/.devcontainer/devcontainer.json +++ b/src/base/.devcontainer/devcontainer.json @@ -1,7 +1,7 @@ // For format details, see https://aka.ms/devcontainer.json. For config options, see the // README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu { - "name": "Ubuntu", + "name": "EPS Devcontainer Base", // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile "build": { "dockerfile": "Dockerfile", From 34fc02c8ad7fb83415972c23530282e9ba0a066e Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 13:26:33 +0000 Subject: [PATCH 38/94] free space on build --- .github/workflows/build_multi_arch_image.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 185eca6..454509f 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -26,6 +26,20 @@ jobs: - arch: arm64 runner: ubuntu-22.04-arm steps: + - name: Free Disk Space for Docker + uses: >- + endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885 + with: + remove_android: true + remove_dotnet: true + remove_haskell: true + remove_tool_cache: true + rm_cmd: rm + remove_packages: >- + azure-cli google-cloud-cli microsoft-edge-stable + google-chrome-stable firefox postgresql* temurin-* *llvm* mysql* + dotnet-sdk-* + remove_packages_one_command: true - name: Checkout code uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 with: From 438de78b0d75927896fbad7985169bb9310d41a3 Mon Sep 17 00:00:00 2001 
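Review bot: `Free Disk Space for Docker` runs a third-party action as the job's first step, before `actions/checkout`, removing runner packages with wildcards (`postgresql* temurin-* *llvm* mysql* dotnet-sdk-*`). Pinning to a commit SHA is right; append the matching tag as a trailing comment, `uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885 # vX.Y` (fill in the real tag), so the `github-actions` Dependabot updater in this repo can track it, since SHA-only pins are not bumped without a version comment. Also confirm that the `*llvm*` glob removes nothing the `ubuntu-22.04-arm` build relies on, and `rm_cmd: rm` here is fine because the runner is ephemeral. The `steps:` list continues past the hunk with the checkout.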
From: Anthony Brown Date: Fri, 6 Feb 2026 13:31:38 +0000 Subject: [PATCH 39/94] add common files --- CODE_OF_CONDUCT.md | 76 ++++++++++++++++++++++++++++++++++++++++++++++ CONTRIBUTING.md | 61 +++++++++++++++++++++++++++++++++++++ LICENSE | 21 +++++++++++++ SECURITY.md | 35 +++++++++++++++++++++ 4 files changed, 193 insertions(+) create mode 100644 CODE_OF_CONDUCT.md create mode 100644 CONTRIBUTING.md create mode 100644 LICENSE create mode 100644 SECURITY.md diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..65cf5ff --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,76 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +In the interest of fostering an open and welcoming environment, we as +contributors and maintainers pledge to making participation in our project and +our community a harassment-free experience for everyone, regardless of age, body +size, disability, ethnicity, sex characteristics, gender identity and expression, +level of experience, education, socio-economic status, nationality, personal +appearance, race, religion, or sexual identity and orientation. + +## Our Standards + +Examples of behavior that contributes to creating a positive environment +include: + +* Using welcoming and inclusive language +* Being respectful of differing viewpoints and experiences +* Gracefully accepting constructive criticism +* Focusing on what is best for the community +* Showing empathy towards other community members + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery and unwelcome sexual attention or + advances +* Trolling, insulting/derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or electronic + address, without explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Our Responsibilities + +Project maintainers are responsible for clarifying the standards of acceptable +behavior and are expected to take appropriate and fair corrective action in +response to any instances of unacceptable behavior. + +Project maintainers have the right and responsibility to remove, edit, or +reject comments, commits, code, wiki edits, issues, and other contributions +that are not aligned to this Code of Conduct, or to ban temporarily or +permanently any contributor for other behaviors that they deem inappropriate, +threatening, offensive, or harmful. 
+ +## Scope + +This Code of Conduct applies both within project spaces and in public spaces +when an individual is representing the project or its community. Examples of +representing a project or community include using an official project e-mail +address, posting via an official social media account, or acting as an appointed +representative at an online or offline event. Representation of a project may be +further defined and clarified by project maintainers. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported by contacting the project team. All +complaints will be reviewed and investigated and will result in a response that +is deemed necessary and appropriate to the circumstances. The project team is +obligated to maintain confidentiality with regard to the reporter of an incident. +Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good +faith may face temporary or permanent repercussions as determined by other +members of the project's leadership. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, +available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html + +[homepage]: https://www.contributor-covenant.org + +For answers to common questions about this code of conduct, see +https://www.contributor-covenant.org/faq diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..9f62523 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,61 @@ +# Contribution Guidelines + +## Raising an Issue + +If you raise an issue against this repository, please include as much information as possible to reproduce any bugs, +or specific locations in the case of content errors. + +## Contributing code + +To contribute code, please fork the repository and raise a pull request. + +Ideally pull requests should be fairly granular and aim to solve one problem each. It would also be helpful if they +linked to an issue. If the maintainers cannot understand why a pull request was raised, it will be rejected, +so please explain why the changes need to be made (unless it is self-evident). + +### Merge responsibility + +- It is the responsibility of the reviewer to merge branches they have approved. +- It is the responsibility of the author of the merge to ensure their merge is in a mergeable state. +- It is the responsibility of the maintainers to ensure the merge process is unambiguous and automated where possible. + +### Branch naming + +Branch names should be of the format: + +`aea-nnn-short-issue-description` + +Multiple branches are permitted for the same ticket. + +### Commit messages + +We do not enforce any conventions on commit messages to a branch, as we use squash commits when merging to main branch. + +Commits from a pull request get squashed into a single commit on merge, using the pull request title as the commit message. +Please format your pull request title using tags from [ESLint Convention](https://github.com/conventional-changelog/conventional-changelog/tree/master/packages/conventional-changelog-eslint) as follows: + +```text +Tag: [AEA-NNNN] - Short description +``` + +Tag can be one of: + +- `Fix` - for a bug fix. (Patch release) +- `Update` - either for a backwards-compatible enhancement or for a rule change that adds reported problems. (Patch release) +- `New` - implemented a new feature. (Minor release) +- `Breaking` - for a backwards-incompatible enhancement or feature. 
(Major release) +- `Docs` - changes to documentation only. (Patch release) +- `Build` - changes to build process only. (No release) +- `Upgrade` - for a dependency upgrade. (Patch release) +- `Chore` - for refactoring, adding tests, etc. (anything that isn't user-facing). (Patch release) + +If the current release is x.y.z then +- a patch release increases z by 1 +- a minor release increases y by 1 +- a major release increases x by 1 + +Correct tagging is necessary for our automated versioning and release process ([Release](./RELEASE.md)). + +### Changelog + +Release changelogs are generated from the titles of pull requests merged into the `main` branch. Please ensure that your pull request title is sufficiently descriptive of the changes made. diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..0ba95e8 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Crown Copyright (c) + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. 
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..15baeac --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,35 @@ +# Security + +NHS England takes security and the protection of private data extremely seriously. If you believe you have found a vulnerability or other issue which has compromised or could compromise the security of any of our systems and/or private data managed by our systems, please do not hesitate to contact us using the methods outlined below. + +## Table of Contents + +- [Security](#security) + - [Table of Contents](#table-of-contents) + - [Reporting a vulnerability](#reporting-a-vulnerability) + - [Email](#email) + - [NCSC](#ncsc) + - [General Security Enquiries](#general-security-enquiries) + +## Reporting a vulnerability + +Please note, email is our preferred method of receiving reports. + +### Email + +If you wish to notify us of a vulnerability via email, please include detailed information on the nature of the vulnerability and any steps required to reproduce it. + +You can reach us at: + +- [epssupport@nhs.net](epssupport@nhs.net) +- [cybersecurity@nhs.net](cybersecurity@nhs.net) + +### NCSC + +You can send your report to the National Cyber Security Centre, who will assess your report and pass it on to NHS England if necessary. + +You can report vulnerabilities here: [https://www.ncsc.gov.uk/information/vulnerability-reporting](https://www.ncsc.gov.uk/information/vulnerability-reporting) + +## General Security Enquiries + +If you have general enquiries regarding our cybersecurity, please reach out to us at [cybersecurity@nhs.net](cybersecurity@nhs.net) From eb0658322507ec340ca0555cfe908a498d687b8d Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 13:50:42 +0000 Subject: [PATCH 40/94] upload scan results --- .github/workflows/build_multi_arch_image.yml | 26 +++++++++++++++++--- 1 file changed, 22 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 454509f..b01002b 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -77,7 +77,25 @@ jobs: name: "eps-devcontainer-base-${{ inputs.docker_tag }}-${{ matrix.arch }}.img" path: | eps-devcontainer-base-${{ inputs.docker_tag }}-${{ matrix.arch }}.img - - name: Check docker vulnerabilities + - name: Check docker vulnerabilities - json output + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + with: + scan-type: "image" + image-ref: "ghcr.io/nhsdigital/eps-devcontainers:${{ inputs.docker_tag }}-${{ matrix.arch }}" + severity: "CRITICAL,HIGH" + scanners: "vuln" + vuln-type: "os,library" + format: "json" + output: "scan_results_docker_${{ matrix.arch }}.json" + exit-code: "0" + trivy-config: trivy.yaml + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f + name: Upload scan results + with: + name: "scan_results_docker_${{ matrix.arch }}.json" + path: | + "scan_results_docker_${{ matrix.arch }}.json" + - name: Check docker vulnerabilities - table output uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "image" @@ -86,7 +104,7 @@ jobs: scanners: "vuln" vuln-type: "os,library" format: "table" - output: "dependency_results_docker.txt" + output: "scan_results_docker.txt" exit-code: "1" trivy-config: trivy.yaml @@ -94,8 +112,8 @@ jobs: if: always() run: | echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" - if [ -f dependency_results_docker.txt ]; then - cat dependency_results_docker.txt + if [ -f scan_results_docker.txt ]; then + cat scan_results_docker.txt fi env: ARCHITECTURE: '${{ matrix.arch }}' From fb3ed0be463798e38c207f9e7b00ec9aef0819a0 Mon Sep 17 00:00:00 2001 
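Review bot: The upload step added in the first hunk will not find the report it is meant to publish: inside the `path: |` block scalar the double quotes are literal characters, so upload-artifact looks for a file whose name begins and ends with `"` rather than for `scan_results_docker_<arch>.json`. Drop the quotes, `path: scan_results_docker_${{ matrix.arch }}.json`, as the existing image-upload step just above already does for its `.img` path. The same quoted path is carried forward unchanged in PATCH 41's edit to `"scan_results_docker.json"`, so it needs the same fix there.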
From: Anthony Brown Date: Fri, 6 Feb 2026 14:18:36 +0000 Subject: [PATCH 41/94] update path --- .github/workflows/build_multi_arch_image.yml | 4 ++-- README.md | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index b01002b..2e3ea71 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -86,7 +86,7 @@ jobs: scanners: "vuln" vuln-type: "os,library" format: "json" - output: "scan_results_docker_${{ matrix.arch }}.json" + output: "scan_results_docker.json" exit-code: "0" trivy-config: trivy.yaml - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f @@ -94,7 +94,7 @@ jobs: with: name: "scan_results_docker_${{ matrix.arch }}.json" path: | - "scan_results_docker_${{ matrix.arch }}.json" + "scan_results_docker.json" - name: Check docker vulnerabilities - table output uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: diff --git a/README.md b/README.md index 883bb6f..692f065 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,8 @@ Install asdf versions of node, python, java, terraform, golang used by all EPS p Install and setup git-secrets # Project structure -The dev container is defined in src/base/.devcontainer folder. This folder contains a Dockerfile and a devcontainer.json file which is used to build the container +The dev container is defined in src/base/.devcontainer folder. This folder contains a Dockerfile and a devcontainer.json file which is used to build the container. +As part of the dockerfile, there are scripts in the scripts folder that run as root and vscode user that setup and install various programs. The dev container is built using https://github.com/devcontainers/cli From b0127fd1d7739e28930a4b09b11a1db43e8bd678 Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Fri, 6 Feb 2026 14:48:09 +0000 Subject: [PATCH 42/94] update .trivyignore --- .trivyignore.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/.trivyignore.yaml b/.trivyignore.yaml index f9052ce..ca32650 100644 --- a/.trivyignore.yaml +++ b/.trivyignore.yaml @@ -469,3 +469,28 @@ vulnerabilities: purls: - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-21780 + statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() " + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 From 119f27291567424bde1b14cb5643a177677ffe0b Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 15:20:18 +0000 Subject: [PATCH 43/94] try publishing image --- .github/workflows/pull_request.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 654d25d..1052066 100644 
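Review bot: Each new entry's `statement` repeats the upstream CVE title instead of recording why the finding is accepted in this image, which is what the field is for; when these expire on 2026-06-01 a reviewer cannot tell from `kernel: smb: client: fix UAF in smb2_reconnect_server()` whether the risk was judged not applicable or merely deferred. State the rationale alongside the title, for example `statement: "linux-libc-dev ships kernel headers only; no kernel code from this package runs in the container (upstream: smb client UAF)"`, if that is in fact the reasoning. The `purls` pin the exact package build `5.15.0-168.178` on arm64, so the ignores lapse automatically on the next package bump, which is the safer default and deserves a one-line comment so nobody "fixes" it by loosening the purl. The `CVE-2025-21780` statement has a stray trailing space before its closing quote.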
--- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -90,7 +90,7 @@ jobs: - get_issue_number - get_commit_id with: - publish_image: false + publish_image: true docker_tag: 'pr${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' secrets: EPS_REPO_STATUS_PEM: ${{ secrets.EPS_REPO_STATUS_PEM }} From 02d47c4213559152c1562f09c0a18c10738d8cb5 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 16:08:02 +0000 Subject: [PATCH 44/94] correct login --- .gitallowed | 2 ++ .github/workflows/build_multi_arch_image.yml | 13 +++++++++---- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/.gitallowed b/.gitallowed index 76bb1a8..bb5927a 100644 --- a/.gitallowed +++ b/.gitallowed @@ -1 +1,3 @@ id-token: write +password: \${{secrets\.GITHUB_TOKEN}} +\.gitallowed diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 2e3ea71..af4c3e2 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -151,9 +151,16 @@ jobs: uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 with: name: eps-devcontainer-base-${{ inputs.docker_tag }}-arm64.img + - name: Login to github container registry + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 + with: + registry: ghcr.io + username: ${{github.actor}} + password: ${{secrets.GITHUB_TOKEN}} + + - name: Load and push multi-arch image run: > - echo "${GITHUB_TOKEN}" | docker login ghcr.io -u "${GITHUB_ACTOR}" --password-stdin echo "loading images" docker load -i "eps-devcontainer-base-${DOCKER_TAG}-amd64.img" docker load -i "eps-devcontainer-base-${DOCKER_TAG}-arm64.img" 
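Review bot: Turning `publish_image` on for pull-request builds means the reusable workflow's push job runs for every PR, and as shown later in this series that job also creates and pushes the `latest` manifest unconditionally (`docker manifest push ".../eps-devcontainers:latest"`), so an unmerged PR build would replace the image consumers pull by default. Gate the `latest` tagging on a caller-controlled input, for instance a `publish_latest` input defaulting to `false`, with the `latest` tag, manifest and push commands wrapped in `if [ "${PUBLISH_LATEST}" = "true" ]; then … fi`, so PR builds publish only their `pr<issue>-<sha>` tag. The push job itself lives in the called workflow, outside this hunk.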
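Review bot: The new login step writes `${{github.actor}}` and `${{secrets.GITHUB_TOKEN}}` without the inner spaces used everywhere else in this file (`${{ inputs.docker_tag }}`, `${{ matrix.arch }}`), and the `.gitallowed` entry added in the same commit, `password: \${{secrets\.GITHUB_TOKEN}}`, matches only that exact spacing, so a later reformat of the line would start tripping git-secrets. Write `password: ${{ secrets.GITHUB_TOKEN }}` to match the file and make the allow pattern tolerate optional spaces, e.g. `password: \${{ ?secrets\.GITHUB_TOKEN ?}}` (check against the regex flavour git-secrets uses). Swapping the ad-hoc `docker login` line for the SHA-pinned login action is the right direction. The `Load and push multi-arch image` step's `run:` body continues outside this hunk.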
@@ -180,6 +187,4 @@ jobs: docker manifest push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}" docker manifest push "ghcr.io/nhsdigital/eps-devcontainers:latest" env: - DOCKER_TAG: '${{ inputs.docker_tag }}' - GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}' - GITHUB_ACTOR: '${{ github.actor }}' + DOCKER_TAG: ${{ inputs.docker_tag }} From 2d98a0c5354cb7fd26511daa8e127ce401971c91 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 6 Feb 2026 16:54:21 +0000 Subject: [PATCH 45/94] correct workflow --- .github/workflows/build_multi_arch_image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index af4c3e2..8006211 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -160,7 +160,7 @@ jobs: - name: Load and push multi-arch image - run: > + run: | echo "loading images" docker load -i "eps-devcontainer-base-${DOCKER_TAG}-amd64.img" docker load -i "eps-devcontainer-base-${DOCKER_TAG}-arm64.img" From 1ff48846c5136e839263413c962753e41a30fff2 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 07:31:23 +0000 Subject: [PATCH 46/94] build base image --- .github/workflows/build_multi_arch_image.yml | 38 +++---- Makefile | 5 +- scripts/generate_language_version_files.sh | 98 ------------------- src/base/.devcontainer/.tool-versions | 2 +- src/base/.devcontainer/Dockerfile | 5 - src/base/.devcontainer/devcontainer.json | 5 +- .../.devcontainer/scripts/root_install.sh | 20 ++-- .../.devcontainer/scripts/vscode_install.sh | 25 ----- 8 files changed, 35 insertions(+), 163 deletions(-) delete mode 100755 scripts/generate_language_version_files.sh diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 8006211..236bc88 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml 
@@ -63,9 +63,9 @@ jobs: run: > make build-base-image - docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" + docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" - docker save "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-base-${DOCKER_TAG}-${ARCHITECTURE}.img" + docker save "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-base-${DOCKER_TAG}-${ARCHITECTURE}.img" env: GH_TOKEN: ${{ steps.generate-token.outputs.token }} ARCHITECTURE: '${{ matrix.arch }}' @@ -81,7 +81,7 @@ jobs: uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "image" - image-ref: "ghcr.io/nhsdigital/eps-devcontainers:${{ inputs.docker_tag }}-${{ matrix.arch }}" + image-ref: "ghcr.io/nhsdigital/eps-devcontainers/base:${{ inputs.docker_tag }}-${{ matrix.arch }}" severity: "CRITICAL,HIGH" scanners: "vuln" vuln-type: "os,library" @@ -99,7 +99,7 @@ jobs: uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "image" - image-ref: "ghcr.io/nhsdigital/eps-devcontainers:${{ inputs.docker_tag }}-${{ matrix.arch }}" + image-ref: "ghcr.io/nhsdigital/eps-devcontainers/base:${{ inputs.docker_tag }}-${{ matrix.arch }}" severity: "CRITICAL,HIGH" scanners: "vuln" vuln-type: "os,library" @@ -111,7 +111,7 @@ jobs: - name: Show docker vulnerability output if: always() run: | - echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}" + echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" if [ -f scan_results_docker.txt ]; then cat scan_results_docker.txt fi 
@@ -166,25 +166,25 @@ jobs: docker load -i "eps-devcontainer-base-${DOCKER_TAG}-arm64.img" echo "Tagging latest images" - docker tag "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers:latest-amd64" - docker tag "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers:latest-arm64" + docker tag "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers/base:latest-amd64" + docker tag "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers/base:latest-arm64" echo "pushing images" - docker push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64" - docker push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-arm64" - docker push ghcr.io/nhsdigital/eps-devcontainers:latest-amd64 - docker push ghcr.io/nhsdigital/eps-devcontainers:latest-arm64 + docker push "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-amd64" + docker push "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-arm64" + docker push "ghcr.io/nhsdigital/eps-devcontainers/base:latest-amd64" + docker push "ghcr.io/nhsdigital/eps-devcontainers/base:latest-arm64" echo "creating manifest" - docker manifest create "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-amd64" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-arm64" - docker manifest create "ghcr.io/nhsdigital/eps-devcontainers:latest" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers:latest-amd64" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers:latest-arm64" + docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-amd64" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-arm64" + docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/base:latest" \ + --amend 
"ghcr.io/nhsdigital/eps-devcontainers/base:latest-amd64" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers/base:latest-arm64" echo "pushing manifest" - docker manifest push "ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}" - docker manifest push "ghcr.io/nhsdigital/eps-devcontainers:latest" + docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}" + docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/base:latest" env: DOCKER_TAG: ${{ inputs.docker_tag }} diff --git a/Makefile b/Makefile index 454c5bf..ea1d8ba 100644 --- a/Makefile +++ b/Makefile @@ -15,7 +15,7 @@ install-hooks: install-python poetry run pre-commit install --install-hooks --overwrite install-hooks: -build-base-image: generate-language-version-files +build-base-image: CONTAINER_NAME=$(CONTAINER_NAME) \ npx devcontainer build \ --workspace-folder ./src/base/ \ @@ -23,9 +23,6 @@ build-base-image: generate-language-version-files --platform linux/${ARCHITECTURE} \ --image-name "${IMAGE_NAME}" -generate-language-version-files: - ./scripts/generate_language_version_files.sh - scan-base-image: trivy image \ --severity HIGH,CRITICAL \ diff --git a/scripts/generate_language_version_files.sh b/scripts/generate_language_version_files.sh deleted file mode 100755 index 7f4821d..0000000 --- a/scripts/generate_language_version_files.sh +++ /dev/null 
@@ -1,98 +0,0 @@ -#!/usr/bin/env bash -set -e - -# Get the current directory of the script -SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -LANGUAGE_VERSIONS_DIR="${SCRIPT_DIR}/../src/base/.devcontainer/language_versions" - -# Check if the user is logged in with GitHub CLI -if ! gh auth status > /dev/null 2>&1; then - echo "You are not logged in to GitHub CLI. Initiating login..." - gh auth login -fi - -# Fetch the repos.json file from the eps-repo-status repository using GitHub CLI -REPOS_JSON_PATH="repos/NHSDigital/eps-repo-status/contents/repos.json" -TEMP_REPOS_JSON="/tmp/repos.json" - -# Download the repos.json file -if ! gh api -H 'Accept: application/vnd.github.v3.raw' "$REPOS_JSON_PATH" > "$TEMP_REPOS_JSON"; then - echo "Failed to fetch repos.json using GitHub CLI. Exiting." - exit 1 -fi - -# Parse the repoUrl values from the JSON file -mapfile -t REPOS < <(jq -r '.[].repoUrl' "$TEMP_REPOS_JSON") - -# Define output files -mkdir -p "${LANGUAGE_VERSIONS_DIR}" -NODEJS_FILE="${LANGUAGE_VERSIONS_DIR}/nodejs-versions.txt" -PYTHON_FILE="${LANGUAGE_VERSIONS_DIR}/python-versions.txt" -JAVA_FILE="${LANGUAGE_VERSIONS_DIR}/java-versions.txt" -TERRAFORM_FILE="${LANGUAGE_VERSIONS_DIR}/terraform-versions.txt" -GOLANG_FILE="${LANGUAGE_VERSIONS_DIR}/golang-versions.txt" -ALL_LANGUAGES_FILE="${LANGUAGE_VERSIONS_DIR}/language-versions.txt" -# Clear existing files -true > "$NODEJS_FILE" -true > "$PYTHON_FILE" -true > "$JAVA_FILE" -true > "$TERRAFORM_FILE" -true > "$GOLANG_FILE" -true > "$ALL_LANGUAGES_FILE" - -# Loop through repositories and fetch .tool-versions -for repo in "${REPOS[@]}"; do - TEMP_FILE="/tmp/.tool-versions" - - # Fetch .tool-versions from the repository - gh api -H 'Accept: application/vnd.github.v3.raw' "repos/${repo}/contents/.tool-versions" > "$TEMP_FILE" - - # Extract versions and append to respective files - if [ -f "$TEMP_FILE" ]; then - echo "" >> ${TEMP_FILE} - while IFS= read -r line; do - tool=$(echo "$line" | awk '{print $1}') - 
version=$(echo "$line" | awk '{print $2}') - - case $tool in - nodejs) - echo "$version" >> "$NODEJS_FILE" - echo "nodejs $version : ${repo}" >> "$ALL_LANGUAGES_FILE" - ;; - python) - echo "$version" >> "$PYTHON_FILE" - echo "python $version : ${repo}" >> "$ALL_LANGUAGES_FILE" - ;; - java) - echo "$version" >> "$JAVA_FILE" - echo "java $version : ${repo}" >> "$ALL_LANGUAGES_FILE" - ;; - terraform) - echo "$version" >> "$TERRAFORM_FILE" - echo "terraform $version : ${repo}" >> "$ALL_LANGUAGES_FILE" - ;; - golang) - echo "$version" >> "$GOLANG_FILE" - echo "golang $version : ${repo}" >> "$ALL_LANGUAGES_FILE" - ;; - poetry) - echo "poetry $version : ${repo}" >> "$ALL_LANGUAGES_FILE" - ;; - esac - done < "$TEMP_FILE" - fi - - # Remove temporary file - rm -f "$TEMP_FILE" -done - -# Remove duplicate entries from the files -sort -u "$NODEJS_FILE" -o "$NODEJS_FILE" -sort -u "$PYTHON_FILE" -o "$PYTHON_FILE" -sort -u "$JAVA_FILE" -o "$JAVA_FILE" -sort -u "$TERRAFORM_FILE" -o "$TERRAFORM_FILE" -sort -u "$GOLANG_FILE" -o "$GOLANG_FILE" -sort -u "$ALL_LANGUAGES_FILE" -o "$ALL_LANGUAGES_FILE" - -echo "Version files generated successfully." -cat "$ALL_LANGUAGES_FILE" diff --git a/src/base/.devcontainer/.tool-versions b/src/base/.devcontainer/.tool-versions index 79ed779..9d748cb 100644 --- a/src/base/.devcontainer/.tool-versions +++ b/src/base/.devcontainer/.tool-versions @@ -2,4 +2,4 @@ shellcheck 0.11.0 direnv 2.37.1 actionlint 1.7.10 ruby 3.3.0 -trivy 0.68.2 +trivy 0.69.1 diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 6c0e8d6..bc6c461 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile 
@@ -20,10 +20,5 @@ ENV PATH="/home/vscode/.asdf/shims/:$PATH" WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} COPY .tool-versions.asdf /home/vscode/.tool-versions.asdf COPY .tool-versions /home/vscode/.tool-versions -COPY language_versions/nodejs-versions.txt /tmp/nodejs-versions.txt -COPY language_versions/python-versions.txt /tmp/python-versions.txt -COPY language_versions/java-versions.txt /tmp/java-versions.txt -COPY language_versions/terraform-versions.txt /tmp/terraform-versions.txt -COPY language_versions/golang-versions.txt /tmp/golang-versions.txt RUN ./vscode_install.sh diff --git a/src/base/.devcontainer/devcontainer.json b/src/base/.devcontainer/devcontainer.json index 9f369d3..6ef919b 100644 --- a/src/base/.devcontainer/devcontainer.json +++ b/src/base/.devcontainer/devcontainer.json @@ -17,7 +17,10 @@ "moby": "true", "installDockerBuildx": "true" }, - "ghcr.io/devcontainers/features/github-cli:1": {} + "ghcr.io/devcontainers/features/github-cli:1": {}, + "ghcr.io/devcontainers/features/aws-cli:1": { + "version": "latest" + } } } diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index bdc0bc6..9f86e5c 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh 
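Review bot: `"version": "latest"` for the new aws-cli feature makes the image non-reproducible and installs whatever AWS CLI release exists at build time, in contrast to the pinning used elsewhere in this commit (the `.tool-versions` bump and the SHA-pinned workflow actions). Pin a specific release, `"version": "<aws-cli-version>"`, and bump it deliberately; if floating is intentional, say why beside it, e.g. `// "latest" accepted: AWS CLI v2 is backward compatible and the image is rebuilt regularly` — this file already uses `//` comments, so that is in keeping. The hand-rolled download this replaces is commented out in root_install.sh in a later hunk; the `features` map starts before this hunk.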
@@ -32,16 +32,16 @@ apt-get -y install --no-install-recommends htop vim curl git build-essential \ # install aws stuff # Download correct AWS CLI for arch -echo "Installing aws cli" -if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then - wget -O /tmp/awscliv2.zip --no-verbose "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" - else - wget -O /tmp/awscliv2.zip --no-verbose "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" - fi - unzip -q /tmp/awscliv2.zip -d /tmp/aws-cli - /tmp/aws-cli/aws/install - rm /tmp/awscliv2.zip - rm -rf /tmp/aws-cli +# echo "Installing aws cli" +# if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then +# wget -O /tmp/awscliv2.zip --no-verbose "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" +# else +# wget -O /tmp/awscliv2.zip --no-verbose "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" +# fi +# unzip -q /tmp/awscliv2.zip -d /tmp/aws-cli +# /tmp/aws-cli/aws/install +# rm /tmp/awscliv2.zip +# rm -rf /tmp/aws-cli # Download correct SAM CLI for arch echo "Installing aws-sam cli" diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh index 838353a..bfcc23e 100755 --- a/src/base/.devcontainer/scripts/vscode_install.sh +++ b/src/base/.devcontainer/scripts/vscode_install.sh 
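Review bot: The AWS CLI install block is commented out rather than removed, leaving ten dead lines that shellcheck no longer checks and that will drift from the feature-based install now declared in devcontainer.json; git history already preserves the old code. Delete the block and keep the explanation as one comment, `# AWS CLI is installed by the ghcr.io/devcontainers/features/aws-cli feature in devcontainer.json`. If the intent is to revert once the feature is validated, say so in that comment with an issue reference rather than keeping the code inline.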
@@ -31,31 +31,6 @@ asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git cd /home/vscode asdf install -# Read Node.js versions from file and install -while IFS= read -r version; do - asdf install nodejs "$version" -done < /tmp/nodejs-versions.txt - -# Read Python versions from file and install -while IFS= read -r version; do - asdf install python "$version" -done < /tmp/python-versions.txt - -# Read Java versions from file and install -# while IFS= read -r version; do -# asdf install java "$version" -# done < /tmp/java-versions.txt - -# Read Terraform versions from file and install -while IFS= read -r version; do - asdf install terraform "$version" -done < /tmp/terraform-versions.txt - -# Read Golang versions from file and install -while IFS= read -r version; do - asdf install golang "$version" -done < /tmp/golang-versions.txt - # setup gitsecrets git-secrets --register-aws --global git-secrets --add-provider --global -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt From fb4f07fc27208066c0922cae6b4646810f760451 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 07:58:44 +0000 Subject: [PATCH 47/94] fix it --- .github/workflows/pull_request.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 1052066..0796f80 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -9,7 +9,7 @@ jobs: dependabot-auto-approve-and-merge: needs: quality_checks uses: >- - NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432 + NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3 secrets: AUTOMERGE_APP_ID: '${{ secrets.AUTOMERGE_APP_ID }}' AUTOMERGE_PEM: '${{ secrets.AUTOMERGE_PEM }}' 
@@ -32,7 +32,7 @@ jobs: TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@trivy + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3 needs: - get_asdf_version with: @@ -41,7 +41,7 @@ jobs: SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}' pr_title_format_check: uses: >- - NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@2b3ddfd1e59daf9905522d0140c6cd08e2547432 + NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3 get_issue_number: runs-on: ubuntu-22.04 needs: quality_checks From c1635d9af94db331ed8dd68ec4569de2791043ad Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 08:19:59 +0000 Subject: [PATCH 48/94] more generic --- .github/workflows/build_multi_arch_image.yml | 65 +++++++++----------- .github/workflows/pull_request.yml | 3 +- .github/workflows/release.yml | 5 +- .trivyignore.yaml | 24 ++++++++ Makefile | 23 +++---- 5 files changed, 68 insertions(+), 52 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 236bc88..9d95662 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -8,9 +8,9 @@ name: Build and push docker image docker_tag: required: true type: string - secrets: - EPS_REPO_STATUS_PEM: + container_name: required: true + type: string jobs: build_image: 
@@ -48,40 +48,32 @@ jobs: uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f with: node-version-file: .tool-versions - - name: Generate a token to get details from other repositories - id: generate-token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf - with: - app-id: ${{ vars.EPS_REPO_STATUS_APP_ID }} - private-key: ${{ secrets.EPS_REPO_STATUS_PEM }} - owner: "NHSDigital" - name: make install run: | make install-node - name: Build container run: > - make build-base-image + make build-image - docker tag ghcr.io/nhsdigital/eps-devcontainer-base:latest "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" + docker tag "ghcr.io/nhsdigital/eps-devcontainers-${CONTAINER_NAME}:latest" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" - docker save "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-base-${DOCKER_TAG}-${ARCHITECTURE}.img" + docker save "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-${ARCHITECTURE}.img" env: - GH_TOKEN: ${{ steps.generate-token.outputs.token }} ARCHITECTURE: '${{ matrix.arch }}' DOCKER_TAG: '${{ inputs.docker_tag }}' - GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} + CONTAINER_NAME: '${{ inputs.container_name }}' - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload docker images with: - name: "eps-devcontainer-base-${{ inputs.docker_tag }}-${{ matrix.arch }}.img" + name: "eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-${{ matrix.arch }}.img" path: | - eps-devcontainer-base-${{ inputs.docker_tag }}-${{ matrix.arch }}.img + eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-${{ matrix.arch }}.img - name: Check docker vulnerabilities - json output uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 
with: scan-type: "image" - image-ref: "ghcr.io/nhsdigital/eps-devcontainers/base:${{ inputs.docker_tag }}-${{ matrix.arch }}" + image-ref: "ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}:${{ inputs.docker_tag }}-${{ matrix.arch }}" severity: "CRITICAL,HIGH" scanners: "vuln" vuln-type: "os,library" @@ -99,7 +91,7 @@ jobs: uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "image" - image-ref: "ghcr.io/nhsdigital/eps-devcontainers/base:${{ inputs.docker_tag }}-${{ matrix.arch }}" + image-ref: "ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}:${{ inputs.docker_tag }}-${{ matrix.arch }}" severity: "CRITICAL,HIGH" scanners: "vuln" vuln-type: "os,library" @@ -146,11 +138,11 @@ jobs: - name: Download amd64 images uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 with: - name: eps-devcontainer-base-${{ inputs.docker_tag }}-amd64.img + name: eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-amd64.img - name: Download arm64 images uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 with: - name: eps-devcontainer-base-${{ inputs.docker_tag }}-arm64.img + name: eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-arm64.img - name: Login to github container registry uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 with: 
@@ -162,29 +154,30 @@ jobs: - name: Load and push multi-arch image run: | echo "loading images" - docker load -i "eps-devcontainer-base-${DOCKER_TAG}-amd64.img" - docker load -i "eps-devcontainer-base-${DOCKER_TAG}-arm64.img" + docker load -i "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-amd64.img" + docker load -i "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-arm64.img" echo "Tagging latest images" - docker tag "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers/base:latest-amd64" - docker tag "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers/base:latest-arm64" + docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" + docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64" echo "pushing images" - docker push "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-amd64" - docker push "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-arm64" - docker push "ghcr.io/nhsdigital/eps-devcontainers/base:latest-amd64" - docker push "ghcr.io/nhsdigital/eps-devcontainers/base:latest-arm64" + docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" + docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" + docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" + docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64" echo "creating manifest" - docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-amd64" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-arm64" - docker manifest create 
"ghcr.io/nhsdigital/eps-devcontainers/base:latest" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers/base:latest-amd64" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers/base:latest-arm64" + docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" + docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64" echo "pushing manifest" - docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}" - docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/base:latest" + docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" + docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" env: DOCKER_TAG: ${{ inputs.docker_tag }} + CONTAINER_NAME: '${{ inputs.container_name }}' diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 0796f80..f07de62 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -92,5 +92,4 @@ jobs: with: publish_image: true docker_tag: 'pr${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' - secrets: - EPS_REPO_STATUS_PEM: ${{ secrets.EPS_REPO_STATUS_PEM }} + container_name: base diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8da9db2..efffec9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -23,7 +23,7 @@ jobs: TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3 needs: - get_asdf_version with: @@ -45,5 +45,4 @@ jobs: with: publish_image: true docker_tag: '${{ needs.tag_release.outputs.version_tag }}' - secrets: - EPS_REPO_STATUS_PEM: ${{ secrets.EPS_REPO_STATUS_PEM }} + container_name: base diff --git a/.trivyignore.yaml b/.trivyignore.yaml index ca32650..da35d5d 100644 --- a/.trivyignore.yaml +++ b/.trivyignore.yaml @@ -494,3 +494,27 @@ vulnerabilities: purls: - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" expired_at: 2026-06-01 + - id: CVE-2025-68121 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-61730 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2024-53179 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-37849 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-26007 + statement: "CHANGE ME" + expired_at: 2026-06-01 diff --git a/Makefile b/Makefile index ea1d8ba..245a2dc 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,10 @@ -CONTAINER_PREFIX=ghcr.io/nhsdigital/eps-devcontainer- -CONTAINER_NAME=base -IMAGE_NAME=${CONTAINER_PREFIX}$(CONTAINER_NAME) -WORKSPACE_FOLDER=. +CONTAINER_PREFIX=ghcr.io/nhsdigital/eps-devcontainers- + +guard-%: + @ if [ "${${*}}" = "" ]; then \ + echo "Environment variable $* not set"; \ + exit 1; \ + fi install: install-python install-node install-hooks 
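Review bot: The eight suppressions added to `.trivyignore.yaml` all carry `statement: "CHANGE ME"` and no `purls` scoping, so HIGH/CRITICAL findings are silenced until 2026-06-01 with no recorded justification and for every package in the image, unlike the preceding entry, which is restricted to one purl. Each entry should say why the finding is accepted (not reachable in this image, fix pending upstream, and so on) and be limited to the affected package, e.g. `statement: "<reason this finding is accepted here — to be filled in>"` plus a `purls:` list; the same applies to the three entries added in PATCH 53 of this series. A lint step that rejects the literal `CHANGE ME` would keep placeholder suppressions from reaching main.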
@@ -15,21 +18,19 @@ install-hooks: install-python poetry run pre-commit install --install-hooks --overwrite install-hooks: -build-base-image: - CONTAINER_NAME=$(CONTAINER_NAME) \ +build-image: guard-CONTAINER_NAME npx devcontainer build \ - --workspace-folder ./src/base/ \ + --workspace-folder ./src/$${CONTAINER_NAME}/ \ --push false \ - --platform linux/${ARCHITECTURE} \ - --image-name "${IMAGE_NAME}" + --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}" -scan-base-image: +scan-image: guard-CONTAINER_NAME trivy image \ --severity HIGH,CRITICAL \ --ignorefile .trivyignore.yaml \ --scanners vuln \ --exit-code 1 \ - --format table ${IMAGE_NAME} + --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}" lint: lint-githubactions From 438e1255bf30b1c891e706ce8398341ff7f2c4bd Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 08:29:43 +0000 Subject: [PATCH 49/94] fix name --- .github/workflows/build_multi_arch_image.yml | 2 +- Makefile | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 9d95662..927c0ab 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -56,7 +56,7 @@ jobs: run: > make build-image - docker tag "ghcr.io/nhsdigital/eps-devcontainers-${CONTAINER_NAME}:latest" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" + docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" docker save "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-${ARCHITECTURE}.img" env: diff --git a/Makefile b/Makefile index 245a2dc..99d85f3 100644 --- a/Makefile +++ b/Makefile 
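Review bot: `build-image` only checks that `CONTAINER_NAME` is non-empty before splicing it into `--workspace-folder ./src/$${CONTAINER_NAME}/` and the image name, so a typo or a path-like value produces a build from an unintended directory or a malformed tag instead of a clear error. A directory check after the guard would catch that early, e.g. `test -d "./src/$${CONTAINER_NAME}/.devcontainer" || { echo "unknown container $${CONTAINER_NAME}"; exit 1; }`. Dropping `--platform linux/${ARCHITECTURE}` also means the build now follows the runner's native architecture; that matches the per-arch runners used by the workflow, but it is worth stating in a comment on the target so nobody expects cross-building to work.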
@@ -1,4 +1,4 @@ -CONTAINER_PREFIX=ghcr.io/nhsdigital/eps-devcontainers- +CONTAINER_PREFIX=ghcr.io/nhsdigital/eps-devcontainers/ guard-%: @ if [ "${${*}}" = "" ]; then \ @@ -30,7 +30,7 @@ scan-image: guard-CONTAINER_NAME --ignorefile .trivyignore.yaml \ --scanners vuln \ --exit-code 1 \ - --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}" + --format table "${CONTAINER_PREFIX}/$${CONTAINER_NAME}" lint: lint-githubactions From 57f26d54ebbdf3ba595842b2ae05a856209f0579 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 09:23:13 +0000 Subject: [PATCH 50/94] add another image --- Makefile | 1 - src/base/.devcontainer/Dockerfile | 1 + .../.devcontainer/scripts/vscode_install.sh | 7 ------ src/common/Dockerfile | 9 ++++++++ .../.devcontainer/devcontainer.json | 23 +++++++++++++++++++ 5 files changed, 33 insertions(+), 8 deletions(-) create mode 100644 src/common/Dockerfile create mode 100644 src/node_24_python_3.14/.devcontainer/devcontainer.json diff --git a/Makefile b/Makefile index 99d85f3..1654e93 100644 --- a/Makefile +++ b/Makefile @@ -17,7 +17,6 @@ install-node: install-hooks: install-python poetry run pre-commit install --install-hooks --overwrite -install-hooks: build-image: guard-CONTAINER_NAME npx devcontainer build \ --workspace-folder ./src/$${CONTAINER_NAME}/ \ diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index bc6c461..bc39b56 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile @@ -22,3 +22,4 @@ COPY .tool-versions.asdf /home/vscode/.tool-versions.asdf COPY .tool-versions /home/vscode/.tool-versions RUN ./vscode_install.sh +WORKDIR /home/vscode diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh index bfcc23e..2759bce 100755 --- a/src/base/.devcontainer/scripts/vscode_install.sh +++ b/src/base/.devcontainer/scripts/vscode_install.sh 
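Review bot: With `CONTAINER_PREFIX` now ending in `/` (first hunk), the `--format table "${CONTAINER_PREFIX}/$${CONTAINER_NAME}"` line in `scan-image` expands to `ghcr.io/nhsdigital/eps-devcontainers//base`, a reference that `build-image` (outside this hunk) never produces, so the scan will not find the image it was meant to check. The separator should live in one place only: `--format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}"`. PATCH 53 later in this series makes exactly that correction.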
@@ -13,17 +13,10 @@ echo 'export GEM_HOME="$HOME/gems"' >> ~/.bashrc echo 'export PATH="$HOME/gems/bin:$PATH"' >> ~/.bashrc # Install ASDF plugins -asdf plugin add python -asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git asdf plugin add shellcheck https://github.com/luizm/asdf-shellcheck.git -asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git asdf plugin add direnv asdf plugin add actionlint asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git -asdf plugin add java -asdf plugin add maven -asdf plugin add golang https://github.com/kennyp/asdf-golang.git -asdf plugin add golangci-lint https://github.com/hypnoglow/asdf-golangci-lint.git asdf plugin add terraform https://github.com/asdf-community/asdf-hashicorp.git asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git diff --git a/src/common/Dockerfile b/src/common/Dockerfile new file mode 100644 index 0000000..69227f5 --- /dev/null +++ b/src/common/Dockerfile @@ -0,0 +1,9 @@ +FROM ghcr.io/nhsdigital/eps-devcontainers/base:latest + +# common Dockerfile used to setup poetry after installing python + +ARG POETRY_VERSION=2.3.2 + +RUN curl -sSL https://install.python-poetry.org | python3 - --version ${POETRY_VERSION} + +ENV PATH="/home/vscode/.local/bin:${PATH}" diff --git a/src/node_24_python_3.14/.devcontainer/devcontainer.json b/src/node_24_python_3.14/.devcontainer/devcontainer.json new file mode 100644 index 0000000..83773b5 --- /dev/null +++ b/src/node_24_python_3.14/.devcontainer/devcontainer.json 
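Review bot: `RUN curl -sSL https://install.python-poetry.org | python3 - --version ${POETRY_VERSION}` runs an unverified remote script during the image build; only the resulting Poetry version is pinned, not the installer itself, so the build's integrity depends on whatever that URL serves at build time. Prefer a source that can be pinned and hash-checked, e.g. `RUN python3 -m pip install --no-cache-dir "poetry==${POETRY_VERSION}"` (with a hash-pinned constraints file if the project uses one), or download the installer once and verify it against a recorded checksum before running it. `FROM ghcr.io/nhsdigital/eps-devcontainers/base:latest` is likewise a moving reference; PATCH 51 in this series turns it into a build argument, but one that still defaults to `latest`, so a digest or release tag would be the reproducible choice. Note too that `python3` here resolves to whatever the base image provides, not to the Python feature declared in devcontainer.json, which as far as I can tell is layered on after this Dockerfile is built — worth confirming Poetry ends up bound to the intended interpreter.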
@@ -0,0 +1,23 @@ +// For format details, see https://aka.ms/devcontainer.json. For config options, see the +// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu +{ + "name": "EPS Devcontainer node_24 python_3.14", + // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile + "build": { + "dockerfile": "../../common/Dockerfile", + "args": {} + }, + "runArgs": [ + "--network=host" + ], + "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, + "features": { + "ghcr.io/devcontainers/features/node:1": { + "version": "24.13.1" + }, + "ghcr.io/devcontainers/features/python:1": { + "version": "3.14.3" + } + } + } + From 9236a42723e806865b4ef8688ddf01c35ffd31f5 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 10:04:34 +0000 Subject: [PATCH 51/94] build more images --- .github/workflows/build_multi_arch_image.yml | 31 +++++++++++++------ .github/workflows/pull_request.yml | 14 +++++++-- .github/workflows/release.yml | 2 +- Makefile | 2 +- src/common/Dockerfile | 4 ++- .../.devcontainer/devcontainer.json | 4 ++- 6 files changed, 41 insertions(+), 16 deletions(-) rename src/{node_24_python_3.14 => node_24_python_3_14}/.devcontainer/devcontainer.json (90%) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 927c0ab..8b74393 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -2,7 +2,7 @@ name: Build and push docker image 'on': workflow_call: inputs: - publish_image: + tag_latest: required: true type: boolean docker_tag: @@ -63,6 +63,7 @@ jobs: ARCHITECTURE: '${{ matrix.arch }}' DOCKER_TAG: '${{ inputs.docker_tag }}' CONTAINER_NAME: '${{ inputs.container_name }}' + BASE_VERSION: ${{ inputs.docker_tag}} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload docker images with: 
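Review bot: `"runArgs": ["--network=host"]` gives the dev container the host's network namespace, so anything the container binds is exposed exactly as if it ran on the host and the container can reach host-local listeners; that may be deliberate for this development setup, but the reason belongs next to the setting, e.g. `// --network=host: <reason> — revisit if forwardPorts is enough`, which devcontainer.json accepts as the file's own header comments show. The same flag appears in the node_24_python_3_13 variant added in PATCH 54. Separately, the closing `}` is indented one level and the file ends with an extra blank line, so a formatter pass would tidy it.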
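Review bot: `BASE_VERSION: ${{ inputs.docker_tag}}` is the only entry in this `env:` block left unquoted (and has uneven spacing inside the braces) while its three siblings wrap the expression in single quotes; write it as `BASE_VERSION: '${{ inputs.docker_tag }}'` for consistency. The value also ties the derived image build to a base image that must already be pushed under the same tag, which only holds when the caller runs the base job first; a one-line comment stating that precondition would save the next reader a trip to the calling workflow.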
@@ -114,7 +115,6 @@ jobs:
 publish_image:
 needs: build_image
 runs-on: ubuntu-22.04
- if: ${{ inputs.publish_image }}
 permissions:
 contents: read
 packages: write
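Review bot: Removing `if: ${{ inputs.publish_image }}` makes `publish_image` unconditional, so every invocation, PR builds included, now pushes per-arch images and a manifest to ghcr, with only the `latest` tags left behind a flag in the next hunk of this file. If that is intended, the `pr-<n>-<sha>` tags will accumulate unless a cleanup policy exists, and on pull requests from forks `GITHUB_TOKEN` has no `packages: write`, so the job would fail rather than skip; keeping an explicit condition, for example `if: ${{ github.event.pull_request.head.repo.fork != true }}`, or retaining a `publish_image` input would make both cases deliberate.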
@@ -150,33 +150,44 @@ jobs: username: ${{github.actor}} password: ${{secrets.GITHUB_TOKEN}} - - - name: Load and push multi-arch image + - name: Load and push multi-arch tagged image run: | echo "loading images" docker load -i "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-amd64.img" docker load -i "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-arm64.img" + echo "pushing images" + docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" + docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" + + echo "creating manifest" + docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" \ + --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" + + echo "pushing manifest" + docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" + env: + DOCKER_TAG: ${{ inputs.docker_tag }} + CONTAINER_NAME: '${{ inputs.container_name }}' + + - name: Load and push multi-arch latest image + if: ${{ inputs.tag_latest }} + run: | echo "Tagging latest images" docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64" echo "pushing images" - docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" - docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64" echo "creating manifest" - docker manifest create 
"ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" \ --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" \ --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64" echo "pushing manifest" - docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" env: DOCKER_TAG: ${{ inputs.docker_tag }} diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index f07de62..88fda51 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -84,12 +84,22 @@ jobs: # echo "commit_id=${{ github.sha }}" >> "$GITHUB_ENV" echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT" echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" - package_docker_image: + package_base_docker_image: uses: ./.github/workflows/build_multi_arch_image.yml needs: - get_issue_number - get_commit_id with: - publish_image: true + tag_latest: false docker_tag: 'pr${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' container_name: base + package_node_24_python_3_14_docker_image: + uses: ./.github/workflows/build_multi_arch_image.yml + needs: + - get_issue_number + - get_commit_id + - package_base_docker_image + with: + tag_latest: false + docker_tag: 'pr${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' + container_name: node_24_python_3_14 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index efffec9..ab35ddb 100644 --- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml @@ -43,6 +43,6 @@ jobs: needs: tag_release uses: ./.github/workflows/build_multi_arch_image.yml with: - publish_image: true + tag_latest: true docker_tag: '${{ needs.tag_release.outputs.version_tag }}' container_name: base diff --git a/Makefile b/Makefile index 1654e93..47ef153 100644 --- a/Makefile +++ b/Makefile @@ -17,7 +17,7 @@ install-node: install-hooks: install-python poetry run pre-commit install --install-hooks --overwrite -build-image: guard-CONTAINER_NAME +build-image: guard-CONTAINER_NAME guard-BASE_VERSION npx devcontainer build \ --workspace-folder ./src/$${CONTAINER_NAME}/ \ --push false \ diff --git a/src/common/Dockerfile b/src/common/Dockerfile index 69227f5..84ca1d6 100644 --- a/src/common/Dockerfile +++ b/src/common/Dockerfile @@ -1,4 +1,6 @@ -FROM ghcr.io/nhsdigital/eps-devcontainers/base:latest +ARG BASE_VERSION=latest + +FROM ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION} # common Dockerfile used to setup poetry after installing python diff --git a/src/node_24_python_3.14/.devcontainer/devcontainer.json b/src/node_24_python_3_14/.devcontainer/devcontainer.json similarity index 90% rename from src/node_24_python_3.14/.devcontainer/devcontainer.json rename to src/node_24_python_3_14/.devcontainer/devcontainer.json index 83773b5..c033f16 100644 --- a/src/node_24_python_3.14/.devcontainer/devcontainer.json +++ b/src/node_24_python_3_14/.devcontainer/devcontainer.json @@ -5,7 +5,9 @@ // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile "build": { "dockerfile": "../../common/Dockerfile", - "args": {} + "args": { + "BASE_VERSION": "${localEnv:BASE_VERSION}" + } }, "runArgs": [ "--network=host" From bbadc2d5e865d365d837789314edeeb7fb35af3f Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 10:20:09 +0000 Subject: [PATCH 52/94] correct tag --- .github/workflows/pull_request.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
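Review bot: `"BASE_VERSION": "${localEnv:BASE_VERSION}"` expands to an empty string when the variable is not set, and because the build arg is then passed explicitly it does not fall back to the `ARG BASE_VERSION=latest` default in `src/common/Dockerfile` (earlier hunk in this commit), leaving `FROM ghcr.io/nhsdigital/eps-devcontainers/base:` and an opaque build failure for anyone who opens the folder in the editor without going through the Makefile's `guard-BASE_VERSION`. Either omit the arg from devcontainer.json so the Dockerfile default applies, or document next to it that `BASE_VERSION` must be exported before opening the folder. Independently of that, a default of `latest` is a moving target; a pinned tag or digest would make local and CI builds reproducible.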
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 88fda51..9f76321 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -91,7 +91,7 @@ jobs: - get_commit_id with: tag_latest: false - docker_tag: 'pr${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' + docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' container_name: base package_node_24_python_3_14_docker_image: uses: ./.github/workflows/build_multi_arch_image.yml @@ -101,5 +101,5 @@ jobs: - package_base_docker_image with: tag_latest: false - docker_tag: 'pr${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' + docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' container_name: node_24_python_3_14 From 828a1822905f38c12fa565d752dc9dc01aa40870 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 10:34:55 +0000 Subject: [PATCH 53/94] update trivyignore --- .trivyignore.yaml | 9 +++++++++ Makefile | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.trivyignore.yaml b/.trivyignore.yaml index da35d5d..62fcf7b 100644 --- a/.trivyignore.yaml +++ b/.trivyignore.yaml @@ -518,3 +518,12 @@ vulnerabilities: - id: CVE-2026-26007 statement: "CHANGE ME" expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-23949 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-24049 + statement: "CHANGE ME" + expired_at: 2026-06-01 diff --git a/Makefile b/Makefile index 47ef153..d75d048 100644 --- a/Makefile +++ b/Makefile 
@@ -29,7 +29,7 @@ scan-image: guard-CONTAINER_NAME --ignorefile .trivyignore.yaml \ --scanners vuln \ --exit-code 1 \ - --format table "${CONTAINER_PREFIX}/$${CONTAINER_NAME}" + --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}" lint: lint-githubactions From 1bed137facd0b0e1e2074b5a33439675fd05e263 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 11:28:06 +0000 Subject: [PATCH 54/94] build multiple images --- .github/workflows/build_all_images.yml | 36 +++++++++++++++++++ .github/workflows/pull_request.yml | 17 ++------- .github/workflows/release.yml | 9 +++-- .../.devcontainer/devcontainer.json | 25 +++++++++++++ 4 files changed, 68 insertions(+), 19 deletions(-) create mode 100644 .github/workflows/build_all_images.yml create mode 100644 src/node_24_python_3_13/.devcontainer/devcontainer.json diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml new file mode 100644 index 0000000..535f581 --- /dev/null +++ b/.github/workflows/build_all_images.yml @@ -0,0 +1,36 @@ +name: build_all_images +'on': + workflow_call: + inputs: + docker_tag: + required: true + type: string + tag_latest: + required: true + type: boolean +env: + BRANCH_NAME: '${{ github.event.pull_request.head.ref }}' +jobs: + package_base_docker_image: + uses: ./.github/workflows/build_multi_arch_image.yml + with: + tag_latest: ${{ inputs.tag_latest }} + docker_tag: ${{ inputs.docker_tag }} + container_name: base + package_non_base_docker_image: + runs-on: ubuntu-22.04 + needs: + - package_base_docker_image + strategy: + fail-fast: false + matrix: + include: + - container_name: node_24_python_3_14 + - container_name: node_24_python_3_13 + steps: + - name: build + uses: ./.github/workflows/build_multi_arch_image.yml + with: + tag_latest: ${{ inputs.tag_latest }} + docker_tag: ${{ inputs.docker_tag }} + container_name: ${{ matrix.container_name }} 
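Review bot: The workflow-level `env: BRANCH_NAME: '${{ github.event.pull_request.head.ref }}'` in `build_all_images.yml` is not referenced by either job in the file, and when the workflow is called from release.yml there is no pull_request payload, so it is an empty dead variable; remove it or keep it in the caller that actually needs it. The `package_non_base_docker_image` job also invokes the reusable workflow from a `steps:` entry, which GitHub does not support (a workflow file can only be consumed through a job-level `uses:`); PATCH 57 in this series corrects that.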
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 9f76321..3e39073 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -84,22 +84,11 @@ jobs: # echo "commit_id=${{ github.sha }}" >> "$GITHUB_ENV" echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT" echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" - package_base_docker_image: - uses: ./.github/workflows/build_multi_arch_image.yml + build_all_images: needs: - get_issue_number - get_commit_id - with: - tag_latest: false + uses: ./.github/workflows/build_all_images.yml + with: docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' - container_name: base - package_node_24_python_3_14_docker_image: - uses: ./.github/workflows/build_multi_arch_image.yml - needs: - - get_issue_number - - get_commit_id - - package_base_docker_image - with: tag_latest: false - docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' - container_name: node_24_python_3_14 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ab35ddb..0a4876c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -39,10 +39,9 @@ jobs: branch_name: main tag_format: ${{ needs.get_asdf_version.outputs.tag_format }} secrets: inherit - package_docker_image: + build_all_images: needs: tag_release - uses: ./.github/workflows/build_multi_arch_image.yml - with: - tag_latest: true + uses: ./.github/workflows/build_all_images.yml + with: docker_tag: '${{ needs.tag_release.outputs.version_tag }}' - container_name: base + tag_latest: true diff --git a/src/node_24_python_3_13/.devcontainer/devcontainer.json b/src/node_24_python_3_13/.devcontainer/devcontainer.json new file mode 100644 index 0000000..58a0c60 --- /dev/null +++ b/src/node_24_python_3_13/.devcontainer/devcontainer.json 
@@ -0,0 +1,25 @@ +// For format details, see https://aka.ms/devcontainer.json. For config options, see the +// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu +{ + "name": "EPS Devcontainer node_24 python_3.13", + // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile + "build": { + "dockerfile": "../../common/Dockerfile", + "args": { + "BASE_VERSION": "${localEnv:BASE_VERSION}" + } + }, + "runArgs": [ + "--network=host" + ], + "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, + "features": { + "ghcr.io/devcontainers/features/node:1": { + "version": "24.13.1" + }, + "ghcr.io/devcontainers/features/python:1": { + "version": "3.13.12" + } + } + } + From 989fd406edd241fc0c408d22e90e01aeb7157a16 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 11:32:33 +0000 Subject: [PATCH 55/94] debug to find scan results --- .github/workflows/build_multi_arch_image.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 8b74393..df2d6b4 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -27,8 +27,7 @@ jobs: runner: ubuntu-22.04-arm steps: - name: Free Disk Space for Docker - uses: >- - endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885 + uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885 with: remove_android: true remove_dotnet: true @@ -82,6 +81,10 @@ jobs: output: "scan_results_docker.json" exit-code: "0" trivy-config: trivy.yaml + - name: find scan results + run: | + ls -lart + find . -name "scan_results_docker.json" - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload scan results with: From 0b67ad5f4c9d0a96141985e965fe6aabc9cf099a Mon Sep 17 00:00:00 2001 
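Review bot: `"runArgs": ["--network=host"]` removes the devcontainer's network namespace isolation, so anything executing inside it (including the npm and pip tooling installed by the features) can reach services bound to the host's localhost and to the host's LAN. If this only exists to reach a few local ports, `forwardPorts` keeps the isolation; if host networking is genuinely required, a comment above `runArgs` stating which service needs it (e.g. `// host networking required for <service> — TODO confirm`) stops the flag being copied unexamined into the other image definitions.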
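Review bot: The `find scan results` step added at `@@ -82,6 +81,10 @@` is a diagnostic left in the workflow, and it will not surface the cause: the upload step just below the hunk declares `path: |` with a quoted `"scan_results_docker.json"` inside the block scalar, so the quotes become part of the path and the artifact is never found — patch 56 ("try a single path") corrects exactly that. Diagnostic steps like this should be removed before merge (patch 60 does remove it) or guarded with `if: runner.debug == '1'` so they only run when step debugging is enabled.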
From: Anthony Brown Date: Thu, 12 Feb 2026 11:51:55 +0000 Subject: [PATCH 56/94] try a single path --- .github/workflows/build_multi_arch_image.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index df2d6b4..2678be8 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -89,8 +89,7 @@ jobs: name: Upload scan results with: name: "scan_results_docker_${{ matrix.arch }}.json" - path: | - "scan_results_docker.json" + path: scan_results_docker.json - name: Check docker vulnerabilities - table output uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: From f096643163e35f08de4f536b23e670591575eb28 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 11:59:21 +0000 Subject: [PATCH 57/94] fix matrix --- .github/workflows/build_all_images.yml | 13 +++++-------- .github/workflows/build_multi_arch_image.yml | 6 +++--- 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml index 535f581..331a9ac 100644 --- a/.github/workflows/build_all_images.yml +++ b/.github/workflows/build_all_images.yml @@ -18,7 +18,6 @@ jobs: docker_tag: ${{ inputs.docker_tag }} container_name: base package_non_base_docker_image: - runs-on: ubuntu-22.04 needs: - package_base_docker_image strategy: @@ -27,10 +26,8 @@ jobs: include: - container_name: node_24_python_3_14 - container_name: node_24_python_3_13 - steps: - - name: build - uses: ./.github/workflows/build_multi_arch_image.yml - with: - tag_latest: ${{ inputs.tag_latest }} - docker_tag: ${{ inputs.docker_tag }} - container_name: ${{ matrix.container_name }} + uses: ./.github/workflows/build_multi_arch_image.yml + with: + tag_latest: ${{ inputs.tag_latest }} + docker_tag: ${{ inputs.docker_tag }} + container_name: ${{ matrix.container_name }} 
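Review bot: The matrix at `@@ -27,10 +26,8 @@` uses `include:` with a single key, which reads as a list of per-entry overrides; a plain list, `matrix: container_name: [node_24_python_3_14, node_24_python_3_13]`, expresses the same set of jobs more directly and is easier to extend. It is also not visible from this hunk how the non-base builds select their base image: `needs: package_base_docker_image` orders them after the base build, but unless the called workflow resolves `BASE_VERSION` to the `docker_tag` produced in this run, a PR build may be layered on the previously published base rather than the one just built — worth confirming in `build_multi_arch_image.yml`.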
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 2678be8..f024b36 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -14,6 +14,7 @@ name: Build and push docker image jobs: build_image: + name: Build image for ${{ inputs.container_name }} permissions: id-token: write runs-on: '${{ matrix.runner }}' @@ -115,7 +116,7 @@ jobs: DOCKER_TAG: '${{ inputs.docker_tag }}' publish_image: - needs: build_image + name: Publish image for ${{ inputs.container_name }} runs-on: ubuntu-22.04 permissions: contents: read @@ -124,8 +125,7 @@ jobs: id-token: write steps: - name: Free Disk Space for Docker - uses: >- - endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885 + uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885 with: remove_android: true remove_dotnet: true From 831b8b7da36581114bbb9506d1308586b779e63f Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 12:04:24 +0000 Subject: [PATCH 58/94] add needs --- .github/workflows/build_multi_arch_image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index f024b36..a91f006 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -118,6 +118,7 @@ jobs: publish_image: name: Publish image for ${{ inputs.container_name }} runs-on: ubuntu-22.04 + needs: build_image permissions: contents: read packages: write From 4cd5eacdfa373f3622b53e84a4486a5ef1ebd17e Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 12:10:45 +0000 Subject: [PATCH 59/94] fix name --- .github/workflows/build_multi_arch_image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index a91f006..36bb97c 100644 
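Review bot: At `@@ -115,7 +116,7 @@` the `needs: build_image` line is replaced by the new `name:` rather than kept alongside it, so `publish_image` no longer waits for the build job (nor for the artifacts it produces) and can start immediately; patch 58 ("add needs") restores the line. When adding a `name:` to a job, insert it above the existing keys instead of swapping a line, i.e. `name: Publish image for ${{ inputs.container_name }}` followed by `needs: build_image`.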
--- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -14,7 +14,7 @@ name: Build and push docker image jobs: build_image: - name: Build image for ${{ inputs.container_name }} + name: Build image for ${{ inputs.container_name }} on ${{ matrix.arch }} permissions: id-token: write runs-on: '${{ matrix.runner }}' From 194411235e6150ccf6347f0d097d65c3b5db8bca Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 12:32:44 +0000 Subject: [PATCH 60/94] use specific trivyignore --- .github/workflows/build_multi_arch_image.yml | 23 +- .gitignore | 1 + Makefile | 8 +- src/base/.trivyignore.yaml | 1 + src/base/trivy.yaml | 1 + src/common/.trivyignore.yaml | 502 ++++++++++++++++++ src/node_24_python_3_13/.trivyignore.yaml | 529 +++++++++++++++++++ src/node_24_python_3_13/trivy.yaml | 1 + src/node_24_python_3_14/.trivyignore.yaml | 28 + src/node_24_python_3_14/trivy.yaml | 1 + 10 files changed, 1084 insertions(+), 11 deletions(-) create mode 100644 src/base/.trivyignore.yaml create mode 100644 src/base/trivy.yaml create mode 100644 src/common/.trivyignore.yaml create mode 100644 src/node_24_python_3_13/.trivyignore.yaml create mode 100644 src/node_24_python_3_13/trivy.yaml create mode 100644 src/node_24_python_3_14/.trivyignore.yaml create mode 100644 src/node_24_python_3_14/trivy.yaml diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 36bb97c..240b7f3 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml 
@@ -53,12 +53,19 @@ jobs: run: | make install-node - name: Build container - run: > + run: | make build-image - docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" - docker save "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-${ARCHITECTURE}.img" + + # create combined trivy ignore file for use in trivy scan, combining common and specific ignore files if they exist + combined="src/${CONTAINER_NAME}/.trivyignore_combined.yaml" + common="src/common/.trivyignore.yaml" + specific="src/${CONTAINER_NAME}/.trivyignore.yaml" + echo "vulnerabilities:" > "$combined" + if [ -f "$common" ]; then sed -n '2,$p' "$common" >> "$combined"; fi + if [ -f "$specific" ]; then sed -n '2,$p' "$specific" >> "$combined"; fi + env: ARCHITECTURE: '${{ matrix.arch }}' DOCKER_TAG: '${{ inputs.docker_tag }}' @@ -81,15 +88,11 @@ jobs: format: "json" output: "scan_results_docker.json" exit-code: "0" - trivy-config: trivy.yaml - - name: find scan results - run: | - ls -lart - find . -name "scan_results_docker.json" + trivy-config: src/${{ inputs.container_name }}/trivy.yaml - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload scan results with: - name: "scan_results_docker_${{ matrix.arch }}.json" + name: "scan_results_docker_${{ inputs.container_name }}_${{ matrix.arch }}.json" path: scan_results_docker.json - name: Check docker vulnerabilities - table output uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 @@ -102,7 +105,7 @@ jobs: format: "table" output: "scan_results_docker.txt" exit-code: "1" - trivy-config: trivy.yaml + trivy-config: src/${{ inputs.container_name }}/trivy.yaml - name: Show docker vulnerability output if: always() diff --git a/.gitignore b/.gitignore index 42dd729..0e266d2 100644 --- a/.gitignore +++ b/.gitignore 
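Review bot: The combined-ignore-file script added at `@@ -53,12 +53,19 @@` assumes each `.trivyignore.yaml` has the `vulnerabilities:` key on exactly its first line: `sed -n '2,$p'` silently drops a real first entry if a file ever starts with `---` or a comment, and keeps a duplicate header if it sits on any later line, so the combined file can end up one Trivy parses as having no ignores at all. Filter by content instead, e.g. `sed '/^vulnerabilities:/d' "$common" >> "$combined"` (sed still exits 0 on the header-only `src/base/.trivyignore.yaml` added in this patch, which matters under the default `bash -e` step shell). The same lines are duplicated in the Makefile `scan-image` target (`@@ -24,9 +24,15 @@`, next hunk); since this step already calls `make build-image`, a single make target that both the workflow and `scan-image` invoke would keep the two copies from drifting.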
@@ -1,3 +1,4 @@ node_modules/ .venv/ src/base/.devcontainer/language_versions/ +.trivyignore_combined.yaml diff --git a/Makefile b/Makefile index d75d048..e89d2ae 100644 --- a/Makefile +++ b/Makefile @@ -24,9 +24,15 @@ build-image: guard-CONTAINER_NAME guard-BASE_VERSION --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}" scan-image: guard-CONTAINER_NAME + @combined="src/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ + common="src/common/.trivyignore.yaml"; \ + specific="src/$${CONTAINER_NAME}/.trivyignore.yaml"; \ + echo "vulnerabilities:" > "$$combined"; \ + if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \ + if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi trivy image \ --severity HIGH,CRITICAL \ - --ignorefile .trivyignore.yaml \ + --config src/${CONTAINER_NAME}/trivy.yaml \ --scanners vuln \ --exit-code 1 \ --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}" diff --git a/src/base/.trivyignore.yaml b/src/base/.trivyignore.yaml new file mode 100644 index 0000000..8697da6 --- /dev/null +++ b/src/base/.trivyignore.yaml @@ -0,0 +1 @@ +vulnerabilities: diff --git a/src/base/trivy.yaml b/src/base/trivy.yaml new file mode 100644 index 0000000..48343ee --- /dev/null +++ b/src/base/trivy.yaml @@ -0,0 +1 @@ +ignorefile: "src/base/.trivyignore_combined.yaml" diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml new file mode 100644 index 0000000..89d5f1f --- /dev/null +++ b/src/common/.trivyignore.yaml 
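Review bot: `--config src/${CONTAINER_NAME}/trivy.yaml` expands `CONTAINER_NAME` as a make variable, while every other reference in this recipe and in `build-image` uses the shell form `$${CONTAINER_NAME}` (`"${CONTAINER_PREFIX}$${CONTAINER_NAME}"` two lines below, and the `combined`/`specific` assignments just added). Both resolve when the name is exported or passed on make's command line, but mixing the two forms in one recipe invites a later edit that sets it one way and not the other; use `--config "src/$${CONTAINER_NAME}/trivy.yaml"` to match the file's convention. The `@` on the first recipe line also hides the combined-file generation from the log, which makes a missing or mis-named ignore file harder to diagnose in CI.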
@@ -0,0 +1,502 @@ +vulnerabilities: + - id: CVE-2026-25547 + statement: "@isaacs/brace-expansion has Uncontrolled Resource Consumption" + purls: + - "pkg:npm/%40isaacs/brace-expansion@5.0.0" + expired_at: 2026-06-01 + - id: CVE-2021-3807 + statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" + purls: + - "pkg:npm/ansi-regex@3.0.0" + expired_at: 2026-06-01 + - id: CVE-2021-3807 + statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" + purls: + - "pkg:npm/ansi-regex@5.0.0" + expired_at: 2026-06-01 + - id: CVE-2025-64756 + statement: "glob glob Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@10.4.5" + expired_at: 2026-06-01 + - id: CVE-2025-64756 + statement: "glob glob Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@11.0.3" + expired_at: 2026-06-01 + - id: CVE-2022-25881 + statement: "http-cache-semantics Regular Expression Denial of Service (ReDoS) vulnerability" + purls: + - "pkg:npm/http-cache-semantics@4.1.0" + expired_at: 2026-06-01 + - id: CVE-2024-29415 + statement: "node-ip Incomplete fix for CVE-2023-42282" + purls: + - "pkg:npm/ip@1.1.5" + expired_at: 2026-06-01 + - id: CVE-2022-3517 + statement: "nodejs-minimatch ReDoS via the braceExpand function" + purls: + - "pkg:npm/minimatch@3.0.4" + expired_at: 2026-06-01 + - id: CVE-2026-0775 + statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" + purls: + - "pkg:npm/npm@11.6.2" + expired_at: 2026-06-01 + - id: CVE-2022-29244 + statement: "nodejs npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace" + purls: + - "pkg:npm/npm@8.5.0" + expired_at: 2026-06-01 + - id: CVE-2026-0775 + statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" + purls: + - "pkg:npm/npm@8.5.0" + expired_at: 2026-06-01 + - id: 
CVE-2022-25883 + statement: "nodejs-semver Regular expression denial of service" + purls: + - "pkg:npm/semver@7.3.5" + expired_at: 2026-06-01 + - id: CVE-2026-23745 + statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-23950 + statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-23745 + statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2026-23950 + statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2022-40897 + statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2024-6345 + statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2025-47273 + statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2022-40897 + statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" 
+ purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2024-6345 + statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2025-47273 + statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2024-49761 + statement: "rexml REXML ReDoS vulnerability" + purls: + - "pkg:gem/rexml@3.2.6" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-22874 + statement: "crypto/x509 Usage of ExtKeyUsageAny disables policy validation in crypto/x509" + purls: + - "pkg:golang/stdlib@v1.24.3" + 
expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-66564 + statement: "github.com/sigstore/timestamp-authority Sigstore Timestamp Authority Denial of Service via excessive OID or Content-Type header parsing" + purls: + - "pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted 
certificate" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2023-24538 + statement: "golang html/template backticks not treated as string delimiters" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24540 + statement: "golang html/template improper handling of JavaScript whitespace" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-24790 + statement: "golang net/netip Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-24675 + statement: "golang encoding/pem fix stack overflow in Decode" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-27664 + statement: "golang net/http handle server errors after sending GOAWAY" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-28131 + statement: "golang encoding/xml stack exhaustion in Decoder.Skip" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-28327 + statement: "golang crypto/elliptic panic caused by oversized scalar" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-2879 + statement: "golang archive/tar github.com/vbatts/tar-split unbounded memory consumption when reading headers" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-2880 + statement: "golang net/http/httputil ReverseProxy should not forward unparseable query parameters" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-29804 + statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30580 + statement: "golang os/exec Code injection in Cmd.Start" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30630 + statement: "golang io/fs stack 
exhaustion in Glob" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30631 + statement: "golang compress/gzip stack exhaustion in Reader.Read" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30632 + statement: "golang path/filepath stack exhaustion in Glob" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30633 + statement: "golang encoding/xml stack exhaustion in Unmarshal" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30634 + statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30635 + statement: "golang encoding/gob stack exhaustion in Decoder.Decode" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-32189 + statement: "golang math/big decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41715 + statement: "golang regexp/syntax limit memory used by parsing regexps" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41716 + statement: "Due to unsanitized NUL values, attackers may be able to maliciously se ..." 
+ purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41720 + statement: "golang os, net/http avoid escapes from os.DirFS and http.Dir on Windows" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41722 + statement: "golang path/filepath path-filepath filepath.Clean path traversal" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41723 + statement: "golang.org/x/net/http2 avoid quadratic complexity in HPACK decoding" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41724 + statement: "golang crypto/tls large handshake records may cause panics" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41725 + statement: "golang net/http, mime/multipart denial of service from excessive resource consumption" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24534 + statement: "golang net/http, net/textproto denial of service from excessive memory allocation" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24536 + statement: "golang net/http, net/textproto, mime/multipart denial of service from excessive resource consumption" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24537 + statement: "golang go/parser Infinite loop in parsing" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24539 + statement: "golang html/template improper sanitization of CSS values" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-29400 + statement: "golang html/template improper handling of empty HTML attributes" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-29403 + statement: "golang runtime unexpected behavior of setuid/setgid binaries" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: 
CVE-2023-39325 + statement: "golang net/http, x/net/http2 rapid stream resets can cause excessive work (CVE-2023-44487)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45283 + statement: "The filepath package does not recognize paths with a prefix as sp ..." + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45287 + statement: "golang crypto/tls Timing Side Channel attack in RSA based TLS key exchanges." + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45288 + statement: "golang net/http, x/net/http2 unlimited number of CONTINUATION frames causes DoS" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-34156 + statement: "encoding/gob golang Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-25621 + statement: "github.com/containerd/containerd containerd local privilege escalation" + purls: + - 
"pkg:golang/github.com/containerd/containerd/v2@v2.1.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-21780 + statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - 
id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-21780 + statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() " + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-68121 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-61730 + statement: "CHANGE ME" + expired_at: 2026-06-01 diff --git a/src/node_24_python_3_13/.trivyignore.yaml b/src/node_24_python_3_13/.trivyignore.yaml new file mode 100644 index 0000000..62fcf7b --- /dev/null +++ b/src/node_24_python_3_13/.trivyignore.yaml 
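Review bot: The last two entries, `CVE-2025-68121` and `CVE-2025-61730`, have `statement: "CHANGE ME"` and no `purls`, so they suppress those findings for every package in every image built from this common file, with no record of why; each ignore should carry the `purls` it applies to and a statement giving the acceptance reason, or be left out until one exists. More generally, every `statement` here repeats the advisory title rather than the justification (not reachable from the devcontainer, fix pending upstream, and so on), and every entry shares `expired_at: 2026-06-01`, so on that date the whole list lapses at once and the next scan will fail on everything rather than prompting a rolling review. As far as is visible, the per-image file `src/node_24_python_3_13/.trivyignore.yaml` (next hunk, cut off at the end of this page) repeats the same entries, which makes the common/specific split redundant and doubles the maintenance burden. The arm64 `CVE-2025-21780` statement also has a trailing space inside its quotes (`smu_sys_set_pp_table() "`), harmless for matching but untidy.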
@@ -0,0 +1,529 @@ +vulnerabilities: + - id: CVE-2026-25547 + statement: "@isaacs/brace-expansion has Uncontrolled Resource Consumption" + purls: + - "pkg:npm/%40isaacs/brace-expansion@5.0.0" + expired_at: 2026-06-01 + - id: CVE-2021-3807 + statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" + purls: + - "pkg:npm/ansi-regex@3.0.0" + expired_at: 2026-06-01 + - id: CVE-2021-3807 + statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" + purls: + - "pkg:npm/ansi-regex@5.0.0" + expired_at: 2026-06-01 + - id: CVE-2025-64756 + statement: "glob glob Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@10.4.5" + expired_at: 2026-06-01 + - id: CVE-2025-64756 + statement: "glob glob Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@11.0.3" + expired_at: 2026-06-01 + - id: CVE-2022-25881 + statement: "http-cache-semantics Regular Expression Denial of Service (ReDoS) vulnerability" + purls: + - "pkg:npm/http-cache-semantics@4.1.0" + expired_at: 2026-06-01 + - id: CVE-2024-29415 + statement: "node-ip Incomplete fix for CVE-2023-42282" + purls: + - "pkg:npm/ip@1.1.5" + expired_at: 2026-06-01 + - id: CVE-2022-3517 + statement: "nodejs-minimatch ReDoS via the braceExpand function" + purls: + - "pkg:npm/minimatch@3.0.4" + expired_at: 2026-06-01 + - id: CVE-2026-0775 + statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" + purls: + - "pkg:npm/npm@11.6.2" + expired_at: 2026-06-01 + - id: CVE-2022-29244 + statement: "nodejs npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace" + purls: + - "pkg:npm/npm@8.5.0" + expired_at: 2026-06-01 + - id: CVE-2026-0775 + statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" + purls: + - "pkg:npm/npm@8.5.0" + expired_at: 2026-06-01 + - id: 
CVE-2022-25883 + statement: "nodejs-semver Regular expression denial of service" + purls: + - "pkg:npm/semver@7.3.5" + expired_at: 2026-06-01 + - id: CVE-2026-23745 + statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-23950 + statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-23745 + statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2026-23950 + statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2022-40897 + statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2024-6345 + statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2025-47273 + statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2022-40897 + statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" 
+ purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2024-6345 + statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2025-47273 + statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2024-49761 + statement: "rexml REXML ReDoS vulnerability" + purls: + - "pkg:gem/rexml@3.2.6" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-22874 + statement: "crypto/x509 Usage of ExtKeyUsageAny disables policy validation in crypto/x509" + purls: + - "pkg:golang/stdlib@v1.24.3" + 
expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-66564 + statement: "github.com/sigstore/timestamp-authority Sigstore Timestamp Authority Denial of Service via excessive OID or Content-Type header parsing" + purls: + - "pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted 
certificate" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2023-24538 + statement: "golang html/template backticks not treated as string delimiters" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24540 + statement: "golang html/template improper handling of JavaScript whitespace" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-24790 + statement: "golang net/netip Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-24675 + statement: "golang encoding/pem fix stack overflow in Decode" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-27664 + statement: "golang net/http handle server errors after sending GOAWAY" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-28131 + statement: "golang encoding/xml stack exhaustion in Decoder.Skip" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-28327 + statement: "golang crypto/elliptic panic caused by oversized scalar" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-2879 + statement: "golang archive/tar github.com/vbatts/tar-split unbounded memory consumption when reading headers" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-2880 + statement: "golang net/http/httputil ReverseProxy should not forward unparseable query parameters" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-29804 + statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30580 + statement: "golang os/exec Code injection in Cmd.Start" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30630 + statement: "golang io/fs stack 
exhaustion in Glob" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30631 + statement: "golang compress/gzip stack exhaustion in Reader.Read" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30632 + statement: "golang path/filepath stack exhaustion in Glob" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30633 + statement: "golang encoding/xml stack exhaustion in Unmarshal" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30634 + statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30635 + statement: "golang encoding/gob stack exhaustion in Decoder.Decode" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-32189 + statement: "golang math/big decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41715 + statement: "golang regexp/syntax limit memory used by parsing regexps" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41716 + statement: "Due to unsanitized NUL values, attackers may be able to maliciously se ..." 
+ purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41720 + statement: "golang os, net/http avoid escapes from os.DirFS and http.Dir on Windows" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41722 + statement: "golang path/filepath path-filepath filepath.Clean path traversal" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41723 + statement: "golang.org/x/net/http2 avoid quadratic complexity in HPACK decoding" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41724 + statement: "golang crypto/tls large handshake records may cause panics" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41725 + statement: "golang net/http, mime/multipart denial of service from excessive resource consumption" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24534 + statement: "golang net/http, net/textproto denial of service from excessive memory allocation" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24536 + statement: "golang net/http, net/textproto, mime/multipart denial of service from excessive resource consumption" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24537 + statement: "golang go/parser Infinite loop in parsing" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24539 + statement: "golang html/template improper sanitization of CSS values" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-29400 + statement: "golang html/template improper handling of empty HTML attributes" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-29403 + statement: "golang runtime unexpected behavior of setuid/setgid binaries" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: 
CVE-2023-39325 + statement: "golang net/http, x/net/http2 rapid stream resets can cause excessive work (CVE-2023-44487)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45283 + statement: "The filepath package does not recognize paths with a prefix as sp ..." + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45287 + statement: "golang crypto/tls Timing Side Channel attack in RSA based TLS key exchanges." + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45288 + statement: "golang net/http, x/net/http2 unlimited number of CONTINUATION frames causes DoS" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-34156 + statement: "encoding/gob golang Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-25621 + statement: "github.com/containerd/containerd containerd local privilege escalation" + purls: + - 
"pkg:golang/github.com/containerd/containerd/v2@v2.1.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-21780 + statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - 
id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-21780 + statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() " + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-68121 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-61730 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2024-53179 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-37849 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-26007 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-23949 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-24049 + statement: "CHANGE ME" + expired_at: 2026-06-01 diff --git a/src/node_24_python_3_13/trivy.yaml b/src/node_24_python_3_13/trivy.yaml new file mode 100644 index 0000000..46a4f39 --- /dev/null +++ b/src/node_24_python_3_13/trivy.yaml @@ -0,0 +1 @@ +ignorefile: "src/node_24_python_3_13/.trivyignore_combined.yaml" 
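Review bot: The trailing entries of this file, from `- id: CVE-2025-68121` onwards, carry `statement: "CHANGE ME"` and no `purls`, so each one ignores that CVE for every package Trivy finds in the image and records no reason; the statement field is the audit trail for an accepted risk, and a placeholder leaves it empty. Each entry should name the affected package(s) under `purls:` and replace the placeholder with why the finding is acceptable here, e.g. `statement: "<reason the finding does not apply to this image>"`. The same placeholder entries are added to src/node_24_python_3_14/.trivyignore.yaml in the next hunk and to src/common/.trivyignore.yaml in patch 64. The rest of this file also appears to repeat the entries of the common file, which the build workflow concatenates with it into .trivyignore_combined.yaml, so those duplicates look redundant.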
diff --git a/src/node_24_python_3_14/.trivyignore.yaml b/src/node_24_python_3_14/.trivyignore.yaml new file mode 100644 index 0000000..1b10dea --- /dev/null +++ b/src/node_24_python_3_14/.trivyignore.yaml @@ -0,0 +1,28 @@ +vulnerabilities: + - id: CVE-2024-35870 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2024-53179 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-37849 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-26007 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-23949 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-24049 + statement: "CHANGE ME" + expired_at: 2026-06-01 diff --git a/src/node_24_python_3_14/trivy.yaml b/src/node_24_python_3_14/trivy.yaml new file mode 100644 index 0000000..e8aafd5 --- /dev/null +++ b/src/node_24_python_3_14/trivy.yaml @@ -0,0 +1 @@ +ignorefile: "src/node_24_python_3_14/.trivyignore_combined.yaml" From e06fc1a4e42780cbeb9d386dc1a1c4e281912e5e Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 12:41:07 +0000 Subject: [PATCH 61/94] bump trivy --- .tool-versions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tool-versions b/.tool-versions index 07d6f84..e2bc3a2 100644 --- a/.tool-versions +++ b/.tool-versions @@ -5,4 +5,4 @@ shellcheck 0.11.0 direnv 2.37.1 actionlint 1.7.10 ruby 3.3.0 -trivy 0.68.2 +trivy 0.69.1 From 61ec9f7e5e6467009416c85a196c890f1aaf4608 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 12:50:05 +0000 Subject: [PATCH 62/94] upload combined trivyignore --- .github/workflows/build_multi_arch_image.yml | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 240b7f3..2c4d5f7 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -65,12 +65,18 @@ jobs: echo "vulnerabilities:" > "$combined" if [ -f "$common" ]; then sed -n '2,$p' "$common" >> "$combined"; fi if [ -f "$specific" ]; then sed -n '2,$p' "$specific" >> "$combined"; fi + echo "Combined trivy ignore file created at $combined" env: ARCHITECTURE: '${{ matrix.arch }}' DOCKER_TAG: '${{ inputs.docker_tag }}' CONTAINER_NAME: '${{ inputs.container_name }}' BASE_VERSION: ${{ inputs.docker_tag}} + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f + name: Upload combined trivy ignore file + with: + name: "trivyigonre-${{ inputs.container_name }}-${{ matrix.arch }}" + path: src/${{ inputs.container_name}}/.trivyignore_combined.yaml - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload docker images with: From b903207fe99cea23eb6958dea2ded683254064a0 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 13:06:37 +0000 Subject: [PATCH 63/94] even more debug --- .github/workflows/build_multi_arch_image.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 2c4d5f7..0582572 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -66,6 +66,7 @@ jobs: if [ -f "$common" ]; then sed -n '2,$p' "$common" >> "$combined"; fi if [ -f "$specific" ]; then sed -n '2,$p' "$specific" >> "$combined"; fi echo "Combined trivy ignore file created at $combined" + cat "$combined" env: ARCHITECTURE: '${{ matrix.arch }}' 
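Review bot: The artifact name in the new upload step is misspelt, `name: "trivyigonre-${{ inputs.container_name }}-${{ matrix.arch }}"`, and anything that later downloads the artifact will have to repeat the misspelling; rename it to `name: "trivyignore-${{ inputs.container_name }}-${{ matrix.arch }}"` before something depends on it. The same line is carried unchanged through the workflow hunks in patches 63 and 65. Pinning `actions/upload-artifact` by commit SHA is good; a trailing `# <release tag>` comment on that line would let reviewers see which release the SHA corresponds to.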
@@ -76,7 +77,7 @@ jobs:
 name: Upload combined trivy ignore file
 with:
 name: "trivyigonre-${{ inputs.container_name }}-${{ matrix.arch }}"
- path: src/${{ inputs.container_name}}/.trivyignore_combined.yaml
+ path: src/${{ inputs.container_name }}/.trivyignore_combined.yaml
 - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 name: Upload docker images
 with:
From 4a44268db35dfc9c0a46360a6ba20f3dd86a004f Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Thu, 12 Feb 2026 13:23:42 +0000
Subject: [PATCH 64/94] more supressions
---
 src/common/.trivyignore.yaml | 34 ++++++----------------------------
 1 file changed, 6 insertions(+), 28 deletions(-)

diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml
index 89d5f1f..9af6ac3 100644
--- a/src/common/.trivyignore.yaml
+++ b/src/common/.trivyignore.yaml
@@ -444,15 +444,8 @@ vulnerabilities:
 purls:
 - "pkg:golang/stdlib@v1.24.9"
 expired_at: 2026-06-01
- - id: CVE-2024-35870
- statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04"
- expired_at: 2026-06-01
 - id: CVE-2024-53179
 statement: "kernel: smb: client: fix use-after-free of signing key"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04"
 expired_at: 2026-06-01
 - id: CVE-2025-21780
 statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()"
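Review bot: Deleting `purls:` from the CVE-2024-53179 entry changes what it suppresses: a Trivy ignore entry without `purls` matches that ID on any package, so the suppression is no longer limited to linux-libc-dev. The second hunk of this patch does the same for CVE-2025-37899, CVE-2024-35870 and CVE-2025-38118, while the CVE-2025-21780 entries keep their package scope. If the goal is one entry per CVE covering both architectures, keep the key and list both PURLs under it, `purls:` followed by the existing `…?arch=amd64…` and `…?arch=arm64…` lines, instead of removing it. The commit title gives no reason for the widening, and the statement still names the kernel fix rather than why the finding is acceptable in this image.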
@@ -461,38 +454,17 @@ vulnerabilities:
 expired_at: 2026-06-01
 - id: CVE-2025-37899
 statement: "kernel: ksmbd: fix use-after-free in session logoff"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04"
- expired_at: 2026-06-01
- - id: CVE-2025-38118
- statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04"
 expired_at: 2026-06-01
 - id: CVE-2024-35870
 statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04"
- expired_at: 2026-06-01
- - id: CVE-2024-53179
- statement: "kernel: smb: client: fix use-after-free of signing key"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04"
 expired_at: 2026-06-01
 - id: CVE-2025-21780
 statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() "
 purls:
 - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04"
 expired_at: 2026-06-01
- - id: CVE-2025-37899
- statement: "kernel: ksmbd: fix use-after-free in session logoff"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04"
- expired_at: 2026-06-01
 - id: CVE-2025-38118
 statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation"
- purls:
- - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04"
 expired_at: 2026-06-01
 - id: CVE-2025-68121
 statement: "CHANGE ME"
@@ -500,3 +472,9 @@ vulnerabilities:
 - id: CVE-2025-61730
 statement: "CHANGE ME"
 expired_at: 2026-06-01
+ - id: CVE-2025-37849
+ statement: "CHANGE ME"
+ expired_at: 2026-06-01
+ - id: CVE-2026-26007
+ statement: "CHANGE ME"
+ expired_at: 2026-06-01
From 844be0860e3b8285b4a6ef4741830f1f68b4010f Mon Sep 17 00:00:00 2001
From: Anthony Brown Date: Thu, 12 Feb 2026 14:03:56 +0000 Subject: [PATCH 65/94] update readme --- .github/workflows/build_multi_arch_image.yml | 2 +- README.md | 50 ++++++++++++++++---- 2 files changed, 42 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 0582572..bfeb06a 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -66,7 +66,6 @@ jobs: if [ -f "$common" ]; then sed -n '2,$p' "$common" >> "$combined"; fi if [ -f "$specific" ]; then sed -n '2,$p' "$specific" >> "$combined"; fi echo "Combined trivy ignore file created at $combined" - cat "$combined" env: ARCHITECTURE: '${{ matrix.arch }}' @@ -78,6 +77,7 @@ jobs: with: name: "trivyigonre-${{ inputs.container_name }}-${{ matrix.arch }}" path: src/${{ inputs.container_name }}/.trivyignore_combined.yaml + include-hidden-files: true - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload docker images with: diff --git a/README.md b/README.md index 692f065..7c8d1d9 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ EPS DEV CONTAINERS ================== # Introduction -This repo contains code to build a vscode devcontainer that is used as a base image for all EPS projects. +This repo contains code to build a vscode devcontainers that can be used as a base image for all EPS projects. Images are build for amd64 and arm64 and a manifest file created that can be pulled for both architectures. Images are based on mcr.microsoft.com/devcontainers/base:ubuntu-22.04 Images contain 
@@ -25,31 +25,63 @@ asdf install and setup for these so they are available globally as vscode user - trivy Install asdf plugins for all tools we use -Install asdf versions of node, python, java, terraform, golang used by all EPS projects to speed up initial build of local dev container Install and setup git-secrets # Project structure -The dev container is defined in src/base/.devcontainer folder. This folder contains a Dockerfile and a devcontainer.json file which is used to build the container. +## base container +The base dev container is defined in src/base/.devcontainer folder. This folder contains a Dockerfile and a devcontainer.json file which is used to build the container. As part of the dockerfile, there are scripts in the scripts folder that run as root and vscode user that setup and install various programs. The dev container is built using https://github.com/devcontainers/cli -The script `scripts/generate_language_version_files.sh` gets the version of node, python, java and terraform from all EPS repositories. It uses the list of repos from https://github.com/NHSDigital/eps-repo-status/blob/main/repos.json to find all EPS repos. +## common files +There are some common files under src/common. 
These include +- a Dockerfile used to build specific containers that installs poetry after python has been installed +- a .trivyignore file that contains trivy suppressions in the base image + +## specific containers +There are specific containers in src/ - eg src/base/node_24_python_3_14 +These have a .devcontainer/devcontainer.json file used to built the image +These use the base container as a base and then install specific versions of tools using devcontainer features, or a customised Dockerfile +If there are specific vulnerabilities from these tools, then these should be added to the .trivyignore file in the folder # Build process -Docker images are built for each pull request, and on merges to main +Docker images are built for each pull request, and on merges to main. +Docker images are built for amd64 and arm64 architecture, and a combined manifest is created and pushed as part of the build. + +The base image is built first, and then all other images are built Docker images are scanned for vulnerabilities using trivy as part of a build step, and the build fails if vulnerabilities are found not in .trivyignore file. - -On merges to main, a new release is created and the images are pushed to github. The images are tagged with `latest` and the version of the release. + +For pull requests, an image is pushed with tag `pr--` +On merges to main, a new release is created, and images are tagged with `latest` and the version of the release. # Local testing For local testing, you can run ``` -ARCHITECTURE=amd64 make build-base-image +CONTAINER_NAME=base BASE_VERSION=latest make build-image ``` to build a local image, and then ``` -make scan-base-image +CONTAINER_NAME=base BASE_VERSION=latest make scan-image ``` to scan for vulnerabilities + +# Using the images +In each eps project, you can put this in the devcontainer Dockerfile. You should not need to add any features. 
+``` +FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13: + +USER root +# specify DOCKER_GID to force container docker group id to match host +RUN if [ -n "${DOCKER_GID}" ]; then \ + if ! getent group docker; then \ + groupadd -g ${DOCKER_GID} docker; \ + else \ + groupmod -g ${DOCKER_GID} docker; \ + fi && \ + usermod -aG docker vscode; \ + fi + +USER vscode +``` From 3ec4392b4d152204263ed8536c47876bf317c1ac Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Thu, 12 Feb 2026 14:54:07 +0000 Subject: [PATCH 66/94] build lots of images --- .github/workflows/build_all_images.yml | 13 + Makefile | 5 + src/base/.devcontainer/Dockerfile | 8 +- src/base/.devcontainer/devcontainer.json | 4 +- .../.devcontainer/scripts/root_install.sh | 15 +- src/common/Dockerfile | 17 +- src/cpt_api/.devcontainer/.tool-versions | 0 src/cpt_api/.devcontainer/Dockerfile | 3 + src/cpt_api/.devcontainer/devcontainer.json | 20 + .../.devcontainer/scripts/root_install.sh | 2 + .../.devcontainer/scripts/vscode_install.sh | 2 + src/cpt_api/.trivyignore.yaml | 529 ++++++++++++++++++ src/cpt_api/trivy.yaml | 1 + .../.devcontainer/.tool-versions | 3 + .../.devcontainer/devcontainer.json | 15 +- .../.devcontainer/scripts/root_install.sh | 2 + .../.devcontainer/scripts/vscode_install.sh | 9 + .../.devcontainer/.tool-versions | 3 + .../.devcontainer/devcontainer.json | 12 +- .../.devcontainer/scripts/root_install.sh | 2 + .../.devcontainer/scripts/vscode_install.sh | 9 + 21 files changed, 632 insertions(+), 42 deletions(-) create mode 100644 src/cpt_api/.devcontainer/.tool-versions create mode 100644 src/cpt_api/.devcontainer/Dockerfile create mode 100644 src/cpt_api/.devcontainer/devcontainer.json create mode 100755 src/cpt_api/.devcontainer/scripts/root_install.sh create mode 100755 src/cpt_api/.devcontainer/scripts/vscode_install.sh create mode 100644 src/cpt_api/.trivyignore.yaml create mode 100644 src/cpt_api/trivy.yaml create mode 100644 src/node_24_python_3_13/.devcontainer/.tool-versions create mode 100755 src/node_24_python_3_13/.devcontainer/scripts/root_install.sh create mode 100755 src/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh create mode 100644 src/node_24_python_3_14/.devcontainer/.tool-versions create mode 100755 src/node_24_python_3_14/.devcontainer/scripts/root_install.sh create mode 100755 src/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh 
diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml index 331a9ac..026cf06 100644 --- a/.github/workflows/build_all_images.yml +++ b/.github/workflows/build_all_images.yml @@ -31,3 +31,16 @@ jobs: tag_latest: ${{ inputs.tag_latest }} docker_tag: ${{ inputs.docker_tag }} container_name: ${{ matrix.container_name }} + package_product_docker_image: + needs: + - package_non_base_docker_image + strategy: + fail-fast: false + matrix: + include: + - container_name: cpt_api + uses: ./.github/workflows/build_multi_arch_image.yml + with: + tag_latest: ${{ inputs.tag_latest }} + docker_tag: ${{ inputs.docker_tag }} + container_name: ${{ matrix.container_name }} diff --git a/Makefile b/Makefile index e89d2ae..0547918 100644 --- a/Makefile +++ b/Makefile @@ -37,6 +37,11 @@ scan-image: guard-CONTAINER_NAME --exit-code 1 \ --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}" +shell-image: guard-CONTAINER_NAME + docker run -it \ + "${CONTAINER_PREFIX}$${CONTAINER_NAME}" \ + bash + lint: lint-githubactions test: diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index bc39b56..e226d67 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile @@ -2,13 +2,13 @@ FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04 ARG TARGETARCH ENV TARGETARCH=${TARGETARCH} -ARG SCRIPTS_DIR=/usr/local/share/eps/ +ARG SCRIPTS_DIR=/usr/local/share/eps ARG CONTAINER_NAME ENV CONTAINER_NAME=${CONTAINER_NAME} ENV SCRIPTS_DIR=${SCRIPTS_DIR} ARG ASDF_VERSION -COPY .tool-versions.asdf /tmp/.tool-versions.asdf +COPY .tool-versions.asdf ${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME} WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} 
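Review bot: `docker run -it` in the new `shell-image` target leaves a stopped container behind every time the shell exits; add `--rm` so the interactive session is cleaned up, `docker run --rm -it \`. If the Makefile declares its targets in a `.PHONY` list elsewhere (not visible in this hunk), `shell-image` should be added there alongside `scan-image`.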
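Review bot: `COPY .tool-versions.asdf ${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf` relies on `ARG CONTAINER_NAME`, which has no default, so a build that does not pass the argument copies the file to `/usr/local/share/eps//.tool-versions.asdf` and `WORKDIR` lands in `/usr/local/share/eps/`, while root_install.sh in a later hunk of this patch reads the file back through the same variable-built path. Give the argument a default matching what devcontainer.json passes in the next hunk, `ARG CONTAINER_NAME=eps_devcontainer_base`, or have the install script fail early when the variable is empty, so the mismatch surfaces at build time rather than as a missing-file error later in the install.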
@@ -18,8 +18,8 @@ USER vscode ENV PATH="/home/vscode/.asdf/shims/:$PATH" WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} -COPY .tool-versions.asdf /home/vscode/.tool-versions.asdf -COPY .tool-versions /home/vscode/.tool-versions +COPY --chown=vscode:vscode .tool-versions.asdf /home/vscode/.tool-versions.asdf +COPY --chown=vscode:vscode .tool-versions /home/vscode/.tool-versions RUN ./vscode_install.sh WORKDIR /home/vscode diff --git a/src/base/.devcontainer/devcontainer.json b/src/base/.devcontainer/devcontainer.json index 6ef919b..6d879af 100644 --- a/src/base/.devcontainer/devcontainer.json +++ b/src/base/.devcontainer/devcontainer.json @@ -5,7 +5,9 @@ // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile "build": { "dockerfile": "Dockerfile", - "args": {} + "args": { + "CONTAINER_NAME": "eps_devcontainer_base" + } }, "runArgs": [ "--network=host" diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index 9f86e5c..5457b9f 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh 
@@ -30,19 +30,6 @@ apt-get -y install --no-install-recommends htop vim curl git build-essential \ libreadline-dev libsqlite3-dev wget llvm libncurses5-dev libncursesw5-dev \ xz-utils tk-dev liblzma-dev netcat-traditional libyaml-dev uuid-runtime xxd unzip -# install aws stuff -# Download correct AWS CLI for arch -# echo "Installing aws cli" -# if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then -# wget -O /tmp/awscliv2.zip --no-verbose "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -# else -# wget -O /tmp/awscliv2.zip --no-verbose "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -# fi -# unzip -q /tmp/awscliv2.zip -d /tmp/aws-cli -# /tmp/aws-cli/aws/install -# rm /tmp/awscliv2.zip -# rm -rf /tmp/aws-cli - # Download correct SAM CLI for arch echo "Installing aws-sam cli" if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then @@ -57,7 +44,7 @@ if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then # Install ASDF echo "Installing asdf" -ASDF_VERSION=$(awk '!/^#/ && NF {print $1; exit}' /tmp/.tool-versions.asdf) +ASDF_VERSION=$(awk '!/^#/ && NF {print $1; exit}' "${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf") if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then wget -O /tmp/asdf.tar.gz --no-verbose "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-arm64.tar.gz" else diff --git a/src/common/Dockerfile b/src/common/Dockerfile index 84ca1d6..fc6cca7 100644 --- a/src/common/Dockerfile +++ b/src/common/Dockerfile 
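Review bot: The rewritten `ASDF_VERSION=$(awk ... "${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf")` silently yields an empty version when either variable is unset or the file is missing, because `awk` on a nonexistent path returns non-zero inside a command substitution that `set -e` does not trap, and the `wget` that follows then builds a malformed release URL. Adding `: "${SCRIPTS_DIR:?}" "${CONTAINER_NAME:?}"` before the assignment and `[ -n "$ASDF_VERSION" ] || { echo "asdf version not found" >&2; exit 1; }` after it fails the build at the point of the mistake. The asdf tarball download on the context lines below is unverified; pinning a checksum alongside the version in `.tool-versions.asdf` would let this script check what it fetches, though those lines are not part of this change.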
@@ -2,10 +2,19 @@ ARG BASE_VERSION=latest FROM ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION} -# common Dockerfile used to setup poetry after installing python +ARG CONTAINER_NAME +ENV CONTAINER_NAME=${CONTAINER_NAME} -ARG POETRY_VERSION=2.3.2 +USER root +COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME} +WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} +RUN ./root_install.sh -RUN curl -sSL https://install.python-poetry.org | python3 - --version ${POETRY_VERSION} +USER vscode -ENV PATH="/home/vscode/.local/bin:${PATH}" +WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} +COPY .tool-versions /tmp/.tool-versions +RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions + +RUN ./vscode_install.sh +WORKDIR /home/vscode diff --git a/src/cpt_api/.devcontainer/.tool-versions b/src/cpt_api/.devcontainer/.tool-versions new file mode 100644 index 0000000..e69de29 diff --git a/src/cpt_api/.devcontainer/Dockerfile b/src/cpt_api/.devcontainer/Dockerfile new file mode 100644 index 0000000..0d5e2f6 --- /dev/null +++ b/src/cpt_api/.devcontainer/Dockerfile @@ -0,0 +1,3 @@ +ARG BASE_VERSION=latest + +FROM ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION} diff --git a/src/cpt_api/.devcontainer/devcontainer.json b/src/cpt_api/.devcontainer/devcontainer.json new file mode 100644 index 0000000..4226455 --- /dev/null +++ b/src/cpt_api/.devcontainer/devcontainer.json 
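Review bot: `ARG CONTAINER_NAME` is declared without a default and never validated, so a build that omits the arg expands `${SCRIPTS_DIR}/${CONTAINER_NAME}` to either an empty segment or the `CONTAINER_NAME` already set as ENV in the base image, and the `COPY --chmod=755 scripts` on the next line then writes over a script directory the base image owns before `./root_install.sh` runs. A guard after the `ENV` line, `RUN [ -n "${CONTAINER_NAME}" ] || { echo "CONTAINER_NAME build arg is required" >&2; exit 1; }`, turns that into a build failure. `RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions` appends unconditionally, so a tool that the base already lists ends up duplicated in the file, and `/tmp/.tool-versions` stays in the layer; `&& rm /tmp/.tool-versions` on the same `RUN` would tidy the latter. Removing the `curl | python3` Poetry installer is a welcome change, since the version now comes from a pinned `.tool-versions` entry rather than a script fetched at build time.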
@@ -0,0 +1,20 @@ +// For format details, see https://aka.ms/devcontainer.json. For config options, see the +// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu +{ + "name": "EPS Devcontainer node_24 python_3.13", + // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile + "build": { + "dockerfile": "Dockerfile", + "args": { + "BASE_VERSION": "${localEnv:BASE_VERSION}", + "CONTAINER_NAME": "cpt_api" + }, + "context": "." + }, + "runArgs": [ + "--network=host" + ], + "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, + "features": {} + } + diff --git a/src/cpt_api/.devcontainer/scripts/root_install.sh b/src/cpt_api/.devcontainer/scripts/root_install.sh new file mode 100755 index 0000000..0510f2c --- /dev/null +++ b/src/cpt_api/.devcontainer/scripts/root_install.sh @@ -0,0 +1,2 @@ +#!/usr/bin/env bash +set -e diff --git a/src/cpt_api/.devcontainer/scripts/vscode_install.sh b/src/cpt_api/.devcontainer/scripts/vscode_install.sh new file mode 100755 index 0000000..0510f2c --- /dev/null +++ b/src/cpt_api/.devcontainer/scripts/vscode_install.sh @@ -0,0 +1,2 @@ +#!/usr/bin/env bash +set -e diff --git a/src/cpt_api/.trivyignore.yaml b/src/cpt_api/.trivyignore.yaml new file mode 100644 index 0000000..62fcf7b --- /dev/null +++ b/src/cpt_api/.trivyignore.yaml 
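Review bot: `"name": "EPS Devcontainer node_24 python_3.13"` is copied from the node_24_python_3_13 devcontainer and does not match `"CONTAINER_NAME": "cpt_api"` in the same file; the rename to fhir_facade_api in PATCH 68 changes only the build arg, so the label stays stale there too. A name derived from the container (for example `"name": "EPS Devcontainer cpt_api"`) keeps the picker label and the image in step. `"--network=host"` is also carried over from the base configuration; it removes network isolation between the container and the host, which may be intended for these images but deserves a one-line `//` comment here so the trade-off is visible to whoever copies this file next. The closing `}` is indented one level deeper than the opening brace, which a formatter would flag.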
@@ -0,0 +1,529 @@ +vulnerabilities: + - id: CVE-2026-25547 + statement: "@isaacs/brace-expansion has Uncontrolled Resource Consumption" + purls: + - "pkg:npm/%40isaacs/brace-expansion@5.0.0" + expired_at: 2026-06-01 + - id: CVE-2021-3807 + statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" + purls: + - "pkg:npm/ansi-regex@3.0.0" + expired_at: 2026-06-01 + - id: CVE-2021-3807 + statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" + purls: + - "pkg:npm/ansi-regex@5.0.0" + expired_at: 2026-06-01 + - id: CVE-2025-64756 + statement: "glob glob Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@10.4.5" + expired_at: 2026-06-01 + - id: CVE-2025-64756 + statement: "glob glob Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@11.0.3" + expired_at: 2026-06-01 + - id: CVE-2022-25881 + statement: "http-cache-semantics Regular Expression Denial of Service (ReDoS) vulnerability" + purls: + - "pkg:npm/http-cache-semantics@4.1.0" + expired_at: 2026-06-01 + - id: CVE-2024-29415 + statement: "node-ip Incomplete fix for CVE-2023-42282" + purls: + - "pkg:npm/ip@1.1.5" + expired_at: 2026-06-01 + - id: CVE-2022-3517 + statement: "nodejs-minimatch ReDoS via the braceExpand function" + purls: + - "pkg:npm/minimatch@3.0.4" + expired_at: 2026-06-01 + - id: CVE-2026-0775 + statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" + purls: + - "pkg:npm/npm@11.6.2" + expired_at: 2026-06-01 + - id: CVE-2022-29244 + statement: "nodejs npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace" + purls: + - "pkg:npm/npm@8.5.0" + expired_at: 2026-06-01 + - id: CVE-2026-0775 + statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" + purls: + - "pkg:npm/npm@8.5.0" + expired_at: 2026-06-01 + - id: 
CVE-2022-25883 + statement: "nodejs-semver Regular expression denial of service" + purls: + - "pkg:npm/semver@7.3.5" + expired_at: 2026-06-01 + - id: CVE-2026-23745 + statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-23950 + statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-23745 + statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2026-23950 + statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2022-40897 + statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2024-6345 + statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2025-47273 + statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2022-40897 + statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" 
+ purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2024-6345 + statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2025-47273 + statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2024-49761 + statement: "rexml REXML ReDoS vulnerability" + purls: + - "pkg:gem/rexml@3.2.6" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-22874 + statement: "crypto/x509 Usage of ExtKeyUsageAny disables policy validation in crypto/x509" + purls: + - "pkg:golang/stdlib@v1.24.3" + 
expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-66564 + statement: "github.com/sigstore/timestamp-authority Sigstore Timestamp Authority Denial of Service via excessive OID or Content-Type header parsing" + purls: + - "pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted 
certificate" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2023-24538 + statement: "golang html/template backticks not treated as string delimiters" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24540 + statement: "golang html/template improper handling of JavaScript whitespace" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-24790 + statement: "golang net/netip Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-24675 + statement: "golang encoding/pem fix stack overflow in Decode" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-27664 + statement: "golang net/http handle server errors after sending GOAWAY" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-28131 + statement: "golang encoding/xml stack exhaustion in Decoder.Skip" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-28327 + statement: "golang crypto/elliptic panic caused by oversized scalar" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-2879 + statement: "golang archive/tar github.com/vbatts/tar-split unbounded memory consumption when reading headers" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-2880 + statement: "golang net/http/httputil ReverseProxy should not forward unparseable query parameters" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-29804 + statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30580 + statement: "golang os/exec Code injection in Cmd.Start" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30630 + statement: "golang io/fs stack 
exhaustion in Glob" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30631 + statement: "golang compress/gzip stack exhaustion in Reader.Read" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30632 + statement: "golang path/filepath stack exhaustion in Glob" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30633 + statement: "golang encoding/xml stack exhaustion in Unmarshal" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30634 + statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30635 + statement: "golang encoding/gob stack exhaustion in Decoder.Decode" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-32189 + statement: "golang math/big decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41715 + statement: "golang regexp/syntax limit memory used by parsing regexps" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41716 + statement: "Due to unsanitized NUL values, attackers may be able to maliciously se ..." 
+ purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41720 + statement: "golang os, net/http avoid escapes from os.DirFS and http.Dir on Windows" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41722 + statement: "golang path/filepath path-filepath filepath.Clean path traversal" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41723 + statement: "golang.org/x/net/http2 avoid quadratic complexity in HPACK decoding" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41724 + statement: "golang crypto/tls large handshake records may cause panics" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41725 + statement: "golang net/http, mime/multipart denial of service from excessive resource consumption" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24534 + statement: "golang net/http, net/textproto denial of service from excessive memory allocation" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24536 + statement: "golang net/http, net/textproto, mime/multipart denial of service from excessive resource consumption" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24537 + statement: "golang go/parser Infinite loop in parsing" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24539 + statement: "golang html/template improper sanitization of CSS values" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-29400 + statement: "golang html/template improper handling of empty HTML attributes" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-29403 + statement: "golang runtime unexpected behavior of setuid/setgid binaries" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: 
CVE-2023-39325 + statement: "golang net/http, x/net/http2 rapid stream resets can cause excessive work (CVE-2023-44487)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45283 + statement: "The filepath package does not recognize paths with a prefix as sp ..." + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45287 + statement: "golang crypto/tls Timing Side Channel attack in RSA based TLS key exchanges." + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45288 + statement: "golang net/http, x/net/http2 unlimited number of CONTINUATION frames causes DoS" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-34156 + statement: "encoding/gob golang Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-25621 + statement: "github.com/containerd/containerd containerd local privilege escalation" + purls: + - 
"pkg:golang/github.com/containerd/containerd/v2@v2.1.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-21780 + statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - 
id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-21780 + statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() " + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-68121 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-61730 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2024-53179 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-37849 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-26007 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-23949 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-24049 + statement: "CHANGE ME" + expired_at: 2026-06-01 diff --git a/src/cpt_api/trivy.yaml b/src/cpt_api/trivy.yaml new file mode 100644 index 0000000..46a4f39 --- /dev/null +++ b/src/cpt_api/trivy.yaml @@ -0,0 +1 @@ +ignorefile: "src/node_24_python_3_13/.trivyignore_combined.yaml" 
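Review bot: The entries near the end of this hunk, from `CVE-2025-68121` through `CVE-2026-24049`, carry `statement: "CHANGE ME"` and no `purls`, so they appear to suppress those CVEs regardless of which package carries them and with no recorded justification; `CVE-2026-24842` is even listed both scoped to `tar` and unscoped, and PATCH 69 appends four more entries of the same shape at the foot of this file. An ignore entry should be scoped with `purls` and its `statement` should say why the finding is accepted in this image (for example, that the affected code path is only reachable in a tool that never runs on untrusted input), rather than restating the advisory title as the other entries do. Several of the suppressed findings are in the code-execution and privilege-escalation class (the setuptools, npm and containerd entries among them), which warrant an explicit rationale more than a uniform `expired_at: 2026-06-01`. A lint step that rejects `CHANGE ME` statements or entries lacking `purls` would keep placeholders from being merged.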
diff --git a/src/node_24_python_3_13/.devcontainer/.tool-versions b/src/node_24_python_3_13/.devcontainer/.tool-versions new file mode 100644 index 0000000..19c9a1a --- /dev/null +++ b/src/node_24_python_3_13/.devcontainer/.tool-versions @@ -0,0 +1,3 @@ +nodejs 24.13.0 +python 3.13.12 +poetry 2.3.2 diff --git a/src/node_24_python_3_13/.devcontainer/devcontainer.json b/src/node_24_python_3_13/.devcontainer/devcontainer.json index 58a0c60..d192e19 100644 --- a/src/node_24_python_3_13/.devcontainer/devcontainer.json +++ b/src/node_24_python_3_13/.devcontainer/devcontainer.json @@ -6,20 +6,15 @@ "build": { "dockerfile": "../../common/Dockerfile", "args": { - "BASE_VERSION": "${localEnv:BASE_VERSION}" - } + "BASE_VERSION": "${localEnv:BASE_VERSION}", + "CONTAINER_NAME": "eps_devcontainer_node_24_python_3_13" + }, + "context": "." }, "runArgs": [ "--network=host" ], "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, - "features": { - "ghcr.io/devcontainers/features/node:1": { - "version": "24.13.1" - }, - "ghcr.io/devcontainers/features/python:1": { - "version": "3.13.12" - } - } + "features": {} } diff --git a/src/node_24_python_3_13/.devcontainer/scripts/root_install.sh b/src/node_24_python_3_13/.devcontainer/scripts/root_install.sh new file mode 100755 index 0000000..0510f2c --- /dev/null +++ b/src/node_24_python_3_13/.devcontainer/scripts/root_install.sh @@ -0,0 +1,2 @@ +#!/usr/bin/env bash +set -e diff --git a/src/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh b/src/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh new file mode 100755 index 0000000..e16905e --- /dev/null +++ b/src/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash +set -e + +asdf plugin add python +asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git +asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git + +asdf install python +asdf install 
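Review bot: The removed `"ghcr.io/devcontainers/features/node:1"` feature pinned `"version": "24.13.1"`, while the new `.tool-versions` in this patch pins `nodejs 24.13.0`, so unless the older patch release is intended this commit quietly steps Node back one version; the node_24_python_3_14 devcontainer on the next line makes the same move. Aligning the `.tool-versions` entry with the version that was previously installed, or noting why it differs, keeps the image from shipping a superseded runtime. With `"features": {}` the JSON could drop the key entirely, but keeping it as an explicit empty map is fine if other tooling reads it.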
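Review bot: `asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git` and `asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git` fetch the plugin at whatever its default branch holds at build time, and `asdf plugin add python` resolves through asdf's short-name registry, so the script that installs every language toolchain in the image is itself unpinned; the same pattern appears in the node_24_python_3_14 copy on the next line and in the `asdf plugin add java` of fhir_facade_api in PATCH 68. Pinning each plugin to a reviewed commit (for example `asdf plugin add nodejs <url> && asdf plugin update nodejs <pinned-ref>`, with the ref recorded next to the tool version) makes a rebuild reproducible and reviewable. `asdf install python` is redundant, since the unqualified `asdf install` that follows installs everything listed in `.tool-versions`, including python.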
diff --git a/src/node_24_python_3_14/.devcontainer/.tool-versions b/src/node_24_python_3_14/.devcontainer/.tool-versions new file mode 100644 index 0000000..ed99ea2 --- /dev/null +++ b/src/node_24_python_3_14/.devcontainer/.tool-versions @@ -0,0 +1,3 @@ +nodejs 24.13.0 +python 3.14.3 +poetry 2.3.2 diff --git a/src/node_24_python_3_14/.devcontainer/devcontainer.json b/src/node_24_python_3_14/.devcontainer/devcontainer.json index c033f16..484a2de 100644 --- a/src/node_24_python_3_14/.devcontainer/devcontainer.json +++ b/src/node_24_python_3_14/.devcontainer/devcontainer.json @@ -6,20 +6,14 @@ "build": { "dockerfile": "../../common/Dockerfile", "args": { - "BASE_VERSION": "${localEnv:BASE_VERSION}" + "BASE_VERSION": "${localEnv:BASE_VERSION}", + "CONTAINER_NAME": "eps_devcontainer_node_24_python_3_14" } }, "runArgs": [ "--network=host" ], "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, - "features": { - "ghcr.io/devcontainers/features/node:1": { - "version": "24.13.1" - }, - "ghcr.io/devcontainers/features/python:1": { - "version": "3.14.3" - } - } + "features": {} } diff --git a/src/node_24_python_3_14/.devcontainer/scripts/root_install.sh b/src/node_24_python_3_14/.devcontainer/scripts/root_install.sh new file mode 100755 index 0000000..0510f2c --- /dev/null +++ b/src/node_24_python_3_14/.devcontainer/scripts/root_install.sh @@ -0,0 +1,2 @@ +#!/usr/bin/env bash +set -e diff --git a/src/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh b/src/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh new file mode 100755 index 0000000..e16905e --- /dev/null +++ b/src/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash +set -e + +asdf plugin add python +asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git +asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git + +asdf install python +asdf install 
From 5f392e6213166471f5ad5ccd3028c9d22a7592ad Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 14:56:28 +0000 Subject: [PATCH 67/94] remove unused files --- src/cpt_api/.devcontainer/.tool-versions | 0 src/cpt_api/.devcontainer/scripts/root_install.sh | 2 -- src/cpt_api/.devcontainer/scripts/vscode_install.sh | 2 -- src/cpt_api/trivy.yaml | 2 +- 4 files changed, 1 insertion(+), 5 deletions(-) delete mode 100644 src/cpt_api/.devcontainer/.tool-versions delete mode 100755 src/cpt_api/.devcontainer/scripts/root_install.sh delete mode 100755 src/cpt_api/.devcontainer/scripts/vscode_install.sh diff --git a/src/cpt_api/.devcontainer/.tool-versions b/src/cpt_api/.devcontainer/.tool-versions deleted file mode 100644 index e69de29..0000000 diff --git a/src/cpt_api/.devcontainer/scripts/root_install.sh b/src/cpt_api/.devcontainer/scripts/root_install.sh deleted file mode 100755 index 0510f2c..0000000 --- a/src/cpt_api/.devcontainer/scripts/root_install.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/usr/bin/env bash -set -e diff --git a/src/cpt_api/.devcontainer/scripts/vscode_install.sh b/src/cpt_api/.devcontainer/scripts/vscode_install.sh deleted file mode 100755 index 0510f2c..0000000 --- a/src/cpt_api/.devcontainer/scripts/vscode_install.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/usr/bin/env bash -set -e diff --git a/src/cpt_api/trivy.yaml b/src/cpt_api/trivy.yaml index 46a4f39..cc777f0 100644 --- a/src/cpt_api/trivy.yaml +++ b/src/cpt_api/trivy.yaml @@ -1 +1 @@ -ignorefile: "src/node_24_python_3_13/.trivyignore_combined.yaml" +ignorefile: "src/cpt_api/.trivyignore_combined.yaml" From 0f52c4a8a60c43adc51bede953230c6c80430311 Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Thu, 12 Feb 2026 16:02:17 +0000 Subject: [PATCH 68/94] build fhir facade dev container --- .github/workflows/build_all_images.yml | 2 +- src/cpt_api/.devcontainer/Dockerfile | 3 --- .../.devcontainer/.tool-versions | 1 + src/fhir_facade_api/.devcontainer/Dockerfile | 20 +++++++++++++++++++ .../.devcontainer/devcontainer.json | 2 +- .../.devcontainer/scripts/root_install.sh | 13 ++++++++++++ .../.devcontainer/scripts/vscode_install.sh | 6 ++++++ .../.trivyignore.yaml | 0 src/{cpt_api => fhir_facade_api}/trivy.yaml | 0 .../.devcontainer/devcontainer.json | 3 ++- 10 files changed, 44 insertions(+), 6 deletions(-) delete mode 100644 src/cpt_api/.devcontainer/Dockerfile create mode 100644 src/fhir_facade_api/.devcontainer/.tool-versions create mode 100644 src/fhir_facade_api/.devcontainer/Dockerfile rename src/{cpt_api => fhir_facade_api}/.devcontainer/devcontainer.json (93%) create mode 100755 src/fhir_facade_api/.devcontainer/scripts/root_install.sh create mode 100755 src/fhir_facade_api/.devcontainer/scripts/vscode_install.sh rename src/{cpt_api => fhir_facade_api}/.trivyignore.yaml (100%) rename src/{cpt_api => fhir_facade_api}/trivy.yaml (100%) diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml index 026cf06..4f178ff 100644 --- a/.github/workflows/build_all_images.yml +++ b/.github/workflows/build_all_images.yml @@ -38,7 +38,7 @@ jobs: fail-fast: false matrix: include: - - container_name: cpt_api + - container_name: fhir_facade_api uses: ./.github/workflows/build_multi_arch_image.yml with: tag_latest: ${{ inputs.tag_latest }} diff --git a/src/cpt_api/.devcontainer/Dockerfile b/src/cpt_api/.devcontainer/Dockerfile deleted file mode 100644 index 0d5e2f6..0000000 --- a/src/cpt_api/.devcontainer/Dockerfile +++ /dev/null @@ -1,3 +0,0 @@ -ARG BASE_VERSION=latest - -FROM ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION} 
diff --git a/src/fhir_facade_api/.devcontainer/.tool-versions b/src/fhir_facade_api/.devcontainer/.tool-versions new file mode 100644 index 0000000..af19266 --- /dev/null +++ b/src/fhir_facade_api/.devcontainer/.tool-versions @@ -0,0 +1 @@ +java openjdk-20 diff --git a/src/fhir_facade_api/.devcontainer/Dockerfile b/src/fhir_facade_api/.devcontainer/Dockerfile new file mode 100644 index 0000000..b5d33e4 --- /dev/null +++ b/src/fhir_facade_api/.devcontainer/Dockerfile @@ -0,0 +1,20 @@ +ARG BASE_VERSION=latest + +FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:${BASE_VERSION} + +USER root +COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME} +WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} +RUN ./root_install.sh + + +USER vscode + +USER vscode + +WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} +COPY .tool-versions /tmp/.tool-versions +RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions + +RUN ./vscode_install.sh +WORKDIR /home/vscode diff --git a/src/cpt_api/.devcontainer/devcontainer.json b/src/fhir_facade_api/.devcontainer/devcontainer.json similarity index 93% rename from src/cpt_api/.devcontainer/devcontainer.json rename to src/fhir_facade_api/.devcontainer/devcontainer.json index 4226455..da3a820 100644 --- a/src/cpt_api/.devcontainer/devcontainer.json +++ b/src/fhir_facade_api/.devcontainer/devcontainer.json @@ -7,7 +7,7 @@ "dockerfile": "Dockerfile", "args": { "BASE_VERSION": "${localEnv:BASE_VERSION}", - "CONTAINER_NAME": "cpt_api" + "CONTAINER_NAME": "fhir_facade_api" }, "context": "." }, diff --git a/src/fhir_facade_api/.devcontainer/scripts/root_install.sh b/src/fhir_facade_api/.devcontainer/scripts/root_install.sh new file mode 100755 index 0000000..0733658 --- /dev/null +++ b/src/fhir_facade_api/.devcontainer/scripts/root_install.sh 
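Review bot: `java openjdk-20` pins a short-term feature release of the JDK that stopped receiving updates when the next release shipped, so the image will carry a runtime with no security fixes from the first build. A long-term-support line is the usual choice for a developer image that is rebuilt and scanned on a schedule; if a specific feature of 20 is needed, the reason belongs in a comment next to the entry.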
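Review bot: This Dockerfile never declares `ARG CONTAINER_NAME`, so `${CONTAINER_NAME}` in `COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}` resolves to the value inherited from the parent image's ENV (`eps_devcontainer_node_24_python_3_13`, per that image's devcontainer.json), the copy overwrites the parent's own script directory, and the `"CONTAINER_NAME": "fhir_facade_api"` build arg passed by the renamed devcontainer.json is silently unconsumed. Adding `ARG CONTAINER_NAME` and `ENV CONTAINER_NAME=${CONTAINER_NAME}` directly after the `FROM` line, as src/common/Dockerfile does, gives this image its own directory and makes the build arg effective. `USER vscode` appears twice in a row and one of the two can go, along with the doubled blank lines around them.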
@@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +set -e + +# install non snap version of firefox +add-apt-repository -y ppa:mozillateam/ppa +cat < /etc/apt/preferences.d/mozilla-firefox +Package: * +Pin: release o=LP-PPA-mozillateam +Pin-Priority: 1001 +EOF + +apt-get -y install firefox diff --git a/src/fhir_facade_api/.devcontainer/scripts/vscode_install.sh b/src/fhir_facade_api/.devcontainer/scripts/vscode_install.sh new file mode 100755 index 0000000..dd0f582 --- /dev/null +++ b/src/fhir_facade_api/.devcontainer/scripts/vscode_install.sh @@ -0,0 +1,6 @@ +#!/usr/bin/env bash +set -e + +# install java using asdf +asdf plugin add java +asdf install diff --git a/src/cpt_api/.trivyignore.yaml b/src/fhir_facade_api/.trivyignore.yaml similarity index 100% rename from src/cpt_api/.trivyignore.yaml rename to src/fhir_facade_api/.trivyignore.yaml diff --git a/src/cpt_api/trivy.yaml b/src/fhir_facade_api/trivy.yaml similarity index 100% rename from src/cpt_api/trivy.yaml rename to src/fhir_facade_api/trivy.yaml diff --git a/src/node_24_python_3_14/.devcontainer/devcontainer.json b/src/node_24_python_3_14/.devcontainer/devcontainer.json index 484a2de..e9ac91c 100644 --- a/src/node_24_python_3_14/.devcontainer/devcontainer.json +++ b/src/node_24_python_3_14/.devcontainer/devcontainer.json @@ -8,7 +8,8 @@ "args": { "BASE_VERSION": "${localEnv:BASE_VERSION}", "CONTAINER_NAME": "eps_devcontainer_node_24_python_3_14" - } + }, + "context": "." }, "runArgs": [ "--network=host" From ef29bafa4ad710e05e11d0cb069a0ef0e81db600 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 16:05:55 +0000 Subject: [PATCH 69/94] fix fhir facade --- src/fhir_facade_api/.trivyignore.yaml | 13 +++++++++++++ src/fhir_facade_api/trivy.yaml | 2 +- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/src/fhir_facade_api/.trivyignore.yaml b/src/fhir_facade_api/.trivyignore.yaml index 62fcf7b..801c647 100644 --- a/src/fhir_facade_api/.trivyignore.yaml 
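Review bot: The apt preference written for the Mozilla PPA pins `Package: *` at priority 1001, which lets every package published in that third-party PPA override (and, above 1000, even downgrade) the Ubuntu archive's version, not just firefox; narrow the pin to what is wanted, e.g. `Package: firefox firefox-*` or `Package: firefox*`, and say in a comment that this script deliberately trusts a third-party signing key for the image. As rendered the write line reads `cat < /etc/apt/preferences.d/mozilla-firefox`, which would read a non-existent file and abort under `set -e` before the `Package:` lines run; if the original is `cat <<EOF > /etc/apt/preferences.d/mozilla-firefox` and the heredoc marker was lost in rendering, disregard this. The install should be `apt-get install -y --no-install-recommends firefox` followed by `rm -rf /var/lib/apt/lists/*` to keep the pulled-in surface (and the layer) small, and `set -euo pipefail` is the safer header for a build-time script run as root.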
+++ b/src/fhir_facade_api/.trivyignore.yaml @@ -527,3 +527,16 @@ vulnerabilities: - id: CVE-2026-24049 statement: "CHANGE ME" expired_at: 2026-06-01 + + - id: CVE-2022-25235 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2022-25236 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2022-26485 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2022-26486 + statement: "CHANGE ME" + expired_at: 2026-06-01 diff --git a/src/fhir_facade_api/trivy.yaml b/src/fhir_facade_api/trivy.yaml index cc777f0..a6f8101 100644 --- a/src/fhir_facade_api/trivy.yaml +++ b/src/fhir_facade_api/trivy.yaml @@ -1 +1 @@ -ignorefile: "src/cpt_api/.trivyignore_combined.yaml" +ignorefile: "src/fhir_facade_api/.trivyignore_combined.yaml" From 00ab22f0bcc468fc7253b37c61067d33dc72d4f3 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 16:37:16 +0000 Subject: [PATCH 70/94] add method to fix trivyignore --- .gitignore | 1 + Makefile | 16 + README.md | 12 + scripts/trivy_to_trivyignore.py | 151 ++++++ src/common/.trivyignore.yaml | 487 ++++++------------- src/fhir_facade_api/.trivyignore.yaml | 555 ++-------------------- src/node_24_python_3_13/.trivyignore.yaml | 522 +------------------- src/node_24_python_3_14/.trivyignore.yaml | 41 +- 8 files changed, 380 insertions(+), 1405 deletions(-) create mode 100644 scripts/trivy_to_trivyignore.py diff --git a/.gitignore b/.gitignore index 0e266d2..7061e3a 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ node_modules/ .venv/ src/base/.devcontainer/language_versions/ .trivyignore_combined.yaml +.out/ diff --git a/Makefile b/Makefile index 0547918..b3a0986 100644 --- a/Makefile +++ b/Makefile 
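Review bot: The four new entries (CVE-2022-25235, CVE-2022-25236, CVE-2022-26485, CVE-2022-26486) are committed with `statement: "CHANGE ME"`, so a placeholder becomes an accepted risk with a 2026-06-01 expiry and nothing records why an expat code-execution bug and two Mozilla use-after-frees are tolerable in this image. They also carry no `purls`, so the suppression applies to any package that reports those IDs, not only the PPA firefox package this series just added. Before merge, each should carry a real justification and be scoped, e.g. `statement: "Reported against the PPA firefox build; fixed upstream in the installed version - confirmed by ... "` plus the firefox PURL, and a CI check that rejects `CHANGE ME` would stop placeholders landing again.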
@@ -37,6 +37,22 @@ scan-image: guard-CONTAINER_NAME --exit-code 1 \ --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}" +scan-image-json: guard-CONTAINER_NAME + @combined="src/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ + common="src/common/.trivyignore.yaml"; \ + specific="src/$${CONTAINER_NAME}/.trivyignore.yaml"; \ + echo "vulnerabilities:" > "$$combined"; \ + if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \ + if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi + mkdir -p .out + trivy image \ + --severity HIGH,CRITICAL \ + --config src/${CONTAINER_NAME}/trivy.yaml \ + --scanners vuln \ + --exit-code 1 \ + --format json \ + --output .out/scan.out.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}" + shell-image: guard-CONTAINER_NAME docker run -it \ "${CONTAINER_PREFIX}$${CONTAINER_NAME}" \ diff --git a/README.md b/README.md index 7c8d1d9..6bc7ce2 100644 --- a/README.md +++ b/README.md @@ -85,3 +85,15 @@ RUN if [ -n "${DOCKER_GID}" ]; then \ USER vscode ``` + +# Generating a .trivyignore file +You can generate a .trivyignore file for known vulnerabilities by either downloading the json scan output generated by the build, or by generating it locally using +``` +CONTAINER_NAME=base BASE_VERSION=latest make scan-image-json +``` +If generated locally, then the output goes into .out/scan.out.json + +Once you have this, use the following to generate a .trivyignore +``` +poetry run python scripts/trivy_to_trivyignore.py --input .out/scan.out.json --output src/common/.trivyignore.yaml +``` diff --git a/scripts/trivy_to_trivyignore.py b/scripts/trivy_to_trivyignore.py new file mode 100644 index 0000000..bcbb023 --- /dev/null +++ b/scripts/trivy_to_trivyignore.py 
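Review bot: The `sed -n '2,$$p'` concatenation silently discards the first line of each ignore file whatever it contains, so a file that starts with `---` or a comment would dump a stray `vulnerabilities:` key into the middle of the combined sequence and the ignore list would be parsed wrongly rather than rejected; guard it, e.g. `[ "$$(head -1 "$$common")" = "vulnerabilities:" ] || { echo "unexpected header in $$common"; exit 1; }`. The recipe mixes the make variable `${CONTAINER_NAME}` (in `--config src/${CONTAINER_NAME}/trivy.yaml`) with the shell variable `$${CONTAINER_NAME}` elsewhere; pick one form so a value set only on the make command line versus only in the environment behaves the same. The combine block and the trivy invocation appear to differ from `scan-image` (whose start is outside the hunk) only in `--format`/`--output`, so a shared `combine-trivyignore` prerequisite target would stop the two from drifting.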
@@ -0,0 +1,151 @@ +#!/usr/bin/env python3 +"""Convert Trivy JSON output into a .trivyignore YAML file.""" + +import argparse +import datetime as dt +import json +from pathlib import Path +from typing import Any, Dict, Iterable, List, Optional + + +def add_months(date_value: dt.date, months: int) -> dt.date: + """ + Add months to a date, clamping the day to the last day of the target month. + """ + if months == 0: + return date_value + + month_index = date_value.month - 1 + months + year = date_value.year + month_index // 12 + month = month_index % 12 + 1 + + # Clamp day to the last day of the target month. + next_year = year + (1 if month == 12 else 0) + next_month = 1 if month == 12 else month + 1 + first_of_next = dt.date(next_year, next_month, 1) + last_day = first_of_next - dt.timedelta(days=1) + day = min(date_value.day, last_day.day) + return dt.date(year, month, day) + + +def extract_vulnerabilities(data: Dict[str, Any]) -> List[Dict[str, Any]]: + """Collect vulnerability entries from Trivy JSON output.""" + results = data.get("Results", []) + if not isinstance(results, list): + return [] + + vulnerabilities: List[Dict[str, Any]] = [] + for result in results: + if not isinstance(result, dict): + continue + for vuln in result.get("Vulnerabilities", []) or []: + if isinstance(vuln, dict): + vulnerabilities.append(vuln) + return vulnerabilities + + +def normalize_purl(vuln: Dict[str, Any]) -> Optional[str]: + identifier = vuln.get("PkgIdentifier") + if isinstance(identifier, dict): + purl = identifier.get("PURL") + if isinstance(purl, str) and purl.strip(): + return purl.strip() + return None + + +def build_entries( + vulnerabilities: Iterable[Dict[str, Any]], + expires_on: dt.date +) -> List[Dict[str, Any]]: + """Build YAML entries with de-duplication by CVE, merging PURLs.""" + entries: Dict[str, Dict[str, Any]] = {} + + for vuln in vulnerabilities: + vuln_id = vuln.get("VulnerabilityID") + title = vuln.get("Title") + purl = normalize_purl(vuln) + + if not 
isinstance(vuln_id, str) or not vuln_id.strip(): + continue + if not isinstance(title, str) or not title.strip(): + continue + + key = vuln_id.strip() + entry = entries.get(key) + if entry is None: + entry = { + "id": key, + "statement": title.strip(), + "purls": set(), + "expired_at": expires_on.isoformat(), + } + entries[key] = entry + + if purl: + entry["purls"].add(purl) + + merged_entries: List[Dict[str, Any]] = [] + for entry in entries.values(): + purls = sorted(entry["purls"]) + if purls: + entry["purls"] = purls + else: + entry.pop("purls", None) + merged_entries.append(entry) + + return merged_entries + + +def write_yaml(entries: List[Dict[str, Any]], output_path: Path) -> None: + """Write entries to a YAML file without external dependencies.""" + lines: List[str] = ["vulnerabilities:"] + for entry in entries: + lines.append(f" - id: {entry['id']}") + lines.append(f" statement: {json.dumps(entry['statement'])}") + if "purls" in entry: + lines.append(" purls:") + for purl in entry["purls"]: + lines.append(f" - {json.dumps(purl)}") + lines.append(f" expired_at: {entry['expired_at']}") + + output_path.parent.mkdir(parents=True, exist_ok=True) + output_path.write_text("\n".join(lines) + "\n", encoding="utf-8") + + +def parse_args() -> argparse.Namespace: + parser = argparse.ArgumentParser( + description="Convert Trivy JSON output to .trivyignore YAML." 
+ ) + parser.add_argument( + "--input", + required=True, + help="Path to the Trivy JSON output file.", + ) + parser.add_argument( + "--output", + required=True, + help="Path to write the .trivyignore YAML file.", + ) + return parser.parse_args() + + +def main() -> int: + args = parse_args() + input_path = Path(args.input) + output_path = Path(args.output) + + if not input_path.is_file(): + raise FileNotFoundError(f"Input file not found: {input_path}") + + data = json.loads(input_path.read_text(encoding="utf-8")) + vulnerabilities = extract_vulnerabilities(data) + + expires_on = add_months(dt.date.today(), 6) + entries = build_entries(vulnerabilities, expires_on) + + write_yaml(entries, output_path) + return 0 + + +if __name__ == "__main__": + raise SystemExit(main()) diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml index 9af6ac3..b5f8e5f 100644 --- a/src/common/.trivyignore.yaml +++ b/src/common/.trivyignore.yaml 
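Review bot: `write_yaml` unconditionally overwrites `--output`, and the README points it at `src/common/.trivyignore.yaml`, so every regeneration replaces any human-written justification with the scanner's `Title` and resets `expired_at` to today+6 months; the `statement` field then records what the CVE is rather than why it is accepted, and existing acceptances get their expiry extended without review. Read the current output file first, keep `statement` and `expired_at` for IDs already present, and give new IDs a placeholder such as `TRIAGE ME: <title>` that a CI check can reject. Findings with no `Title` are dropped by the `continue` in `build_entries`, so they would still fail the scan with no hint why; fall back to the ID instead of skipping. The sketch below (it needs `import re`) keeps the no-external-dependency approach by reading only the `- id:`, `statement:` and `expired_at:` lines of the existing file.

```python
ID_RE = re.compile(r"^\s*-\s*id:\s*(\S+)\s*$")
FIELD_RE = re.compile(r"^\s*(statement|expired_at):\s*(.+?)\s*$")


def load_existing(output_path: Path) -> Dict[str, Dict[str, str]]:
    """Keep the reviewed statement/expiry of entries already in the ignore file."""
    existing: Dict[str, Dict[str, str]] = {}
    if not output_path.is_file():
        return existing
    current: Optional[str] = None
    for line in output_path.read_text(encoding="utf-8").splitlines():
        id_match = ID_RE.match(line)
        if id_match:
            current = id_match.group(1)
            existing[current] = {}
            continue
        field_match = FIELD_RE.match(line)
        if field_match and current:
            value = field_match.group(2)
            if value.startswith('"'):
                value = json.loads(value)
            existing[current][field_match.group(1)] = value
    return existing


# … in build_entries(vulnerabilities, expires_on, existing): …
        if entry is None:
            kept = existing.get(key, {})
            entry = {
                "id": key,
                # a CVE title is not a justification: keep the reviewed one, else flag it
                "statement": kept.get("statement", f"TRIAGE ME: {(title or key).strip()}"),
                "purls": set(),
                "expired_at": kept.get("expired_at", expires_on.isoformat()),
            }
            entries[key] = entry
# … unchanged: PURL merging, write_yaml, parse_args …
# … in main(): entries = build_entries(vulnerabilities, expires_on, load_existing(output_path)) …
```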
@@ -1,480 +1,279 @@ vulnerabilities: - - id: CVE-2026-25547 - statement: "@isaacs/brace-expansion has Uncontrolled Resource Consumption" - purls: - - "pkg:npm/%40isaacs/brace-expansion@5.0.0" - expired_at: 2026-06-01 - - id: CVE-2021-3807 - statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" - purls: - - "pkg:npm/ansi-regex@3.0.0" - expired_at: 2026-06-01 - - id: CVE-2021-3807 - statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" - purls: - - "pkg:npm/ansi-regex@5.0.0" - expired_at: 2026-06-01 - - id: CVE-2025-64756 - statement: "glob glob Command Injection Vulnerability via Malicious Filenames" - purls: - - "pkg:npm/glob@10.4.5" - expired_at: 2026-06-01 - - id: CVE-2025-64756 - statement: "glob glob Command Injection Vulnerability via Malicious Filenames" - purls: - - "pkg:npm/glob@11.0.3" - expired_at: 2026-06-01 - - id: CVE-2022-25881 - statement: "http-cache-semantics Regular Expression Denial of Service (ReDoS) vulnerability" - purls: - - "pkg:npm/http-cache-semantics@4.1.0" - expired_at: 2026-06-01 - - id: CVE-2024-29415 - statement: "node-ip Incomplete fix for CVE-2023-42282" - purls: - - "pkg:npm/ip@1.1.5" - expired_at: 2026-06-01 - - id: CVE-2022-3517 - statement: "nodejs-minimatch ReDoS via the braceExpand function" - purls: - - "pkg:npm/minimatch@3.0.4" - expired_at: 2026-06-01 - - id: CVE-2026-0775 - statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" - purls: - - "pkg:npm/npm@11.6.2" - expired_at: 2026-06-01 - - id: CVE-2022-29244 - statement: "nodejs npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace" - purls: - - "pkg:npm/npm@8.5.0" - expired_at: 2026-06-01 - - id: CVE-2026-0775 - statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" - purls: - - "pkg:npm/npm@8.5.0" - expired_at: 2026-06-01 - - id: 
CVE-2022-25883 - statement: "nodejs-semver Regular expression denial of service" - purls: - - "pkg:npm/semver@7.3.5" - expired_at: 2026-06-01 - - id: CVE-2026-23745 - statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@6.1.11" - expired_at: 2026-06-01 - - id: CVE-2026-23950 - statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@6.1.11" - expired_at: 2026-06-01 - - id: CVE-2026-24842 - statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@6.1.11" - expired_at: 2026-06-01 - - id: CVE-2026-23745 - statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-06-01 - - id: CVE-2026-23950 - statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-06-01 - - id: CVE-2026-24842 - statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-06-01 - - id: CVE-2022-40897 - statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" - purls: - - "pkg:pypi/setuptools@56.0.0" - expired_at: 2026-06-01 - - id: CVE-2024-6345 - statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" - purls: - - "pkg:pypi/setuptools@56.0.0" - expired_at: 2026-06-01 - - id: CVE-2025-47273 - statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" - purls: - - "pkg:pypi/setuptools@56.0.0" - expired_at: 2026-06-01 - - id: CVE-2022-40897 - statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" 
- purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-06-01 - - id: CVE-2024-6345 - statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" - purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-06-01 - - id: CVE-2025-47273 - statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" - purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-06-01 - - id: CVE-2024-49761 - statement: "rexml REXML ReDoS vulnerability" + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" purls: - - "pkg:gem/rexml@3.2.6" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" purls: - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2025-37849 + statement: "kernel: KVM: arm64: Tear down vGIC on failed vCPU creation" purls: - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - 
id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2026-26007 + statement: "cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves" purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + - "pkg:pypi/cryptography@46.0.3" + expired_at: 2026-08-12 + - id: CVE-2024-49761 + statement: "rexml: REXML ReDoS vulnerability" purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + - "pkg:gem/rexml@3.2.6" + expired_at: 2026-08-12 + - id: CVE-2025-68121 + statement: "During session resumption in crypto/tls, if the underlying Config has ..." 
purls: + - "pkg:golang/stdlib@v1.16.15" + - "pkg:golang/stdlib@v1.23.4" - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-22874 - statement: "crypto/x509 Usage of ExtKeyUsageAny disables policy validation in crypto/x509" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 + - "pkg:golang/stdlib@v1.24.9" + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-08-12 - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + statement: "golang: net/url: Memory exhaustion in query parameter parsing in net/url" purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 + - "pkg:golang/stdlib@v1.16.15" + - "pkg:golang/stdlib@v1.23.4" + - "pkg:golang/stdlib@v1.24.4" + - "pkg:golang/stdlib@v1.24.9" + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-08-12 - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-66564 - statement: "github.com/sigstore/timestamp-authority Sigstore Timestamp Authority Denial of Service via excessive OID or Content-Type header parsing" - purls: - - "pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" + statement: "golang: archive/zip: Excessive CPU consumption when building archive index in 
archive/zip" purls: + - "pkg:golang/stdlib@v1.16.15" - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + - "pkg:golang/stdlib@v1.24.4" + - "pkg:golang/stdlib@v1.24.9" + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-08-12 + - id: CVE-2025-61730 + statement: "During the TLS 1.3 handshake if multiple messages are sent in records ..." purls: + - "pkg:golang/stdlib@v1.16.15" - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + - "pkg:golang/stdlib@v1.24.4" + - "pkg:golang/stdlib@v1.24.9" + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-08-12 + - id: CVE-2025-47907 + statement: "database/sql: Postgres Scan Race Condition" purls: + - "pkg:golang/stdlib@v1.16.15" - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-08-12 + - id: CVE-2025-58183 + statement: "golang: archive/tar: Unbounded allocation when parsing GNU sparse map" purls: + - "pkg:golang/stdlib@v1.16.15" - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-08-12 - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + statement: "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate" purls: + - "pkg:golang/stdlib@v1.16.15" - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 + - "pkg:golang/stdlib@v1.24.4" + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-08-12 - id: CVE-2023-24538 - statement: "golang html/template backticks not treated as string delimiters" + statement: "golang: html/template: backticks not treated as string 
delimiters" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2023-24540 - statement: "golang html/template improper handling of JavaScript whitespace" + statement: "golang: html/template: improper handling of JavaScript whitespace" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2024-24790 - statement: "golang net/netip Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" + statement: "golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-24675 - statement: "golang encoding/pem fix stack overflow in Decode" + statement: "golang: encoding/pem: fix stack overflow in Decode" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-27664 - statement: "golang net/http handle server errors after sending GOAWAY" + statement: "golang: net/http: handle server errors after sending GOAWAY" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-28131 - statement: "golang encoding/xml stack exhaustion in Decoder.Skip" + statement: "golang: encoding/xml: stack exhaustion in Decoder.Skip" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-28327 - statement: "golang crypto/elliptic panic caused by oversized scalar" + statement: "golang: crypto/elliptic: panic caused by oversized scalar" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-2879 - statement: "golang archive/tar github.com/vbatts/tar-split unbounded memory consumption when reading headers" + statement: "golang: archive/tar: github.com/vbatts/tar-split: unbounded memory consumption when reading headers" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 
2026-08-12 - id: CVE-2022-2880 - statement: "golang net/http/httputil ReverseProxy should not forward unparseable query parameters" + statement: "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-29804 - statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" + statement: "ELSA-2022-17957: ol8addon security update (IMPORTANT)" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-30580 - statement: "golang os/exec Code injection in Cmd.Start" + statement: "golang: os/exec: Code injection in Cmd.Start" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-30630 - statement: "golang io/fs stack exhaustion in Glob" + statement: "golang: io/fs: stack exhaustion in Glob" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-30631 - statement: "golang compress/gzip stack exhaustion in Reader.Read" + statement: "golang: compress/gzip: stack exhaustion in Reader.Read" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-30632 - statement: "golang path/filepath stack exhaustion in Glob" + statement: "golang: path/filepath: stack exhaustion in Glob" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-30633 - statement: "golang encoding/xml stack exhaustion in Unmarshal" + statement: "golang: encoding/xml: stack exhaustion in Unmarshal" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-30634 - statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" + statement: "ELSA-2022-17957: ol8addon security update (IMPORTANT)" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: 
CVE-2022-30635 - statement: "golang encoding/gob stack exhaustion in Decoder.Decode" + statement: "golang: encoding/gob: stack exhaustion in Decoder.Decode" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-32189 - statement: "golang math/big decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" + statement: "golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-41715 - statement: "golang regexp/syntax limit memory used by parsing regexps" + statement: "golang: regexp/syntax: limit memory used by parsing regexps" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-41716 statement: "Due to unsanitized NUL values, attackers may be able to maliciously se ..." 
purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-41720 - statement: "golang os, net/http avoid escapes from os.DirFS and http.Dir on Windows" + statement: "golang: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-41722 - statement: "golang path/filepath path-filepath filepath.Clean path traversal" + statement: "golang: path/filepath: path-filepath filepath.Clean path traversal" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-41723 - statement: "golang.org/x/net/http2 avoid quadratic complexity in HPACK decoding" + statement: "golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-41724 - statement: "golang crypto/tls large handshake records may cause panics" + statement: "golang: crypto/tls: large handshake records may cause panics" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2022-41725 - statement: "golang net/http, mime/multipart denial of service from excessive resource consumption" + statement: "golang: net/http, mime/multipart: denial of service from excessive resource consumption" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2023-24534 - statement: "golang net/http, net/textproto denial of service from excessive memory allocation" + statement: "golang: net/http, net/textproto: denial of service from excessive memory allocation" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2023-24536 - statement: "golang net/http, net/textproto, mime/multipart denial of service from excessive resource consumption" + statement: "golang: net/http, net/textproto, mime/multipart: 
denial of service from excessive resource consumption" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2023-24537 - statement: "golang go/parser Infinite loop in parsing" + statement: "golang: go/parser: Infinite loop in parsing" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2023-24539 - statement: "golang html/template improper sanitization of CSS values" + statement: "golang: html/template: improper sanitization of CSS values" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2023-29400 - statement: "golang html/template improper handling of empty HTML attributes" + statement: "golang: html/template: improper handling of empty HTML attributes" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2023-29403 - statement: "golang runtime unexpected behavior of setuid/setgid binaries" + statement: "golang: runtime: unexpected behavior of setuid/setgid binaries" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2023-39325 - statement: "golang net/http, x/net/http2 rapid stream resets can cause excessive work (CVE-2023-44487)" + statement: "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2023-45283 - statement: "The filepath package does not recognize paths with a prefix as sp ..." + statement: "The filepath package does not recognize paths with a \\??\\ prefix as sp ..." purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2023-45287 - statement: "golang crypto/tls Timing Side Channel attack in RSA based TLS key exchanges." + statement: "golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges." 
purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2023-45288 - statement: "golang net/http, x/net/http2 unlimited number of CONTINUATION frames causes DoS" + statement: "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2024-34156 - statement: "encoding/gob golang Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + statement: "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" purls: - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2024-25621 - statement: "github.com/containerd/containerd containerd local privilege escalation" + statement: "github.com/containerd/containerd: containerd local privilege escalation" purls: - "pkg:golang/github.com/containerd/containerd/v2@v2.1.4" - expired_at: 2026-06-01 - - id: 
CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-06-01 - - id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - expired_at: 2026-06-01 - - id: CVE-2025-21780 - statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - expired_at: 2026-06-01 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - expired_at: 2026-06-01 - - id: CVE-2025-21780 - statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() " - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - expired_at: 2026-06-01 - - id: CVE-2025-68121 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-61730 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-37849 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2026-26007 - statement: "CHANGE ME" - expired_at: 2026-06-01 + expired_at: 2026-08-12 diff --git a/src/fhir_facade_api/.trivyignore.yaml b/src/fhir_facade_api/.trivyignore.yaml index 801c647..4d4afb0 100644 
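Review bot: The regenerated file only carries `arch=amd64` PURLs (every `linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04` entry), whereas the removed side had both amd64 and arm64 PURLs for CVE-2025-21780; since `build_all_images.yml` builds multi-arch images, the arm64 scan will report the same kernel-header CVEs with `arch=arm64` PURLs that none of these entries match, so either the arm64 scan fails or the ignore file is not the one gating it. Generate from both architectures' scan output, or add the `arch=arm64` PURL next to each amd64 one. Every `statement` is now the scanner's title (e.g. `"kernel: ksmbd: fix use-after-free in session logoff"`) and every `expired_at` moved from 2026-06-01 to 2026-08-12 in one sweep, so the file no longer records why each finding is accepted and the previous review deadline was extended without a decision; the four former `CHANGE ME` entries (CVE-2025-68121, CVE-2025-61730, CVE-2025-37849, CVE-2026-26007) gained titles but still no justification. A one-line header comment such as `# statement must say why the finding is accepted in this image, not what the CVE is` would set the expectation for future entries.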
--- a/src/fhir_facade_api/.trivyignore.yaml +++ b/src/fhir_facade_api/.trivyignore.yaml 
@@ -1,542 +1,47 @@ vulnerabilities: - - id: CVE-2026-25547 - statement: "@isaacs/brace-expansion has Uncontrolled Resource Consumption" + - id: CVE-2022-25235 + statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution" purls: - - "pkg:npm/%40isaacs/brace-expansion@5.0.0" - expired_at: 2026-06-01 - - id: CVE-2021-3807 - statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" + - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2022-25236 + statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution" purls: - - "pkg:npm/ansi-regex@3.0.0" - expired_at: 2026-06-01 - - id: CVE-2021-3807 - statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" + - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2022-26485 + statement: "Mozilla: Use-after-free in XSLT parameter processing" purls: - - "pkg:npm/ansi-regex@5.0.0" - expired_at: 2026-06-01 - - id: CVE-2025-64756 - statement: "glob glob Command Injection Vulnerability via Malicious Filenames" + - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2022-26486 + statement: "Mozilla: Use-after-free in WebGPU IPC Framework" purls: - - "pkg:npm/glob@10.4.5" - expired_at: 2026-06-01 + - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2026-25547 + statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion" + purls: + - "pkg:npm/%40isaacs/brace-expansion@5.0.0" + expired_at: 2026-08-12 - id: CVE-2025-64756 - statement: "glob glob Command Injection Vulnerability via Malicious 
Filenames" + statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames" purls: + - "pkg:npm/glob@10.4.5" - "pkg:npm/glob@11.0.3" - expired_at: 2026-06-01 - - id: CVE-2022-25881 - statement: "http-cache-semantics Regular Expression Denial of Service (ReDoS) vulnerability" - purls: - - "pkg:npm/http-cache-semantics@4.1.0" - expired_at: 2026-06-01 - - id: CVE-2024-29415 - statement: "node-ip Incomplete fix for CVE-2023-42282" - purls: - - "pkg:npm/ip@1.1.5" - expired_at: 2026-06-01 - - id: CVE-2022-3517 - statement: "nodejs-minimatch ReDoS via the braceExpand function" - purls: - - "pkg:npm/minimatch@3.0.4" - expired_at: 2026-06-01 - - id: CVE-2026-0775 - statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" - purls: - - "pkg:npm/npm@11.6.2" - expired_at: 2026-06-01 - - id: CVE-2022-29244 - statement: "nodejs npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace" - purls: - - "pkg:npm/npm@8.5.0" - expired_at: 2026-06-01 - - id: CVE-2026-0775 - statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" - purls: - - "pkg:npm/npm@8.5.0" - expired_at: 2026-06-01 - - id: CVE-2022-25883 - statement: "nodejs-semver Regular expression denial of service" - purls: - - "pkg:npm/semver@7.3.5" - expired_at: 2026-06-01 - - id: CVE-2026-23745 - statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@6.1.11" - expired_at: 2026-06-01 - - id: CVE-2026-23950 - statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@6.1.11" - expired_at: 2026-06-01 - - id: CVE-2026-24842 - statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@6.1.11" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: 
CVE-2026-23745 - statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" purls: - "pkg:npm/tar@7.5.1" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2026-23950 - statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" + statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition" purls: - "pkg:npm/tar@7.5.1" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2026-24842 - statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" + statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" purls: - "pkg:npm/tar@7.5.1" - expired_at: 2026-06-01 - - id: CVE-2022-40897 - statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" - purls: - - "pkg:pypi/setuptools@56.0.0" - expired_at: 2026-06-01 - - id: CVE-2024-6345 - statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" - purls: - - "pkg:pypi/setuptools@56.0.0" - expired_at: 2026-06-01 - - id: CVE-2025-47273 - statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" - purls: - - "pkg:pypi/setuptools@56.0.0" - expired_at: 2026-06-01 - - id: CVE-2022-40897 - statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" - purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-06-01 - - id: CVE-2024-6345 - statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" - purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-06-01 - - id: CVE-2025-47273 - statement: "setuptools Path Traversal 
Vulnerability in setuptools PackageIndex" - purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-06-01 - - id: CVE-2024-49761 - statement: "rexml REXML ReDoS vulnerability" - purls: - - "pkg:gem/rexml@3.2.6" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-22874 - statement: "crypto/x509 Usage of ExtKeyUsageAny disables policy validation in crypto/x509" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - 
id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-66564 - statement: "github.com/sigstore/timestamp-authority Sigstore Timestamp Authority Denial of Service via excessive OID or Content-Type header parsing" - purls: - - "pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2023-24538 - statement: "golang html/template backticks not treated as string delimiters" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24540 - statement: "golang html/template improper handling of JavaScript whitespace" - 
purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2024-24790 - statement: "golang net/netip Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-24675 - statement: "golang encoding/pem fix stack overflow in Decode" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-27664 - statement: "golang net/http handle server errors after sending GOAWAY" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-28131 - statement: "golang encoding/xml stack exhaustion in Decoder.Skip" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-28327 - statement: "golang crypto/elliptic panic caused by oversized scalar" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-2879 - statement: "golang archive/tar github.com/vbatts/tar-split unbounded memory consumption when reading headers" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-2880 - statement: "golang net/http/httputil ReverseProxy should not forward unparseable query parameters" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-29804 - statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30580 - statement: "golang os/exec Code injection in Cmd.Start" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30630 - statement: "golang io/fs stack exhaustion in Glob" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30631 - statement: "golang compress/gzip stack exhaustion in Reader.Read" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30632 - statement: "golang path/filepath stack exhaustion in Glob" - purls: - - 
"pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30633 - statement: "golang encoding/xml stack exhaustion in Unmarshal" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30634 - statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30635 - statement: "golang encoding/gob stack exhaustion in Decoder.Decode" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-32189 - statement: "golang math/big decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41715 - statement: "golang regexp/syntax limit memory used by parsing regexps" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41716 - statement: "Due to unsanitized NUL values, attackers may be able to maliciously se ..." 
- purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41720 - statement: "golang os, net/http avoid escapes from os.DirFS and http.Dir on Windows" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41722 - statement: "golang path/filepath path-filepath filepath.Clean path traversal" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41723 - statement: "golang.org/x/net/http2 avoid quadratic complexity in HPACK decoding" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41724 - statement: "golang crypto/tls large handshake records may cause panics" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41725 - statement: "golang net/http, mime/multipart denial of service from excessive resource consumption" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24534 - statement: "golang net/http, net/textproto denial of service from excessive memory allocation" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24536 - statement: "golang net/http, net/textproto, mime/multipart denial of service from excessive resource consumption" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24537 - statement: "golang go/parser Infinite loop in parsing" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24539 - statement: "golang html/template improper sanitization of CSS values" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-29400 - statement: "golang html/template improper handling of empty HTML attributes" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-29403 - statement: "golang runtime unexpected behavior of setuid/setgid binaries" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: 
CVE-2023-39325 - statement: "golang net/http, x/net/http2 rapid stream resets can cause excessive work (CVE-2023-44487)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-45283 - statement: "The filepath package does not recognize paths with a prefix as sp ..." - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-45287 - statement: "golang crypto/tls Timing Side Channel attack in RSA based TLS key exchanges." - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-45288 - statement: "golang net/http, x/net/http2 unlimited number of CONTINUATION frames causes DoS" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2024-34156 - statement: "encoding/gob golang Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2024-25621 - statement: "github.com/containerd/containerd containerd local privilege escalation" - purls: - - 
"pkg:golang/github.com/containerd/containerd/v2@v2.1.4" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-06-01 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-21780 - statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - 
id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-21780 - statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() " - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-68121 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-61730 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2024-35870 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2024-53179 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-37849 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-37899 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-38118 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2026-26007 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2026-24842 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2026-23949 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2026-24049 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - - id: CVE-2022-25235 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2022-25236 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2022-26485 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2022-26486 - statement: "CHANGE ME" - expired_at: 
2026-06-01
+ expired_at: 2026-08-12
diff --git a/src/node_24_python_3_13/.trivyignore.yaml b/src/node_24_python_3_13/.trivyignore.yaml
index 62fcf7b..a8010cf 100644
--- a/src/node_24_python_3_13/.trivyignore.yaml
+++ b/src/node_24_python_3_13/.trivyignore.yaml
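Review bot: The four new firefox entries (CVE-2022-25235 through CVE-2022-26486, expat and Mozilla use-after-free findings) and the retained glob/node-tar entries put the advisory title in `statement` rather than the reason the finding is accepted, so a later reader of this `.trivyignore.yaml` cannot tell whether the affected code path is unreachable in the fhir_facade_api image or the package is simply waiting on an upstream fix. Trivy's `statement` is free text intended for exactly that justification; I would record the rationale and the re-check owner per entry, for example `statement: "CVE-2022-25235 (expat RCE in firefox deb): <why not exploitable here>; re-evaluate before expiry"`. The expiry for the glob command-injection entry (CVE-2025-64756, now covering both glob@10.4.5 and glob@11.0.3) and the three node-tar arbitrary-write entries (CVE-2026-23745, CVE-2026-23950, CVE-2026-24842 on tar@7.5.1) is pushed from 2026-06-01 to 2026-08-12 with no note on whether a fixed release exists yet; a one-line pointer to the upstream fix status in each statement would make the extension auditable. Keeping every entry pinned to explicit `purls` as done here is the right shape, since an entry without `purls` would suppress that CVE for every package in the image.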
@@ -1,529 +1,27 @@ vulnerabilities: - id: CVE-2026-25547 - statement: "@isaacs/brace-expansion has Uncontrolled Resource Consumption" + statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion" purls: - "pkg:npm/%40isaacs/brace-expansion@5.0.0" - expired_at: 2026-06-01 - - id: CVE-2021-3807 - statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" - purls: - - "pkg:npm/ansi-regex@3.0.0" - expired_at: 2026-06-01 - - id: CVE-2021-3807 - statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" - purls: - - "pkg:npm/ansi-regex@5.0.0" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2025-64756 - statement: "glob glob Command Injection Vulnerability via Malicious Filenames" + statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames" purls: - "pkg:npm/glob@10.4.5" - expired_at: 2026-06-01 - - id: CVE-2025-64756 - statement: "glob glob Command Injection Vulnerability via Malicious Filenames" - purls: - "pkg:npm/glob@11.0.3" - expired_at: 2026-06-01 - - id: CVE-2022-25881 - statement: "http-cache-semantics Regular Expression Denial of Service (ReDoS) vulnerability" - purls: - - "pkg:npm/http-cache-semantics@4.1.0" - expired_at: 2026-06-01 - - id: CVE-2024-29415 - statement: "node-ip Incomplete fix for CVE-2023-42282" - purls: - - "pkg:npm/ip@1.1.5" - expired_at: 2026-06-01 - - id: CVE-2022-3517 - statement: "nodejs-minimatch ReDoS via the braceExpand function" - purls: - - "pkg:npm/minimatch@3.0.4" - expired_at: 2026-06-01 - - id: CVE-2026-0775 - statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" - purls: - - "pkg:npm/npm@11.6.2" - expired_at: 2026-06-01 - - id: CVE-2022-29244 - statement: "nodejs npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace" - purls: - - "pkg:npm/npm@8.5.0" - expired_at: 2026-06-01 
- - id: CVE-2026-0775 - statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" - purls: - - "pkg:npm/npm@8.5.0" - expired_at: 2026-06-01 - - id: CVE-2022-25883 - statement: "nodejs-semver Regular expression denial of service" - purls: - - "pkg:npm/semver@7.3.5" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2026-23745 - statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@6.1.11" - expired_at: 2026-06-01 - - id: CVE-2026-23950 - statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@6.1.11" - expired_at: 2026-06-01 - - id: CVE-2026-24842 - statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@6.1.11" - expired_at: 2026-06-01 - - id: CVE-2026-23745 - statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" purls: - "pkg:npm/tar@7.5.1" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2026-23950 - statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" + statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition" purls: - "pkg:npm/tar@7.5.1" - expired_at: 2026-06-01 + expired_at: 2026-08-12 - id: CVE-2026-24842 - statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" + statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" purls: - "pkg:npm/tar@7.5.1" - expired_at: 2026-06-01 - - id: CVE-2022-40897 - statement: "pypa-setuptools Regular Expression Denial of Service 
(ReDoS) in package_index.py" - purls: - - "pkg:pypi/setuptools@56.0.0" - expired_at: 2026-06-01 - - id: CVE-2024-6345 - statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" - purls: - - "pkg:pypi/setuptools@56.0.0" - expired_at: 2026-06-01 - - id: CVE-2025-47273 - statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" - purls: - - "pkg:pypi/setuptools@56.0.0" - expired_at: 2026-06-01 - - id: CVE-2022-40897 - statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" - purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-06-01 - - id: CVE-2024-6345 - statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" - purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-06-01 - - id: CVE-2025-47273 - statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" - purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-06-01 - - id: CVE-2024-49761 - statement: "rexml REXML ReDoS vulnerability" - purls: - - "pkg:gem/rexml@3.2.6" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - 
"pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-22874 - statement: "crypto/x509 Usage of ExtKeyUsageAny disables policy validation in crypto/x509" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-66564 - statement: "github.com/sigstore/timestamp-authority Sigstore Timestamp Authority Denial of Service via excessive OID or Content-Type header parsing" - purls: - - "pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar 
Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2023-24538 - statement: "golang html/template backticks not treated as string delimiters" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24540 - statement: "golang html/template improper handling of JavaScript whitespace" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2024-24790 - statement: "golang net/netip Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-24675 - statement: "golang encoding/pem fix stack overflow in Decode" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-27664 - statement: "golang net/http handle server errors after sending GOAWAY" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-28131 - statement: "golang encoding/xml stack exhaustion in Decoder.Skip" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-28327 - statement: "golang crypto/elliptic panic caused by oversized scalar" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-2879 - statement: "golang archive/tar github.com/vbatts/tar-split unbounded memory consumption when reading headers" - purls: - - 
"pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-2880 - statement: "golang net/http/httputil ReverseProxy should not forward unparseable query parameters" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-29804 - statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30580 - statement: "golang os/exec Code injection in Cmd.Start" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30630 - statement: "golang io/fs stack exhaustion in Glob" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30631 - statement: "golang compress/gzip stack exhaustion in Reader.Read" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30632 - statement: "golang path/filepath stack exhaustion in Glob" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30633 - statement: "golang encoding/xml stack exhaustion in Unmarshal" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30634 - statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30635 - statement: "golang encoding/gob stack exhaustion in Decoder.Decode" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-32189 - statement: "golang math/big decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41715 - statement: "golang regexp/syntax limit memory used by parsing regexps" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41716 - statement: "Due to unsanitized NUL values, attackers may be able to maliciously se ..." 
- purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41720 - statement: "golang os, net/http avoid escapes from os.DirFS and http.Dir on Windows" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41722 - statement: "golang path/filepath path-filepath filepath.Clean path traversal" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41723 - statement: "golang.org/x/net/http2 avoid quadratic complexity in HPACK decoding" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41724 - statement: "golang crypto/tls large handshake records may cause panics" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41725 - statement: "golang net/http, mime/multipart denial of service from excessive resource consumption" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24534 - statement: "golang net/http, net/textproto denial of service from excessive memory allocation" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24536 - statement: "golang net/http, net/textproto, mime/multipart denial of service from excessive resource consumption" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24537 - statement: "golang go/parser Infinite loop in parsing" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24539 - statement: "golang html/template improper sanitization of CSS values" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-29400 - statement: "golang html/template improper handling of empty HTML attributes" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-29403 - statement: "golang runtime unexpected behavior of setuid/setgid binaries" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: 
CVE-2023-39325 - statement: "golang net/http, x/net/http2 rapid stream resets can cause excessive work (CVE-2023-44487)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-45283 - statement: "The filepath package does not recognize paths with a prefix as sp ..." - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-45287 - statement: "golang crypto/tls Timing Side Channel attack in RSA based TLS key exchanges." - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-45288 - statement: "golang net/http, x/net/http2 unlimited number of CONTINUATION frames causes DoS" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2024-34156 - statement: "encoding/gob golang Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2024-25621 - statement: "github.com/containerd/containerd containerd local privilege escalation" - purls: - - 
"pkg:golang/github.com/containerd/containerd/v2@v2.1.4" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-06-01 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-21780 - statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - 
id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-21780 - statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() " - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-68121 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-61730 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2024-35870 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2024-53179 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-37849 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-37899 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-38118 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2026-26007 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2026-24842 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2026-23949 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2026-24049 - statement: "CHANGE ME" - expired_at: 2026-06-01 + expired_at: 2026-08-12 diff --git a/src/node_24_python_3_14/.trivyignore.yaml b/src/node_24_python_3_14/.trivyignore.yaml index 1b10dea..4ddaa2a 100644 --- a/src/node_24_python_3_14/.trivyignore.yaml +++ b/src/node_24_python_3_14/.trivyignore.yaml 
@@ -1,28 +1,21 @@ vulnerabilities: - - id: CVE-2024-35870 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2024-53179 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-37849 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-37899 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-38118 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2026-26007 - statement: "CHANGE ME" - expired_at: 2026-06-01 + - id: CVE-2026-25547 + statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion" + purls: + - "pkg:npm/%40isaacs/brace-expansion@5.0.0" + expired_at: 2026-08-12 - id: CVE-2026-24842 - statement: "CHANGE ME" - expired_at: 2026-06-01 + statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@7.5.4" + expired_at: 2026-08-12 - id: CVE-2026-23949 - statement: "CHANGE ME" - expired_at: 2026-06-01 + statement: "jaraco.context: jaraco.context: Path traversal via malicious tar archives" + purls: + - "pkg:pypi/jaraco.context@5.3.0" + expired_at: 2026-08-12 - id: CVE-2026-24049 - statement: "CHANGE ME" - expired_at: 2026-06-01 + statement: "wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking" + purls: + - "pkg:pypi/wheel@0.45.1" + expired_at: 2026-08-12 From e4f39cf8368c44bb2f984b49860d78492d47226a Mon Sep 17 00:00:00 2001 
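Review bot: The `statement` values on the rewritten entries are the advisory titles rather than a risk-acceptance rationale, so a reader of this ignore file still cannot tell why `CVE-2026-24049` (arbitrary code execution, `pkg:pypi/wheel@0.45.1`) or `CVE-2026-24842` (path traversal, `pkg:npm/tar@7.5.4`) are accepted until 2026-08-12. Trivy's `statement` field is the intended place for that reasoning; something of the shape `statement: "wheel 0.45.1 ships with the pinned Python; this devcontainer only unpacks wheels from our own lockfile — re-check for an upstream fix before expiry"` lets the next reviewer re-evaluate it (the real reason is not visible here, so substitute it). Pinning each `purls` entry to an exact version is the right call, since the suppression silently stops applying once the package moves.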
From: Anthony Brown Date: Thu, 12 Feb 2026 16:41:46 +0000 Subject: [PATCH 71/94] add node_24_python_3_12 --- .github/workflows/build_all_images.yml | 1 + .../.devcontainer/.tool-versions | 3 +++ .../.devcontainer/devcontainer.json | 20 ++++++++++++++ .../.devcontainer/scripts/root_install.sh | 2 ++ .../.devcontainer/scripts/vscode_install.sh | 9 +++++++ src/node_24_python_3_12/.trivyignore.yaml | 27 +++++++++++++++++++ src/node_24_python_3_12/trivy.yaml | 1 + 7 files changed, 63 insertions(+) create mode 100644 src/node_24_python_3_12/.devcontainer/.tool-versions create mode 100644 src/node_24_python_3_12/.devcontainer/devcontainer.json create mode 100755 src/node_24_python_3_12/.devcontainer/scripts/root_install.sh create mode 100755 src/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh create mode 100644 src/node_24_python_3_12/.trivyignore.yaml create mode 100644 src/node_24_python_3_12/trivy.yaml diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml index 4f178ff..b213837 100644 --- a/.github/workflows/build_all_images.yml +++ b/.github/workflows/build_all_images.yml @@ -26,6 +26,7 @@ jobs: include: - container_name: node_24_python_3_14 - container_name: node_24_python_3_13 + - container_name: node_24_python_3_12 uses: ./.github/workflows/build_multi_arch_image.yml with: tag_latest: ${{ inputs.tag_latest }} diff --git a/src/node_24_python_3_12/.devcontainer/.tool-versions b/src/node_24_python_3_12/.devcontainer/.tool-versions new file mode 100644 index 0000000..a27ded2 --- /dev/null +++ b/src/node_24_python_3_12/.devcontainer/.tool-versions @@ -0,0 +1,3 @@ +nodejs 24.13.0 +python 3.12.12 +poetry 2.3.2 diff --git a/src/node_24_python_3_12/.devcontainer/devcontainer.json b/src/node_24_python_3_12/.devcontainer/devcontainer.json new file mode 100644 index 0000000..d192e19 --- /dev/null +++ b/src/node_24_python_3_12/.devcontainer/devcontainer.json 
@@ -0,0 +1,20 @@ +// For format details, see https://aka.ms/devcontainer.json. For config options, see the +// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu +{ + "name": "EPS Devcontainer node_24 python_3.13", + // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile + "build": { + "dockerfile": "../../common/Dockerfile", + "args": { + "BASE_VERSION": "${localEnv:BASE_VERSION}", + "CONTAINER_NAME": "eps_devcontainer_node_24_python_3_13" + }, + "context": "." + }, + "runArgs": [ + "--network=host" + ], + "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, + "features": {} + } + diff --git a/src/node_24_python_3_12/.devcontainer/scripts/root_install.sh b/src/node_24_python_3_12/.devcontainer/scripts/root_install.sh new file mode 100755 index 0000000..0510f2c --- /dev/null +++ b/src/node_24_python_3_12/.devcontainer/scripts/root_install.sh @@ -0,0 +1,2 @@ +#!/usr/bin/env bash +set -e diff --git a/src/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh b/src/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh new file mode 100755 index 0000000..e16905e --- /dev/null +++ b/src/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash +set -e + +asdf plugin add python +asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git +asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git + +asdf install python +asdf install diff --git a/src/node_24_python_3_12/.trivyignore.yaml b/src/node_24_python_3_12/.trivyignore.yaml new file mode 100644 index 0000000..a8010cf --- /dev/null +++ b/src/node_24_python_3_12/.trivyignore.yaml 
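Review bot: The new `src/node_24_python_3_12/.devcontainer/devcontainer.json` still carries the 3.13 identity on two lines: `"name": "EPS Devcontainer node_24 python_3.13"` and `"CONTAINER_NAME": "eps_devcontainer_node_24_python_3_13"`. The Makefile derives the image name from the `CONTAINER_NAME` environment variable rather than this build arg, so the pushed tag is probably right, but whatever `common/Dockerfile` does with the arg (not visible here) will label or configure the 3.12 image as 3.13; change them to `"EPS Devcontainer node_24 python_3.12"` and `"eps_devcontainer_node_24_python_3_12"`. Separately, `"--network=host"` hands the devcontainer the host's network namespace; that is common for local development, but since this file already uses `//` comments, a one-line comment stating why it is required would stop a later reviewer from quietly removing or cargo-culting it.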
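Review bot: `vscode_install.sh` adds the `python`, `poetry` and `nodejs` asdf plugins without pinning them, so every image build executes whatever is currently on the default branch of three external repositories, and `asdf plugin add python` additionally resolves through asdf's short-name registry instead of an explicit URL. Those plugin scripts are what download and build the toolchains that end up in the published image, so pinning them to a reviewed commit — e.g. `asdf plugin add python https://github.com/danhper/asdf-python.git` followed by `asdf plugin update python <commit-sha>`, and the same for `poetry` and `nodejs` — keeps the build reproducible and shrinks the supply-chain surface. The `.tool-versions` pins cover the runtimes but not the plugin code that fetches them.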
@@ -0,0 +1,27 @@ +vulnerabilities: + - id: CVE-2026-25547 + statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion" + purls: + - "pkg:npm/%40isaacs/brace-expansion@5.0.0" + expired_at: 2026-08-12 + - id: CVE-2025-64756 + statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@10.4.5" + - "pkg:npm/glob@11.0.3" + expired_at: 2026-08-12 + - id: CVE-2026-23745 + statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-12 + - id: CVE-2026-23950 + statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-12 + - id: CVE-2026-24842 + statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-12 diff --git a/src/node_24_python_3_12/trivy.yaml b/src/node_24_python_3_12/trivy.yaml new file mode 100644 index 0000000..fcf8dc3 --- /dev/null +++ b/src/node_24_python_3_12/trivy.yaml @@ -0,0 +1 @@ +ignorefile: "src/node_24_python_3_12/.trivyignore_combined.yaml" From 890c1745f5bb19c9ca1f0a09788e8e784031881b Mon Sep 17 00:00:00 2001 
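Review bot: This file suppresses three node-tar findings (`CVE-2026-23745`, `CVE-2026-23950`, `CVE-2026-24842`) against `pkg:npm/tar@7.5.1`, while the sibling `node_24_python_3_14` file in this series needs only one entry against `tar@7.5.4`, so the 3.12 image is evidently shipping an older tar than the 3.14 image for two advisories that a later 7.5.x apparently addresses. If that copy of tar comes from the npm bundled with Node (not visible here), an `npm install -g npm@latest` in `vscode_install.sh` would remove the package rather than accept arbitrary-file-overwrite findings for six months. The `glob` command-injection entry likewise lists two versions (`glob@10.4.5`, `glob@11.0.3`), which suggests two installed copies; each `statement` should record where the package comes from and why it cannot be upgraded instead of repeating the advisory title.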
From: Anthony Brown Date: Thu, 12 Feb 2026 16:48:45 +0000 Subject: [PATCH 72/94] build python 3.10 --- .github/workflows/build_all_images.yml | 1 + src/python_3_10/.devcontainer/.tool-versions | 2 ++ .../.devcontainer/devcontainer.json | 20 +++++++++++++++++++ .../.devcontainer/scripts/root_install.sh | 2 ++ .../.devcontainer/scripts/vscode_install.sh | 8 ++++++++ src/python_3_10/.trivyignore.yaml | 16 +++++++++++++++ src/python_3_10/trivy.yaml | 1 + 7 files changed, 50 insertions(+) create mode 100644 src/python_3_10/.devcontainer/.tool-versions create mode 100644 src/python_3_10/.devcontainer/devcontainer.json create mode 100755 src/python_3_10/.devcontainer/scripts/root_install.sh create mode 100755 src/python_3_10/.devcontainer/scripts/vscode_install.sh create mode 100644 src/python_3_10/.trivyignore.yaml create mode 100644 src/python_3_10/trivy.yaml diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml index b213837..eb48d3d 100644 --- a/.github/workflows/build_all_images.yml +++ b/.github/workflows/build_all_images.yml @@ -27,6 +27,7 @@ jobs: - container_name: node_24_python_3_14 - container_name: node_24_python_3_13 - container_name: node_24_python_3_12 + - container_name: python_3_10 uses: ./.github/workflows/build_multi_arch_image.yml with: tag_latest: ${{ inputs.tag_latest }} diff --git a/src/python_3_10/.devcontainer/.tool-versions b/src/python_3_10/.devcontainer/.tool-versions new file mode 100644 index 0000000..deac4f1 --- /dev/null +++ b/src/python_3_10/.devcontainer/.tool-versions @@ -0,0 +1,2 @@ +python 3.10.12 +poetry 2.1.3 diff --git a/src/python_3_10/.devcontainer/devcontainer.json b/src/python_3_10/.devcontainer/devcontainer.json new file mode 100644 index 0000000..d192e19 --- /dev/null +++ b/src/python_3_10/.devcontainer/devcontainer.json 
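Review bot: `src/python_3_10/.devcontainer/.tool-versions` pins `python 3.10.12`, a 2023 patch release, although the 3.10 line has had several later security-only releases; because asdf builds CPython from source rather than installing an OS package, the interpreter fixes those releases carry will not show up in the Trivy package scan, so nothing in this pipeline will flag the stale pin. Prefer the newest 3.10.x available and note the 3.10 end-of-support date in a `#` comment on the line so the pin is revisited. It also pins `poetry 2.1.3` where the `node_24_python_3_12` container added in the previous patch pins `poetry 2.3.2`; align them unless there is a compatibility reason, which should then be commented.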
@@ -0,0 +1,20 @@ +// For format details, see https://aka.ms/devcontainer.json. For config options, see the +// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu +{ + "name": "EPS Devcontainer node_24 python_3.13", + // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile + "build": { + "dockerfile": "../../common/Dockerfile", + "args": { + "BASE_VERSION": "${localEnv:BASE_VERSION}", + "CONTAINER_NAME": "eps_devcontainer_node_24_python_3_13" + }, + "context": "." + }, + "runArgs": [ + "--network=host" + ], + "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, + "features": {} + } + diff --git a/src/python_3_10/.devcontainer/scripts/root_install.sh b/src/python_3_10/.devcontainer/scripts/root_install.sh new file mode 100755 index 0000000..0510f2c --- /dev/null +++ b/src/python_3_10/.devcontainer/scripts/root_install.sh @@ -0,0 +1,2 @@ +#!/usr/bin/env bash +set -e diff --git a/src/python_3_10/.devcontainer/scripts/vscode_install.sh b/src/python_3_10/.devcontainer/scripts/vscode_install.sh new file mode 100755 index 0000000..f13cedf --- /dev/null +++ b/src/python_3_10/.devcontainer/scripts/vscode_install.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash +set -e + +asdf plugin add python +asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git + +asdf install python +asdf install diff --git a/src/python_3_10/.trivyignore.yaml b/src/python_3_10/.trivyignore.yaml new file mode 100644 index 0000000..dfaba04 --- /dev/null +++ b/src/python_3_10/.trivyignore.yaml 
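Review bot: `src/python_3_10/.devcontainer/devcontainer.json` is the same blob (`d192e19`) as the 3.12 file, so it names this container `EPS Devcontainer node_24 python_3.13` and passes `CONTAINER_NAME=eps_devcontainer_node_24_python_3_13` as a build arg for an image that targets Python 3.10 and, judging by its `vscode_install.sh`, installs no Node at all. Change the two lines to `"name": "EPS Devcontainer python_3.10"` and `"CONTAINER_NAME": "eps_devcontainer_python_3_10"`; how `common/Dockerfile` consumes the arg is not visible here, but a 3.13/node value cannot be correct for this image.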
@@ -0,0 +1,16 @@ +vulnerabilities: + - id: CVE-2022-40897 + statement: "pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-08-12 + - id: CVE-2024-6345 + statement: "pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-08-12 + - id: CVE-2025-47273 + statement: "setuptools: Path Traversal Vulnerability in setuptools PackageIndex" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-08-12 diff --git a/src/python_3_10/trivy.yaml b/src/python_3_10/trivy.yaml new file mode 100644 index 0000000..6137120 --- /dev/null +++ b/src/python_3_10/trivy.yaml @@ -0,0 +1 @@ +ignorefile: "src/python_3_10/.trivyignore_combined.yaml" From b201080c77fb73491b46cc324fce6f54376805a9 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 17:14:55 +0000 Subject: [PATCH 73/94] more vulns --- src/common/.trivyignore.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml index b5f8e5f..618fed5 100644 --- a/src/common/.trivyignore.yaml +++ b/src/common/.trivyignore.yaml 
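Review bot: All three entries accept findings on `pkg:pypi/setuptools@65.5.0` — including the `CVE-2024-6345` remote-code-execution advisory — rather than upgrading the package; 65.5.0 looks like the setuptools that CPython 3.10's `ensurepip` bundles (worth confirming from Trivy's reported path), in which case a `pip install --upgrade setuptools` after `asdf install` in `vscode_install.sh` removes the finding and makes this whole file unnecessary. If the upgrade genuinely cannot be done, the `statement` should say so and why instead of repeating the advisory title, e.g. `statement: "setuptools 65.5.0 ships with CPython 3.10 ensurepip; package_index is never invoked in this devcontainer — upgrade blocked by <reason>"`.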
@@ -277,3 +277,28 @@ vulnerabilities: purls: - "pkg:golang/github.com/containerd/containerd/v2@v2.1.4" expired_at: 2026-08-12 + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2025-37849 + statement: "kernel: KVM: arm64: Tear down vGIC on failed vCPU creation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-12 From d79c799c5aaa2a36a9a310a62c20c81cb252656d Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 12 Feb 2026 17:21:13 +0000 Subject: [PATCH 74/94] force platform --- .github/workflows/build_multi_arch_image.yml | 1 + Makefile | 7 ++++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index bfeb06a..f402482 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml 
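Review bot: The five new kernel entries are matched against `pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04` with `statement` values that are the upstream patch titles, which does not explain why a use-after-free in ksmbd or the Bluetooth MGMT code is acceptable in a container image. The actual reason — `linux-libc-dev` ships only userspace kernel headers, and the container never executes this kernel — belongs in each `statement` so the next reader does not have to rediscover it, e.g. `statement: "linux-libc-dev contains kernel headers only; the vulnerable code runs in the host kernel, not in this image"`. Note also that only `arch=arm64` purls are added here, whereas the entries deleted earlier in this series covered both `amd64` and `arm64`; if the amd64 scan still reports the same package the purls should include both arches or drop the `arch=` qualifier.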
@@ -72,6 +72,7 @@ jobs: DOCKER_TAG: '${{ inputs.docker_tag }}' CONTAINER_NAME: '${{ inputs.container_name }}' BASE_VERSION: ${{ inputs.docker_tag}} + PLATFORM: linux/${{ matrix.arch }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload combined trivy ignore file with: diff --git a/Makefile b/Makefile index b3a0986..e525a2a 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,9 @@ CONTAINER_PREFIX=ghcr.io/nhsdigital/eps-devcontainers/ +ifneq ($(strip $(PLATFORM)),) +PLATFORM_FLAG=--platform $(PLATFORM) +endif + guard-%: @ if [ "${${*}}" = "" ]; then \ echo "Environment variable $* not set"; \ @@ -17,10 +21,11 @@ install-node: install-hooks: install-python poetry run pre-commit install --install-hooks --overwrite -build-image: guard-CONTAINER_NAME guard-BASE_VERSION +build-image: guard-CONTAINER_NAME guard-BASE_VERSION guard-PLATFORM npx devcontainer build \ --workspace-folder ./src/$${CONTAINER_NAME}/ \ --push false \ + --platform $${PLATFORM} \ --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}" scan-image: guard-CONTAINER_NAME From 747ce9260cd38c4b378c1e12d33f5583a0d0db22 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 07:35:52 +0000 Subject: [PATCH 75/94] refactor workflow --- .github/workflows/build_multi_arch_image.yml | 100 +++++++------------ 1 file changed, 34 insertions(+), 66 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index f402482..eedcea4 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml 
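Review bot: In the Makefile hunk, `PLATFORM_FLAG` is computed by the new `ifneq ($(strip $(PLATFORM)),)` block but never used — the recipe passes `--platform $${PLATFORM}` directly, and adding `guard-PLATFORM` to `build-image`'s prerequisites makes the variable mandatory, so the conditional can no longer represent an optional path. Either drop the three `ifneq` / `PLATFORM_FLAG=` / `endif` lines, or keep the optional behaviour by replacing the recipe line with `$(PLATFORM_FLAG) \` and removing `guard-PLATFORM` from the target; as written the two mechanisms contradict each other. Whichever you keep, note that `$(PLATFORM_FLAG)` expands at make parse time while `$${PLATFORM}` is read by the shell, so do not mix them in one recipe.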
@@ -40,6 +40,12 @@ jobs: google-chrome-stable firefox postgresql* temurin-* *llvm* mysql* dotnet-sdk-* remove_packages_one_command: true + - name: Login to github container registry + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 + with: + registry: ghcr.io + username: ${{github.actor}} + password: ${{secrets.GITHUB_TOKEN}} - name: Checkout code uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 with: @@ -54,10 +60,11 @@ jobs: make install-node - name: Build container run: | + echo "Building image..." make build-image docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" - docker save "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-${ARCHITECTURE}.img" + echo "Creating combined trivy ignore file" # create combined trivy ignore file for use in trivy scan, combining common and specific ignore files if they exist combined="src/${CONTAINER_NAME}/.trivyignore_combined.yaml" common="src/common/.trivyignore.yaml" 
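Review bot: The new `Login to github container registry` step runs before checkout, `make install-node` and `npx devcontainer build`, so the `GITHUB_TOKEN` — which a later patch in this series grants `packages: write` — sits in the runner's `~/.docker/config.json` for the entire npm install and image build, where a compromised npm dependency or Dockerfile step could use it to push to the organisation's registry. Unless the build has to pull a private base image from ghcr.io (the `BASE_VERSION` arg hints it might; not visible here), move the login step to immediately before the new `Push tagged image` step so the credential only exists after the Trivy scan has passed. Pinning `docker/login-action` by commit SHA is good; keep that.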
@@ -73,18 +80,6 @@ jobs: CONTAINER_NAME: '${{ inputs.container_name }}' BASE_VERSION: ${{ inputs.docker_tag}} PLATFORM: linux/${{ matrix.arch }} - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f - name: Upload combined trivy ignore file - with: - name: "trivyigonre-${{ inputs.container_name }}-${{ matrix.arch }}" - path: src/${{ inputs.container_name }}/.trivyignore_combined.yaml - include-hidden-files: true - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f - name: Upload docker images - with: - name: "eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-${{ matrix.arch }}.img" - path: | - eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-${{ matrix.arch }}.img - name: Check docker vulnerabilities - json output uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: @@ -125,6 +120,24 @@ jobs: env: ARCHITECTURE: '${{ matrix.arch }}' DOCKER_TAG: '${{ inputs.docker_tag }}' + - name: Push tagged image + run: | + echo "Pushing image..." + docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" + env: + DOCKER_TAG: ${{ inputs.docker_tag }} + CONTAINER_NAME: '${{ inputs.container_name }}' + ARCHITECTURE: '${{ matrix.arch }}' + - name: Push latest image + if: ${{ inputs.tag_latest }} + run: | + docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}" + echo "Pushing image..." + docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}" + env: + DOCKER_TAG: ${{ inputs.docker_tag }} + CONTAINER_NAME: '${{ inputs.container_name }}' + ARCHITECTURE: '${{ matrix.arch }}' publish_image: name: Publish image for ${{ inputs.container_name }} 
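Review bot: The per-arch `Push tagged image` and `Push latest image` steps now publish to ghcr.io directly from the job that runs the scan, so the gate that previously existed by construction — the publish job only saw artifacts from a fully successful build job — now depends entirely on how the Trivy steps are configured, and their `with:` blocks (including any `exit-code` or `continue-on-error`) are outside this hunk. If the scan is informational rather than failing the job, an image with unignored findings now reaches the registry under both `${DOCKER_TAG}-<arch>` and `latest-<arch>`; add a comment above the push step such as `# relies on the Trivy scan steps above failing the job on unignored findings` and, if they do not, an explicit gate. Minor: `DOCKER_TAG: ${{ inputs.docker_tag }}` is unquoted in the new `env:` blocks while `CONTAINER_NAME` and `ARCHITECTURE` are quoted; pick one style.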
@@ -136,27 +149,6 @@ jobs: attestations: write id-token: write steps: - - name: Free Disk Space for Docker - uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885 - with: - remove_android: true - remove_dotnet: true - remove_haskell: true - remove_tool_cache: true - rm_cmd: rm - remove_packages: >- - azure-cli google-cloud-cli microsoft-edge-stable - google-chrome-stable firefox postgresql* temurin-* *llvm* mysql* - dotnet-sdk-* - remove_packages_one_command: true - - name: Download amd64 images - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 - with: - name: eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-amd64.img - - name: Download arm64 images - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 - with: - name: eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-arm64.img - name: Login to github container registry uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 with: 
@@ -164,45 +156,21 @@ jobs: username: ${{github.actor}} password: ${{secrets.GITHUB_TOKEN}} - - name: Load and push multi-arch tagged image + - name: Push multi-arch tagged image run: | - echo "loading images" - docker load -i "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-amd64.img" - docker load -i "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-arm64.img" - - echo "pushing images" - docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" - docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" - - echo "creating manifest" - docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" - - echo "pushing manifest" - docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" + docker buildx imagetools create -t "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \ + "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" \ + "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" env: DOCKER_TAG: ${{ inputs.docker_tag }} CONTAINER_NAME: '${{ inputs.container_name }}' - - name: Load and push multi-arch latest image + - name: Push multi-arch latest image if: ${{ inputs.tag_latest }} run: | - echo "Tagging latest images" - docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" - docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64" - - echo "pushing images" - docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" - docker push 
"ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64" - - echo "creating manifest" - docker manifest create "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" \ - --amend "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64" - - echo "pushing manifest" - docker manifest push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" + docker buildx imagetools create -t "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" \ + "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" \ + "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64" env: DOCKER_TAG: ${{ inputs.docker_tag }} CONTAINER_NAME: '${{ inputs.container_name }}' From 55142e6c45c9e7ed6aba0f179989b0d4088d1af5 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 07:51:59 +0000 Subject: [PATCH 76/94] fix permissions --- .github/workflows/build_multi_arch_image.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index eedcea4..985488a 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -13,9 +13,12 @@ name: Build and push docker image type: string jobs: - build_image: + build_and_push_image: name: Build image for ${{ inputs.container_name }} on ${{ matrix.arch }} permissions: + contents: read + packages: write + attestations: write id-token: write runs-on: '${{ matrix.runner }}' strategy: @@ -139,10 +142,10 @@ jobs: CONTAINER_NAME: '${{ inputs.container_name }}' ARCHITECTURE: '${{ matrix.arch }}' - publish_image: + publish_combined_image: name: Publish image for ${{ inputs.container_name }} runs-on: ubuntu-22.04 - needs: build_image + needs: build_and_push_image permissions: contents: read packages: write 
From 00cf5fd24b6424e64d07068980d33c6ae98d5e07 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 08:30:52 +0000 Subject: [PATCH 77/94] tag image on build --- .github/workflows/build_multi_arch_image.yml | 2 +- Makefile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 985488a..4e64420 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -65,7 +65,6 @@ jobs: run: | echo "Building image..." make build-image - docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" echo "Creating combined trivy ignore file" # create combined trivy ignore file for use in trivy scan, combining common and specific ignore files if they exist @@ -83,6 +82,7 @@ jobs: CONTAINER_NAME: '${{ inputs.container_name }}' BASE_VERSION: ${{ inputs.docker_tag}} PLATFORM: linux/${{ matrix.arch }} + IMAGE_TAG: ":${{ inputs.docker_tag }}-${{ matrix.arch }}" - name: Check docker vulnerabilities - json output uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: diff --git a/Makefile b/Makefile index e525a2a..f7b0ec3 100644 --- a/Makefile +++ b/Makefile @@ -26,7 +26,7 @@ build-image: guard-CONTAINER_NAME guard-BASE_VERSION guard-PLATFORM --workspace-folder ./src/$${CONTAINER_NAME}/ \ --push false \ --platform $${PLATFORM} \ - --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}" + --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}${IMAGE_TAG}" scan-image: guard-CONTAINER_NAME @combined="src/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ From a8d52c68389d89da6e9f214bca8cdde55e0bd011 Mon Sep 17 00:00:00 2001 
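Review bot: In `build-image` the new `${IMAGE_TAG}` is expanded by make while the adjacent `$${CONTAINER_NAME}` is expanded by the shell, and unlike `CONTAINER_NAME` nothing guards `IMAGE_TAG`, so a local `make build-image` without it quietly builds the un-suffixed name; that looks intended for local use but deserves a comment above the target, e.g. `# IMAGE_TAG is optional; CI passes ":<tag>-<arch>", local builds may leave it unset`. Either expansion works because make imports the environment, but `$${IMAGE_TAG}` would match the surrounding style. The recipe's first lines are outside the hunk.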
From: Anthony Brown Date: Fri, 13 Feb 2026 08:33:17 +0000 Subject: [PATCH 78/94] update .trivyignore --- src/node_24_python_3_14/.trivyignore.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/src/node_24_python_3_14/.trivyignore.yaml b/src/node_24_python_3_14/.trivyignore.yaml index 4ddaa2a..57d92bd 100644 --- a/src/node_24_python_3_14/.trivyignore.yaml +++ b/src/node_24_python_3_14/.trivyignore.yaml @@ -19,3 +19,24 @@ vulnerabilities: purls: - "pkg:pypi/wheel@0.45.1" expired_at: 2026-08-12 + - id: CVE-2025-64756 + statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@10.4.5" + - "pkg:npm/glob@11.0.3" + expired_at: 2026-08-13 + - id: CVE-2026-23745 + statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-13 + - id: CVE-2026-23950 + statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-13 + - id: CVE-2026-24842 + statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-13 From a94846a46d177d1fe7dbc79a191edb86dba36791 Mon Sep 17 00:00:00 2001 
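Review bot: Each new suppression's `statement` repeats the advisory title (e.g. `"glob: glob: Command Injection Vulnerability via Malicious Filenames"`) rather than recording why the finding is accepted, so when `expired_at: 2026-08-13` arrives a reader cannot tell whether a fix was unavailable, the package is unreachable in a devcontainer, or the risk was simply deferred. Trivy treats `statement` as free text, so prefer a justification plus the planned remediation, in the shape `statement: "<why accepted>; remove once <fixed version> is packaged"`. The same applies to the four firefox/expat entries added to `src/projects/fhir_facade_api/.trivyignore.yaml` in patch 85. Pinning exact purls and a dated expiry is good.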
From: Anthony Brown Date: Fri, 13 Feb 2026 08:46:14 +0000 Subject: [PATCH 79/94] refactor folder structure --- .github/workflows/build_all_images.yml | 9 +++++--- .github/workflows/build_multi_arch_image.yml | 5 ++++- Makefile | 5 ++--- README.md | 22 +++++++++++++++++-- src/fhir_facade_api/trivy.yaml | 1 - .../.devcontainer/.tool-versions | 0 .../.devcontainer/devcontainer.json | 2 +- .../.devcontainer/scripts/root_install.sh | 0 .../.devcontainer/scripts/vscode_install.sh | 0 .../node_24_python_3_12/.trivyignore.yaml | 0 src/languages/node_24_python_3_12/trivy.yaml | 1 + .../.devcontainer/.tool-versions | 0 .../.devcontainer/devcontainer.json | 2 +- .../.devcontainer/scripts/root_install.sh | 0 .../.devcontainer/scripts/vscode_install.sh | 0 .../node_24_python_3_13/.trivyignore.yaml | 0 src/languages/node_24_python_3_13/trivy.yaml | 1 + .../.devcontainer/.tool-versions | 0 .../.devcontainer/devcontainer.json | 2 +- .../.devcontainer/scripts/root_install.sh | 0 .../.devcontainer/scripts/vscode_install.sh | 0 .../node_24_python_3_14/.trivyignore.yaml | 0 src/languages/node_24_python_3_14/trivy.yaml | 1 + .../python_3_10/.devcontainer/.tool-versions | 0 .../.devcontainer/devcontainer.json | 2 +- .../.devcontainer/scripts/root_install.sh | 0 .../.devcontainer/scripts/vscode_install.sh | 0 .../python_3_10/.trivyignore.yaml | 0 src/languages/python_3_10/trivy.yaml | 1 + src/node_24_python_3_12/trivy.yaml | 1 - src/node_24_python_3_13/trivy.yaml | 1 - src/node_24_python_3_14/trivy.yaml | 1 - .../.devcontainer/.tool-versions | 0 .../fhir_facade_api/.devcontainer/Dockerfile | 0 .../.devcontainer/devcontainer.json | 0 .../.devcontainer/scripts/root_install.sh | 0 .../.devcontainer/scripts/vscode_install.sh | 0 .../fhir_facade_api/.trivyignore.yaml | 0 src/projects/fhir_facade_api/trivy.yaml | 1 + src/python_3_10/trivy.yaml | 1 - 40 files changed, 41 insertions(+), 18 deletions(-) delete mode 100644 src/fhir_facade_api/trivy.yaml rename src/{ => 
languages}/node_24_python_3_12/.devcontainer/.tool-versions (100%) rename src/{ => languages}/node_24_python_3_12/.devcontainer/devcontainer.json (92%) rename src/{ => languages}/node_24_python_3_12/.devcontainer/scripts/root_install.sh (100%) rename src/{ => languages}/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh (100%) rename src/{ => languages}/node_24_python_3_12/.trivyignore.yaml (100%) create mode 100644 src/languages/node_24_python_3_12/trivy.yaml rename src/{ => languages}/node_24_python_3_13/.devcontainer/.tool-versions (100%) rename src/{python_3_10 => languages/node_24_python_3_13}/.devcontainer/devcontainer.json (92%) rename src/{ => languages}/node_24_python_3_13/.devcontainer/scripts/root_install.sh (100%) rename src/{ => languages}/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh (100%) rename src/{ => languages}/node_24_python_3_13/.trivyignore.yaml (100%) create mode 100644 src/languages/node_24_python_3_13/trivy.yaml rename src/{ => languages}/node_24_python_3_14/.devcontainer/.tool-versions (100%) rename src/{ => languages}/node_24_python_3_14/.devcontainer/devcontainer.json (92%) rename src/{ => languages}/node_24_python_3_14/.devcontainer/scripts/root_install.sh (100%) rename src/{ => languages}/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh (100%) rename src/{ => languages}/node_24_python_3_14/.trivyignore.yaml (100%) create mode 100644 src/languages/node_24_python_3_14/trivy.yaml rename src/{ => languages}/python_3_10/.devcontainer/.tool-versions (100%) rename src/{node_24_python_3_13 => languages/python_3_10}/.devcontainer/devcontainer.json (92%) rename src/{ => languages}/python_3_10/.devcontainer/scripts/root_install.sh (100%) rename src/{ => languages}/python_3_10/.devcontainer/scripts/vscode_install.sh (100%) rename src/{ => languages}/python_3_10/.trivyignore.yaml (100%) create mode 100644 src/languages/python_3_10/trivy.yaml delete mode 100644 src/node_24_python_3_12/trivy.yaml delete mode 100644 
src/node_24_python_3_13/trivy.yaml delete mode 100644 src/node_24_python_3_14/trivy.yaml rename src/{ => projects}/fhir_facade_api/.devcontainer/.tool-versions (100%) rename src/{ => projects}/fhir_facade_api/.devcontainer/Dockerfile (100%) rename src/{ => projects}/fhir_facade_api/.devcontainer/devcontainer.json (100%) rename src/{ => projects}/fhir_facade_api/.devcontainer/scripts/root_install.sh (100%) rename src/{ => projects}/fhir_facade_api/.devcontainer/scripts/vscode_install.sh (100%) rename src/{ => projects}/fhir_facade_api/.trivyignore.yaml (100%) create mode 100644 src/projects/fhir_facade_api/trivy.yaml delete mode 100644 src/python_3_10/trivy.yaml diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml index eb48d3d..1532800 100644 --- a/.github/workflows/build_all_images.yml +++ b/.github/workflows/build_all_images.yml @@ -17,7 +17,8 @@ jobs: tag_latest: ${{ inputs.tag_latest }} docker_tag: ${{ inputs.docker_tag }} container_name: base - package_non_base_docker_image: + base_folder: "." + package_language_docker_image: needs: - package_base_docker_image strategy: @@ -33,9 +34,10 @@ jobs: tag_latest: ${{ inputs.tag_latest }} docker_tag: ${{ inputs.docker_tag }} container_name: ${{ matrix.container_name }} - package_product_docker_image: + base_folder: "languages" + package_project_docker_image: needs: - - package_non_base_docker_image + - package_language_docker_image strategy: fail-fast: false matrix: @@ -46,3 +48,4 @@ jobs: tag_latest: ${{ inputs.tag_latest }} docker_tag: ${{ inputs.docker_tag }} container_name: ${{ matrix.container_name }} + base_folder: "projects" diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 4e64420..e21eaf7 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml 
@@ -11,6 +11,9 @@ name: Build and push docker image container_name: required: true type: string + base_folder: + required: true + type: string jobs: build_and_push_image: @@ -81,8 +84,8 @@ jobs: DOCKER_TAG: '${{ inputs.docker_tag }}' CONTAINER_NAME: '${{ inputs.container_name }}' BASE_VERSION: ${{ inputs.docker_tag}} - PLATFORM: linux/${{ matrix.arch }} IMAGE_TAG: ":${{ inputs.docker_tag }}-${{ matrix.arch }}" + BASE_FOLDER: "${{ inputs.base_folder }}" - name: Check docker vulnerabilities - json output uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: diff --git a/Makefile b/Makefile index f7b0ec3..621fbf1 100644 --- a/Makefile +++ b/Makefile @@ -21,11 +21,10 @@ install-node: install-hooks: install-python poetry run pre-commit install --install-hooks --overwrite -build-image: guard-CONTAINER_NAME guard-BASE_VERSION guard-PLATFORM +build-image: guard-CONTAINER_NAME guard-BASE_VERSION guard-BASE_FOLDER npx devcontainer build \ - --workspace-folder ./src/$${CONTAINER_NAME}/ \ + --workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \ --push false \ - --platform $${PLATFORM} \ --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}${IMAGE_TAG}" scan-image: guard-CONTAINER_NAME diff --git a/README.md b/README.md index 6bc7ce2..5174b6a 100644 --- a/README.md +++ b/README.md @@ -57,10 +57,28 @@ For pull requests, an image is pushed with tag `pr-- Date: Fri, 13 Feb 2026 08:54:09 +0000 Subject: [PATCH 80/94] dynamic folders --- .github/workflows/build_all_images.yml | 32 ++++++++++++++++++-------- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml index 1532800..2cde7f1 100644 --- a/.github/workflows/build_all_images.yml +++ b/.github/workflows/build_all_images.yml 
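Review bot: The new `base_folder` input has no description, and its accepted values are only discoverable from the callers (`"."`, `"languages"`, `"projects"` in `build_all_images.yml`); add `description: 'Subfolder of src holding the container; "." for the base image'` under it so the `./src/./base` path produced for the base image is clearly intentional. The `inputs:` block begins outside the hunk.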
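Review bot: Dropping `--platform $${PLATFORM}` from `build-image` means the devcontainer CLI now builds for the host's own architecture, which appears to work in CI only because each `matrix.arch` runs on a matching native runner; that assumption is no longer visible in the Makefile, so add `# platform follows the host; CI runs this once per native-arch runner` above the target. The `PLATFORM` env removed from the workflow in the previous hunk is consistent with this. The recipe's first line is outside the hunk.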
@@ -11,6 +11,20 @@ name: build_all_images env: BRANCH_NAME: '${{ github.event.pull_request.head.ref }}' jobs: + discover_folders: + runs-on: ubuntu-latest + outputs: + language_folders: ${{ steps.find-folders.outputs.languages }} + project_folders: ${{ steps.find-folders.outputs.projects }} + steps: + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + + - id: find-folders + run: | + language_folders=$(find src/languages -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]') + project_folders=$(find src/projects -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]') + echo "languages=$language_folders" >> "$GITHUB_OUTPUT" + echo "projects=$project_folders" >> "$GITHUB_OUTPUT" package_base_docker_image: uses: ./.github/workflows/build_multi_arch_image.yml with: @@ -18,31 +32,29 @@ jobs: docker_tag: ${{ inputs.docker_tag }} container_name: base base_folder: "." - package_language_docker_image: + package_language_docker_images: needs: - package_base_docker_image + - discover_folders strategy: fail-fast: false matrix: - include: - - container_name: node_24_python_3_14 - - container_name: node_24_python_3_13 - - container_name: node_24_python_3_12 - - container_name: python_3_10 + container_name: ${{ fromJson(needs.discover_folders.outputs.language_folders) }} uses: ./.github/workflows/build_multi_arch_image.yml with: tag_latest: ${{ inputs.tag_latest }} docker_tag: ${{ inputs.docker_tag }} container_name: ${{ matrix.container_name }} base_folder: "languages" - package_project_docker_image: + package_project_docker_images: needs: - - package_language_docker_image + - package_language_docker_images + + - discover_folders strategy: fail-fast: false matrix: - include: - - container_name: fhir_facade_api + container_name: ${{ fromJson(needs.discover_folders.outputs.project_folders) }} uses: ./.github/workflows/build_multi_arch_image.yml with: tag_latest: ${{ inputs.tag_latest }} 
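Review bot: The new `discover_folders` job declares no `permissions:` block, so it runs with the repository's default `GITHUB_TOKEN` scope although it only checks out code; add `permissions:` with `contents: read` under the job to match the least-privilege blocks the other jobs in this series carry. It also uses `runs-on: ubuntu-latest` while the other jobs pin `ubuntu-22.04`; pin it the same way so runner drift does not change `find`/`jq` behaviour. If `src/languages` or `src/projects` is ever empty, `fromJson` yields `[]` and GitHub rejects the empty matrix vector rather than skipping the job, which is worth a comment on the `find` lines.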
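Review bot: The `needs` list of `package_project_docker_images` has a stray blank line between `- package_language_docker_images` and `- discover_folders`; YAML accepts it, but it reads as a leftover and differs from the `package_language_docker_images` list just above, so remove it. The explicit `- discover_folders` entry is required even though the job transitively depends on it, because `needs.discover_folders.outputs` is only available for jobs listed directly in `needs`; a comment such as `# direct dependency so its outputs are readable here` would stop someone removing it as redundant.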
From 5fc96dfbc1d8dba051ee652ebef0f8244c34bf58 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 08:56:28 +0000 Subject: [PATCH 81/94] flag to push image --- .github/workflows/build_all_images.yml | 6 ++++++ .github/workflows/build_multi_arch_image.yml | 7 ++++++- .github/workflows/pull_request.yml | 1 + .github/workflows/release.yml | 1 + 4 files changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml index 2cde7f1..2945772 100644 --- a/.github/workflows/build_all_images.yml +++ b/.github/workflows/build_all_images.yml @@ -8,6 +8,9 @@ name: build_all_images tag_latest: required: true type: boolean + push_image: + required: true + type: boolean env: BRANCH_NAME: '${{ github.event.pull_request.head.ref }}' jobs: @@ -32,6 +35,7 @@ jobs: docker_tag: ${{ inputs.docker_tag }} container_name: base base_folder: "." + push_image: ${{ inputs.push_image }} package_language_docker_images: needs: - package_base_docker_image @@ -46,6 +50,7 @@ jobs: docker_tag: ${{ inputs.docker_tag }} container_name: ${{ matrix.container_name }} base_folder: "languages" + push_image: ${{ inputs.push_image }} package_project_docker_images: needs: - package_language_docker_images @@ -61,3 +66,4 @@ jobs: docker_tag: ${{ inputs.docker_tag }} container_name: ${{ matrix.container_name }} base_folder: "projects" + push_image: ${{ inputs.push_image }} diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index e21eaf7..9f2a459 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -14,6 +14,9 @@ name: Build and push docker image base_folder: required: true type: string + push_image: + required: true + type: boolean jobs: build_and_push_image: 
@@ -127,6 +130,7 @@ jobs: ARCHITECTURE: '${{ matrix.arch }}' DOCKER_TAG: '${{ inputs.docker_tag }}' - name: Push tagged image + if: ${{ inputs.push_image }} run: | echo "Pushing image..." docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" @@ -135,7 +139,7 @@ jobs: CONTAINER_NAME: '${{ inputs.container_name }}' ARCHITECTURE: '${{ matrix.arch }}' - name: Push latest image - if: ${{ inputs.tag_latest }} + if: ${{ inputs.tag_latest && inputs.push_image }} run: | docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}" echo "Pushing image..." @@ -146,6 +150,7 @@ jobs: ARCHITECTURE: '${{ matrix.arch }}' publish_combined_image: + if: ${{ inputs.push_image }} name: Publish image for ${{ inputs.container_name }} runs-on: ubuntu-22.04 needs: build_and_push_image diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 3e39073..e5703d8 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -92,3 +92,4 @@ jobs: with: docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' tag_latest: false + push_image: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0a4876c..8b316b6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -45,3 +45,4 @@ jobs: with: docker_tag: '${{ needs.tag_release.outputs.version_tag }}' tag_latest: true + push_image: true From 6e98ca0be59800497ce159bb275919f6c23106cc Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 08:59:37 +0000 Subject: [PATCH 82/94] fix workflows --- .github/workflows/ci.yml | 48 +++++++++++++++++++++++++++++++++++ .github/workflows/release.yml | 7 ++--- 2 files changed, 52 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/ci.yml 
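Review bot: `push_image: true` on the pull-request workflow contradicts the README text added in patch 86, which states that pull-request images are built and scanned but not pushed to the registry, while the new `ci.yml` in patch 82 (merge to main) sets `push_image: false`; one of the two is wrong. If PR images are meant to be published under the `pr-<issue>-<sha>` tag built here, correct the README and say so inline, e.g. `push_image: true  # PR images are published under the pr-* tag`; if not, this should be `push_image: false`. The surrounding `with:` block begins outside the hunk.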
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..80d9df1 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,48 @@ +name: merge to main workflow +on: + push: + branches: [main] + +jobs: + get_asdf_version: + runs-on: ubuntu-22.04 + outputs: + asdf_version: '${{ steps.asdf-version.outputs.version }}' + tag_format: '${{ steps.load-config.outputs.TAG_FORMAT }}' + steps: + - name: Checkout code + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + - name: Get asdf version + id: asdf-version + run: >- + echo "version=$(awk '!/^#/ && NF {print $1; exit}' + .tool-versions.asdf)" >> "$GITHUB_OUTPUT" + - name: Load config value + id: load-config + run: | + TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) + echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" + quality_checks: + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3 + needs: + - get_asdf_version + with: + asdfVersion: '${{ needs.get_asdf_version.outputs.asdf_version }}' + secrets: + SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}' + tag_release: + needs: [quality_checks, get_asdf_version] + uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e + with: + dry_run: false + asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} + branch_name: main + tag_format: ${{ needs.get_asdf_version.outputs.tag_format }} + secrets: inherit + build_all_images: + needs: tag_release + uses: ./.github/workflows/build_all_images.yml + with: + docker_tag: '${{ needs.tag_release.outputs.version_tag }}' + tag_latest: false + push_image: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8b316b6..c156387 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
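Review bot: `tag_release` is called with `secrets: inherit`, which forwards every repository secret to the reusable workflow, whereas `quality_checks` in the same file passes only `SONAR_TOKEN`; pass the specific secrets `tag-release.yml` needs instead, so a change in that shared workflow cannot widen what it can read. The workflow also declares no top-level `permissions:`, so every job inherits the repository default; set it explicitly (`contents: read` at the top, with a wider grant only on `tag_release` if it pushes the tag with `GITHUB_TOKEN`). The two reusable-workflow refs pin different commits of the same `eps-common-workflows` repository (`5ccebbf821…` and `e31e25273f…`), which is valid but easy to let drift; pinning both to one commit keeps bumps in step. `dry_run: false` means every push to `main` creates a real tag, which deserves a comment if intended.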
@@ -1,7 +1,8 @@ -name: merge to main workflow +name: release workflow on: - push: - branches: [main] + workflow_dispatch: + schedule: + - cron: "0 18 * * 4" jobs: get_asdf_version: From a53140423a94bce41cef5c17fa8034e34aaf37e1 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 09:25:53 +0000 Subject: [PATCH 83/94] add output to build --- .github/workflows/build_multi_arch_image.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 9f2a459..1e30b11 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -172,6 +172,7 @@ jobs: docker buildx imagetools create -t "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \ "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" \ "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64" + echo "## PUSHED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" >> "$GITHUB_STEP_SUMMARY" env: DOCKER_TAG: ${{ inputs.docker_tag }} CONTAINER_NAME: '${{ inputs.container_name }}' @@ -182,6 +183,7 @@ jobs: docker buildx imagetools create -t "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" \ "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" \ "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64" + echo "## PUSHED COMBINED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" >> "$GITHUB_STEP_SUMMARY" env: DOCKER_TAG: ${{ inputs.docker_tag }} CONTAINER_NAME: '${{ inputs.container_name }}' From 0dc7db0a8d02260274aa41055cdd80529c26658f Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 09:32:57 +0000 Subject: [PATCH 84/94] fix scan --- .github/workflows/build_multi_arch_image.yml | 8 ++++---- Makefile | 18 +++++++++--------- 2 files changed, 13 insertions(+), 13 deletions(-) 
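Review bot: The schedule entry `- cron: "0 18 * * 4"` carries no comment saying what it means, and cron fields are routinely misread; add `# every Thursday at 18:00 UTC` beside it. Since this workflow now releases automatically with `tag_latest: true` and `push_image: true`, the comment should also say that the scheduled run publishes images, so nobody assumes it is a dry run. The `jobs:` section continues outside the hunk.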
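Review bot: The two step-summary lines label the same kind of artefact differently — `## PUSHED IMAGE : …:${DOCKER_TAG}` in the tagged step and `## PUSHED COMBINED IMAGE : …:latest` in the latest step — although both are manifest lists produced by `docker buildx imagetools create`; use one wording in both, e.g. `## PUSHED COMBINED IMAGE : …`. Placing the `echo` after the `imagetools create` call is right: under the default `bash -e` shell a failed create stops the step before the summary line is written. Both steps begin outside their hunks.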
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 1e30b11..333b563 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -74,9 +74,9 @@ jobs: echo "Creating combined trivy ignore file" # create combined trivy ignore file for use in trivy scan, combining common and specific ignore files if they exist - combined="src/${CONTAINER_NAME}/.trivyignore_combined.yaml" + combined="src/${BASE_FOLDER}/${CONTAINER_NAME}/.trivyignore_combined.yaml" common="src/common/.trivyignore.yaml" - specific="src/${CONTAINER_NAME}/.trivyignore.yaml" + specific="src/${BASE_FOLDER}/${CONTAINER_NAME}/.trivyignore.yaml" echo "vulnerabilities:" > "$combined" if [ -f "$common" ]; then sed -n '2,$p' "$common" >> "$combined"; fi if [ -f "$specific" ]; then sed -n '2,$p' "$specific" >> "$combined"; fi @@ -100,7 +100,7 @@ jobs: format: "json" output: "scan_results_docker.json" exit-code: "0" - trivy-config: src/${{ inputs.container_name }}/trivy.yaml + trivy-config: src/${{ inputs.base_folder }}/${{ inputs.container_name }}/trivy.yaml - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f name: Upload scan results with: @@ -117,7 +117,7 @@ jobs: format: "table" output: "scan_results_docker.txt" exit-code: "1" - trivy-config: src/${{ inputs.container_name }}/trivy.yaml + trivy-config: src/${{ inputs.base_folder }}/${{ inputs.container_name }}/trivy.yaml - name: Show docker vulnerability output if: always() diff --git a/Makefile b/Makefile index 621fbf1..0a5af97 100644 --- a/Makefile +++ b/Makefile 
@@ -27,31 +27,31 @@ build-image: guard-CONTAINER_NAME guard-BASE_VERSION guard-BASE_FOLDER --push false \ --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}${IMAGE_TAG}" -scan-image: guard-CONTAINER_NAME - @combined="src/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ +scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER + @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ common="src/common/.trivyignore.yaml"; \ - specific="src/$${CONTAINER_NAME}/.trivyignore.yaml"; \ + specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \ echo "vulnerabilities:" > "$$combined"; \ if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \ if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi trivy image \ --severity HIGH,CRITICAL \ - --config src/${CONTAINER_NAME}/trivy.yaml \ + --config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \ --scanners vuln \ --exit-code 1 \ --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}" -scan-image-json: guard-CONTAINER_NAME - @combined="src/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ +scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER + @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ common="src/common/.trivyignore.yaml"; \ - specific="src/$${CONTAINER_NAME}/.trivyignore.yaml"; \ + specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \ echo "vulnerabilities:" > "$$combined"; \ if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \ if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi mkdir -p .out trivy image \ --severity HIGH,CRITICAL \ - --config src/${CONTAINER_NAME}/trivy.yaml \ + --config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \ --scanners vuln \ --exit-code 1 \ --format json \ 
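Review bot: `scan-image` and `scan-image-json` still scan `"${CONTAINER_PREFIX}$${CONTAINER_NAME}"` although `build-image` (just above the hunk) now tags the image with `${IMAGE_TAG}` appended, and `shell-image` in the next hunk was updated to the suffixed name; when `IMAGE_TAG` is set the scan therefore runs against an older un-suffixed image, or fails if none exists, rather than the one just built. Append the suffix in both scan targets, e.g. `--format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}${IMAGE_TAG}"`. CI appears unaffected because the workflow calls `trivy-action` directly, but the Makefile is what developers run locally. The `scan-image-json` recipe continues outside the hunk.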
@@ -59,7 +59,7 @@ scan-image-json: guard-CONTAINER_NAME shell-image: guard-CONTAINER_NAME docker run -it \ - "${CONTAINER_PREFIX}$${CONTAINER_NAME}" \ + "${CONTAINER_PREFIX}$${CONTAINER_NAME}${IMAGE_TAG}" \ bash lint: lint-githubactions From a76a6148aac7e1a45f49c6f40376d1f9ac3022c6 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 10:05:26 +0000 Subject: [PATCH 85/94] fix trivyigonore for arm fhir facade --- .../fhir_facade_api/.trivyignore.yaml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/src/projects/fhir_facade_api/.trivyignore.yaml b/src/projects/fhir_facade_api/.trivyignore.yaml index 4d4afb0..639428a 100644 --- a/src/projects/fhir_facade_api/.trivyignore.yaml +++ b/src/projects/fhir_facade_api/.trivyignore.yaml @@ -45,3 +45,23 @@ vulnerabilities: purls: - "pkg:npm/tar@7.5.1" expired_at: 2026-08-12 + - id: CVE-2022-25235 + statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution" + purls: + - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-13 + - id: CVE-2022-25236 + statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution" + purls: + - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-13 + - id: CVE-2022-26485 + statement: "Mozilla: Use-after-free in XSLT parameter processing" + purls: + - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-13 + - id: CVE-2022-26486 + statement: "Mozilla: Use-after-free in WebGPU IPC Framework" + purls: + - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-13 From 6a1cd6d0d250b8ab137b83735ca228a7efdacb80 Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Fri, 13 Feb 2026 10:47:13 +0000 Subject: [PATCH 86/94] update readme --- README.md | 137 +++++++++++++++++++++++++++++++++++------------------- 1 file changed, 88 insertions(+), 49 deletions(-) diff --git a/README.md b/README.md index 5174b6a..6b70dde 100644 --- a/README.md +++ b/README.md @@ -3,9 +3,12 @@ EPS DEV CONTAINERS # Introduction This repo contains code to build a vscode devcontainers that can be used as a base image for all EPS projects. -Images are build for amd64 and arm64 and a manifest file created that can be pulled for both architectures. -Images are based on mcr.microsoft.com/devcontainers/base:ubuntu-22.04 -Images contain +Images are build for amd64 and arm64 and a manifest file created that can be pulled for both architectures. This is then pushed to github container registry. +Images are built using using https://github.com/devcontainers/cli. + +We build a base image based on mcr.microsoft.com/devcontainers/base:ubuntu-22.04 that other images are then based on + +The base image contains - latest os packages - asdf - aws cli 
@@ -24,54 +27,74 @@ asdf install and setup for these so they are available globally as vscode user - ruby (for github pages) - trivy -Install asdf plugins for all tools we use Install and setup git-secrets +# Using the images +In each eps project, you can put this in the devcontainer Dockerfile. You should not need to add any features. +``` +FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13: + +USER root +# specify DOCKER_GID to force container docker group id to match host +RUN if [ -n "${DOCKER_GID}" ]; then \ + if ! getent group docker; then \ + groupadd -g ${DOCKER_GID} docker; \ + else \ + groupmod -g ${DOCKER_GID} docker; \ + fi && \ + usermod -aG docker vscode; \ + fi + +USER vscode +``` + # Project structure -## base container -The base dev container is defined in src/base/.devcontainer folder. This folder contains a Dockerfile and a devcontainer.json file which is used to build the container. -As part of the dockerfile, there are scripts in the scripts folder that run as root and vscode user that setup and install various programs. +We have 3 types of dev container. These are defined under src -The dev container is built using https://github.com/devcontainers/cli +`base` - this is the base image that all others are based on. +`languages` - this installs specific versions of node and python. +`projects` - this is used for projects where more customization is needed than just a base language image -## common files -There are some common files under src/common. These include -- a Dockerfile used to build specific containers that installs poetry after python has been installed -- a .trivyignore file that contains trivy suppressions in the base image +Each image to be built contains a .devcontainer folder that defines how the devcontainer should be built. At a minimum, this should contain a devcontainer.json file. 
See https://containers.dev/implementors/json_reference/ for options for this -## specific containers -There are specific containers in src/ - eg src/base/node_24_python_3_14 -These have a .devcontainer/devcontainer.json file used to built the image -These use the base container as a base and then install specific versions of tools using devcontainer features, or a customised Dockerfile -If there are specific vulnerabilities from these tools, then these should be added to the .trivyignore file in the folder +Images under languages should point to a dockerfile under src/common that is based off the base image. This also runs `.devcontainer/scripts/root_install.sh` and `.devcontainer/scripts/vscode_install.sh` as vscode user as part of the build -# Build process +We use trivy to scan for vulnerabilities in the built docker images. Known vulnerabilities in the base image are in `src/common/.trivyignore.yaml`. Vulnerabilities in specific images are in `.trivyignore.yaml` file in each images folder. These are combined before running a scan to exclude know vulnerabilities + +# Pull requests and merge to main process +For each pull request, and merge to main, images are built and scanned using trivy, but the images are not pushed to github container registry Docker images are built for each pull request, and on merges to main. Docker images are built for amd64 and arm64 architecture, and a combined manifest is created and pushed as part of the build. -The base image is built first, and then all other images are built +The base image is built first, and then language images, and finally project images. Docker images are scanned for vulnerabilities using trivy as part of a build step, and the build fails if vulnerabilities are found not in .trivyignore file. -For pull requests, an image is pushed with tag `pr--` -On merges to main, a new release is created, and images are tagged with `latest` and the version of the release. 
+ +# Release workflow +There is a release workflow that runs weekly at 18:00 on Thursday and on demand. +This creates a new release tag, builds all images, and pushes them to github container registry. +Images are tagged with the release tag, and also with latest # Local testing -For local testing, you can run this to build the base image +## Building images +You can use these commands to build images + +Base image ``` CONTAINER_NAME=base \ BASE_VERSION=latest \ BASE_FOLDER=. \ make build-image ``` -or this to build a language image +Language images ``` CONTAINER_NAME=node_24_python_3_12 \ BASE_VERSION=latest \ BASE_FOLDER=languages \ make build-image ``` -or this to build a project image +Project images ``` CONTAINER_NAME=fhir_facade_api \ BASE_VERSION=latest \ 
@@ -79,39 +102,55 @@ CONTAINER_NAME=fhir_facade_api \ make build-image ``` -to build a local image, and then +## Scanning images +You can use these commands to scan images +Base image ``` -CONTAINER_NAME=base BASE_VERSION=latest make scan-image +CONTAINER_NAME=base \ + BASE_FOLDER=. \ + make scan-image ``` -to scan for vulnerabilities - -# Using the images -In each eps project, you can put this in the devcontainer Dockerfile. You should not need to add any features. +Language images ``` -FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13: - -USER root -# specify DOCKER_GID to force container docker group id to match host -RUN if [ -n "${DOCKER_GID}" ]; then \ - if ! getent group docker; then \ - groupadd -g ${DOCKER_GID} docker; \ - else \ - groupmod -g ${DOCKER_GID} docker; \ - fi && \ - usermod -aG docker vscode; \ - fi - -USER vscode +CONTAINER_NAME=node_24_python_3_12 \ + BASE_FOLDER=languages \ + make scan-image +``` +Project images ``` +CONTAINER_NAME=fhir_facade_api \ + BASE_FOLDER=projects \ + make scan-image +``` -# Generating a .trivyignore file -You can generate a .trivyignore file for known vulnerabilities by either downloading the json scan output generated by the build, or by generating it locally using +## Interactive shell on image +You can use this to start an interactive shell on built images +base image +``` +CONTAINER_NAME=base \ + make shell-image +``` +Language images ``` -CONTAINER_NAME=base BASE_VERSION=latest make scan-image-json +CONTAINER_NAME=node_24_python_3_12 \ + make shell-image +``` +Project images ``` +CONTAINER_NAME=fhir_facade_api \ + make shell-image +``` + + +## Generating a .trivyignore file +You can generate a .trivyignore file for known vulnerabilities by either downloading the json scan output generated by the build, or by generating it locally using the scanning images commands above with a make target of scan-image-json + If generated locally, then the output goes into .out/scan.out.json -Once you have this, 
use the following to generate a .trivyignore +Once you have the scan output, use the following to generate a .trivyignore ``` -poetry run python scripts/trivy_to_trivyignore.py --input .out/scan.out.json --output src/common/.trivyignore.yaml +poetry run python \ + scripts/trivy_to_trivyignore.py \ + --input .out/scan.out.json \ + --output src/common/.trivyignore.yaml ``` From 36893f23eab0cd6381083942cbcd209ce9df3916 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 10:55:31 +0000 Subject: [PATCH 87/94] work images not being pushed --- .github/workflows/build_multi_arch_image.yml | 30 +++++++++++++++++++- README.md | 1 + 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 333b563..b5fe020 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -67,6 +67,19 @@ jobs: - name: make install run: | make install-node + - name: Download images + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 + if: ${{ !inputs.push_image }} + with: + pattern: eps-devcontainer-*.img + - name: Extract images + if: ${{ !inputs.push_image }} + run: | + for img in eps-devcontainer-*.img; do + echo "Loading image from $img..." + docker load -i "$img" + done + - name: Build container run: | echo "Building image..." 
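Review bot: `actions/download-artifact` called with `pattern: eps-devcontainer-*.img` and no `merge-multiple: true` extracts each matching artifact into its own directory named after the artifact, so the glob in the following `Extract images` step would match those directories rather than the saved files and `docker load -i "$img"` would fail on them (this assumes the pinned SHA is a v4 release with the documented default; confirm against the action's README). Adding `merge-multiple: true` under `with:` places all files flat in the working directory, which is what the loop expects. A one-line comment above the step, `# artifacts come from the earlier image jobs in this run; merged into the workspace root`, would also make the coupling to the upload step explicit.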
@@ -148,7 +161,22 @@ jobs: DOCKER_TAG: ${{ inputs.docker_tag }} CONTAINER_NAME: '${{ inputs.container_name }}' ARCHITECTURE: '${{ matrix.arch }}' - + - name: Save image for upload + if: ${{ !inputs.push_image }} + run: | + docker save "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-${ARCHITECTURE}.img" + env: + ARCHITECTURE: '${{ matrix.arch }}' + DOCKER_TAG: '${{ inputs.docker_tag }}' + CONTAINER_NAME: '${{ inputs.container_name }}' + BASE_VERSION: ${{ inputs.docker_tag}} + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f + name: Upload docker images + if: ${{ !inputs.push_image }} + with: + name: "eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-${{ matrix.arch }}.img" + path: | + eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-${{ matrix.arch }}.img publish_combined_image: if: ${{ inputs.push_image }} name: Publish image for ${{ inputs.container_name }} diff --git a/README.md b/README.md index 6b70dde..3dbe61b 100644 --- a/README.md +++ b/README.md @@ -70,6 +70,7 @@ The base image is built first, and then language images, and finally project ima Docker images are scanned for vulnerabilities using trivy as part of a build step, and the build fails if vulnerabilities are found not in .trivyignore file. +Docker images are also uploaded as artifacts of build. # Release workflow There is a release workflow that runs weekly at 18:00 on Thursday and on demand. From f55c1519d54f2a2b23e7f75ba17958b8fcb4eada Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 10:55:54 +0000 Subject: [PATCH 88/94] do not push image for pull request --- .github/workflows/pull_request.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index e5703d8..99cfb80 100644 --- a/.github/workflows/pull_request.yml 
+++ b/.github/workflows/pull_request.yml @@ -92,4 +92,4 @@ jobs: with: docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' tag_latest: false - push_image: true + push_image: false From ed5af5ff428aeb5e0266f69e008aa4d15326b811 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 10:56:38 +0000 Subject: [PATCH 89/94] do not tag on ci --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 80d9df1..672245a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,7 @@ jobs: needs: [quality_checks, get_asdf_version] uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e with: - dry_run: false + dry_run: true asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} branch_name: main tag_format: ${{ needs.get_asdf_version.outputs.tag_format }} From 85dba20f245d905977e1ec7e3e3f081f5b541af6 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 11:08:37 +0000 Subject: [PATCH 90/94] handle no images --- .github/workflows/build_multi_arch_image.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index b5fe020..b1deacb 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -75,10 +75,16 @@ jobs: - name: Extract images if: ${{ !inputs.push_image }} run: | - for img in eps-devcontainer-*.img; do - echo "Loading image from $img..." - docker load -i "$img" - done + shopt -s nullglob + imgs=(eps-devcontainer-*.img) + if [ ${#imgs[@]} -eq 0 ]; then + echo "No images found to load." + else + for img in "${imgs[@]}"; do + echo "Loading image from $img..." + docker load -i "$img" + done + fi - name: Build container run: | 
From a695541561fa399d6694afed53a88602dbdaed30 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 11:09:06 +0000 Subject: [PATCH 91/94] fix tab --- .github/workflows/build_multi_arch_image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index b1deacb..a36becc 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -78,7 +78,7 @@ jobs: shopt -s nullglob imgs=(eps-devcontainer-*.img) if [ ${#imgs[@]} -eq 0 ]; then - echo "No images found to load." + echo "No images found to load." else for img in "${imgs[@]}"; do echo "Loading image from $img..." From 8d11eab2f6059cd70d27d40ed954a8fa32cbfc85 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 11:12:54 +0000 Subject: [PATCH 92/94] remove downloaded images --- .github/workflows/build_multi_arch_image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index a36becc..d915547 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -83,6 +83,7 @@ jobs: for img in "${imgs[@]}"; do echo "Loading image from $img..." docker load -i "$img" + rm "$img" done fi From 6738235451f70d599419da6e6e6bd8930c702d2b Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 11:27:21 +0000 Subject: [PATCH 93/94] always push image --- .github/workflows/build_all_images.yml | 6 --- .github/workflows/build_multi_arch_image.yml | 44 +------------------- .github/workflows/ci.yml | 1 - .github/workflows/pull_request.yml | 1 - .github/workflows/release.yml | 1 - 5 files changed, 2 insertions(+), 51 deletions(-) diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml index 2945772..2cde7f1 100644 --- a/.github/workflows/build_all_images.yml 
+++ b/.github/workflows/build_all_images.yml @@ -8,9 +8,6 @@ name: build_all_images tag_latest: required: true type: boolean - push_image: - required: true - type: boolean env: BRANCH_NAME: '${{ github.event.pull_request.head.ref }}' jobs: @@ -35,7 +32,6 @@ jobs: docker_tag: ${{ inputs.docker_tag }} container_name: base base_folder: "." - push_image: ${{ inputs.push_image }} package_language_docker_images: needs: - package_base_docker_image @@ -50,7 +46,6 @@ jobs: docker_tag: ${{ inputs.docker_tag }} container_name: ${{ matrix.container_name }} base_folder: "languages" - push_image: ${{ inputs.push_image }} package_project_docker_images: needs: - package_language_docker_images @@ -66,4 +61,3 @@ jobs: docker_tag: ${{ inputs.docker_tag }} container_name: ${{ matrix.container_name }} base_folder: "projects" - push_image: ${{ inputs.push_image }} diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index d915547..d930699 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -14,9 +14,6 @@ name: Build and push docker image base_folder: required: true type: string - push_image: - required: true - type: boolean jobs: build_and_push_image: @@ -67,25 +64,6 @@ jobs: - name: make install run: | make install-node - - name: Download images - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 - if: ${{ !inputs.push_image }} - with: - pattern: eps-devcontainer-*.img - - name: Extract images - if: ${{ !inputs.push_image }} - run: | - shopt -s nullglob - imgs=(eps-devcontainer-*.img) - if [ ${#imgs[@]} -eq 0 ]; then - echo "No images found to load." - else - for img in "${imgs[@]}"; do - echo "Loading image from $img..." - docker load -i "$img" - rm "$img" - done - fi - name: Build container run: | 
@@ -150,7 +128,6 @@ jobs: ARCHITECTURE: '${{ matrix.arch }}' DOCKER_TAG: '${{ inputs.docker_tag }}' - name: Push tagged image - if: ${{ inputs.push_image }} run: | echo "Pushing image..." docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" @@ -159,7 +136,7 @@ jobs: CONTAINER_NAME: '${{ inputs.container_name }}' ARCHITECTURE: '${{ matrix.arch }}' - name: Push latest image - if: ${{ inputs.tag_latest && inputs.push_image }} + if: ${{ inputs.tag_latest }} run: | docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}" echo "Pushing image..." @@ -168,25 +145,8 @@ jobs: DOCKER_TAG: ${{ inputs.docker_tag }} CONTAINER_NAME: '${{ inputs.container_name }}' ARCHITECTURE: '${{ matrix.arch }}' - - name: Save image for upload - if: ${{ !inputs.push_image }} - run: | - docker save "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" -o "eps-devcontainer-${CONTAINER_NAME}-${DOCKER_TAG}-${ARCHITECTURE}.img" - env: - ARCHITECTURE: '${{ matrix.arch }}' - DOCKER_TAG: '${{ inputs.docker_tag }}' - CONTAINER_NAME: '${{ inputs.container_name }}' - BASE_VERSION: ${{ inputs.docker_tag}} - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f - name: Upload docker images - if: ${{ !inputs.push_image }} - with: - name: "eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-${{ matrix.arch }}.img" - path: | - eps-devcontainer-${{ inputs.container_name }}-${{ inputs.docker_tag }}-${{ matrix.arch }}.img publish_combined_image: - if: ${{ inputs.push_image }} - name: Publish image for ${{ inputs.container_name }} + name: Publish combined image for ${{ inputs.container_name }} runs-on: ubuntu-22.04 needs: build_and_push_image permissions: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 672245a..9702368 100644 --- a/.github/workflows/ci.yml 
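Review bot: Removing `if: ${{ inputs.push_image }}` from `publish_combined_image` (and the same guard from `Push tagged image` in the hunk above) means every caller of this reusable workflow now publishes to `ghcr.io/nhsdigital/eps-devcontainers`, including the pull_request workflow whose `push_image: false` is deleted later in this commit; images built from unreviewed branches will be pushed under `pr-…` tags and accumulate in the registry. If that is intended, a comment at the top of the workflow stating that it always publishes and that pull-request tags are disposable would help, together with a scheduled clean-up of `pr-*` tags and a check that `packages: write` is granted only to the jobs that push. Since ci.yml's tag-release call is now `dry_run: true`, it is also worth confirming that `needs.tag_release.outputs.version_tag` still yields a non-empty value there, otherwise main-branch builds would push with a malformed or unintended tag.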
+++ b/.github/workflows/ci.yml @@ -45,4 +45,3 @@ jobs: with: docker_tag: '${{ needs.tag_release.outputs.version_tag }}' tag_latest: false - push_image: false diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 99cfb80..3e39073 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -92,4 +92,3 @@ jobs: with: docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' tag_latest: false - push_image: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c156387..e9c34d5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -46,4 +46,3 @@ jobs: with: docker_tag: '${{ needs.tag_release.outputs.version_tag }}' tag_latest: true - push_image: true From 14c378dd25a90089b2938788391beb10f06e57a1 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 13 Feb 2026 12:59:52 +0000 Subject: [PATCH 94/94] add labels --- Makefile | 3 ++- README.md | 3 ++- src/base/.devcontainer/Dockerfile | 4 ++++ src/common/Dockerfile | 4 ++++ src/projects/fhir_facade_api/.devcontainer/Dockerfile | 4 ++++ 5 files changed, 16 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 0a5af97..686c788 100644 --- a/Makefile +++ b/Makefile @@ -25,7 +25,8 @@ build-image: guard-CONTAINER_NAME guard-BASE_VERSION guard-BASE_FOLDER npx devcontainer build \ --workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \ --push false \ - --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}${IMAGE_TAG}" + --label "org.opencontainers.image.revision=$$DOCKER_TAG" \ + --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}${IMAGE_TAG}" scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ diff --git a/README.md b/README.md index 3dbe61b..b018086 100644 --- a/README.md +++ b/README.md 
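Review bot: `--label "org.opencontainers.image.revision=$$DOCKER_TAG"` puts the Docker tag into a label that the OCI annotation spec defines as the source-control revision (the commit identifier); the tag belongs in `org.opencontainers.image.version`, and the revision should come from the commit, e.g. `--label "org.opencontainers.image.version=$$DOCKER_TAG" \` followed by `--label "org.opencontainers.image.revision=$$(git rev-parse HEAD)" \`. `DOCKER_TAG` is also not guarded the way `CONTAINER_NAME`, `BASE_VERSION` and `BASE_FOLDER` are on the target line, so a local `make build-image` without it silently produces an empty label; if `guard-%` is a pattern rule as the other guards suggest, adding `guard-DOCKER_TAG` to the prerequisites, or defaulting the variable, would make that explicit. The `build-image` recipe continues outside the hunk.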
@@ -70,7 +70,8 @@ The base image is built first, and then language images, and finally project ima Docker images are scanned for vulnerabilities using trivy as part of a build step, and the build fails if vulnerabilities are found not in .trivyignore file. -Docker images are also uploaded as artifacts of build. +For pull requests, images are tagged with the pr--. +For merges to main, images are tagged with the # Release workflow There is a release workflow that runs weekly at 18:00 on Thursday and on demand. diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index e226d67..846d4c7 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile @@ -7,6 +7,10 @@ ARG CONTAINER_NAME ENV CONTAINER_NAME=${CONTAINER_NAME} ENV SCRIPTS_DIR=${SCRIPTS_DIR} +LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers +LABEL org.opencontainers.image.description="EPS base devcontainer" +LABEL org.opencontainers.image.licenses=MIT + ARG ASDF_VERSION COPY .tool-versions.asdf ${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf diff --git a/src/common/Dockerfile b/src/common/Dockerfile index fc6cca7..7b2cc33 100644 --- a/src/common/Dockerfile +++ b/src/common/Dockerfile @@ -5,6 +5,10 @@ FROM ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION} ARG CONTAINER_NAME ENV CONTAINER_NAME=${CONTAINER_NAME} +LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers +LABEL org.opencontainers.image.description="EPS ${CONTAINER_NAME} devcontainer" +LABEL org.opencontainers.image.licenses=MIT + USER root COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME} WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile index b5d33e4..6050632 100644 --- a/src/projects/fhir_facade_api/.devcontainer/Dockerfile +++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile 
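Review bot: `LABEL org.opencontainers.image.licenses=MIT` describes, per the OCI annotation spec, the licence of the software contained in the image, and these images bundle an Ubuntu userland plus asdf-installed tooling, so `MIT` is unlikely to be accurate even if the repository's own LICENSE is MIT (confirm which was intended); either drop the label or make it reflect the image contents. The same three labels are added in `src/common/Dockerfile` (next hunk) and `src/projects/fhir_facade_api/.devcontainer/Dockerfile` (following file); because labels are inherited by derived images, the base image's `description="EPS base devcontainer"` is only replaced where a child Dockerfile repeats the LABEL, so any future project Dockerfile that omits it will carry the base description. A short comment above the block, `# OCI image labels; derived images must override description`, would make that contract visible.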
@@ -2,6 +2,10 @@ ARG BASE_VERSION=latest FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:${BASE_VERSION} +LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers +LABEL org.opencontainers.image.description="EPS fhir facade devcontainer" +LABEL org.opencontainers.image.licenses=MIT + USER root COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME} WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}