Merge pull request #504 from ansforge/fix/scan-images-lrm

fix(lrm): fix LRM high/critical CVE

Author: issam71100

.github/config/build-matrices.yaml

@@ -3,18 +3,6 @@
 # Example: lrm-1.2.3, chatbot-2.1.0-beta
 
 projects:
-  lrm:
-    description: "LRM project - includes both backend and frontend components"
-    include:
-      - name: lrm-backend
-        context: ./web/lrm/server
-        tag: hub-lrm-back
-        artifact-name: trivy-reports-lrm-backend
-      - name: lrm-frontend
-        context: ./web/lrm/client
-        tag: hub-lrm-front
-        artifact-name: trivy-reports-lrm-frontend
-
   landing:
     description: "Landing page web component"
     include:

.github/workflows/build-images.yml

@@ -1,10 +1,9 @@
-name: Build images (lrm, landing, healthcheck, chatbot, openSSL, specs, annuaire)
+name: Build images (landing, healthcheck, chatbot, openSSL, specs, annuaire)
 
 on:
   workflow_dispatch:
   push:
     tags:
-      - 'lrm-*'
       - 'landing-*'
       - 'healthcheck-*'
       - 'chatbot-*'

.github/workflows/lrm-build.yml

@@ -0,0 +1,85 @@
+name: Build LRM images
+on:
+  push:
+    tags:
+      - 'lrm-*'
+  workflow_dispatch:
+jobs:
+  get-tag:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.extract-lrm-version.outputs.version }}
+    steps:
+      - name: Extract version from tag
+        id: extract-lrm-version
+        run: |
+          TAG_NAME="${{ github.ref_name }}"
+          VERSION=${TAG_NAME#lrm-}
+          PATTERN="^([0-9]+\.[0-9]+(\.[0-9]+)?)(-[A-Za-z0-9\.]+)*$"
+          if [[ ! "$VERSION" =~ $PATTERN ]]; then
+            echo "Invalid version number"
+            echo $VERSION
+            exit 1
+          fi
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+  build-images:
+    needs: get-tag
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - name: 'hub-lrm-back'
+            context: './web/lrm/server'
+          - name: 'hub-lrm-front'
+            context: './web/lrm/client'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          platforms: linux/amd64
+          tags: ghcr.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ needs.get-tag.outputs.version }}
+          context: ${{ matrix.context }}
+
+  image-security-scan:
+    name: Scan Docker Images
+    needs: [get-tag, build-images]
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: 'hub-lrm-back'
+            folder: './web/lrm/server'
+          - name: 'hub-lrm-front'
+            folder: './web/lrm/client'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+      - name: Login to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Scan Dispatcher Docker image
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: 'ghcr.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ needs.get-tag.outputs.version }}'
+          format: 'table'
+          severity: 'HIGH,CRITICAL'
+          exit-code: '1'
+          trivyignores: '${{ matrix.folder }}/.trivyignore'

web/lrm/client/.trivyignore

@@ -0,0 +1,12 @@
+# Trivy ignore file for LRM client image
+
+# glob vulnerability - current 10.4.5 & 11.0.3 - fixed in 11.1.0, 10.5.0 (not available in the latest node 24 images)
+CVE-2025-64756
+
+# stdlib vulnerabilities - current 1.23.12 - fixed in 1.24.11, 1.25.5
+# the stdlib version corresponds to the Go version used in the esbuild package
+# it appears that versions >= 0.27 of esbuild use the correct Go version (the version correspondence is not explicit)
+# the latest release version of nitropack, which is a dependency of @nuxt/nitro-server, itself a dependency of nuxt, uses version 0.25 of esbuild
+# the latest alpha release of nitropack (v3-alpha.1) does not seem to use esbuild, so upgrading to v3 when stable should fix the issue
+CVE-2025-58183
+CVE-2025-61729

web/lrm/client/Dockerfile

@@ -16,6 +16,10 @@ COPY . .
 # Build the project
 RUN npm run build
 
+# Clean up npm and cache after build
+RUN npm cache clean --force && \
+	rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
+
 # 2. Start
 FROM node:24.11-alpine AS runner
 
@@ -36,6 +40,10 @@ RUN adduser -S app -u 1001 -G app
 # Change ownership of the app directory to the non-root user
 RUN chown -R app:app /app
 
+# Remove npm from the final image to avoid shipping bundled vulnerable
+# packages (some base images include npm and its dependencies like tar)
+RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx || true
+
 ENV NUXT_HOST=0.0.0.0
 ENV NUXT_PORT=3000
 
@@ -45,5 +53,5 @@ EXPOSE 3000
 # Switch to non-root user
 USER app
 
-# Start the web app
-CMD ["npm", "start"]
+# Start the web app directly with node (avoid runtime npm dependency)
+CMD ["node", ".output/server/index.mjs"]