Disable docker image download (#240)

* Disable docker image download

* Add tests and docs

* Add image vulnerability scanning

* Add grype scanning into workflows

* Refactoring

* Change nginx version to one with less vurnelabilities

* test docker image for jakarta.mail

* Change opengauss image and remove ryuk

* Replace runtime.exec with ExecOperations and disable Testcontainers test

* Comment whole Testcontainers test

* Disable testcontainers test

* Remove @disabled

* Add link to ryuk issue

* Replace port number

* Fix docs and grammar issues

* Enable discard service with inetd

* Add discard port to test-changed-metadata workflow

Author: dnestoro

.github/workflows/discard-port.conf

@@ -0,0 +1,2 @@
+discard   stream  tcp     nowait  root    internal
+discard   dgram   udp     wait    root    internal

.github/workflows/dockerd.service

@@ -0,0 +1,4 @@
+[Service]
+Environment="HTTP_PROXY=http://localhost:9"
+Environment="HTTPS_PROXY=https://localhost:9"
+Environment="NO_PROXY=localhost,127.0.0.1"

.github/workflows/scan-docker-images.yml

@@ -0,0 +1,22 @@
+name: "Scan docker images from the allowed docker images list"
+
+on: [push, pull_request]
+
+jobs:
+  scan-images:
+    name: "🔎 Scan docker images"
+    runs-on: "ubuntu-20.04"
+    steps:
+      - name: "☁️ Checkout repository"
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: graalvm/setup-graalvm@v1
+        with:
+          version: '22.3.1'
+          java-version: '17'
+      - name: "🔎 Check docker images"
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
+          sudo apt-get install jq
+          ./gradlew checkAllowedDockerImages

.github/workflows/test-all-metadata.yml

@@ -52,6 +52,18 @@ jobs:
           components: 'native-image'
           github-token: ${{ secrets.GITHUB_TOKEN }}
           native-image-job-reports: 'true'
+      - name: "Pull allowed docker images"
+        run: |
+          ./gradlew pullAllowedDockerImages --coordinates=${{ matrix.coordinates }}
+      - name: "Disable docker"
+        run: |
+          sudo apt-get install openbsd-inetd
+          sudo bash -c "cat ./.github/workflows/discard-port.conf >> /etc/inetd.conf"
+          sudo systemctl start inetd
+          sudo mkdir /etc/systemd/system/docker.service.d
+          sudo bash -c "cat ./.github/workflows/dockerd.service > /etc/systemd/system/docker.service.d/http-proxy.conf"
+          sudo systemctl daemon-reload
+          sudo systemctl restart docker
       - name: "🧪 Run '${{ matrix.coordinates }}' tests"
         run: |
           ./gradlew test -Pcoordinates=${{ matrix.coordinates }}

.github/workflows/test-changed-metadata.yml

@@ -55,6 +55,18 @@ jobs:
           components: 'native-image'
           github-token: ${{ secrets.GITHUB_TOKEN }}
           native-image-job-reports: 'true'
+      - name: "Pull allowed docker images"
+        run: |
+          ./gradlew pullAllowedDockerImages --coordinates=${{ matrix.coordinates }}
+      - name: "Disable docker"
+        run: |
+          sudo apt-get install openbsd-inetd
+          sudo bash -c "cat ./.github/workflows/discard-port.conf >> /etc/inetd.conf"
+          sudo systemctl start inetd
+          sudo mkdir /etc/systemd/system/docker.service.d
+          sudo bash -c "cat ./.github/workflows/dockerd.service > /etc/systemd/system/docker.service.d/http-proxy.conf"
+          sudo systemctl daemon-reload
+          sudo systemctl restart docker
       - name: "🧪 Run '${{ matrix.coordinates }}' tests"
         run: |
           ./gradlew test -Pcoordinates=${{ matrix.coordinates }}

CONTRIBUTING.md

@@ -196,6 +196,26 @@ In this example this can be done by invoking following command from the reposito
 ```bash
 ./gradlew test -Pcoordinates=org.example:library:0.0.1
 ```
+ 
+### Providing the tests that use docker
+ 
+If your tests use docker (either with explicit docker process invocation or through some library method call), all images 
+have to be declared in `required-docker-images.txt` file. This file must be placed under `/tests/src/<groupId>/<artifactId>/<versionId>`.
+
+Only docker images that are listed [here](https://github.com/oracle/graalvm-reachability-metadata/blob/master/tests/tck-build-logic/src/main/resources/AllowedDockerImages.txt)
+can be executed. If you want to extend this list, please create separate pull request to do that, and post the result of the following command on your pull request:
+
+```shell
+grype <dockerImageName>
+```
+
+Possible scenarios:
+   * If your test uses docker image, and you didn't specify it in the `required-docker-images.txt` file, the test will fail.
+   * If your test uses docker image that is not listed in [allowed docker images list](https://github.com/oracle/graalvm-reachability-metadata/blob/master/tests/tck-build-logic/src/main/resources/AllowedDockerImages.txt),
+   the test will fail
+   * Only docker images that are in both `required-docker-images.txt` and in the `allowed docker images list`
+   can be executed. 
+
 
 ## Tested Libraries and Frameworks
 

metadata/index.json

@@ -240,5 +240,9 @@
   {
     "directory" : "jakarta.servlet/jakarta.servlet-api",
     "module" : "jakarta.servlet:jakarta.servlet-api"
+  },
+  {
+    "directory" : "samples/docker",
+    "module" : "samples:docker"
   }
 ]

metadata/samples/docker/image-pull/.gitkeep

@@ -0,0 +1,10 @@
+[
+  {
+    "latest": true,
+    "metadata-version": "image-pull",
+    "module": "samples:docker",
+    "tested-versions": [
+      "image-pull"
+    ]
+  }
+]

metadata/samples/docker/index.json

@@ -0,0 +1 @@
+mysql/mysql-server:8.0