Merge pull request #1540 from snyk/fix/resolve-vulnerabilities

fix: resolve vulnerabilities

Author: jonnyowenpowell

.circleci/config.yml

@@ -486,7 +486,9 @@ workflows:
     MERGE_TO_STAGING:
         jobs:
             - build_image:
-                context: analysis_test-enrichment
+                context:
+                  - analysis_test-enrichment
+                  - go-private-modules
                 filters:
                     branches:
                         only:
@@ -543,7 +545,9 @@ workflows:
                             - staging
                             - master
             - build_image:
-                context: analysis_test-enrichment
+                context:
+                  - analysis_test-enrichment
+                  - go-private-modules
                 requires:
                     - Scan repository for secrets
                     - Security Scans

.snyk

@@ -4,20 +4,26 @@ version: v1.25.0
 ignore: 
     SNYK-JS-BRACES-6838727:
     - '*':
-        reason: >-
-          Waiting for a patch: https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727
-        expires: 2024-12-19T12:00:00.000Z
-        created: 2024-05-16T12:00:00.000Z
-    SNYK-JS-MICROMATCH-6838728:
+        reason: devDependency
+        expires: 2025-12-01T12:00:00.000Z
+        created: 2024-10-23T12:00:00.000Z
+    SNYK-JS-INFLIGHT-6095116:
+    - '*':
+        reason: Waiting for upstream fix
+        expires: 2025-01-10T12:00:00.000Z
+        created: 2024-10-23T12:00:00.000Z
+    SNYK-JS-REQUEST-3361831:
     - '*':
         reason: >-
-          Waiting for a patch: https://security.snyk.io/vuln/SNYK-JS-MICROMATCH-6838728
-        expires: 2024-12-19T12:00:00.000Z
-        created: 2024-05-16T12:00:00.000Z
-    SNYK-JS-JSONPATHPLUS-7945884:
+          Waiting for @kubernetes/client-node fetch migration
+          https://github.com/kubernetes-client/javascript/blob/master/FETCH_MIGRATION.md
+        expires: 2025-01-10T12:00:00.000Z
+        created: 2024-10-23T12:00:00.000Z
+    SNYK-JS-TOUGHCOOKIE-5672873:
     - '*':
         reason: >-
-          Waiting for transient dependency to update
-        expires: 2024-12-19T12:00:00.000Z
+          Waiting for @kubernetes/client-node fetch migration
+          https://github.com/kubernetes-client/javascript/blob/master/FETCH_MIGRATION.md
+        expires: 2025-01-10T12:00:00.000Z
         created: 2024-10-23T12:00:00.000Z
 patch: {}

Dockerfile

@@ -1,19 +1,19 @@
 #---------------------------------------------------------------------
 # STAGE 1: Build credential helpers inside a temporary container
 #---------------------------------------------------------------------
-FROM golang:alpine AS cred-helpers-build
-
-RUN apk update
-RUN apk upgrade
-RUN apk --no-cache add git
+FROM --platform=linux/amd64 golang:1.23 AS cred-helpers-build
 
 RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login@bef5bd9384b752e5c645659165746d5af23a098a
-RUN go install github.com/chrismellard/docker-credential-acr-env@82a0ddb2758901b711d9d1614755b77e401598a1
+RUN --mount=type=secret,id=gh_token,required=true \
+    git config --global url."https://$(cat /run/secrets/gh_token):[email protected]/snyk".insteadOf "https://github.com/snyk" && \
+    go env -w GOPRIVATE=github.com/snyk && \
+    go install github.com/snyk/docker-credential-acr-env@8fa416c5b20b174e9032df1899843b4ebe2adda8 && \
+    git config --global --unset url."https://$(cat /run/secrets/gh_token):[email protected]/snyk".insteadOf
 
 #---------------------------------------------------------------------
-# STAGE 2: Build the kubernetes-monitor
+# STAGE 2: Build kubernetes-monitor application
 #---------------------------------------------------------------------
-FROM node:18-alpine3.20
+FROM --platform=linux/amd64 node:18-alpine3.20
 
 LABEL name="Snyk Controller" \
       maintainer="[email protected]" \
@@ -23,7 +23,7 @@ LABEL name="Snyk Controller" \
 
 COPY LICENSE /licenses/LICENSE
 
-ENV NODE_ENV production
+ENV NODE_ENV=production
 
 RUN apk update
 RUN apk upgrade
@@ -34,7 +34,8 @@ RUN adduser -S -G snyk -h /srv/app -u 10001 snyk
 
 # Install gcloud
 RUN curl -sL https://sdk.cloud.google.com > /install.sh
-RUN bash /install.sh --disable-prompts --install-dir=/ && rm -rf /google-cloud-sdk/platform
+RUN bash /install.sh --disable-prompts --install-dir=/ && \
+    rm -rf /google-cloud-sdk/platform /google-cloud-sdk/bin/anthoscli /google-cloud-sdk/bin/gcloud-crc32c
 ENV PATH=/google-cloud-sdk/bin:$PATH
 RUN rm /install.sh
 RUN apk del curl bash

Dockerfile.ubi9

@@ -1,16 +1,19 @@
-# syntax=docker/dockerfile:1
 #---------------------------------------------------------------------
-# PRE-BUILD STAGE: Build the acr credential helper binary
-# This is due to the fact that the acr credential helper is not being actively released
+# STAGE 1: Build credential helpers inside a temporary container
 #---------------------------------------------------------------------
-FROM --platform=linux/amd64 golang:1.16 as cred-helpers-build
+FROM --platform=linux/amd64 golang:1.23 as cred-helpers-build
 
-RUN go install github.com/chrismellard/docker-credential-acr-env@82a0ddb2758901b711d9d1614755b77e401598a1    
+RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login@bef5bd9384b752e5c645659165746d5af23a098a
+RUN --mount=type=secret,id=gh_token,required=true \
+    git config --global url."https://$(cat /run/secrets/gh_token):[email protected]/snyk".insteadOf "https://github.com/snyk" && \
+    go env -w GOPRIVATE=github.com/snyk && \
+    go install github.com/snyk/docker-credential-acr-env@8fa416c5b20b174e9032df1899843b4ebe2adda8 && \
+    git config --global --unset url."https://$(cat /run/secrets/gh_token):[email protected]/snyk".insteadOf
 
 #---------------------------------------------------------------------
-# STAGE 1: Build kubernetes-monitor application
+# STAGE 2: Build kubernetes-monitor application
 #---------------------------------------------------------------------
-FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/nodejs-18:1-84 AS build
+FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/nodejs-18:1-123 AS build
 
 ENV NODE_ENV production
 
@@ -26,14 +29,14 @@ COPY --chown=1001:1001 . ./
 RUN npm run build
 
 #---------------------------------------------------------------------
-# STAGE 2: Install containers-common to obtain configuration files
+# STAGE 3: Install containers-common to obtain configuration files
 #---------------------------------------------------------------------
 FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi:9.4 AS containers-common
 
 RUN dnf install -y containers-common
 
 #---------------------------------------------------------------------
-# STAGE 3: Build the kubernetes-monitor final image
+# STAGE 4: Build the kubernetes-monitor final image
 #---------------------------------------------------------------------
 FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi:9.4
 
@@ -43,14 +46,8 @@ ARG NODE_18_LATEST_VERSION_TAR_GZ_FILE_SHASUM256
 ARG DUMB_INIT_VERSION=1.2.5
 ARG DUMB_INIT_BINARY_FILE_SHASUM256=e874b55f3279ca41415d290c512a7ba9d08f98041b28ae7c2acb19a545f1c4df
 # https://github.com/lework/skopeo-binary/releases
-ARG SKOPEO_VERSION=1.13.2
-ARG SKOPEO_BINARY_FILE_SHASUM256=2f00be6ee1c4cbfa7f2452be90a1a2ce88fd92a6d0f6a2e9d901bd2087bd9092
-# https://github.com/awslabs/amazon-ecr-credential-helper/releases
-# for sha: download SHA256 for the linux-amd64/docker-credential-ecr-login, then `cat docker-credential-ecr-login.sha256`
-ARG ECR_CREDENTIAL_HELPER_VERSION=0.9.0
-ARG ECR_CREDENTIAL_HELPER_BINARY_FILE_SHASUM256=dd6bd933e439ddb33b9f005ad5575705a243d4e1e3d286b6c82928bcb70e949a
-# since this is built from a commit, you will need to build it locally to get the sha
-ARG ACR_CREDENTIAL_HELPER_BINARY_SHASUM256=598bbd4ad2741ae2e68ac55e938a4542e71952e418e6278a74baf6213ef8ce76
+ARG SKOPEO_VERSION=1.16.1
+ARG SKOPEO_BINARY_FILE_SHASUM256=8813fb7fcd7a723196ac287683dd929d280f6fe7f0782eace452fe1e3ff2b7eb
 
 LABEL name="Snyk Controller" \
     maintainer="[email protected]" \
@@ -60,7 +57,7 @@ LABEL name="Snyk Controller" \
 
 COPY LICENSE /licenses/LICENSE
 
-ENV NODE_ENV production
+ENV NODE_ENV=production
 
 RUN yum upgrade -y
 
@@ -83,17 +80,12 @@ COPY --chown=snyk:snyk --from=containers-common /etc/containers/registries.d/def
 COPY --chown=snyk:snyk --from=containers-common /etc/containers/policy.json /etc/containers/policy.json
 
 # Install credential helpers
-RUN curl -sSfLo /usr/local/bin/docker-credential-ecr-login "https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${ECR_CREDENTIAL_HELPER_VERSION}/linux-amd64/docker-credential-ecr-login" && \
-    chmod 755 /usr/local/bin/docker-credential-ecr-login && \
-    echo "${ECR_CREDENTIAL_HELPER_BINARY_FILE_SHASUM256} /usr/local/bin/docker-credential-ecr-login" | sha256sum --check --status
+COPY --chown=snyk:snyk --from=cred-helpers-build /go/bin/docker-credential-ecr-login /usr/bin/docker-credential-ecr-login
 COPY --chown=snyk:snyk --from=cred-helpers-build /go/bin/docker-credential-acr-env /usr/local/bin/docker-credential-acr-env
-RUN echo "${ACR_CREDENTIAL_HELPER_BINARY_SHASUM256} /usr/local/bin/docker-credential-acr-env" | sha256sum --check --status
-
 
 # Install gcloud
 RUN curl -sSfL https://sdk.cloud.google.com | bash -s -- --disable-prompts --install-dir=/ && \
-    rm -f /google-cloud-sdk/bin/anthoscli && \
-    rm -rf /google-cloud-sdk/platform
+    rm -rf /google-cloud-sdk/platform /google-cloud-sdk/bin/anthoscli /google-cloud-sdk/bin/gcloud-crc32c
 ENV PATH=/google-cloud-sdk/bin:$PATH
 
 # Install node

jest-environment-fail-fast.ts

@@ -0,0 +1,19 @@
+import type { Circus } from '@jest/types';
+import { TestEnvironment } from 'jest-environment-node';
+
+class FailFastEnvironment extends TestEnvironment {
+  failedTest = false;
+
+  async handleTestEvent(event: Circus.Event, state: Circus.State) {
+    if (event.name === 'hook_failure' || event.name === 'test_fn_failure') {
+      this.failedTest = true;
+    } else if (this.failedTest && event.name === 'test_start') {
+      event.test.mode = 'skip';
+    }
+
+    // @ts-ignore
+    if (super.handleTestEvent) await super.handleTestEvent(event, state);
+  }
+}
+
+export default FailFastEnvironment;

jest.config.js

@@ -1,19 +1,16 @@
 module.exports = {
   preset: "ts-jest",
-  testEnvironment: "node",
+  testEnvironment: './jest-environment-fail-fast.ts',
+  testRunner: 'jest-circus/runner',
   testMatch: ["<rootDir>/test/**/*.spec.ts"],
   testTimeout: 900000, // 15 minutes. Must match UPSTREAM_POLLING_CONFIGURATION in test/helpers/kubernetes-upstream.ts
   bail: true,
   clearMocks: true,
   errorOnDeprecated: true,
 
-  /** https://github.com/facebook/jest/issues/2867#issuecomment-546592968 */
-  setupFilesAfterEnv: ["./jest.setup-after-env.js"],
-
-  // TODO: This is here until a bug in Jest (which in turn affects ts-jest) is resolved.
+  // This is here until a bug in Jest (which in turn affects ts-jest) is resolved.
   // It affects our CI/CD runs and makes the machine run out of memory.
   // https://github.com/facebook/jest/issues/10550
-  // https://snyk.slack.com/archives/CLW30N31V/p1602232569018000?thread_ts=1602230753.017500&cid=CLW30N31V
   globals: {
     "ts-jest": {
       isolatedModules: true,