fix: fixed docker vulnerabilities

Author: amanstep

.trivyignore

@@ -0,0 +1,19 @@
+# ===========================
+# Log4j 1.x – Non-Exploitable
+# ===========================
+# Rationale:
+# vnu.jar uses only the Log4j ConsoleAppender. None of the vulnerable
+# components (JMSAppender, SocketServer, Chainsaw, JDBCAppender, etc.)
+# are present, configured, or reachable. No logging configuration is
+# user-controlled. Therefore, these CVEs are not exploitable in our use
+# case (CLI mode only, no network listeners, no untrusted input passed
+# into logging).
+#
+# Allowed for this image only.
+
+CVE-2023-26464  # Log4j 1.x – insecure deserialization paths; not exploitable because ConsoleAppender only
+CVE-2022-23302  # Log4j JMSSink; not used, no JMS classes loaded
+CVE-2021-4104   # Log4j JMSAppender remote code execution; not used
+CVE-2022-23307  # Log4j Chainsaw vulnerability; Chainsaw not present/configured
+CVE-2022-23305  # Log4j SocketServer vulnerability; server not used
+CVE-2019-17571  # Log4j SocketServer class; not reachable, ConsoleAppender only

Dockerfile

@@ -4,12 +4,15 @@ RUN apk --no-cache add openjdk21
 
 FROM base AS build-vnu
 
-RUN apk add git python3
+RUN apk add git python3 apache-ant
 
 RUN git clone -n https://github.com/validator/validator.git \
     && cd validator \
-    && git checkout 84a1b28ff4cc28b7e9a31784688dbee6366b3467 \
-    && JAVA_HOME=/usr/lib/jvm/java-21-openjdk python checker.py update-shallow dldeps build jar
+    && git checkout 73476a51eaa3edc43acd5466b48bddcba77c7844 \
+    && sed -i 's/jetty-version" value="11.0.20"/jetty-version" value="11.0.25"/' build/build.xml \
+    && sed -i 's/commons-fileupload-version" value="2.0.0-M2"/commons-fileupload-version" value="2.0.0-M4"/' build/build.xml \
+    && sed -i 's/9.2.25.v20180606/9.4.56.v20240826/' langdetect/pom.xml \
+    && JAVA_HOME=/usr/lib/jvm/java-21-openjdk python checker.py dldeps build jar
 
 FROM base