Merge branch 'release/v6.2.17-1' into main
Marco Bergen authored and cesmarvin committed Jan 24, 2025
2 parents a76e003 + c397b83 commit ba767dd
Showing 23 changed files with 285 additions and 39 deletions.
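--- a/.trivyignore
+++ b/.trivyignore
@@ -0,0 +1,9 @@
+# This zlib1g CVE is falsely detected. It is not present in the Debian 12
+# package and thus ignored as "not affected". The trivy project however
+# interprets this as ignored as "wont fix" and causes a detection.
+# See: https://github.com/madler/zlib/pull/843#issuecomment-2130408505
+CVE-2023-45853
+
+# This CVE is contained in the upstream debian:12-slim base image.
+# In this Dogu, all args to wget are static and not modifiable by the user.
+CVE-2024-38428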
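Review bot: Both suppressions are open-ended, so they keep silencing the findings after the base image is patched or the wget justification stops holding; trivy's `.trivyignore` accepts an expiry per entry, e.g. `CVE-2024-38428 exp:<YYYY-MM-DD>`, which forces a periodic re-check. The CVE-2024-38428 rationale ("all args to wget are static") describes usage that the Dockerfile in this commit does not show, so it presumably refers to the upstream redis image's scripts or to the base image itself; naming where wget is invoked would make the accepted-risk argument verifiable. The zlib entry cites the upstream discussion, which is the right level of detail for the second one too.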
10 changes: 10 additions & 0 deletions CHANGELOG.md
Expand Up @@ -6,6 +6,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

## [v6.2.17-1] - 2025-01-24
### Changed
- [#21] Update redis to 6.2.17
- [#21] Update golang to 1.21.12 to fix CVE-2023-24538, CVE-2023-24540, CVE-2024-24790
- [#21] Update Base to 3.15.11-4
- [#21] Update ces-build-lib to 4.0.1
- [#21] Update dogu-build-lib to v3.0.0
- [#19] Update Makefiles to 9.5.3
- [#23] Add PreRelease-Build-Step

## [v6.2.14-4] - 2024-09-25
### Fixed
- Add local config volume to fix issue #16
47 changes: 33 additions & 14 deletions Dockerfile
@@ -1,31 +1,50 @@
FROM registry.cloudogu.com/official/base:3.15.11-2
# Stage 1: Base image to copy the doguctl binary
FROM registry.cloudogu.com/official/base:3.15.11-4 AS doguctlbinary

# Stage 2: Build gosu from source because of CVEs
# stdlib │ CVE-2023-24538 │ CRITICAL │ fixed │ v1.18.2 │ 1.19.8, 1.20.3 │ golang: html/template: backticks not treated as string │
# | CVE-2023-24540 │ │ │ │ 1.19.9, 1.20.4 │ Not all valid JavaScript whitespace characters are │
# │ CVE-2024-24790 │ │ │ │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
FROM golang:1.21.12 AS gosu-builder

WORKDIR /gosu-src

# Clone the `gosu` source code and build it
RUN apt-get update && apt-get install -y git \
&& git clone https://github.com/tianon/gosu.git . \
&& git checkout 1.17 \
&& go build -o /usr/local/bin/gosu . \
&& chmod +x /usr/local/bin/gosu

# Stage 3: Final Redis image
FROM redis:6.2.17
LABEL NAME="official/redis" \
VERSION="6.2.14-4" \
VERSION="6.2.17-1" \
maintainer="info@cloudogu.com"

# set environment variables
USER root

# Copy the `gosu` binary built with the latest Go version
COPY --from=gosu-builder /usr/local/bin/gosu /usr/local/bin/gosu

# Copy the `doguctl` binary from the base image
COPY --from=doguctlbinary /usr/bin/doguctl /usr/bin/

# Set environment variables
ENV SERVICE_TAGS=webapp \
CONF_DIR=/usr/local/etc/redis \
USER=redis \
USER_ID=1000 \
REDIS_VERSION="6.2.14-r0" \
STARTUP_DIR=/

RUN set -o errexit \
&& set -o nounset \
&& set -o pipefail \
&& apk update \
&& apk upgrade \
&& apk add redis="${REDIS_VERSION}" bash

# copy resources files
# Copy additional resource files (if any)
COPY resources/ /

# expose application port
# Expose Redis port
EXPOSE 6379

# Healthcheck using `doguctl`
HEALTHCHECK CMD doguctl healthy redis || exit 1

# start
# Start Redis
CMD ["/startup.sh"]
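Review bot: The gosu build stage pins its source only by the mutable tag `1.17` (`git checkout 1.17`), so the binary that reaches the final image via `COPY --from=gosu-builder` is not reproducible and a moved tag would change it unnoticed; checking out the commit the tag resolves to, `&& git checkout <commit-sha-of-tag-1.17> \`, or comparing `git rev-parse HEAD` with an expected value gives a stable supply-chain anchor. The same applies to `FROM redis:6.2.17` and `FROM golang:1.21.12`, which could carry a `@sha256:<digest>` pin next to the tag. The image still ends under `USER root` (a context line here); presumably `/startup.sh` uses the newly built gosu to drop to `${USER}`, which a comment such as `# gosu is used by startup.sh to drop privileges to ${USER}` above the COPY would make explicit. The builder's `apt-get install -y git` could add `--no-install-recommends`, although it only affects the discarded build stage.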
31 changes: 26 additions & 5 deletions Jenkinsfile
@@ -1,5 +1,5 @@
#!groovy
@Library(['github.com/cloudogu/ces-build-lib@1.48.0', 'github.com/cloudogu/dogu-build-lib@v1.5.1'])
@Library(['github.com/cloudogu/ces-build-lib@4.0.1', 'github.com/cloudogu/dogu-build-lib@v3.0.0'])
import com.cloudogu.ces.cesbuildlib.*
import com.cloudogu.ces.dogubuildlib.*

Expand All @@ -20,8 +20,12 @@ node('vagrant') {
disableConcurrentBuilds(),
// Parameter to activate dogu upgrade test on demand
parameters([
booleanParam(defaultValue: false, description: 'Test dogu upgrade from latest release or optionally from defined version below', name: 'TestDoguUpgrade'),
string(defaultValue: '', description: 'Old Dogu version for the upgrade test (optional; e.g. 3.23.0-1)', name: 'OldDoguVersionForUpgradeTest'),
booleanParam(defaultValue: false, description: 'Test dogu upgrade from latest release or optionally from defined version below', name: 'TestDoguUpgrade'),
string(defaultValue: '', description: 'Old Dogu version for the upgrade test (optional; e.g. 2.222.1-1)', name: 'OldDoguVersionForUpgradeTest'),
booleanParam(defaultValue: false, description: 'Enables the video recording during the test execution', name: 'EnableVideoRecording'),
booleanParam(defaultValue: false, description: 'Enables the screenshot recording during the test execution', name: 'EnableScreenshotRecording'),
choice(name: 'TrivySeverityLevels', choices: [TrivySeverityLevel.CRITICAL, TrivySeverityLevel.HIGH_AND_ABOVE, TrivySeverityLevel.MEDIUM_AND_ABOVE, TrivySeverityLevel.ALL], description: 'The levels to scan with trivy'),
choice(name: 'TrivyStrategy', choices: [TrivyScanStrategy.UNSTABLE, TrivyScanStrategy.FAIL, TrivyScanStrategy.IGNORE], description: 'Define whether the build should be unstable, fail or whether the error should be ignored if any vulnerability was found.'),
])
])

Expand All @@ -32,7 +36,6 @@ node('vagrant') {
}

stage('Lint') {
lintDockerfile()
shellCheck("./resources/startup.sh")
shellCheck("./resources/util.sh")
}
Expand All @@ -43,6 +46,10 @@ node('vagrant') {
}

stage('Provision') {
// change namespace to prerelease_namespace if in develop-branch
if (gitflow.isPreReleaseBranch()) {
sh "make prerelease_namespace"
}
ecoSystem.provision("/dogu")
}

Expand All @@ -55,6 +62,15 @@ node('vagrant') {
ecoSystem.build("/dogu")
}

stage('Trivy scan') {
ecoSystem.copyDoguImageToJenkinsWorker("/dogu")
Trivy trivy = new Trivy(this)
trivy.scanDogu(".", params.TrivySeverityLevels, params.TrivyStrategy)
trivy.saveFormattedTrivyReport(TrivyScanFormat.TABLE)
trivy.saveFormattedTrivyReport(TrivyScanFormat.JSON)
trivy.saveFormattedTrivyReport(TrivyScanFormat.HTML)
}

stage('Verify') {
ecoSystem.verify("/dogu")
}
Expand Down Expand Up @@ -94,7 +110,12 @@ node('vagrant') {
stage ('Add Github-Release'){
github.createReleaseWithChangelog(releaseVersion, changelog)
}
}
} else if (gitflow.isPreReleaseBranch()) {
// push to registry in prerelease_namespace
stage('Push Prerelease Dogu to registry') {
ecoSystem.pushPreRelease("/dogu")
}
}

} finally {
stage('Clean') {
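Review bot: The new Trivy parameters default to the first entry of their `choices` list, so an unparameterised build scans only `TrivySeverityLevel.CRITICAL` and, with `TrivyScanStrategy.UNSTABLE`, a finding marks the build unstable instead of failing it; if the scan is meant to gate releases, `TrivyScanStrategy.FAIL` would have to come first or the release path would need to check the scan result. The Lint stage also loses `lintDockerfile()` in the `@@ -32,7 +36,6 @@` hunk without a replacement, so the reworked multi-stage Dockerfile is no longer linted; if that was deliberate because of the new `FROM ... AS` stages, a comment saying so would help. A short comment above `stage('Trivy scan')`, e.g. `// Scans the built dogu image; severity and strategy come from the build parameters above`, would document where the thresholds are configured. The enclosing `node('vagrant')` block starts and ends outside the shown hunks.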
3 changes: 2 additions & 1 deletion Makefile
@@ -1,6 +1,6 @@
ARTIFACT_ID=redis

MAKEFILES_VERSION=9.2.1
MAKEFILES_VERSION=9.5.3

WORKSPACE=/workspace
ASSETS_BUILD_DIRECTORY=assets
Expand All @@ -21,6 +21,7 @@ BATS_TAG?=1.2.1
include build/make/variables.mk
include build/make/self-update.mk
include build/make/release.mk
include build/make/prerelease.mk
include build/make/k8s-dogu.mk

.PHONY unit-test-shell:
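Review bot: The context line `.PHONY unit-test-shell:` is malformed — it defines two targets named `.PHONY` and `unit-test-shell` with no prerequisites rather than marking the target phony, so a file called `unit-test-shell` would make the target look up to date; it should read `.PHONY: unit-test-shell`. The line predates this commit, but since the Makefile is touched here the fix is cheap. The new `include build/make/prerelease.mk` pulls in a target whose script rewrites `dogu.json` and `Dockerfile` in the working tree (see prerelease.sh in this commit); a one-line comment above the include, e.g. `# prerelease.mk: rewrites dogu.json/Dockerfile in place for prerelease builds`, would flag that side effect.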
2 changes: 1 addition & 1 deletion build/make/build.mk
Expand Up @@ -3,7 +3,7 @@
ADDITIONAL_LDFLAGS?=-extldflags -static
LDFLAGS?=-ldflags "$(ADDITIONAL_LDFLAGS) -X main.Version=$(VERSION) -X main.CommitID=$(COMMIT_ID)"
GOIMAGE?=golang
GOTAG?=1.22
GOTAG?=1.23
GOOS?=linux
GOARCH?=amd64
PRE_COMPILE?=
2 changes: 1 addition & 1 deletion build/make/k8s-dogu.tpl
@@ -1,4 +1,4 @@
apiVersion: k8s.cloudogu.com/v1
apiVersion: k8s.cloudogu.com/v2
kind: Dogu
metadata:
name: NAME
6 changes: 3 additions & 3 deletions build/make/k8s.mk
Expand Up @@ -36,11 +36,11 @@ K3S_LOCAL_REGISTRY_PORT?=30099

# The URL of the container-registry to use. Defaults to the registry of the local-cluster.
# If RUNTIME_ENV is "remote" it is "registry.cloudogu.com/testing"
CES_REGISTRY_HOST?="${K3S_CLUSTER_FQDN}:${K3S_LOCAL_REGISTRY_PORT}"
CES_REGISTRY_HOST?=${K3S_CLUSTER_FQDN}:${K3S_LOCAL_REGISTRY_PORT}
CES_REGISTRY_NAMESPACE ?=
ifeq (${RUNTIME_ENV}, remote)
CES_REGISTRY_HOST="registry.cloudogu.com"
CES_REGISTRY_NAMESPACE="/testing"
CES_REGISTRY_HOST=registry.cloudogu.com
CES_REGISTRY_NAMESPACE=/testing
endif
$(info CES_REGISTRY_HOST=$(CES_REGISTRY_HOST))

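--- a/build/make/prerelease.mk
+++ b/build/make/prerelease.mk
@@ -0,0 +1,6 @@
+# used to create switch the dogu to a prerelease namespace
+# e.g. official/usermgmt -> prerelease_official/usermgmt
+
+.PHONY: prerelease_namespace
+prerelease_namespace:
+build/make/prerelease.sh prerelease_namespace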
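Review bot: The `prerelease_namespace` target has no `##` help comment even though the other targets in these makefiles carry one (`dogu-release: ## Start a dogu release` in release.mk), and the header comment reads `used to create switch the dogu`; since the recipe rewrites `dogu.json` and `Dockerfile` in place through prerelease.sh, that is worth stating: `prerelease_namespace: ## Switch dogu.json/Dockerfile to the prerelease_ namespace (rewrites tracked files in place)`. The recipe does not list `build/make/prerelease.sh` as a prerequisite, which is acceptable for a phony target but means a missing script only fails at run time.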
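--- a/build/make/prerelease.sh
+++ b/build/make/prerelease.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+set -o errexit
+set -o nounset
+set -o pipefail
+
+prerelease_namespace() {
+
+TIMESTAMP=$(date +"%Y%m%d%H%M%S")
+
+# Update version in dogu.json
+if [ -f "dogu.json" ]; then
+echo "Updating name in dogu.json..."
+ORIG_NAME="$(jq -r ".Name" ./dogu.json)"
+ORIG_VERSION="$(jq -r ".Version" ./dogu.json)"
+PRERELEASE_NAME="prerelease_${ORIG_NAME}"
+PRERELEASE_VERSION="${ORIG_VERSION}${TIMESTAMP}"
+jq ".Name = \"${PRERELEASE_NAME}\"" dogu.json >dogu2.json && mv dogu2.json dogu.json
+jq ".Version = \"${PRERELEASE_VERSION}\"" dogu.json >dogu2.json && mv dogu2.json dogu.json
+jq ".Image = \"registry.cloudogu.com/${PRERELEASE_NAME}\"" dogu.json >dogu2.json && mv dogu2.json dogu.json
+fi
+
+# Update version in Dockerfile
+if [ -f "Dockerfile" ]; then
+echo "Updating version in Dockerfile..."
+ORIG_NAME="$(grep -oP ".*[ ]*NAME=\"([^\"]*)" Dockerfile | awk -F "\"" '{print $2}')"
+ORIG_VERSION="$(grep -oP ".*[ ]*VERSION=\"([^\"]*)" Dockerfile | awk -F "\"" '{print $2}')"
+PRERELEASE_NAME="prerelease_$( echo -e "$ORIG_NAME" | sed 's/\//\\\//g' )"
+PRERELEASE_VERSION="${ORIG_VERSION}${TIMESTAMP}"
+sed -i "s/\(.*[ ]*NAME=\"\)\([^\"]*\)\(.*$\)/\1${PRERELEASE_NAME}\3/" Dockerfile
+sed -i "s/\(.*[ ]*VERSION=\"\)\([^\"]*\)\(.*$\)/\1${PRERELEASE_VERSION}\3/" Dockerfile
+fi
+
+}
+
+
+TYPE="${1}"
+
+echo ${TYPE}
+if [[ "${TYPE}" == "prerelease_namespace" ]];then
+prerelease_namespace
+fi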
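Review bot: The Dockerfile branch greps with `.*[ ]*VERSION=\"` and rewrites with the same pattern, which matches any `…VERSION="` assignment and not only the `LABEL … VERSION="…"` line — the old Dockerfile in this commit carries an `ENV … REDIS_VERSION="…"` line, and if any such line survives, `ORIG_VERSION` becomes a two-line value and both lines get rewritten; anchoring on a word boundary, `grep -oP ".*\bVERSION=\"([^\"]*)"` and `sed -i "s/\(.*\bVERSION=\"\)\([^\"]*\)\(.*$\)/\1${PRERELEASE_VERSION}\3/" Dockerfile`, restricts it to the label (same for `NAME`). The `jq` calls splice shell values into the filter text (`jq ".Name = \"${PRERELEASE_NAME}\""`), so a name or version containing a quote breaks the filter; passing them as jq variables, `jq --arg n "${PRERELEASE_NAME}" '.Name = $n' dogu.json >dogu2.json && mv dogu2.json dogu.json`, and likewise for `.Version` and `.Image`, avoids that. `.Image` is also hard-coded to `registry.cloudogu.com/…`, discarding whatever registry the original `Image` field used, which deserves a comment if intended. `echo ${TYPE}` near the end should be quoted.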
2 changes: 1 addition & 1 deletion build/make/release.mk
Expand Up @@ -4,7 +4,7 @@

.PHONY: dogu-release
dogu-release: ## Start a dogu release
build/make/release.sh dogu
build/make/release.sh dogu "${FIXED_CVE_LIST}" $(DRY_RUN)

.PHONY: node-release
node-release: ## Start a node package release
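Review bot: The new recipe quotes `"${FIXED_CVE_LIST}"` but passes `$(DRY_RUN)` bare, so when `DRY_RUN` is empty the script receives two arguments instead of three and a positional read of `$3` under `set -o nounset` would behave differently from the non-empty case; quoting it, `build/make/release.sh dogu "${FIXED_CVE_LIST}" "$(DRY_RUN)"`, keeps the argument positions stable. How release.sh reads its third argument is outside the shown hunks, so this is inferred from the `[[ -n "${DRY_RUN}" ]]` check visible in release.sh. The line also mixes `${…}` and `$(…)` for make variables; both work, but one form reads better.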
1 change: 1 addition & 0 deletions build/make/release.sh
Expand Up @@ -56,6 +56,7 @@ fi

update_versions "${NEW_RELEASE_VERSION}"
update_changelog "${NEW_RELEASE_VERSION}" "${FIXED_CVE_LIST}"
update_releasenotes "${NEW_RELEASE_VERSION}"
show_diff

if [[ -n "${DRY_RUN}" ]]; then
44 changes: 44 additions & 0 deletions build/make/release_functions.sh
Expand Up @@ -207,6 +207,50 @@ update_changelog() {
git commit -m "Update changelog"
}

update_releasenotes() {
local NEW_RELEASE_VERSION="${1}"

# ReleaseNotes update
local CURRENT_DATE
CURRENT_DATE=$(date --rfc-3339=date)
local NEW_RELEASENOTE_TITLE="## [v${NEW_RELEASE_VERSION}] - ${CURRENT_DATE}"
rm -rf ".rn_changed"
find . -name "*release_notes*.md" -print0 | while read -d $'\0' file
do
# Check if "Unreleased" tag exists
while ! grep --silent "## \[Unreleased\]" "${file}"; do
echo ""
echo -e "\e[31mYour ${file} does not contain a \"## [Unreleased]\" line!\e[0m"
echo "Please add one to make it comply to https://keepachangelog.com/en/1.0.0/"
wait_for_ok "Please insert a \"## [Unreleased]\" line into ${file} now."
done

# Add new title line to changelog
sed -i "s|## \[Unreleased\]|## \[Unreleased\]\n\n${NEW_RELEASENOTE_TITLE}|g" "${file}"
echo "Processed ${file}"
echo true > ".rn_changed"
done

if test -f ".rn_changed" ; then
# Wait for user to validate changelog changes
wait_for_ok "Please make sure your release notes looks as desired."

find . -name "*release_notes*.md" -print0 | while read -d $'\0' file
do
# Check if new version tag still exists
while ! grep --silent "$(echo $NEW_RELEASENOTE_TITLE | sed -e 's/[]\/$*.^[]/\\&/g')" "${file}"; do
echo ""
echo -e "\e[31mYour ${file} does not contain \"${NEW_RELEASENOTE_TITLE}\"!\e[0m"
wait_for_ok "Please update your ${file} now."
done
git add "${file}"
done

git commit -m "Update ReleaseNotes"
fi
rm -rf ".rn_changed"
}

# addFixedCVEListFromReRelease is used in dogu cve releases. The method adds the fixed CVEs under the ### Fixed header
# in the unreleased section.
addFixedCVEListFromReRelease() {
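Review bot: Both `find … -print0 | while read -d $'\0' file` loops in `update_releasenotes` read without `-r` and without clearing `IFS`, so a path containing a backslash or leading/trailing whitespace is mangled before it reaches `grep`, `sed -i` and `git add`; `while IFS= read -r -d '' file` is the matching form for `-print0`. The title check uses the unquoted `$(echo $NEW_RELEASENOTE_TITLE | sed …)`, which should be `"${NEW_RELEASENOTE_TITLE}"`. Because the loop runs in a pipeline subshell, the `.rn_changed` flag file is the only way a result escapes it — a comment such as `# loop runs in a subshell, so a flag file signals that a file was changed` above `rm -rf ".rn_changed"` would explain the idiom. The version is spliced unescaped into the `sed -i "s|…|…|g"` replacement, so a release version containing `|` or `&` would corrupt the file; an escaping step like the one already applied on the grep side would close that.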
7 changes: 6 additions & 1 deletion build/make/self-update.mk
Expand Up @@ -19,4 +19,9 @@ remove-old-files:

.PHONY: copy-new-files
copy-new-files:
@cp -r $(TMP_DIR)/makefiles-$(MAKEFILES_VERSION)/build/make $(BUILD_DIR)
@cp -r $(TMP_DIR)/makefiles-$(MAKEFILES_VERSION)/build/make $(BUILD_DIR)

.PHONY: update-build-libs
update-build-libs:
@echo "Check for newer Build-Lib versions"
build/make/self-update.sh buildlibs
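Review bot: The new `update-build-libs` target lacks the `##` help comment used by the other targets in these makefiles (`dogu-release: ## Start a dogu release`), and its recipe rewrites `Jenkinsfile` in place with versions fetched from GitHub via self-update.sh, which is worth saying: `update-build-libs: ## Rewrite the build-lib versions in Jenkinsfile with the newest tags from GitHub (needs network access)`. The `@echo` line could then go, since the help comment already states the purpose.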
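--- a/build/make/self-update.sh
+++ b/build/make/self-update.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+set -o errexit
+set -o nounset
+set -o pipefail
+
+TYPE="${1}"
+
+update_build_libs() {
+echo "Get newest version of ces-build-lib and dogu-build-lib"
+update_jenkinsfile
+echo "Newest Versions set. Please check your Jenkinsfile"
+}
+
+get_highest_version() {
+local target="${1}"
+local gitCesBuildLib
+# getting tags from ces-build.libs OR dogu-build-libs
+gitCesBuildLib="$(git ls-remote --tags --refs https://github.com/cloudogu/${target}-build-lib)"
+local highest
+# Flagfile for getting results out of while-loop
+rm -rf .versions
+while IFS= read -r line; do
+local version
+version="$(awk -F'/tags/' '{ for(i=1;i<=NF;i++) print $i }' <<< $line | tail -n 1 | sed 's/[^0-9\.]*//g')"
+if [[ $version == *"."* ]] ; then
+echo $version >> ".versions"
+fi
+done <<< "$gitCesBuildLib"
+highest=$(sort .versions | tail -n 1)
+rm -rf .versions
+echo "${highest}"
+}
+
+# Patch Jenkinsfile
+update_jenkinsfile() {
+sed -i "s/ces-build-lib@[[:digit:]].[[:digit:]].[[:digit:]]/ces-build-lib@$(get_highest_version ces)/g" Jenkinsfile
+sed -i "s/dogu-build-lib@v[[:digit:]].[[:digit:]].[[:digit:]]/dogu-build-lib@v$(get_highest_version dogu)/g" Jenkinsfile
+}
+
+# switch for script entrypoint
+if [[ "${TYPE}" == "buildlibs" ]];then
+update_build_libs
+else
+echo "Unknown target ${TYPE}"
+fi
+
+
+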
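Review bot: `get_highest_version` selects the newest tag with `sort .versions | tail -n 1`, a lexical sort, so `1.9.0` would be ranked above `1.10.0` and a two-digit component could silently point the Jenkinsfile at an older library; `highest=$(sort -V .versions | tail -n 1)` sorts by version. The two `sed -i` patterns in `update_jenkinsfile` match only single-digit components with an unescaped `.` (`[[:digit:]].[[:digit:]].[[:digit:]]`), so the current `ces-build-lib@4.0.1` is found but a future `4.0.10` would be rewritten to a mangled value and a form like the old `1.48.0` would not match at all; `ces-build-lib@[[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+` (and the `dogu-build-lib@v…` twin) covers both. `<<< $line` and `echo $version` are unquoted while the loop already uses `IFS= read -r`; quoting them (`<<< "$line"`, `echo "$version"`) keeps it consistent. The function also writes `.versions` into the caller's working directory and removes it with `rm -rf`; a `mktemp` file would avoid clobbering an unrelated file of that name.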