From 7caed3de4dffee394c93a12aaa4960463636dbbe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Sat, 24 Aug 2024 00:53:57 +0300
Subject: [PATCH 01/27] Updated PHP, nvm, Node.js and mlocati/php-extension-installer versions
---
 Dockerfile | 4 ++--
 Dockerfile_dev | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index c66b451c0..cbf1ebe15 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM php:8.3.9-fpm
+FROM php:8.3.10-fpm
 ENV APP_ENV prod
 ENV APP_DEBUG 0
@@ -18,7 +18,7 @@ RUN apt-get update \
 && rm -rf /var/lib/apt/lists/*
 # Copy the install-php-extensions (Easily install PHP extension in official PHP Docker containers)
-COPY --from=mlocati/php-extension-installer:2.2.18 /usr/bin/install-php-extensions /usr/local/bin/
+COPY --from=mlocati/php-extension-installer:2.4.0 /usr/bin/install-php-extensions /usr/local/bin/
 # Install and enable all necessary PHP extensions
 RUN install-php-extensions \
diff --git a/Dockerfile_dev b/Dockerfile_dev
index d347aea9d..ba82a98c5 100644
--- a/Dockerfile_dev
+++ b/Dockerfile_dev
@@ -1,4 +1,4 @@
-FROM php:8.3.9-fpm
+FROM php:8.3.10-fpm
 # Let's use bash as a default shell with login each time
 SHELL ["/bin/bash", "--login", "-c"]
@@ -9,8 +9,8 @@ ARG HOST_GID
 # Declare constants
 ENV PATH "$PATH:/home/dev/.composer/vendor/bin:/app/vendor/bin"
-ENV NVM_VERSION v0.39.7
-ENV NODE_VERSION 22.4.0
+ENV NVM_VERSION v0.40.0
+ENV NODE_VERSION 22.7.0
 # Update package list and install necessary libraries
 RUN apt-get update \
@@ -56,7 +56,7 @@ ENV LANGUAGE en_US:en
 ENV LC_ALL en_US.UTF-8
 # Copy the install-php-extensions (Easily install PHP extension in official PHP Docker containers)
-COPY --from=mlocati/php-extension-installer:2.2.18 /usr/bin/install-php-extensions /usr/local/bin/
+COPY --from=mlocati/php-extension-installer:2.4.0 /usr/bin/install-php-extensions /usr/local/bin/
 # Enable all necessary PHP packages
 RUN install-php-extensions \
From e0649cb6de357e70edd0fe40770d4540a4310eb2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?= Date: Sat, 24 Aug 2024 01:06:06 +0300 Subject: [PATCH 02/27] IDE settings --- .idea/php-test-framework.xml | 14 -------------- .idea/php.xml | 4 ++-- .idea/symfony-flex-backend.iml | 6 ++++++ 3 files changed, 8 insertions(+), 16 deletions(-) delete mode 100644 .idea/php-test-framework.xml diff --git a/.idea/php-test-framework.xml b/.idea/php-test-framework.xml deleted file mode 100644 index a14326636..000000000 --- a/.idea/php-test-framework.xml +++ /dev/null @@ -1,14 +0,0 @@ - - - - - - - - - - - - - - \ No newline at end of file diff --git a/.idea/php.xml b/.idea/php.xml index f24ea9cf0..4f230da1b 100644 --- a/.idea/php.xml +++ b/.idea/php.xml @@ -214,8 +214,8 @@ + - @@ -224,7 +224,7 @@ - + /usr/local/etc/php/conf.d/docker-fpm.ini, /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini, /usr/local/etc/php/conf.d/docker-php-ext-bcmath.ini, /usr/local/etc/php/conf.d/docker-php-ext-igbinary.ini, /usr/local/etc/php/conf.d/docker-php-ext-intl.ini, /usr/local/etc/php/conf.d/docker-php-ext-opcache.ini, /usr/local/etc/php/conf.d/docker-php-ext-pdo_mysql.ini, /usr/local/etc/php/conf.d/docker-php-ext-sodium.ini, /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini, /usr/local/etc/php/conf.d/docker-php-ext-zip.ini /usr/local/etc/php/php.ini diff --git a/.idea/symfony-flex-backend.iml b/.idea/symfony-flex-backend.iml index 056748941..9e3746605 100644 --- a/.idea/symfony-flex-backend.iml +++ b/.idea/symfony-flex-backend.iml @@ -15,6 +15,12 @@ + + + + + + From 3ccc129264ed09258ba5b1ea90685118397cf346 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?= Date: Thu, 29 Aug 2024 19:34:10 +0300 Subject: [PATCH 03/27] Chore(CI) - Added Trivy to scan Docker image --- .github/workflows/main.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index e2af306a4..e490280da 100644 
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -360,3 +360,13 @@ jobs:
 - name: Build the Docker image
 run: docker build . --file Dockerfile --tag symfony-flex-backend:${{ steps.vars.outputs.DOCKER_TAG }}
+
+ - name: Scan Docker image with Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.24.0
+ with:
+ image-ref: 'symfony-flex-backend:${{ steps.vars.outputs.DOCKER_TAG }}'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
From 7e164b1f95d038d3b46a086149e2def3f849b530 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 19:51:56 +0300
Subject: [PATCH 04/27] Added `docker` directory to Docker ignore list
---
 .dockerignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.dockerignore b/.dockerignore
index b668af4aa..db4876219 100755
--- a/.dockerignore
+++ b/.dockerignore
@@ -2,6 +2,7 @@
 /.env.local
 /.env.*.local
 /.env.local.php
+/docker/
 /public/bundles/
 /var/
 /vendor/
From abccf67cde39119737091229ee25f915080d412b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 20:11:11 +0300
Subject: [PATCH 05/27] Use specific ignore directory
---
 .dockerignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.dockerignore b/.dockerignore
index db4876219..b0bdbc6ad 100755
--- a/.dockerignore
+++ b/.dockerignore
@@ -2,7 +2,7 @@
 /.env.local
 /.env.*.local
 /.env.local.php
-/docker/
+/docker/nginx/ssl/
 /public/bundles/
 /var/
 /vendor/
From a939895e2decaa8995a5f2ae7394d6c2bd2dd0e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 20:19:50 +0300
Subject: [PATCH 06/27] Remove `docker` folder in build process
---
 .dockerignore | 1 -
 Dockerfile | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/.dockerignore b/.dockerignore
index b0bdbc6ad..b668af4aa 100755
--- a/.dockerignore
+++ b/.dockerignore
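Review bot: The new step pins `aquasecurity/trivy-action@0.24.0` by tag, which is mutable, even though the step's `exit-code: '1'` makes it the gate that fails the build; pin the action to the full commit SHA of that release and keep the tag as a trailing comment, `uses: aquasecurity/trivy-action@<commit-sha-of-0.24.0> # v0.24.0`. `ignore-unfixed: true` combined with `severity: 'CRITICAL,HIGH'` means a critical finding without an upstream fix passes silently, which is a defensible policy but should be stated on the step, e.g. `# gate: fail only on fixable CRITICAL/HIGH; findings with no upstream fix are deliberately ignored`. Patch 13 re-applies this exact hunk and patches 14–22 repeat 04–12, which looks like a rebase artifact worth squashing before merge. The enclosing job and its `steps:` list begin outside the hunk.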
@@ -2,7 +2,6 @@
 /.env.local
 /.env.*.local
 /.env.local.php
-/docker/nginx/ssl/
 /public/bundles/
 /var/
 /vendor/
diff --git a/Dockerfile b/Dockerfile
index cbf1ebe15..65e018948 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -56,6 +56,7 @@ RUN curl -s https://api.github.com/repos/fabpot/local-php-security-checker/relea
 RUN rm -rf /app/var \
 && mkdir -p /app/var \
+ && rm -rf /app/docker \
 && rm -rf /app/public/check.php \
 && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader
From 50739f0d8dc4d607725caefd9b91e820afec4a64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 20:41:31 +0300
Subject: [PATCH 07/27] Add some debug
---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 65e018948..57bf68f21 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -58,7 +58,8 @@ RUN rm -rf /app/var \
 && mkdir -p /app/var \
 && rm -rf /app/docker \
 && rm -rf /app/public/check.php \
- && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader
+ && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader \
+ && ls -la /app
 EXPOSE 9000
From c788019a7aad4f462379001d39d752749739dbf7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 20:55:21 +0300
Subject: [PATCH 08/27] Hmm, something weird is happeing here
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 57bf68f21..e98fa962b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -59,7 +59,7 @@ RUN rm -rf /app/var \
 && rm -rf /app/docker \
 && rm -rf /app/public/check.php \
 && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader \
- && ls -la /app
+ && ls -la /app/docker
 EXPOSE 9000
From 5b0902f07ec8c9534a0eebd1e38595b6aa7961de Mon Sep 17 00:00:00 2001
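Review bot: The added `&& rm -rf /app/docker \` does not take the directory out of the image: the `COPY . /app` earlier in the file (outside this hunk) has already written it, including the `docker/nginx/ssl/` material that patch 05 excluded via `.dockerignore`, into its own layer, and an `rm` in a later RUN only hides it in the final filesystem while the COPY layer stays in the image. Dropping the `.dockerignore` entry in the same commit therefore removes the only control that actually kept those files out of the build context. Patches 07–09 (and the duplicated 16–19) keep iterating on this approach; excluding at copy time as patch 12/22 eventually does (`COPY --exclude=./docker/* . /app`) is the correct shape, and images built from the intermediate commits should be assumed to carry the excluded files in a layer. The `RUN rm -rf /app/var \` that opens this chain is the hunk's first context line.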
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 20:59:55 +0300
Subject: [PATCH 09/27] Another try
---
 .dockerignore | 2 ++
 Dockerfile | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.dockerignore b/.dockerignore
index b668af4aa..ef09f076d 100755
--- a/.dockerignore
+++ b/.dockerignore
@@ -2,6 +2,8 @@
 /.env.local
 /.env.*.local
 /.env.local.php
+/app/docker/nginx/ssl/rootCA.key
+/app/docker/nginx/ssl/tls.key
 /public/bundles/
 /var/
 /vendor/
diff --git a/Dockerfile b/Dockerfile
index e98fa962b..65e018948 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -58,8 +58,7 @@ RUN rm -rf /app/var \
 && mkdir -p /app/var \
 && rm -rf /app/docker \
 && rm -rf /app/public/check.php \
- && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader \
- && ls -la /app/docker
+ && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader
 EXPOSE 9000
From 5eccb53db565265a3ff500ed6e146819fa04654c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 21:15:13 +0300
Subject: [PATCH 10/27] Typo fix
---
 .dockerignore | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.dockerignore b/.dockerignore
index ef09f076d..a1fd2406c 100755
--- a/.dockerignore
+++ b/.dockerignore
@@ -2,8 +2,8 @@
 /.env.local
 /.env.*.local
 /.env.local.php
-/app/docker/nginx/ssl/rootCA.key
-/app/docker/nginx/ssl/tls.key
+/docker/nginx/ssl/rootCA.key
+/docker/nginx/ssl/tls.key
 /public/bundles/
 /var/
 /vendor/
From d5f888aa75d30c373b8cc9dd0a8078d7777793ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 21:25:37 +0300
Subject: [PATCH 11/27] Yet another try
---
 .dockerignore | 2 --
 Dockerfile | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/.dockerignore b/.dockerignore
index a1fd2406c..b668af4aa 100755
--- a/.dockerignore
+++ b/.dockerignore
@@ -2,8 +2,6 @@
 /.env.local
 /.env.*.local
 /.env.local.php
-/docker/nginx/ssl/rootCA.key
-/docker/nginx/ssl/tls.key
 /public/bundles/
 /var/
 /vendor/
diff --git a/Dockerfile b/Dockerfile
index 65e018948..5e0a01409 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -38,7 +38,7 @@ RUN composer completion bash > /etc/bash_completion.d/composer
 WORKDIR /app
-COPY . /app
+COPY --exclude=./docker . /app
 COPY ./docker/php/php.ini /usr/local/etc/php/php.ini
 COPY ./docker/php/www.conf /usr/local/etc/php-fpm.d/www.conf
From 69abb1aaf696bf8037e5df989d3f90ac06697139 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 22:24:10 +0300
Subject: [PATCH 12/27] Another try
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 5e0a01409..af0b335a5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -38,7 +38,7 @@ RUN composer completion bash > /etc/bash_completion.d/composer
 WORKDIR /app
-COPY --exclude=./docker . /app
+COPY --exclude=./docker/* . /app
 COPY ./docker/php/php.ini /usr/local/etc/php/php.ini
 COPY ./docker/php/www.conf /usr/local/etc/php-fpm.d/www.conf
From 97433131b277e5f763ea99e0242c4aa93555317b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 19:34:10 +0300
Subject: [PATCH 13/27] Chore(CI) - Added Trivy to scan Docker image
---
 .github/workflows/main.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index e2af306a4..e490280da 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -360,3 +360,13 @@ jobs:
 - name: Build the Docker image
 run: docker build . --file Dockerfile --tag symfony-flex-backend:${{ steps.vars.outputs.DOCKER_TAG }}
+
+ - name: Scan Docker image with Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.24.0
+ with:
+ image-ref: 'symfony-flex-backend:${{ steps.vars.outputs.DOCKER_TAG }}'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
From 018b4dd81fd7951c74e773456926915f405bc20a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 19:51:56 +0300
Subject: [PATCH 14/27] Added `docker` directory to Docker ignore list
---
 .dockerignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.dockerignore b/.dockerignore
index b668af4aa..db4876219 100755
--- a/.dockerignore
+++ b/.dockerignore
@@ -2,6 +2,7 @@
 /.env.local
 /.env.*.local
 /.env.local.php
+/docker/
 /public/bundles/
 /var/
 /vendor/
From aa8b96cdff52abfb40d534caed4892448e110225 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 20:11:11 +0300
Subject: [PATCH 15/27] Use specific ignore directory
---
 .dockerignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.dockerignore b/.dockerignore
index db4876219..b0bdbc6ad 100755
--- a/.dockerignore
+++ b/.dockerignore
@@ -2,7 +2,7 @@
 /.env.local
 /.env.*.local
 /.env.local.php
-/docker/
+/docker/nginx/ssl/
 /public/bundles/
 /var/
 /vendor/
From bfdb45d9ea17dc89888a6ea33e495c7599699463 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 20:19:50 +0300
Subject: [PATCH 16/27] Remove `docker` folder in build process
---
 .dockerignore | 1 -
 Dockerfile | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/.dockerignore b/.dockerignore
index b0bdbc6ad..b668af4aa 100755
--- a/.dockerignore
+++ b/.dockerignore
@@ -2,7 +2,6 @@
 /.env.local
 /.env.*.local
 /.env.local.php
-/docker/nginx/ssl/
 /public/bundles/
 /var/
 /vendor/
diff --git a/Dockerfile b/Dockerfile
index cbf1ebe15..65e018948 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -56,6 +56,7 @@ RUN curl -s https://api.github.com/repos/fabpot/local-php-security-checker/relea
 RUN rm -rf /app/var \
 && mkdir -p /app/var \
+ && rm -rf /app/docker \
 && rm -rf /app/public/check.php \
 && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader
From 95961894f2c0c77d99a0ec66163e12fe8199ba52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 20:41:31 +0300
Subject: [PATCH 17/27] Add some debug
---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 65e018948..57bf68f21 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -58,7 +58,8 @@ RUN rm -rf /app/var \
 && mkdir -p /app/var \
 && rm -rf /app/docker \
 && rm -rf /app/public/check.php \
- && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader
+ && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader \
+ && ls -la /app
 EXPOSE 9000
From 2bd61ef139c420354c0e381067d994a29f70a204 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 20:55:21 +0300
Subject: [PATCH 18/27] Hmm, something weird is happeing here
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 57bf68f21..e98fa962b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -59,7 +59,7 @@ RUN rm -rf /app/var \
 && rm -rf /app/docker \
 && rm -rf /app/public/check.php \
 && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader \
- && ls -la /app
+ && ls -la /app/docker
 EXPOSE 9000
From f4ca11aa5aa3b5574135210f4eeb3e7e9c6b8b35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 20:59:55 +0300
Subject: [PATCH 19/27] Another try
---
 .dockerignore | 2 ++
 Dockerfile | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.dockerignore b/.dockerignore
index b668af4aa..ef09f076d 100755
--- a/.dockerignore
+++ b/.dockerignore
@@ -2,6 +2,8 @@
 /.env.local
 /.env.*.local
 /.env.local.php
+/app/docker/nginx/ssl/rootCA.key
+/app/docker/nginx/ssl/tls.key
 /public/bundles/
 /var/
 /vendor/
diff --git a/Dockerfile b/Dockerfile
index e98fa962b..65e018948 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -58,8 +58,7 @@ RUN rm -rf /app/var \
 && mkdir -p /app/var \
 && rm -rf /app/docker \
 && rm -rf /app/public/check.php \
- && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader \
- && ls -la /app/docker
+ && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader
 EXPOSE 9000
From 558a1ef6cf7f104f6c7b162d0ffda4cfcd9c64ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 21:15:13 +0300
Subject: [PATCH 20/27] Typo fix
---
 .dockerignore | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.dockerignore b/.dockerignore
index ef09f076d..a1fd2406c 100755
--- a/.dockerignore
+++ b/.dockerignore
@@ -2,8 +2,8 @@
 /.env.local
 /.env.*.local
 /.env.local.php
-/app/docker/nginx/ssl/rootCA.key
-/app/docker/nginx/ssl/tls.key
+/docker/nginx/ssl/rootCA.key
+/docker/nginx/ssl/tls.key
 /public/bundles/
 /var/
 /vendor/
From 9c8a7d8b34971f85528eb5f0e7ad5807a98afbf3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 21:25:37 +0300
Subject: [PATCH 21/27] Yet another try
---
 .dockerignore | 2 --
 Dockerfile | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/.dockerignore b/.dockerignore
index a1fd2406c..b668af4aa 100755
--- a/.dockerignore
+++ b/.dockerignore
@@ -2,8 +2,6 @@
 /.env.local
 /.env.*.local
 /.env.local.php
-/docker/nginx/ssl/rootCA.key
-/docker/nginx/ssl/tls.key
 /public/bundles/
 /var/
 /vendor/
diff --git a/Dockerfile b/Dockerfile
index 65e018948..5e0a01409 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -38,7 +38,7 @@ RUN composer completion bash > /etc/bash_completion.d/composer
 WORKDIR /app
-COPY . /app
+COPY --exclude=./docker . /app
 COPY ./docker/php/php.ini /usr/local/etc/php/php.ini
 COPY ./docker/php/www.conf /usr/local/etc/php-fpm.d/www.conf
From fc371e670b470b6b6e2d28911f4000a515aaab58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Thu, 29 Aug 2024 22:24:10 +0300
Subject: [PATCH 22/27] Another try
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 5e0a01409..af0b335a5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -38,7 +38,7 @@ RUN composer completion bash > /etc/bash_completion.d/composer
 WORKDIR /app
-COPY --exclude=./docker . /app
+COPY --exclude=./docker/* . /app
 COPY ./docker/php/php.ini /usr/local/etc/php/php.ini
 COPY ./docker/php/www.conf /usr/local/etc/php-fpm.d/www.conf
From 16ada13568b60ceaa98528a65228817a9bcac8bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Sat, 31 Aug 2024 12:37:37 +0300
Subject: [PATCH 23/27] Use `composer audit`
---
 Dockerfile | 11 ++---------
 Dockerfile_dev | 8 --------
 docker-entrypoint-dev.sh | 18 +++++++++++-------
 3 files changed, 13 insertions(+), 24 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index af0b335a5..d63fed07d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -46,19 +46,12 @@ RUN chmod +x /app/bin/console
 RUN chmod +x /app/docker-entrypoint.sh
 RUN chmod +x /usr/bin/composer
-RUN curl -s https://api.github.com/repos/fabpot/local-php-security-checker/releases/latest | \
- grep -E "browser_download_url(.+)linux_amd64" | \
- cut -d : -f 2,3 | \
- tr -d \" | \
- xargs -I{} wget -O local-php-security-checker {} \
- && mv local-php-security-checker /usr/bin/local-php-security-checker \
- && chmod +x /usr/bin/local-php-security-checker
-
 RUN rm -rf /app/var \
 && mkdir -p /app/var \
 && rm -rf /app/docker \
 && rm -rf /app/public/check.php \
- && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader
+ && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader \
+ && php /usr/bin/composer audit
 EXPOSE 9000
diff --git a/Dockerfile_dev b/Dockerfile_dev
index ba82a98c5..56372462a 100644
--- a/Dockerfile_dev
+++ b/Dockerfile_dev
@@ -85,14 +85,6 @@ COPY ./docker/php/www-dev.conf /usr/local/etc/php-fpm.d/www.conf
 RUN chmod -R o+s+w /usr/local/etc/php
-RUN curl -s https://api.github.com/repos/fabpot/local-php-security-checker/releases/latest | \
- grep -E "browser_download_url(.+)linux_amd64" | \
- cut -d : -f 2,3 | \
- tr -d \" | \
- xargs -I{} wget -O local-php-security-checker {} \
- && mv local-php-security-checker /usr/bin/local-php-security-checker \
- && chmod +x /usr/bin/local-php-security-checker
-
 RUN groupadd --gid ${HOST_GID} dev \
 && useradd \
 -p $(perl -e 'print crypt($ARGV[0], "password")' 'dev') \
diff --git a/docker-entrypoint-dev.sh b/docker-entrypoint-dev.sh
index b5b42d10e..948f23167 100755
--- a/docker-entrypoint-dev.sh
+++ b/docker-entrypoint-dev.sh
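Review bot: `&& php /usr/bin/composer audit` audits the whole lock file while the install on the line above is `--no-dev`, so an advisory against a require-dev package fails the production build for code that never reaches the image; `&& php /usr/bin/composer audit --no-dev` scopes the gate to what is actually shipped. The audit also needs network access during the build and turns a previously reproducible step into one that starts failing the moment a new advisory is published, which is worth recording above the RUN, e.g. `# Fails the build on known advisories in shipped packages; needs network at build time`. Replacing the unpinned, unverified `curl | grep | xargs wget` download of local-php-security-checker with a tool already in the image is an improvement on its own. The RUN chain being edited opens on the hunk's context line `RUN rm -rf /app/var \`.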
@@ -6,10 +6,11 @@ set -e
 # 0) Basic linting of current JSON configuration file
 # 1) Export needed environment variables
 # 2) Install all dependencies
-# 3) Generate JWT encryption keys
-# 4) Create database if it not exists yet
-# 5) Run possible migrations, so that database is always up to date
-# 6) Add needed symfony console autocomplete for bash
+# 3) Check if there are any security issues in dependencies
+# 4) Generate JWT encryption keys
+# 5) Create database if it not exists yet
+# 6) Run possible migrations, so that database is always up to date
+# 7) Add needed symfony console autocomplete for bash
 #
 # Step 0
@@ -25,15 +26,18 @@ export XDEBUG_SESSION=PHPSTORM
 COMPOSER_MEMORY_LIMIT=-1 composer install --optimize-autoloader
 # Step 3
-make generate-jwt-keys
+composer audit
 # Step 4
-./bin/console doctrine:database:create --no-interaction --if-not-exists
+make generate-jwt-keys
 # Step 5
-./bin/console doctrine:migrations:migrate --no-interaction --allow-no-migration --all-or-nothing
+./bin/console doctrine:database:create --no-interaction --if-not-exists
 # Step 6
+./bin/console doctrine:migrations:migrate --no-interaction --allow-no-migration --all-or-nothing
+
+# Step 7
 ./bin/console completion bash >> /home/dev/.bashrc
 exec "$@"
From 50e4e707bfb3cc96a1e202a2c70d233e90f2a304 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Sat, 31 Aug 2024 12:49:50 +0300
Subject: [PATCH 24/27] Force to new Docker syntax
---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Dockerfile b/Dockerfile
index d63fed07d..8ad31966c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1.7-labs
 FROM php:8.3.10-fpm
 ENV APP_ENV prod
From 7edabf6c7dc05f94503f8637d6cba295f5be690c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Sat, 31 Aug 2024 13:03:42 +0300
Subject: [PATCH 25/27] Remove obsolete `rm` command
---
 Dockerfile | 1 -
 1 file changed, 1 deletion(-)
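Review bot: `composer audit` as the new Step 3 runs under the script's `set -e` (the first hunk's header context), so the dev container stops starting as soon as any advisory is published for a locked package, including dev-only ones, and it needs outbound network on every start. If fail-closed is the intent it should be stated at the step, e.g. `# Step 3 - aborts startup on any known advisory (set -e above)`; otherwise consider `composer audit --no-dev` so the dev entrypoint and the production Dockerfile gate on the same set of packages. The leading `set -e` and the `exec "$@"` tail make this the whole startup path, so a failing audit also skips the JWT-key and database steps that follow it.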
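Review bot: `# syntax=docker/dockerfile:1.7-labs` is load-bearing for the `COPY --exclude=./docker/* . /app` introduced in patch 12 (outside this hunk), since `--exclude` on COPY is only provided by the labs channel of the frontend and a stable `docker/dockerfile:1` would reject that instruction; a comment on the directive prevents a well-meaning "simplification", e.g. `# labs channel is required for the COPY --exclude flag used below`. The tag is also a floating reference to a pre-stable feature set, so pinning a fixed patch version of the labs tag or its digest would make the build reproducible rather than tracking whatever the channel currently resolves to. The `FROM php:8.3.10-fpm` context line is unaffected by the directive.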
diff --git a/Dockerfile b/Dockerfile
index 8ad31966c..0e198318e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -49,7 +49,6 @@ RUN chmod +x /usr/bin/composer
 RUN rm -rf /app/var \
 && mkdir -p /app/var \
- && rm -rf /app/docker \
 && rm -rf /app/public/check.php \
 && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader \
 && php /usr/bin/composer audit
From 34b335e2e0afbdfd7a850045f55bc53123ed98dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Wed, 4 Sep 2024 20:56:36 +0300
Subject: [PATCH 26/27] Apply available security updates
---
 Dockerfile | 8 ++++++++
 Dockerfile_dev | 8 ++++++++
 2 files changed, 16 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 0e198318e..3c2acd87c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -31,6 +31,14 @@ RUN install-php-extensions \
 pdo_mysql \
 zip
+# Install security updates
+RUN apt-get update \
+ && apt-get install -y \
+ debsecan \
+ && apt-get install --no-install-recommends -y \
+ $(debsecan --suite bookworm --format packages --only-fixed) \
+ && rm -rf /var/lib/apt/lists/*
+
 # Copy the Composer PHAR from the Composer image into the PHP image
 COPY --from=composer:2.7.7 /usr/bin/composer /usr/bin/composer
diff --git a/Dockerfile_dev b/Dockerfile_dev
index 56372462a..879359420 100644
--- a/Dockerfile_dev
+++ b/Dockerfile_dev
@@ -69,6 +69,14 @@ RUN install-php-extensions \
 xdebug \
 zip
+# Install security updates
+RUN apt-get update \
+ && apt-get install -y \
+ debsecan \
+ && apt-get install --no-install-recommends -y \
+ $(debsecan --suite bookworm --format packages --only-fixed) \
+ && rm -rf /var/lib/apt/lists/*
+
 # Copy the Composer PHAR from the Composer image into the PHP image
 COPY --from=composer:2.7.7 /usr/bin/composer /usr/bin/composer
From 597f47a72ffe6aeae468456bbb452026ebcf2f77 Mon Sep 17 00:00:00 2001
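Review bot: debsecan is installed into the production image and never removed, so a scanning tool (installed without `--no-install-recommends`, unlike the second `apt-get install` in the same chain) becomes part of the runtime surface; purge it in the same layer, `&& apt-get purge -y --auto-remove debsecan \` just before the `rm -rf /var/lib/apt/lists/*`, and give the first install the same `--no-install-recommends`. `--suite bookworm` is hard-coded while the suite really comes from the `php:8.3.10-fpm` base, so a later bump of that tag to another Debian release would silently query the wrong advisory list; derive it instead, e.g. `$(. /etc/os-release && echo "$VERSION_CODENAME")`, or at least comment the coupling on the RUN. This step also queries an external advisory service at build time, so identical inputs no longer yield an identical image, which is worth a sentence in the comment above it. The Dockerfile_dev hunk in this same patch adds the identical block and needs the same changes.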
From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?=
Date: Wed, 4 Sep 2024 21:02:00 +0300
Subject: [PATCH 27/27] Fixed indentations
---
 Dockerfile | 4 ++--
 Dockerfile_dev | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 3c2acd87c..8ec3b7059 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,9 +34,9 @@ RUN install-php-extensions \
 # Install security updates
 RUN apt-get update \
 && apt-get install -y \
- debsecan \
+ debsecan \
 && apt-get install --no-install-recommends -y \
- $(debsecan --suite bookworm --format packages --only-fixed) \
+ $(debsecan --suite bookworm --format packages --only-fixed) \
 && rm -rf /var/lib/apt/lists/*
 # Copy the Composer PHAR from the Composer image into the PHP image
diff --git a/Dockerfile_dev b/Dockerfile_dev
index 879359420..ba2c6c79b 100644
--- a/Dockerfile_dev
+++ b/Dockerfile_dev
@@ -72,9 +72,9 @@ RUN install-php-extensions \
 # Install security updates
 RUN apt-get update \
 && apt-get install -y \
- debsecan \
+ debsecan \
 && apt-get install --no-install-recommends -y \
- $(debsecan --suite bookworm --format packages --only-fixed) \
+ $(debsecan --suite bookworm --format packages --only-fixed) \
 && rm -rf /var/lib/apt/lists/*
 # Copy the Composer PHAR from the Composer image into the PHP image