diff --git a/.gitignore b/.gitignore
index 7061e3a..35bc1fd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ node_modules/
 src/base/.devcontainer/language_versions/
 .trivyignore_combined.yaml
 .out/
+.envrc
diff --git a/README.md b/README.md
index ac47623..388b233 100644
--- a/README.md
+++ b/README.md
@@ -62,9 +62,9 @@ USER root
 # specify DOCKER_GID to force container docker group id to match host
 RUN if [ -n "${DOCKER_GID}" ]; then \
 if ! getent group docker; then \
- groupadd -g ${DOCKER_GID} docker; \
+ groupadd -g "${DOCKER_GID}" docker; \
 else \
- groupmod -g ${DOCKER_GID} docker; \
+ groupmod -g "${DOCKER_GID}" docker; \
 fi && \
 usermod -aG docker vscode; \
 fi
@@ -108,40 +108,26 @@ IMAGE_NAME and IMAGE_VERSION should be changed as appropriate. You should not need to add any features as these are already baked into the image ## Getting image name and version in GitHub Actions -This job should be used in GitHub Actions wherever you need to get the dev container name or tag +This shared workflow should be used in GitHub Actions wherever you need to get the dev container name or tag. + +verify_published_from_main_image should be set to false for testing pull request images. ``` get_config_values: - runs-on: ubuntu-22.04 - outputs: - devcontainer_image_name: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE_NAME }} - devcontainer_image_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }} - steps: - - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - name: Load config value - id: load-config - run: | - DEVCONTAINER_IMAGE_NAME=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json) - DEVCONTAINER_IMAGE_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json) - echo "DEVCONTAINER_IMAGE_NAME=$DEVCONTAINER_IMAGE_NAME" >> "$GITHUB_OUTPUT" - echo "DEVCONTAINER_IMAGE_VERSION=$DEVCONTAINER_VERSION" >> "$GITHUB_OUTPUT" + uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815 + with: + verify_published_from_main_image: false ``` ## Using images in GitHub Actions To use the image in GitHub Actions, you should first verify the attestation of the image and reference the image by the digest For CI and release pipelines, you should set verify_published_from_main_image to ensure that only images published from main are used. 
``` jobs: - verify_attestation: - uses: NHSDigital/eps-common-workflows/.github/workflows/verify-attestation.yml@ - with: - runtime_docker_image: "${{ inputs.runtime_docker_image }}" - verify_published_from_main_image: false my_job_name: runs-on: ubuntu-22.04 - needs: verify_attestation + needs: get_config_values container: - image: ${{ needs.verify_attestation.outputs.pinned_image }} + image: ${{ needs.get_config_values.outputs.pinned_image }} options: --user 1001:1001 --group-add 128 defaults: run: @@ -153,7 +139,6 @@ jobs: ... other steps .... ``` It is important that: -- the image specified uses the tag starting githubactions- - there is `options: --user 1001:1001 --group-add 128` below image to ensure it uses the correct user id and is added to the docker group - the default shell is set to be bash - the first step copies .tool-versions from /home/vscode to $HOME/.tool-versions diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml index bd4d87e..3ed5c49 100644 --- a/src/common/.trivyignore.yaml +++ b/src/common/.trivyignore.yaml 
@@ -2,28 +2,44 @@ vulnerabilities: - id: CVE-2024-35870 statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04" expired_at: 2026-08-12 - id: CVE-2024-53179 statement: "kernel: smb: client: fix use-after-free of signing key" purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04" expired_at: 2026-08-12 - id: CVE-2025-37849 statement: "kernel: KVM: arm64: Tear down vGIC on failed vCPU creation" purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04" expired_at: 2026-08-12 - id: CVE-2025-37899 statement: "kernel: ksmbd: fix use-after-free in session logoff" purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04" expired_at: 2026-08-12 - id: CVE-2025-38118 statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04" expired_at: 2026-08-12 + - id: CVE-2026-23111 + statement: "kernel: Kernel: Privilege escalation or denial of service in 
nf_tables via inverted element activity check" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-26 + - id: CVE-2025-61594 + statement: "uri: URI module: Credential exposure via URI + operator" + purls: + - "pkg:gem/uri@0.13.0" + expired_at: 2026-08-26 - id: CVE-2026-26007 statement: "cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves" purls: diff --git a/src/projects/eps-storage-terraform/.devcontainer/.tool-versions b/src/projects/eps-storage-terraform/.devcontainer/.tool-versions new file mode 100644 index 0000000..209b802 --- /dev/null +++ b/src/projects/eps-storage-terraform/.devcontainer/.tool-versions @@ -0,0 +1 @@ +terraform 1.14.2 diff --git a/src/projects/eps-storage-terraform/.devcontainer/Dockerfile b/src/projects/eps-storage-terraform/.devcontainer/Dockerfile new file mode 100644 index 0000000..8226af2 --- /dev/null +++ b/src/projects/eps-storage-terraform/.devcontainer/Dockerfile 
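Review bot: The two new entries (`CVE-2026-23111` and `CVE-2025-61594`) record only the advisory title in `statement` and give no reason the finding is acceptable to suppress until 2026-08-26, so the next reader cannot tell whether the risk was assessed or just silenced. For the kernel entry the rationale is presumably that `linux-libc-dev` ships userspace headers only and the devcontainer runs on the host's kernel — if so, say it: `statement: "kernel: nf_tables privilege escalation (CVE-2026-23111) — not exploitable here: linux-libc-dev is headers only, container uses the host kernel"`. The `uri@0.13.0` entry is a different kind of risk: it is library code that executes inside the image and the advisory concerns credential exposure, so upgrading to a fixed gem release (if one exists for this image's Ruby) is preferable to a six-month ignore, and if the ignore must stay the statement should say who owns the follow-up. The pre-existing entries have the same title-only statements, so a one-line "why" convention in this file would help across the board.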
@@ -0,0 +1,39 @@
+ARG BASE_VERSION_TAG=latest
+ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:${BASE_VERSION_TAG}
+
+FROM ${BASE_IMAGE}
+
+ARG SCRIPTS_DIR=/usr/local/share/eps
+ARG CONTAINER_NAME
+ARG MULTI_ARCH_TAG
+ARG BASE_VERSION_TAG
+ARG IMAGE_TAG
+ARG TARGETARCH
+
+ENV SCRIPTS_DIR=${SCRIPTS_DIR}
+ENV CONTAINER_NAME=${CONTAINER_NAME}
+ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG}
+ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
+ENV IMAGE_TAG=${IMAGE_TAG}
+ENV TARGETARCH=${TARGETARCH}
+
+LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
+LABEL org.opencontainers.image.version=${IMAGE_TAG}
+LABEL org.opencontainers.image.base.name=${BASE_IMAGE}
+LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
+
+USER root
+COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}
+WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
+RUN ./root_install.sh
+
+USER vscode
+
+WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
+COPY .tool-versions /tmp/.tool-versions
+RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions
+
+RUN ./vscode_install.sh
+
+# Switch back to root to install the devcontainer CLI globally
+USER root
diff --git a/src/projects/eps-storage-terraform/.devcontainer/devcontainer.json b/src/projects/eps-storage-terraform/.devcontainer/devcontainer.json
new file mode 100644
index 0000000..95c0a22
--- /dev/null
+++ b/src/projects/eps-storage-terraform/.devcontainer/devcontainer.json
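Review bot: The Dockerfile ends with `USER root` but nothing follows it, so the comment about installing the devcontainer CLI is a leftover and the net effect is that the image's default user is root instead of the `vscode` user the base image provides; either drop the final `USER root` line or follow it with the promised install and then `USER vscode`. Separately, `ARG BASE_IMAGE` is declared only before `FROM`, and an ARG declared before the first `FROM` is out of scope inside the build stage, so `LABEL org.opencontainers.image.base.name=${BASE_IMAGE}` expands to an empty value — add `ARG BASE_IMAGE` alongside the other post-`FROM` ARG re-declarations so the base-image provenance label actually carries the base reference. `ARG BASE_VERSION_TAG=latest` also means a build that forgets the argument silently floats on a mutable tag; dropping the default (so an unset tag fails the `FROM`) or defaulting to a specific release tag is more in keeping with the README's own advice to reference images by digest. Minor: `.tool-versions` is copied to `/tmp` after `root_install.sh` has already cleaned `/tmp`, so it stays in the image layer — append `&& rm /tmp/.tool-versions` to the `RUN cat …` line.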
@@ -0,0 +1,18 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
+{
+ "name": "EPS Devcontainer node_24 python_3.13",
+ // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+ "build": {
+ "dockerfile": "Dockerfile",
+ "args": {
+ "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}",
+ "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}",
+ "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}",
+ "IMAGE_TAG": "${localEnv:IMAGE_TAG}"
+ },
+ "context": "."
+ },
+ "features": {}
+ }
+
diff --git a/src/projects/eps-storage-terraform/.devcontainer/scripts/root_install.sh b/src/projects/eps-storage-terraform/.devcontainer/scripts/root_install.sh
new file mode 100755
index 0000000..474c45b
--- /dev/null
+++ b/src/projects/eps-storage-terraform/.devcontainer/scripts/root_install.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -e
+
+# clean up
+apt-get clean
+rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
diff --git a/src/projects/eps-storage-terraform/.devcontainer/scripts/vscode_install.sh b/src/projects/eps-storage-terraform/.devcontainer/scripts/vscode_install.sh
new file mode 100755
index 0000000..d47719f
--- /dev/null
+++ b/src/projects/eps-storage-terraform/.devcontainer/scripts/vscode_install.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -e
+
+# install terraform using asdf
+asdf plugin add terraform
+asdf install
diff --git a/src/projects/eps-storage-terraform/.trivyignore.yaml b/src/projects/eps-storage-terraform/.trivyignore.yaml
new file mode 100644
index 0000000..4443daa
--- /dev/null
+++ b/src/projects/eps-storage-terraform/.trivyignore.yaml
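Review bot: No `remoteUser` is set, and the Dockerfile added in this same change ends with `USER root`, so a devcontainer built from this file will attach as root by default (without `remoteUser`/`containerUser` the dev container tooling uses the image's `USER`); add `"remoteUser": "vscode"` next to `"features": {}` so the editor session runs as the unprivileged user the base image provides. The `"name"` still reads `EPS Devcontainer node_24 python_3.13`, which is the template this was copied from rather than the terraform project — rename it so the container is identifiable in the editor's container list. Every build arg is taken from `${localEnv:…}` with no default, so an unset `BASE_VERSION_TAG` presumably arrives in the Dockerfile as an empty string; the leading comment should list the environment variables the build expects so that is not discovered at build time.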
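Review bot: `asdf plugin add terraform` with no URL resolves the plugin through asdf's short-name registry and clones whatever that repository's default branch is at build time, so the image build executes unpinned third-party code and two builds of the same tag can differ; this stands out because the README in this change pins every reusable workflow to a commit SHA. Pass the plugin repository explicitly and pin it, e.g. `asdf plugin add terraform <plugin-git-url>` followed by `asdf plugin update terraform <commit-sha>`, and record the chosen commit in the comment above it. `set -e` on its own also lets an unset variable or a failed pipeline stage go unnoticed; `set -euo pipefail` is the usual form. Whether `asdf install` verifies the downloaded terraform archive against HashiCorp's published checksums is up to the plugin — worth confirming and stating in the `# install terraform using asdf` comment.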
@@ -0,0 +1,107 @@
+vulnerabilities:
+ - id: CVE-2022-25235
+ statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-12
+ - id: CVE-2022-25236
+ statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-12
+ - id: CVE-2022-26485
+ statement: "Mozilla: Use-after-free in XSLT parameter processing"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-12
+ - id: CVE-2022-26486
+ statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-12
+ - id: CVE-2026-25547
+ statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion"
+ purls:
+ - "pkg:npm/%40isaacs/brace-expansion@5.0.0"
+ expired_at: 2026-08-12
+ - id: CVE-2025-64756
+ statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames"
+ purls:
+ - "pkg:npm/glob@10.4.5"
+ - "pkg:npm/glob@11.0.3"
+ expired_at: 2026-08-12
+ - id: CVE-2026-23745
+ statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives"
+ purls:
+ - "pkg:npm/tar@7.5.1"
+ expired_at: 2026-08-12
+ - id: CVE-2026-23950
+ statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition"
+ purls:
+ - "pkg:npm/tar@7.5.1"
+ expired_at: 2026-08-12
+ - id: CVE-2026-24842
+ statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check"
+ purls:
+ - "pkg:npm/tar@7.5.1"
+ expired_at: 2026-08-12
+ - id: CVE-2022-25235
+ statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-13
+ - id: CVE-2022-25236
+ statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-13
+ - id: CVE-2022-26485
+ statement: "Mozilla: Use-after-free in XSLT parameter processing"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-13
+ - id: CVE-2022-26486
+ statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-13
+ - id: CVE-2022-25235
+ statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-25236
+ statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-26485
+ statement: "Mozilla: Use-after-free in XSLT parameter processing"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-26486
+ statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-25235
+ statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-25236
+ statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-26485
+ statement: "Mozilla: Use-after-free in XSLT parameter processing"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-26486
+ statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
diff --git a/src/projects/eps-storage-terraform/trivy.yaml b/src/projects/eps-storage-terraform/trivy.yaml
new file mode 100644
index 0000000..06fd4b7
--- /dev/null
+++ b/src/projects/eps-storage-terraform/trivy.yaml
@@ -0,0 +1 @@
+ignorefile: "src/projects/eps-storage-terraform/.trivyignore_combined.yaml"
diff --git a/src/projects/fhir_facade_api/.trivyignore.yaml b/src/projects/fhir_facade_api/.trivyignore.yaml
index 4443daa..d8a3458 100644
--- a/src/projects/fhir_facade_api/.trivyignore.yaml
+++ b/src/projects/fhir_facade_api/.trivyignore.yaml
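Review bot: This ignore list is a byte-for-byte copy of `src/projects/fhir_facade_api/.trivyignore.yaml` as it stood before this change (both sides reference blob `4443daa`), so the terraform devcontainer inherits suppressions for Firefox/expat, `tar@7.5.1`, `glob` and `brace-expansion` that have not visibly been assessed for this image — and because the fhir_facade_api list is updated in the same commit to Firefox 148 purls, the copy is stale on arrival. Each Firefox CVE is also listed four times (`CVE-2022-25235` for 147.0.3 amd64, 147.0.3 arm64, 147.0.4 arm64 and 147.0.4 amd64) with differing `expired_at` dates, which obscures what is actually accepted and when it lapses. Prefer starting from an empty `vulnerabilities:` list and adding only what a scan of this image reports, one entry per CVE with every matching purl under it and a `statement` that says why it is acceptable here (`statement: "<advisory>: <why it is not exploitable in this image>"`) rather than repeating the advisory title. If the intent is to share suppressions across projects, the `.trivyignore_combined.yaml` that `trivy.yaml` points at appears to exist for merging `src/common/.trivyignore.yaml` with per-project lists, so the common file is the place for anything genuinely shared.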
@@ -3,21 +3,29 @@ vulnerabilities: statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution" purls: - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=arm64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=amd64&distro=ubuntu-22.04" expired_at: 2026-08-12 - id: CVE-2022-25236 statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution" purls: - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=arm64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=amd64&distro=ubuntu-22.04" expired_at: 2026-08-12 - id: CVE-2022-26485 statement: "Mozilla: Use-after-free in XSLT parameter processing" purls: - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=arm64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=amd64&distro=ubuntu-22.04" expired_at: 2026-08-12 - id: CVE-2022-26486 statement: "Mozilla: Use-after-free in WebGPU IPC Framework" purls: - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=arm64&distro=ubuntu-22.04" + - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=amd64&distro=ubuntu-22.04" expired_at: 2026-08-12 - id: CVE-2026-25547 statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion"