common vulns

Author: anthony-nhs

.github/workflows/build_all_images.yml

@@ -18,19 +18,19 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       base_node_folders: ${{ steps.find-folders.outputs.base_node }}
-      language_folders: ${{ steps.find-folders.outputs.languages }}
+      node_24_language_folders: ${{ steps.find-folders.outputs.node_24_languages }}
       project_folders: ${{ steps.find-folders.outputs.projects }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       - id: find-folders
         run: |
           base_node_folders=$(find src/base_node -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]')
-          language_folders=$(find src/languages -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]')
+          node_24_language_folders=$(find src/languages -mindepth 1 -maxdepth 1 -type d -name 'node_24*' -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]')
           project_folders=$(find src/projects -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]')
           {
             echo "base_node=$base_node_folders"
-            echo "languages=$language_folders"
+            echo "node_24_languages=$node_24_language_folders"
             echo "projects=$project_folders"
           } >> "$GITHUB_OUTPUT"
   package_base_docker_image:
@@ -56,25 +56,26 @@ jobs:
       container_name: ${{ matrix.container_name }}
       base_folder: "base_node"
       NO_CACHE: ${{ inputs.NO_CACHE }}
-  package_language_docker_images:
+  package_node_24_language_docker_images:
     needs:
       - package_base_docker_image
       - package_base_node_images
       - discover_folders
     strategy:
       fail-fast: false
       matrix:
-            container_name: ${{ fromJson(needs.discover_folders.outputs.language_folders) }}
+            container_name: ${{ fromJson(needs.discover_folders.outputs.node_24_language_folders) }}
     uses: ./.github/workflows/build_multi_arch_image.yml
     with:
       tag_latest: ${{ inputs.tag_latest }}
       docker_tag: ${{ inputs.docker_tag }}
       container_name: ${{ matrix.container_name }}
       base_folder: "languages"
       NO_CACHE: ${{ inputs.NO_CACHE }}
+      EXTRA_COMMON: "common_node_24"
   package_project_docker_images:
     needs:
-      - package_language_docker_images
+      - package_node_24_language_docker_images
       - discover_folders
     strategy:
       fail-fast: false

.github/workflows/build_multi_arch_image.yml

@@ -17,6 +17,9 @@ name: Build and push docker image
       NO_CACHE:
         required: true
         type: boolean
+      EXTRA_COMMON:
+        required: false
+        type: string
 
 jobs:
   build_and_push_image:
@@ -88,6 +91,7 @@ jobs:
           BASE_FOLDER: "${{ inputs.base_folder }}"
           IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
           EXIT_CODE: 0
+          EXTRA_COMMON: "${{ inputs.extra_common }}"
       - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         name: Upload scan results
         with:
@@ -101,7 +105,7 @@ jobs:
           BASE_FOLDER: "${{ inputs.base_folder }}"
           IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
           EXIT_CODE: "1"
-
+          EXTRA_COMMON: "${{ inputs.extra_common }}"
       - name: Show docker vulnerability output
         if: always()
         run: |

Makefile

@@ -41,30 +41,35 @@ build-githubactions-image: guard-BASE_IMAGE_NAME guard-BASE_IMAGE_TAG guard-IMAG
 		.
 
 scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER
+	mkdir -p .out
 	@combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \
 	common="src/common/.trivyignore.yaml"; \
+	extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \
 	specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \
 	exit_code="$${EXIT_CODE:-1}"; \
 	echo "vulnerabilities:" > "$$combined"; \
 	if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \
-	if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi
+	if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \
+	if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \
 	trivy image \
 		--severity HIGH,CRITICAL \
 		--config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \
 		--scanners vuln \
-		--exit-code "$$exit_code" \
+		--exit-code $$exit_code \
 		--format table \
 		--output .out/scan_results_docker.txt "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" 
 
 scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG
+	mkdir -p .out
 	@combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \
 	common="src/common/.trivyignore.yaml"; \
+	extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \
 	specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \
 	exit_code="$${EXIT_CODE:-1}"; \
 	echo "vulnerabilities:" > "$$combined"; \
 	if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \
-	if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi
-	mkdir -p .out
+	if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \
+	if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \
 	trivy image \
 		--severity HIGH,CRITICAL \
 		--config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \

README.md

@@ -230,9 +230,10 @@ CONTAINER_NAME=node_24 \
 ```
 Language images
 ```
-CONTAINER_NAME=node_24_python_3_12 \
+CONTAINER_NAME=node_24_python_3_14 \
   BASE_FOLDER=languages \
   IMAGE_TAG=local-build \
+  EXTRA_COMMON=common_node_24 \
   make scan-image
 ``` 
 Project images