From 34146b4aabfb7d5ba94eec753d77c9449b18b165 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 26 Jan 2025 05:58:13 +0000 Subject: [PATCH 1/6] Bump eslint-plugin-react in /frontend-react in the react group Bumps the react group in /frontend-react with 1 update: [eslint-plugin-react](https://github.com/jsx-eslint/eslint-plugin-react). Updates `eslint-plugin-react` from 7.37.3 to 7.37.4 - [Release notes](https://github.com/jsx-eslint/eslint-plugin-react/releases) - [Changelog](https://github.com/jsx-eslint/eslint-plugin-react/blob/master/CHANGELOG.md) - [Commits](https://github.com/jsx-eslint/eslint-plugin-react/compare/v7.37.3...v7.37.4) --- updated-dependencies: - dependency-name: eslint-plugin-react dependency-type: direct:development update-type: version-update:semver-patch dependency-group: react ... Signed-off-by: dependabot[bot] --- frontend-react/package.json | 2 +- frontend-react/yarn.lock | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/frontend-react/package.json b/frontend-react/package.json index 827d1e0ca55..3edebe13f1b 100644 --- a/frontend-react/package.json +++ b/frontend-react/package.json @@ -161,7 +161,7 @@ "eslint-plugin-jest-dom": "^5.5.0", "eslint-plugin-jsx-a11y": "^6.10.2", "eslint-plugin-playwright": "^2.1.0", - "eslint-plugin-react": "^7.37.3", + "eslint-plugin-react": "^7.37.4", "eslint-plugin-react-hooks": "^5.1.0", "eslint-plugin-react-refresh": "^0.4.18", "eslint-plugin-storybook": "^0.11.2", diff --git a/frontend-react/yarn.lock b/frontend-react/yarn.lock index 9b93c313d1a..fbe5748b4f8 100644 --- a/frontend-react/yarn.lock +++ b/frontend-react/yarn.lock 
@@ -5781,9 +5781,9 @@ __metadata: languageName: node linkType: hard -"eslint-plugin-react@npm:^7.37.3": - version: 7.37.3 - resolution: "eslint-plugin-react@npm:7.37.3" +"eslint-plugin-react@npm:^7.37.4": + version: 7.37.4 + resolution: "eslint-plugin-react@npm:7.37.4" dependencies: array-includes: ^3.1.8 array.prototype.findlast: ^1.2.5 @@ -5805,7 +5805,7 @@ __metadata: string.prototype.repeat: ^1.0.0 peerDependencies: eslint: ^3 || ^4 || ^5 || ^6 || ^7 || ^8 || ^9.7 - checksum: 670dcee215f560a394b8b9966aecfc3c5ee5c15603a690f5333b0e16863275958f9c1853b12355eb0e36ef74dfac8bf645e4f440cb9b985a3bae2ac09d5ed55a + checksum: 8a37bdc9b347bf3a1273fef73dfbc39279cc3e58441940a5e13b3ba4e82b34132d1d1172db9d6746f153ee981280bd6bd06a9065fb453388c68f4bebe0d9f839 languageName: node linkType: hard @@ -10004,7 +10004,7 @@ __metadata: eslint-plugin-jest-dom: ^5.5.0 eslint-plugin-jsx-a11y: ^6.10.2 eslint-plugin-playwright: ^2.1.0 - eslint-plugin-react: ^7.37.3 + eslint-plugin-react: ^7.37.4 eslint-plugin-react-hooks: ^5.1.0 eslint-plugin-react-refresh: ^0.4.18 eslint-plugin-storybook: ^0.11.2 From e7605d23cfd5cc75b8b075a65b32ac98660a04c4 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 26 Jan 2025 05:58:28 +0000 Subject: [PATCH 2/6] Bump the ui group in /frontend-react with 2 updates Bumps the ui group in /frontend-react with 2 updates: [focus-trap-react](https://github.com/focus-trap/focus-trap-react) and [react-toastify](https://github.com/fkhadra/react-toastify). Updates `focus-trap-react` from 11.0.2 to 11.0.3 - [Release notes](https://github.com/focus-trap/focus-trap-react/releases) - [Changelog](https://github.com/focus-trap/focus-trap-react/blob/master/CHANGELOG.md) - [Commits](https://github.com/focus-trap/focus-trap-react/compare/v11.0.2...v11.0.3) Updates `react-toastify` from 11.0.2 to 11.0.3 - [Release notes](https://github.com/fkhadra/react-toastify/releases) - [Commits](https://github.com/fkhadra/react-toastify/compare/v11.0.2...v11.0.3) --- updated-dependencies: - dependency-name: focus-trap-react dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ui - dependency-name: react-toastify dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ui ... Signed-off-by: dependabot[bot] --- frontend-react/package.json | 4 ++-- frontend-react/yarn.lock | 30 +++++++++++++++--------------- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/frontend-react/package.json b/frontend-react/package.json index 827d1e0ca55..f2023413ec8 100644 --- a/frontend-react/package.json +++ b/frontend-react/package.json @@ -20,7 +20,7 @@ "date-fns-tz": "^3.2.0", "dompurify": "^3.2.3", "export-to-csv-fix-source-map": "^0.2.1", - "focus-trap-react": "^11.0.2", + "focus-trap-react": "^11.0.3", "history": "^5.3.0", "html-to-text": "^9.0.5", "lodash": "^4.17.21", 
@@ -35,7 +35,7 @@ "react-router": "^6.28.0", "react-router-dom": "^6.28.0", "react-scroll-sync": "^0.11.2", - "react-toastify": "^11.0.2", + "react-toastify": "^11.0.3", "rehype-raw": "^7.0.0", "rehype-slug": "^5.1.0", "rest-hooks": "^6.1.7", diff --git a/frontend-react/yarn.lock b/frontend-react/yarn.lock index 9b93c313d1a..b0c3ec615aa 100644 --- a/frontend-react/yarn.lock +++ b/frontend-react/yarn.lock @@ -6269,27 +6269,27 @@ __metadata: languageName: node linkType: hard -"focus-trap-react@npm:^11.0.2": - version: 11.0.2 - resolution: "focus-trap-react@npm:11.0.2" +"focus-trap-react@npm:^11.0.3": + version: 11.0.3 + resolution: "focus-trap-react@npm:11.0.3" dependencies: - focus-trap: ^7.6.2 + focus-trap: ^7.6.4 tabbable: ^6.2.0 peerDependencies: "@types/react": ^18.0.0 || ^19.0.0 "@types/react-dom": ^18.0.0 || ^19.0.0 react: ^18.0.0 || ^19.0.0 react-dom: ^18.0.0 || ^19.0.0 - checksum: 992b6330101ff71abba01c0ea0c85104a0bbf3bf91f335ca004776e77c7d700d8f1e8a12425cb7a1bc8a041169c2b0d4c25c9ac0db5b5bdf8d17c21d66085ab8 + checksum: 36150d76545a8c758201648263bc04c71a84d086b20702896ca034f1ef793821121ed548d236724202b435e352a7c1cf96b12951c66ee4f38058eb185586a78e languageName: node linkType: hard -"focus-trap@npm:^7.6.2": - version: 7.6.2 - resolution: "focus-trap@npm:7.6.2" +"focus-trap@npm:^7.6.4": + version: 7.6.4 + resolution: "focus-trap@npm:7.6.4" dependencies: tabbable: ^6.2.0 - checksum: b5873f8e506d3f466d9823d2f144612d3938f3c74c3be3db922052e5e54fd41a3a46889f8219f16f60d1ce5aff9e0a7fef9dea03ca0da96820c2ea36243236f7 + checksum: 8a71f21ff165fac9f9e79d117233392903a36f30ee03ce0970c8739ea66f7f9bb6c0f2b8da648221daa915fdb90ffb808565e8c31086909fbc02f6de8e08a0df languageName: node linkType: hard @@ -10011,7 +10011,7 @@ __metadata: eslint-plugin-testing-library: ^7.1.1 eslint-plugin-vitest: ^0.5.4 export-to-csv-fix-source-map: ^0.2.1 - focus-trap-react: ^11.0.2 + focus-trap-react: ^11.0.3 globals: ^15.14.0 history: ^5.3.0 html-to-text: ^9.0.5 
@@ -10038,7 +10038,7 @@ __metadata: react-router: ^6.28.0 react-router-dom: ^6.28.0 react-scroll-sync: ^0.11.2 - react-toastify: ^11.0.2 + react-toastify: ^11.0.3 rehype-raw: ^7.0.0 rehype-slug: ^5.1.0 remark-frontmatter: ^5.0.0 @@ -10205,15 +10205,15 @@ __metadata: languageName: node linkType: hard -"react-toastify@npm:^11.0.2": - version: 11.0.2 - resolution: "react-toastify@npm:11.0.2" +"react-toastify@npm:^11.0.3": + version: 11.0.3 + resolution: "react-toastify@npm:11.0.3" dependencies: clsx: ^2.1.1 peerDependencies: react: ^18 || ^19 react-dom: ^18 || ^19 - checksum: b951638b517e110f09a60f8164d759d29d480132832d574a57b5724ed6887ec728401f6fe9bf00d4a70ec5edb5a7871fc45f18ddeffdecf677b1dbbdddc55b2c + checksum: 72d771a7a780c86860350908e6adaf431b681c69ceb09726f3e572a20e361f9fc690906dd5953650e9a4964f0d240d7742d20bce4c86637487772714490c305e languageName: node linkType: hard From dddd6f40e5e6d613d74b827da412e2a90f9152ee Mon Sep 17 00:00:00 2001 
From: matts <22215332+devopsmatt@users.noreply.github.com> Date: Mon, 27 Jan 2025 14:13:18 -0800 Subject: [PATCH 3/6] frontend dockerization (#17151) * frontend dockerized * run nginx as unprivileged user * bump node to bugfix version 20.15.1, as per Chainguard requirement * add Dockerfile * re-add run.container.sh script * update dpendabot to include Dockerfile in updates * resolve new CVE in glibc * update nginx.conf --------- Co-authored-by: Joseph Andersen <12385932+jpandersen87@users.noreply.github.com> --- .github/dependabot.yml | 5 +++ frontend-react/.dockerignore | 4 +- frontend-react/.nvmrc | 2 +- frontend-react/Dockerfile | 56 ++++++++++++++++++++++++++ frontend-react/nginx.conf | 18 +++++++++ frontend-react/run.container.sh | 0 frontend-react/scripts/build-docker.sh | 1 + 7 files changed, 83 insertions(+), 3 deletions(-) create mode 100644 frontend-react/Dockerfile create mode 100644 frontend-react/nginx.conf mode change 100644 => 100755 frontend-react/run.container.sh create mode 100755 frontend-react/scripts/build-docker.sh diff --git a/.github/dependabot.yml b/.github/dependabot.yml index acfe600ce32..30c0ec7a53e 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -19,6 +19,11 @@ updates: directory: "/.environment/docker/docker-compose" schedule: interval: "weekly" + - package-ecosystem: "docker" + directory: "/frontend-react" + schedule: + interval: "weekly" + versioning-strategy: digest # slack-boltjs-app (chatops) - package-ecosystem: "gitsubmodule" diff --git a/frontend-react/.dockerignore b/frontend-react/.dockerignore index dcab0d2aa7b..85d1efee756 100644 --- a/frontend-react/.dockerignore +++ b/frontend-react/.dockerignore @@ -1,5 +1,5 @@ .dockerignore -*.sh build Dockerfile* -node_modules \ No newline at end of file +node_modules +**/.DS_Store \ No newline at end of file diff --git a/frontend-react/.nvmrc b/frontend-react/.nvmrc index cecb9362895..b8e593f5210 100644 --- a/frontend-react/.nvmrc +++ b/frontend-react/.nvmrc 
@@ -1 +1 @@ -20.15 +20.15.1 diff --git a/frontend-react/Dockerfile b/frontend-react/Dockerfile new file mode 100644 index 00000000000..69378fd4f09 --- /dev/null +++ b/frontend-react/Dockerfile 
@@ -0,0 +1,56 @@
+# Start with the latest version of hardened builder image
+FROM cgr.dev/chainguard/wolfi-base:latest AS builder
+
+# Install required dependencies
+RUN apk add --no-cache bash curl git ca-certificates libstdc++ coreutils && \
+ update-ca-certificates && \
+ touch ~/.bash_profile
+
+# Get desired Node.js version and install it
+COPY .nvmrc /tmp/.nvmrc
+RUN export NODE_VERSION=$(cat /tmp/.nvmrc | tr -d '[:space:]') && \
+ ARCH=$(uname -m) && \
+ echo $ARCH && \
+ case $ARCH in \
+ x86_64) ARCH_NAME="x64";; \
+ aarch64) ARCH_NAME="arm64";; \
+ *) echo "Unsupported architecture: $ARCH" && exit 1;; \
+ esac && \
+ echo "Architecture: $ARCH_NAME" && \
+ PLATFORM_ARCH="linux-${ARCH_NAME}" && \
+ echo "Platform architecture: $PLATFORM_ARCH https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-${PLATFORM_ARCH}.tar.gz" && \
+ echo "Installing Node.js version: ${NODE_VERSION} for $ARCH_NAME" && \
+ DOWNLOAD_URL="https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-${PLATFORM_ARCH}.tar.gz" && \
+ echo "Downloading from: $DOWNLOAD_URL" && \
+ curl -fsSL --retry 3 "$DOWNLOAD_URL" -o /tmp/node.tar.gz && \
+ tar -xzf /tmp/node.tar.gz -C /usr/local --strip-components=1 && \
+ rm /tmp/node.tar.gz /tmp/.nvmrc && \
+ echo -n "Node.js installed version: " && node -v && \
+ echo -n "npm installed version: " && npm -v && \
+ apk del glibc # Remove glibc package to resolve CVE CVE-2025-0395
+
+
+# Install yarn and resolve vulnerability in cross-spawn, by upgrading it to a version with resolved CVE
+# Newly found CVEs can be resolved in similar manner - by upgrading to the closest fixed version
+RUN apk add --no-cache yarn && \
+ npm install -g cross-spawn@7.0.3
+# Extract Node.js version from the image
+SHELL ["/bin/ash", "-o", "pipefail", "-c"]
+RUN node --version | awk -F'v' '{print $2}'
+WORKDIR /app
+# Prep package manager as root and drop privileges
+USER root
+COPY --chown=nonroot . .
+RUN chown nonroot:nonroot ./ && npm install -g corepack
+# Run install/buiuld as unprivileged user
+USER nonroot
+RUN yarn install --immutable && yarn build:production
+
+# Web server stage
+# This image runs as a unprivileged user by default, so there's no need to explicitly set user - see the Note block in the link below for more context
+# https://edu.chainguard.dev/chainguard/chainguard-images/getting-started/nginx/#advanced-usage
+FROM cgr.dev/chainguard/nginx AS server
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY --from=builder /app/build /usr/share/nginx/html
+EXPOSE 8080
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/frontend-react/nginx.conf b/frontend-react/nginx.conf
new file mode 100644
index 00000000000..091a4d77682
--- /dev/null
+++ b/frontend-react/nginx.conf
@@ -0,0 +1,18 @@
+pid /var/run/nginx.pid;
+
+http {
+ include mime.types;
+
+ server {
+ listen 8080;
+ server_name localhost;
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ try_files $uri /index.html; # Pass all non-files to our react app
+ }
+ }
+}
+
+events {}
\ No newline at end of file
diff --git a/frontend-react/run.container.sh b/frontend-react/run.container.sh
old mode 100644
new mode 100755
diff --git a/frontend-react/scripts/build-docker.sh b/frontend-react/scripts/build-docker.sh
new file mode 100755
index 00000000000..6fd396c028f
--- /dev/null
+++ b/frontend-react/scripts/build-docker.sh
@@ -0,0 +1 @@
+docker build . --build-arg NODE_VERSION=$(cat .nvmrc) -t rs-frontend:latest
\ No newline at end of file
From 0c891342f55b2bf8297e36e9997b509714db78f3 Mon Sep 17 00:00:00 2001 From: matts <22215332+devopsmatt@users.noreply.github.com> Date: Mon, 27 Jan 2025 15:05:28 -0800 Subject: [PATCH 4/6] Update dependabot.yml (#17185) fixed versioning strategy --- .github/dependabot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 30c0ec7a53e..2ca170e6481 100644
--- a/.github/dependabot.yml
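Review bot: The Node.js tarball fetched by `curl -fsSL --retry 3 "$DOWNLOAD_URL" -o /tmp/node.tar.gz` is extracted into /usr/local with no integrity check, so a corrupted or tampered download becomes the toolchain that builds the production bundle; nodejs.org publishes a SHASUMS256.txt for every release and the `coreutils` package installed two steps earlier should provide `sha256sum`, so the check is cheap (verifying SHASUMS256.txt.sig against the Node release keys would be the stronger step). The `apk del glibc # Remove glibc package to resolve CVE CVE-2025-0395` line is doubtful either way: if glibc were really removed, the `node -v`, `npm` and `yarn` steps that follow could not run, and if apk declines because other packages depend on it, the CVE is not addressed — `apk upgrade --no-cache` to the patched Wolfi glibc is the usual fix, and in any case the builder's glibc never reaches the final image, which is `FROM cgr.dev/chainguard/nginx` and only copies /app/build. Both base images are unpinned (`wolfi-base:latest`, `chainguard/nginx` with no tag), which makes builds non-reproducible and gives the Dependabot docker entry added in this commit nothing to bump; pin them as `FROM cgr.dev/chainguard/wolfi-base:latest@sha256:<digest-placeholder>`. The fence shows the checksum verification inserted between the download and the `tar` step; the enclosing RUN starts in the previous part of the hunk.
```dockerfile
# … unchanged: architecture detection and DOWNLOAD_URL …
    curl -fsSL --retry 3 "$DOWNLOAD_URL" -o /tmp/node.tar.gz && \
    curl -fsSL --retry 3 "https://nodejs.org/dist/v${NODE_VERSION}/SHASUMS256.txt" -o /tmp/SHASUMS256.txt && \
    EXPECTED=$(grep " node-v${NODE_VERSION}-${PLATFORM_ARCH}.tar.gz$" /tmp/SHASUMS256.txt | cut -d' ' -f1) && \
    test -n "$EXPECTED" && \
    echo "${EXPECTED}  /tmp/node.tar.gz" | sha256sum -c - && \
    tar -xzf /tmp/node.tar.gz -C /usr/local --strip-components=1 && \
    rm /tmp/node.tar.gz /tmp/SHASUMS256.txt /tmp/.nvmrc && \
# … unchanged: version echo and the rest of the RUN …
```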
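Review bot: The `http` block sets no `access_log` or `error_log`, so nginx falls back to its compiled-in log paths; in an unprivileged image such as chainguard/nginx those directories may not be writable, which would mean request and error logs are silently lost — add `access_log /dev/stdout;` and `error_log /dev/stderr;` so they reach the container runtime (confirm against the image's defaults). `server_tokens` is also left at its default, which advertises the nginx version in response headers and error pages; add `server_tokens off;` next to `include mime.types;`. Since every non-file path is served by `try_files $uri /index.html`, an `add_header X-Content-Type-Options "nosniff" always;` in the `server` block is a cheap hardening for the SPA as well.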
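Review bot: `--build-arg NODE_VERSION=$(cat .nvmrc)` is never consumed: the Dockerfile added in this commit declares no `ARG NODE_VERSION` and reads the version from the copied `.nvmrc` instead, so docker only prints a "build-args were not consumed" warning and the argument is dead. Either drop it or add `ARG NODE_VERSION` to the Dockerfile and use it in place of the `COPY .nvmrc /tmp/.nvmrc` step. The file is created executable (mode 100755) yet has no shebang and no `set -e`, so it runs under whatever shell invokes it; a first line of `#!/usr/bin/env bash` followed by `set -euo pipefail` would make it a proper script.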
+++ b/.github/dependabot.yml @@ -23,7 +23,7 @@ updates: directory: "/frontend-react" schedule: interval: "weekly" - versioning-strategy: digest + versioning-strategy: increase-if-necessary # slack-boltjs-app (chatops) - package-ecosystem: "gitsubmodule" From 2d2df65d2560a96d7e5790d04af7d49124cf20d5 Mon Sep 17 00:00:00 2001 From: matts <22215332+devopsmatt@users.noreply.github.com> Date: Mon, 27 Jan 2025 15:34:10 -0800 Subject: [PATCH 5/6] Update changelog_config.json (#17187) Change label from 'DevOps' to 'DevSecOps' --- .github/changelog_config.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/changelog_config.json b/.github/changelog_config.json index b9a84bf1d4e..cd572e56495 100644 --- a/.github/changelog_config.json +++ b/.github/changelog_config.json @@ -25,7 +25,7 @@ "automated", "checks", "deployment", - "DevOps", + "DevSecOps", "pipeline", "scan", "workflow" From 10ff87d451988000fa2437f0ed8ce1c4f10e13eb Mon Sep 17 00:00:00 2001 From: Eduardo Valdes <1084551+emvaldes@users.noreply.github.com> Date: Mon, 27 Jan 2025 16:40:49 -0700 Subject: [PATCH 6/6] devsecops/emvaldes/export-azure-resources (#17184) * Shell/Bash, PowerShell and Python scripts to export Azure Resources into CSV format --- .../terraform/scripts/export-resources.ps1 | 17 ++++++++ .../app/terraform/scripts/export-resources.py | 39 +++++++++++++++++++ .../terraform/scripts/export-resources.shell | 13 +++++++ 3 files changed, 69 insertions(+) create mode 100755 operations/app/terraform/scripts/export-resources.ps1 create mode 100755 operations/app/terraform/scripts/export-resources.py create mode 100755 operations/app/terraform/scripts/export-resources.shell diff --git a/operations/app/terraform/scripts/export-resources.ps1 b/operations/app/terraform/scripts/export-resources.ps1 new file mode 100755 index 00000000000..878ab3d7cba --- /dev/null +++ b/operations/app/terraform/scripts/export-resources.ps1 
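Review bot: `versioning-strategy` is, as far as I recall the Dependabot configuration reference, honoured only for package-manager ecosystems such as npm, pip, bundler and composer, not for `docker`; if so, `increase-if-necessary` here is ignored at best or rejected at config validation at worst, which is worth confirming before relying on it. Independently of that, Dependabot's docker updater can only bump a `FROM` that carries a tag or digest it can compare, and the `frontend-react/Dockerfile` added earlier in this series uses `wolfi-base:latest` and an untagged `chainguard/nginx`, so this entry will produce no updates until those references are pinned.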
@@ -0,0 +1,17 @@
+#!/usr/bin/env pwsh
+
+# Define parameters
+param (
+ [string]$OutputFile = "azure-resources--powershell.csv"
+)
+
+# Output header
+"Location,Name,Resource Group" | Out-File -FilePath "azure-resources.csv" -Encoding utf8 ;
+
+# Fetch Azure resources and append to CSV
+az resource list --query '[].{"Location":location,"Name":name,"Resource Group":resourceGroup}' --output tsv |
+ ForEach-Object { $_ -replace "`t", "," } |
+ Out-File -FilePath $OutputFile -Append -Encoding utf8 ;
+
+# Display the contents of the generated CSV
+Get-Content -Path $OutputFile ;
diff --git a/operations/app/terraform/scripts/export-resources.py b/operations/app/terraform/scripts/export-resources.py
new file mode 100755
index 00000000000..84644db2727
--- /dev/null
+++ b/operations/app/terraform/scripts/export-resources.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python
+
+import subprocess
+import csv
+import argparse
+
+# Set up argument parser
+parser = argparse.ArgumentParser( description="Fetch Azure resources and export them to a CSV file." ) ;
+parser.add_argument(
+ "--output-file",
+ type=str,
+ default="azure-resources--python.csv",
+ help="Path to the output CSV file (default: azure-resources--python.csv)"
+) ;
+
+# Parse arguments
+args = parser.parse_args() ;
+output_file = args.output_file ;
+
+# Command to fetch Azure resources
+cmd = [
+ "az", "resource", "list",
+ "--query", "[].{\"Location\":location, \"Name\":name, \"Resource Group\":resourceGroup}",
+ "--output", "tsv"
+] ;
+
+# Run the Azure CLI command
+result = subprocess.run( cmd, stdout=subprocess.PIPE, text=True ) ;
+
+# Write header and data to CSV file
+with open( output_file, "w", newline="" ) as csvfile:
+ writer = csv.writer( csvfile ) ;
+ writer.writerow( ["Location", "Name", "Resource Group"] ) ;
+ for line in result.stdout.splitlines():
+ writer.writerow( line.split( "\t" ) ) ;
+
+# Print the contents of the generated CSV
+with open( output_file, "r" ) as csvfile:
+ print( csvfile.read() ) ;
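Review bot: The header line is written to a hard-coded `"azure-resources.csv"` while the data rows are appended to `$OutputFile`, so the file the script actually prints has no header and a stray one-line file is left behind on every run; change it to `"Location,Name,Resource Group" | Out-File -FilePath $OutputFile -Encoding utf8 ;`. The `-replace "`t", ","` step turns tabs into commas without any quoting, so a location, name or resource-group value that contains a comma or a double quote produces a malformed row — converting the fields through `ConvertTo-Csv -NoTypeInformation` (or `Export-Csv`) takes care of quoting. The `-Append` write also happens even when the `az` call returns nothing, so a failed query leaves a header-only file behind with no error.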
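Review bot: `subprocess.run( cmd, stdout=subprocess.PIPE, text=True )` does not pass `check=True`, so when `az` exits non-zero (not logged in, CLI absent from PATH, bad query) `result.stdout` is empty, a header-only CSV is written and the script exits 0 as if the export had succeeded; `result = subprocess.run(cmd, stdout=subprocess.PIPE, text=True, check=True)` surfaces the failure as `CalledProcessError`. The PowerShell and shell versions in this commit have the same silent-failure path (`az` inside a pipeline or process substitution) and should check its exit status too. `open( output_file, "w", newline="" )` and the read-back `open( output_file, "r" )` also omit `encoding=`, so non-ASCII resource names depend on the platform locale — pass `encoding="utf-8"` to both, matching the `-Encoding utf8` the PowerShell script uses. The trailing ` ;` terminators and the padded parentheses are not Python style and will be rewritten by any formatter.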
diff --git a/operations/app/terraform/scripts/export-resources.shell b/operations/app/terraform/scripts/export-resources.shell
new file mode 100755
index 00000000000..a96e549e35a
--- /dev/null
+++ b/operations/app/terraform/scripts/export-resources.shell
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+if [[ ${#1} -gt 0 ]]; then
+ OutputFile="${1}" ;
+ else OutputFile="azure-resources--shell.csv" ;
+fi ;
+
+echo "Location,Name,Resource Group" \
+| cat - <( az resource list --query "[].{\"Location\":location, \"Name\":name, \"Resource Group\":resourceGroup}" --output tsv \
+| sed 's/\t/,/g' ) \
+> ${OutputFile} ;
+
+cat ${OutputFile} ;
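Review bot: `> ${OutputFile}` and `cat ${OutputFile}` leave the path unquoted, so an argument containing spaces or glob characters is word-split, and with no `set -euo pipefail` a failing `az` inside the process substitution still yields exit 0 and a header-only file. `sed 's/\t/,/g'` relies on a GNU extension — BSD/macOS sed treats `\t` as a literal `t`, so on such hosts the output stays tab-separated (verify on the machines this runs on); `tr '\t' ','` is portable. The `if`/`else` on `${#1}` reduces to a default expansion, and as in the PowerShell variant, plain tab-to-comma substitution does not quote values that themselves contain commas. Rewritten body below.
```bash
#!/usr/bin/env bash
set -euo pipefail

OutputFile="${1:-azure-resources--shell.csv}"

{
  echo "Location,Name,Resource Group"
  az resource list --query "[].{\"Location\":location, \"Name\":name, \"Resource Group\":resourceGroup}" --output tsv \
  | tr '\t' ','
} > "${OutputFile}"

cat "${OutputFile}"
```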