📌 22/10/24 Patching (#36)

Signed-off-by: Jacob Woffenden <[email protected]>
ministryofjustice · Oct 22, 2024 · bf042c7 · bf042c7
1 parent c5c896d
commit bf042c7
Show file tree

Hide file tree

Showing 9 changed files with 48 additions and 13 deletions.
diff --git a/.devcontainer/devcontainer-lock.json b/.devcontainer/devcontainer-lock.json
@@ -19,4 +19,4 @@
       "integrity": "sha256:e81d52725655c8ffb861605feac7ad155b447d51af65f6c3a03cab32d59f1e16"
     }
   }
-}
+}
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -11,8 +11,7 @@
       "extensions": [
         "EditorConfig.EditorConfig",
         "GitHub.vscode-github-actions",
-        "GitHub.vscode-pull-request-github",
-        "ms-vsliveshare.vsliveshare"
+        "GitHub.vscode-pull-request-github"
       ]
     }
   }

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
 
       - name: Install cosign
         id: install_cosign
-        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 
       - name: Log in to GitHub Container Registry
         id: ghcr_login
@@ -37,7 +37,7 @@ jobs:
 
       - name: Build and Push
         id: build_and_push
-        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         with:
           push: true
           tags: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
@@ -50,7 +50,7 @@ jobs:
 
       - name: Generate SBOM
         id: generate_sbom
-        uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
+        uses: anchore/sbom-action@1ca97d9028b51809cf6d3c934c3e160716e1b605 # v0.17.5
         with:
           image: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
           format: cyclonedx-json

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -30,7 +30,10 @@ jobs:
 
       - name: Scan
         id: scan
-        uses: aquasecurity/trivy-action@a20de5420d57c4102486cdd9578b45609c99d7eb # v0.26.0
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
         with:
           image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}
           severity: HIGH,CRITICAL

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -21,7 +21,7 @@ jobs:
 
       - name: Set Up Container Structure Test
         id: setup_container_structure_test
-        uses: ministryofjustice/github-actions/setup-container-structure-test@eaec2bb18f6dd19dd0fcb3cc48f7803a3731b7e5 # v18.1.5
+        uses: ministryofjustice/github-actions/setup-container-structure-test@9f2e1064389dae6ca4098470b933da7042675e59 # v18.3.1
 
       - name: Test
         id: test

diff --git a/.trivyignore b/.trivyignore
@@ -1,3 +1,2 @@
-# In the Linux kernel, the following vulnerability has been resolved:
-# exec: Fix ToCToU between perm check and set-uid/gid usage
+# Ubuntu
 CVE-2024-43882
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 #checkov:skip=CKV_DOCKER_2: HEALTHCHECK not required - Health checks are implemented downstream of this image
 
-FROM public.ecr.aws/ubuntu/ubuntu@sha256:5b2fc4131b3c134a019c3ea815811de70e6ad9ee1626f59bf302558a95b436e5
+FROM public.ecr.aws/ubuntu/ubuntu@sha256:fb95efe0d22be277f10250f15e5172ec0fe22c37eca2ba55e78b526c447eec23
 
 LABEL org.opencontainers.image.vendor="Ministry of Justice" \
       org.opencontainers.image.authors="Analytical Platform ([email protected])" \
@@ -17,7 +17,7 @@ ENV CONTAINER_USER="analyticalplatform" \
     PIP_BREAK_SYSTEM_PACKAGES="1" \
     CUDA_VERSION="12.6.1" \
     NVIDIA_DISABLE_REQUIRE="true" \
-    NVIDIA_CUDA_CUDART_VERSION="12.6.68-1" \
+    NVIDIA_CUDA_CUDART_VERSION="12.6.77-1" \
     NVIDIA_CUDA_COMPAT_VERSION="560.35.03-1" \
     NVIDIA_VISIBLE_DEVICES="all" \
     NVIDIA_DRIVER_CAPABILITIES="compute,utility" \

diff --git a/Makefile b/Makefile
@@ -1,14 +1,20 @@
-.PHONY: test build run
+.PHONY: build scan test run
 
 IMAGE_NAME ?= ghcr.io/ministryofjustice/analytical-platform-airflow-python-base
 IMAGE_TAG  ?= local
 
+TRIVY_DB_REPOSITORY ?= public.ecr.aws/aquasecurity/trivy-db:2
+TRIVY_JAVA_DB_REPOSITORY ?= public.ecr.aws/aquasecurity/trivy-java-db:1
+
 run: build
 	docker run --rm -it $(IMAGE_NAME):$(IMAGE_TAG)
 
 test: build
 	container-structure-test test --platform linux/amd64 --config test/container-structure-test.yml --image $(IMAGE_NAME):$(IMAGE_TAG)
 
+scan: build
+	trivy image --platform linux/amd64 --severity HIGH,CRITICAL $(IMAGE_NAME):$(IMAGE_TAG)
+
 build:
 	@ARCH=`uname --machine`; \
 	case $$ARCH in \

diff --git a/README.md b/README.md
@@ -57,3 +57,31 @@ apt-get update
 
 apt-cache policy ${PACKAGE} # for example curl, git or gpg
 ```
+
+### NVIDIA CUDA
+
+The latest version of NVIDIA can be obtained by running:
+
+```bash
+docker run -it --rm --platform linux/amd64 public.ecr.aws/ubuntu/ubuntu:24.04
+
+apt-get update
+
+apt-get install --yes curl gpg
+
+curl --location --fail-with-body \
+  "https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/x86_64/3bf863cc.pub" \
+  --output "3bf863cc.pub"
+
+cat 3bf863cc.pub | gpg --dearmor --output nvidia.gpg
+
+install -D --owner root --group root --mode 644 nvidia.gpg /etc/apt/keyrings/nvidia.gpg
+
+echo "deb [signed-by=/etc/apt/keyrings/nvidia.gpg] https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/x86_64 /" > /etc/apt/sources.list.d/cuda.list
+
+apt-get update --yes
+
+apt-cache policy cuda-cudart-12-6
+
+apt-cache policy cuda-compat-12-6
+```
-Original file line number
+Diff line change
@@ Expand Up / @@ -19,4 +19,4 @@ @@
           "integrity": "sha256:e81d52725655c8ffb861605feac7ad155b447d51af65f6c3a03cab32d59f1e16"
         }
       }
-    }
+    }