chore: fix Dockerfile so that renovate works correctly

cloudrun-malware-scanner/Dockerfile

@@ -12,26 +12,33 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-
-# Copy Node from node's container:
+# Use node's container as a source for the NodeJS runtime.
 FROM node:22.11.0-bookworm-slim AS node
 
-# Base image is the ClamAV image
-FROM clamav/clamav-debian:1.4.1_base
+# Base image is the ClamAV image.
+FROM clamav/clamav-debian:1.4.1
+
+# Define version of cvdupdate to use in a way that renovate can recognise
+# and update it.
+# renovate: datasource=pypi packageName=cvdupdate versioning=pep440
+ARG CVDUPDATE_VERSION=1.1.2
 
-# renovate: datasource=python packageName=cvdupdate versioning=python
-ARG CVDUPDATE_VERISION=1.1.2
+# remove all existing virus definitions.
+# we will download the update ones from the mirror
+# and it is better to fail startup than to have outdated virus defs.
+RUN rm /var/lib/clamav/*.cvd
 
-# Update all pkgs
+# Update all debian packages.
+#
+# Install all dpkg dependencies:
 #
-# Install all dpkg dependencies
 # Combination of the packages required by NodeJS
 #  (see https://github.com/nodejs/docker-node/blob/main/22/bookworm-slim/Dockerfile)
 # gcloud cli
 #   (https://cloud.google.com/sdk/docs/install#deb)
 # The cvdupdater
 #   (https://pypi.org/project/cvdupdate/)
-# and the malware scanner service
+# and by the malware scanner nodejs service
 ENV PATH="$PATH:/opt/google-cloud-sdk/bin:/usr/local/bin:/root/.local/bin"
 ENV DEBIAN_FRONTEND=noninteractive
 
@@ -42,25 +49,25 @@ RUN set -x \
       apt-transport-https \
       ca-certificates \
       curl \
-      python3-pip \
-      pipx \
-      lsb-release \
-      openssh-client \
-      gnupg \
-      jq \
+      dirmngr \
       gawk \
       gettext-base \
+      git \
+      gnupg \
+      jq \
+      libatomic1 \
+      lsb-release \
+      make \
+      openssh-client \
+      pipx \
       python3-crcmod \
       python3-dev \
+      python3-pip \
       wget \
-      dirmngr \
       xz-utils \
-      libatomic1 \
-      git \
-      make \
-    && pipx install "cvdupdate==${CVDUPDATE_VERISION}"
+    && pipx install "cvdupdate==${CVDUPDATE_VERSION}"
 
-# Install node by copying from container.
+# Install node by copying binaries from nodejs container.
 COPY --from=node /usr/local /usr/local
 
 # Install cloud SDK
@@ -75,8 +82,7 @@ RUN set -x \
     && gcloud config set component_manager/disable_update_check true \
     && gcloud config set metrics/environment docker_image_latest
 
-# Sanity check that required binaries are installed by checking versions
-#
+# Sanity check that required binaries are installed and runnable by checking versions
 RUN set -x \
     && node --version \
     && npm --version \
@@ -86,11 +92,11 @@ RUN set -x \
     && gsutil --version \
     && cvdupdate --help
 
-# Copy the source code
+# Copy the source code for the scanner service
 WORKDIR /app
 COPY .  /app
 
-# Install NPM modules
+# Install required NPM modules
 RUN npm install --omit=dev
 
 CMD ["bash", "bootstrap.sh"]

renovate.json5

@@ -19,7 +19,11 @@
         "(^|/).*\\.sh$",
       ],
       matchStrings: [
-        '# renovate: datasource=(?<datasource>[a-z-]+?)(?: depName=(?<depName>.+?))? packageName=(?<packageName>.+?)(?: versioning=(?<versioning>[a-z-]+?))?\\s(?:ENV|ARG)?\\s*.+?_VERSION="?(?<currentValue>.+?)"?\\s',
+        // for Dockerfiles and shell script files, match the renovate: specially formatted comment line followed by a capitalized variable with a _VERSION suffix eg:
+        // # renovate: datasource=somesource packageName=somename versioning=someversioning
+        // ARG PACKAGENAME_VERSION=1.2.3
+        // https://regex101.com/r/ntfy3f/1
+        '# renovate: datasource=(?<datasource>\\S+?)(?:\\s+depName=(?<depName>\\S+?))?\\s+packageName=(?<packageName>\\S+?)\\s+(?:versioning=(?<versioning>\\S+))\\s(?:(?:ARG|ENV)\\s+)?\\S+_VERSION="?(?<currentValue>\\S+)"?'
       ],
     },
   ],