diff --git a/cloudrun-malware-scanner/Dockerfile b/cloudrun-malware-scanner/Dockerfile
index 2529cf1..fea91ba 100644
--- a/cloudrun-malware-scanner/Dockerfile
+++ b/cloudrun-malware-scanner/Dockerfile
@@ -12,26 +12,33 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-# Copy Node from node's container:
+# Use node's container as a source for the NodeJS runtime.
 FROM node:22.11.0-bookworm-slim AS node
-# Base image is the ClamAV image
-FROM clamav/clamav-debian:1.4.1_base
+# Base image is the ClamAV image.
+FROM clamav/clamav-debian:1.4.1
+
+# Define version of cvdupdate to use in a way that renovate can recognise
+# and update it.
+# renovate: datasource=pypi packageName=cvdupdate versioning=pep440
+ARG CVDUPDATE_VERSION=1.1.2
-# renovate: datasource=python packageName=cvdupdate versioning=python
-ARG CVDUPDATE_VERISION=1.1.2
+# remove all existing virus definitions.
+# we will download the update ones from the mirror
+# and it is better to fail startup than to have outdated virus defs.
+RUN rm /var/lib/clamav/*.cvd
-# Update all pkgs
+# Update all debian packages.
+#
+# Install all dpkg dependencies:
 #
-# Install all dpkg dependencies
 # Combination of the packages required by NodeJS
 # (see https://github.com/nodejs/docker-node/blob/main/22/bookworm-slim/Dockerfile)
 # gcloud cli
 # (https://cloud.google.com/sdk/docs/install#deb)
 # The cvdupdater
 # (https://pypi.org/project/cvdupdate/)
-# and the malware scanner service
+# and by the malware scanner nodejs service
 ENV PATH="$PATH:/opt/google-cloud-sdk/bin:/usr/local/bin:/root/.local/bin"
 ENV DEBIAN_FRONTEND=noninteractive
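Review bot: `RUN rm /var/lib/clamav/*.cvd` aborts the build if the glob matches nothing, because the shell then passes the literal pattern to rm, and it leaves any `.cld` database files the base image may ship untouched, so the stated intent of starting with no definitions is not guaranteed. `RUN rm -f /var/lib/clamav/*.cvd /var/lib/clamav/*.cld` covers both cases; confirm which database files `clamav/clamav-debian:1.4.1` actually carries before relying on it. The two `FROM` lines are tag-pinned only; since the image's security posture now rests on what gets fetched at startup, pinning them by digest as well would make the image itself reproducible. The `ENV PATH=...` context line places `/root/.local/bin` on PATH, which tells a reader that the pipx-installed tools are laid out for root; that is worth a comment since the Dockerfile never switches to another user.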
@@ -42,25 +49,25 @@ RUN set -x \
 apt-transport-https \
 ca-certificates \
 curl \
- python3-pip \
- pipx \
- lsb-release \
- openssh-client \
- gnupg \
- jq \
+ dirmngr \
 gawk \
 gettext-base \
+ git \
+ gnupg \
+ jq \
+ libatomic1 \
+ lsb-release \
+ make \
+ openssh-client \
+ pipx \
 python3-crcmod \
 python3-dev \
+ python3-pip \
 wget \
- dirmngr \
 xz-utils \
- libatomic1 \
- git \
- make \
- && pipx install "cvdupdate==${CVDUPDATE_VERISION}"
+ && pipx install "cvdupdate==${CVDUPDATE_VERSION}"
-# Install node by copying from container.
+# Install node by copying binaries from nodejs container.
 COPY --from=node /usr/local /usr/local
 # Install cloud SDK
@@ -75,8 +82,7 @@ RUN set -x \
 && gcloud config set component_manager/disable_update_check true \
 && gcloud config set metrics/environment docker_image_latest
-# Sanity check that required binaries are installed by checking versions
-#
+# Sanity check that required binaries are installed and runnable by checking versions
 RUN set -x \
 && node --version \
 && npm --version \
@@ -86,11 +92,11 @@ RUN set -x \
 && gsutil --version \
 && cvdupdate --help
-# Copy the source code
+# Copy the source code for the scanner service
 WORKDIR /app
 COPY . /app
-# Install NPM modules
+# Install required NPM modules
 RUN npm install --omit=dev
 CMD ["bash", "bootstrap.sh"]
diff --git a/renovate.json5 b/renovate.json5
index 6313575..eb07098 100644
--- a/renovate.json5
+++ b/renovate.json5
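Review bot: The apt package list in this hunk is still installed without version pins, so two builds of the same commit can differ in what they ship (hadolint DL3008); the `pipx install "cvdupdate==${CVDUPDATE_VERSION}"` line at the end of the list is pinned, and the apt packages deserve the same treatment or at least a comment explaining why they are left floating. This is a single-stage image, so `git`, `make`, `python3-dev`, `wget` and `openssh-client` remain in the runtime image of a service that processes untrusted files; if they are only needed to install dependencies, they belong in a build stage or should be removed in the same `RUN` layer. The `RUN set -x \` this list belongs to starts before the hunk, so I cannot see whether `apt-get update` and the `rm -rf /var/lib/apt/lists/*` cleanup are in the same layer; they should be.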
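Review bot: `RUN npm install --omit=dev` after `COPY . /app` (last hunk of the Dockerfile) resolves dependencies from `package.json` at build time rather than strictly from the lockfile; `RUN npm ci --omit=dev` fails the build when the lockfile is out of sync instead of silently resolving newer versions, which is the behaviour a scanner image wants. `COPY . /app` also copies the entire build context, so unless a `.dockerignore` already excludes `node_modules`, `.git` and local config, those end up in the image. No `USER` instruction precedes `CMD ["bash", "bootstrap.sh"]`, so the service runs as root; note that the pipx-installed cvdupdate lives under `/root/.local/bin` (see the `ENV PATH` line earlier in the file), so dropping privileges needs a matching install location, and the decision either way deserves a comment next to `CMD`.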
@@ -19,7 +19,11 @@
 "(^|/).*\\.sh$",
 ],
 matchStrings: [
- '# renovate: datasource=(?[a-z-]+?)(?: depName=(?.+?))? packageName=(?.+?)(?: versioning=(?[a-z-]+?))?\\s(?:ENV|ARG)?\\s*.+?_VERSION="?(?.+?)"?\\s',
+ // for Dockerfiles and shell script files, match the renovate: specially formatted comment line followed by a capitalized variable with a _VERSION suffix eg:
+ // # renovate: datasource=somesource packageName=somename versioning=someversioning
+ // ARG PACKAGENAME_VERSION=1.2.3
+ // https://regex101.com/r/ntfy3f/1
+ '# renovate: datasource=(?\\S+?)(?:\\s+depName=(?\\S+?))?\\s+packageName=(?\\S+?)\\s+(?:versioning=(?\\S+))\\s(?:(?:ARG|ENV)\\s+)?\\S+_VERSION="?(?\\S+)"?'
 ],
 },
 ],
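Review bot: In the new matchStrings regex the value capture at the end, `(?\\S+)` followed by `"?`, is greedy, so for a quoted assignment such as `ENV FOO_VERSION="1.2.3"` the closing quote is captured as part of the version (the old pattern avoided this with the lazy `.+?` and the trailing `\\s`); a class that excludes the quote, `_VERSION="?(?<currentValue>[^"\\s]+)"?`, keeps it out. The rewrite also turns `versioning=` from optional into mandatory, so a comment in one of the matched `.sh` files that omits it will silently stop being updated; confirm that is intended or restore the trailing `?`. The group names appear stripped in this rendering (`(?\\S+?)`), so I am assuming `datasource`, `depName`, `packageName`, `versioning` and `currentValue` are present in the actual file.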