Merge pull request #321 from RADAR-base/feature/docker-image-scans

Update docker image scans

.github/bin/external_docker_image_matrix

@@ -29,6 +29,15 @@ cat images.tmp1 | grep ".*\/.*\/.*" > images.tmp2
 cat images.tmp1 | grep -v ".*\/.*\/.*" | sed "s/^/docker.io\//g" > images.tmp3
 cat images.tmp2 images.tmp3 | sort | uniq > images.txt
 
+# Exclude images refs that match any of the patterns passed in with the EXCLUDE_PATTERNS environment variable.
+if [ -n "$EXCLUDE_PATTERNS" ]; then
+  for pattern in $EXCLUDE_PATTERNS
+  do
+    grep -v $pattern images.txt > images.tmp
+    mv images.tmp images.txt
+  done
+fi
+
 # Generate the JSON array
 echo "{ \"include\": [" > $output_file
 while IFS= read -r line; do

.github/workflows/scheduled-snyk-docker.yaml

@@ -27,6 +27,9 @@ jobs:
 
       - id: set-matrix
         name: Generate image matrix of current master branch
+        env:
+          # Any image that matches any of these patterns will be ignored for scanning.
+          EXCLUDE_PATTERNS: mockserver bats busybox
         working-directory: .github/bin
         run: ./external_docker_image_matrix
 

.pre-commit-config.yaml

@@ -88,6 +88,6 @@ repos:
   rev: v4.1.0
   hooks:
   - id: commitizen
-  - id: commitizen-branch
-    stages: [pre-push]
-    args: [--rev-range, 212b99ff174eaaa16895299d64317ab40bce200d..HEAD]
+#  - id: commitizen-branch
+#    stages: [pre-push]
+#    args: [--rev-range, HEAD^1..HEAD]

.snyk

@@ -1,6 +1,33 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
-version: v1.25.0
+version: v1.25.1
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
+  SNYK-UBUNTU2004-OPENSSL-2426343:
+    - '*':
+        reason: >-
+          We will not update the elasticsearch version because other other
+          activities take priority (by Keyvan).
+        expires: 2025-06-01T00:00:00.000Z
+        created: 2025-02-19T13:31:54.411Z
+  SNYK-UBUNTU2004-OPENSSL-3314788:
+    - '*':
+        reason: >-
+          We will not update the elasticsearch version because other other
+          activities take priority (by Keyvan).
+        expires: 2025-06-01T00:00:00.000Z
+        created: 2025-02-19T13:31:57.376Z
+  SNYK-UBUNTU2004-NGHTTP2-5954795:
+    - '*':
+        reason: >-
+          We will not update the elasticsearch version because other other
+          activities take priority (by Keyvan).
+        expires: 2025-06-01T00:00:00.000Z
+        created: 2025-02-19T13:32:00.023Z
+  SNYK-UBUNTU2004-CYRUSSASL2-2408941:
+    - '*':
+        reason: >-
+          We will not update the elasticsearch version because other other
+          activities take priority (by Keyvan).
+        expires: 2025-06-01T00:00:00.000Z
+        created: 2025-02-19T13:32:02.710Z
 patch: {}
-exclude:

charts/radar-gateway/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "0.8.0"
 description: A Helm chart for RADAR-base gateway. REST Gateway to Kafka, for incoming participant data. It performs authentication, authorization, content validation and decompression. For more details of the configurations, see https://github.com/RADAR-base/RADAR-Gateway/blob/master/gateway.yml.
 name: radar-gateway
-version: 1.4.3
+version: 1.4.4
 icon: "http://radar-base.org/wp-content/uploads/2022/09/Logo_RADAR-Base-RGB.png"
 sources:
 - https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/radar-gateway

charts/radar-gateway/README.md

@@ -3,7 +3,7 @@
 # radar-gateway
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/radar-gateway)](https://artifacthub.io/packages/helm/radar-base/radar-gateway)
 
-![Version: 1.4.3](https://img.shields.io/badge/Version-1.4.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.0](https://img.shields.io/badge/AppVersion-0.8.0-informational?style=flat-square)
+![Version: 1.4.4](https://img.shields.io/badge/Version-1.4.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.0](https://img.shields.io/badge/AppVersion-0.8.0-informational?style=flat-square)
 
 A Helm chart for RADAR-base gateway. REST Gateway to Kafka, for incoming participant data. It performs authentication, authorization, content validation and decompression. For more details of the configurations, see https://github.com/RADAR-base/RADAR-Gateway/blob/master/gateway.yml.
 
@@ -46,7 +46,7 @@ A Helm chart for RADAR-base gateway. REST Gateway to Kafka, for incoming partici
 | image_exporter.registry | string | `"docker.io"` | Image registry |
 | image_exporter.repository | string | `"sscaling/jmx-prometheus-exporter"` | Image repository |
 | image_exporter.tag | string | `nil` | Image tag (immutable tags are recommended) Overrides the image tag whose default is the chart appVersion. |
-| image_exporter.digest | string | `"48e3bd31f132"` | Image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag |
+| image_exporter.digest | string | `"sha256:48e3bd31f132146751e449429a3e8a260b141f2acd587878fc50b3eda4466c5d"` | Image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag |
 | image_exporter.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | image_exporter.pullSecrets | list | `[]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. e.g: pullSecrets:   - myRegistryKeySecretName  |
 | nameOverride | string | `""` | String to partially override radar-gateway.fullname template with a string (will prepend the release name) |

charts/radar-gateway/values.yaml

@@ -34,7 +34,7 @@ image_exporter:
   # Overrides the image tag whose default is the chart appVersion.
   tag:
   # -- Image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
-  digest: "48e3bd31f132"
+  digest: "sha256:48e3bd31f132146751e449429a3e8a260b141f2acd587878fc50b3eda4466c5d"
   # -- Image pull policy
   pullPolicy: IfNotPresent
   # -- Optionally specify an array of imagePullSecrets.

charts/radar-push-endpoint/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "0.3.2"
 description: A Helm chart for RADAR-base Push Endpoint. REST Gateway to Kafka, for incoming data from Push or Subscription based WEB APIs. It performs authentication, authorization and content validation. For more details of the configurations, see https://github.com/RADAR-base/RADAR-PushEndpoint.
 name: radar-push-endpoint
-version: 0.4.1
+version: 0.4.2
 icon: "http://radar-base.org/wp-content/uploads/2022/09/Logo_RADAR-Base-RGB.png"
 sources:
 - https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/radar-push-endpoint

charts/radar-push-endpoint/README.md

@@ -3,7 +3,7 @@
 # radar-push-endpoint
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/radar-push-endpoint)](https://artifacthub.io/packages/helm/radar-base/radar-push-endpoint)
 
-![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.3.2](https://img.shields.io/badge/AppVersion-0.3.2-informational?style=flat-square)
+![Version: 0.4.2](https://img.shields.io/badge/Version-0.4.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.3.2](https://img.shields.io/badge/AppVersion-0.3.2-informational?style=flat-square)
 
 A Helm chart for RADAR-base Push Endpoint. REST Gateway to Kafka, for incoming data from Push or Subscription based WEB APIs. It performs authentication, authorization and content validation. For more details of the configurations, see https://github.com/RADAR-base/RADAR-PushEndpoint.
 
@@ -43,6 +43,12 @@ A Helm chart for RADAR-base Push Endpoint. REST Gateway to Kafka, for incoming d
 | image.digest | string | `""` | Image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | image.pullSecrets | list | `[]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. e.g: pullSecrets:   - myRegistryKeySecretName  |
+| image_exporter.registry | string | `"docker.io"` | Image registry |
+| image_exporter.repository | string | `"sscaling/jmx-prometheus-exporter"` | Image repository |
+| image_exporter.tag | string | `nil` | Image tag (immutable tags are recommended) Overrides the image tag whose default is the chart appVersion. |
+| image_exporter.digest | string | `"sha256:48e3bd31f132146751e449429a3e8a260b141f2acd587878fc50b3eda4466c5d"` | Image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag |
+| image_exporter.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| image_exporter.pullSecrets | list | `[]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. e.g: pullSecrets:   - myRegistryKeySecretName  |
 | nameOverride | string | `""` | String to partially override radar-push-endpoint.fullname template with a string (will prepend the release name) |
 | fullnameOverride | string | `""` | String to fully override radar-push-endpoint.fullname template with a string |
 | podSecurityContext | object | `{}` | Configure radar-push-endpoint pods' Security Context |

charts/radar-push-endpoint/templates/_helpers.tpl

@@ -13,6 +13,12 @@ Return the proper image name
 {{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global "chart" .Chart ) }}
 {{- end -}}
 
+Return the proper exporter image name
+*/}}
+{{- define "radar-push-endpoint.image-exporter" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.image_exporter "global" .Values.global "chart" .Chart ) }}
+{{- end -}}
+
 {{/*
 Return the proper Docker Image Registry Secret Names
 */}}

charts/radar-push-endpoint/templates/deployment.yaml

@@ -43,10 +43,10 @@ spec:
               topologyKey: "kubernetes.io/hostname"
       containers:
       {{- if .Values.serviceMonitor.enabled }}
-        - image: sscaling/jmx-prometheus-exporter
+        - image: {{ template "radar-push-endpoint.image-exporter" . }}
+          imagePullPolicy: {{ .Values.image_exporter.pullPolicy | quote }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          imagePullPolicy: IfNotPresent
           name: prometheus-jmx-exporter
           env:
             - name: "CONFIG_YML"

charts/radar-push-endpoint/values.yaml

@@ -25,6 +25,26 @@ image:
   #
   pullSecrets: []
 
+image_exporter:
+  # -- Image registry
+  registry: docker.io
+  # -- Image repository
+  repository: sscaling/jmx-prometheus-exporter
+  # -- Image tag (immutable tags are recommended)
+  # Overrides the image tag whose default is the chart appVersion.
+  tag:
+  # -- Image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+  digest: "sha256:48e3bd31f132146751e449429a3e8a260b141f2acd587878fc50b3eda4466c5d"
+  # -- Image pull policy
+  pullPolicy: IfNotPresent
+  # -- Optionally specify an array of imagePullSecrets.
+  # Secrets must be manually created in the namespace.
+  # e.g:
+  # pullSecrets:
+  #   - myRegistryKeySecretName
+  #
+  pullSecrets: []
+
 # -- String to partially override radar-push-endpoint.fullname template with a string (will prepend the release name)
 nameOverride: ""
 # -- String to fully override radar-push-endpoint.fullname template with a string

external/grafana/Chart.yaml

@@ -6,7 +6,7 @@ annotations:
     - name: Upstream Project
       url: https://github.com/grafana/grafana
 apiVersion: v2
-appVersion: 11.1.0
+appVersion: 11.2.2-security-01
 description: The leading tool for querying and visualizing time series and metrics.
 home: https://grafana.com
 icon: https://artifacthub.io/image/b4fed1a7-6c8f-4945-b99d-096efa3e4116