diff --git a/.circleci/.anchore/policy_bundle.json b/.circleci/.anchore/policy_bundle.json
new file mode 100644
index 0000000..9d58e61
--- /dev/null
+++ b/.circleci/.anchore/policy_bundle.json
@@ -0,0 +1,33 @@
+{
+ "id": "default0",
+ "version": "1_0",
+ "name": "My Default bundle",
+ "comment": "My system's default bundle",
+ "whitelisted_images": [],
+ "blacklisted_images": [],
+ "mappings": [],
+ "whitelists": [],
+ "policies": [
+ {
+ "name": "IgnoreUnfixablePkgs",
+ "version": "1_0",
+ "comment": "Policy for basic checks",
+ "id": "ba6daa06-da3b-46d3-9e22-f01f07b0489a",
+ "rules": [
+ {
+ "action": "STOP",
+ "gate": "vulnerabilities",
+ "id": "80569900-d6b3-4391-b2a0-bf34cf6d813d",
+ "params": [
+ { "name": "package_type", "value": "all" },
+ { "name": "severity_comparison", "value": ">=" },
+ { "name": "severity", "value": "medium" },
+ { "name": "fix_available", "value": "true"}
+ ],
+ "trigger": "package"
+ }
+ ]
+ }
+
+ ]
+}
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 8d9d7ae..ffb15e7 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,22 +1,21 @@
-version: 2
+version: 2.1
+orbs:
+ anchore: anchore/anchore-engine@1.3.0
 jobs:
- build:
- machine: true
- working_directory: ~/go/src/github.com/fnproject/fdk-node
- # docker:
- # - image: node:9
+
+ "test":
+ docker:
+ - image: circleci/node:9-stretch
+ working_directory: ~/fdk-node
 steps:
- - run:
- name: "Checking Versions"
- command: |
- node --version
- npm --version
+ - setup_remote_docker:
+ docker_layer_caching: true
 - checkout
 - run:
 name: "test"
 command: |
- ./test.sh
- # TODO: run npm test
+ npm install
+ npm run test
 - deploy:
 command: |
 if [[ "${CIRCLE_BRANCH}" == "master" && -z "${CIRCLE_PR_REPONAME}" ]]; then
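Review bot: The bundle's `mappings` array is empty, so nothing in this file binds the `IgnoreUnfixablePkgs` policy to an image; Anchore selects the policies for an image through mapping rules, and it is worth confirming that the nightly evaluation really applies the `STOP` rule rather than finishing with no policy matched. A catch-all mapping entry that lists policy id `ba6daa06-da3b-46d3-9e22-f01f07b0489a` would make the binding explicit. Separately, `fix_available` = `true` means a critical finding without an upstream fix never surfaces; a second rule with action `WARN` and no `fix_available` filter would keep those visible in the report. The `name` and `comment` fields still carry the template text (`My Default bundle`).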
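Review bot: The `test` job runs the suite only on `circleci/node:9-stretch`, while the same commit builds and publishes runtime images for Node 10 and 11, so two of the three released targets are never tested; a parameterised job, or two more jobs on the matching `circleci/node` images, would cover them. `npm install` may also rewrite `package-lock.json` during the run, so what is tested can differ from what is committed; if the npm version in the image supports it, `npm ci` installs strictly from the lockfile. The job body continues past this hunk into the deploy step.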
@@ -27,4 +26,83 @@ jobs:
 echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > .npmrc
 ./release.sh
 rm -f .npmrc
+ ./build-images.sh 9
+ ./build-images.sh 10
+ ./build-images.sh 11
+ ./release_images.sh
 fi
+
+ "node9_security_check":
+ executor: anchore/anchore_engine
+ working_directory: ~/fdk-node
+ steps:
+ - setup_remote_docker:
+ docker_layer_caching: true
+ - checkout
+ - run:
+ name: Node.JS 9 build
+ command: |
+ apk add bash
+ ./build-images.sh 9
+ - anchore/analyze_local_image:
+ image_name: "fnproject/node:9-dev fnproject/node:9"
+ timeout: '500'
+ policy_failure: true
+ policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
+ - anchore/parse_reports
+
+ "node10_security_check":
+ executor: anchore/anchore_engine
+ working_directory: ~/fdk-node
+ steps:
+ - setup_remote_docker:
+ docker_layer_caching: true
+ - checkout
+ - run:
+ name: Node.JS 10 build
+ command: |
+ apk add bash
+ ./build-images.sh 10
+ - anchore/analyze_local_image:
+ image_name: "fnproject/node:10-dev fnproject/node:10"
+ timeout: '500'
+ policy_failure: true
+ policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
+ - anchore/parse_reports
+
+ "node11_security_check":
+ executor: anchore/anchore_engine
+ working_directory: ~/fdk-node
+ steps:
+ - setup_remote_docker:
+ docker_layer_caching: true
+ - checkout
+ - run:
+ name: Node.JS 11 build
+ command: |
+ apk add bash
+ ./build-images.sh 11
+ - anchore/analyze_local_image:
+ image_name: "fnproject/node:11-dev fnproject/node:11"
+ timeout: '500'
+ policy_failure: true
+ policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
+ - anchore/parse_reports
+
+workflows:
+ version: 2
+ build:
+ jobs:
+ - "test"
+ nightly:
+ triggers:
+ - schedule:
+ cron: "0 0 * * *"
+ filters:
+ branches:
+ only:
+ - master
+ jobs:
+ - "node9_security_check"
+ - "node10_security_check"
+ - "node11_security_check"
diff --git a/build-images.sh b/build-images.sh
new file mode 100755
index 0000000..02579cf
--- /dev/null
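Review bot: The image push is not gated by the Anchore scan: `./release_images.sh` runs in the deploy step of `test` on master builds, while the three `*_security_check` jobs are wired only into the `nightly` workflow, so an image that violates the policy is already on the registry when the scan first sees it. The nightly jobs also rebuild the images instead of scanning the pushed ones, so what is scanned may differ from what was published. Moving the image build and push into its own job that `requires` the scan jobs would turn the policy into a release gate; a sketch follows, with `release_images` as a proposed job name. The three scan jobs differ only in the Node version and could be one parameterised job; the deploy step itself starts outside this hunk.

```yaml
workflows:
  version: 2
  build:
    jobs:
      - "test"
      - "node9_security_check"
      - "node10_security_check"
      - "node11_security_check"
      # proposed job: holds the build-images.sh / release_images.sh calls moved out of "test"
      - "release_images":
          requires:
            - "test"
            - "node9_security_check"
            - "node10_security_check"
            - "node11_security_check"
          filters:
            branches:
              only:
                - master
  # … unchanged: nightly workflow …
```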
+++ b/build-images.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -ex
+
+nodeversion=${1:-"9"}
+pushd images && \
+ pushd build-stage && \
+ pushd ${nodeversion} && docker build -t fnproject/node:${nodeversion}-dev .; popd && \
+ popd && \
+
+ pushd runtime && \
+ pushd ${nodeversion} && docker build -t fnproject/node:${nodeversion} .; popd && \
+ popd && \
+popd
diff --git a/images/build-stage/10/Dockerfile b/images/build-stage/10/Dockerfile
new file mode 100644
index 0000000..34f48b1
--- /dev/null
+++ b/images/build-stage/10/Dockerfile
@@ -0,0 +1,3 @@
+FROM node:10-stretch
+
+RUN apt-get update && apt-get upgrade -qy && apt-get clean
diff --git a/images/build-stage/11/Dockerfile b/images/build-stage/11/Dockerfile
new file mode 100644
index 0000000..d8808bf
--- /dev/null
+++ b/images/build-stage/11/Dockerfile
@@ -0,0 +1,3 @@
+FROM node:11-stretch
+
+RUN apt-get update && apt-get upgrade -qy && apt-get clean
diff --git a/images/build-stage/9/Dockerfile b/images/build-stage/9/Dockerfile
new file mode 100644
index 0000000..e2723a0
--- /dev/null
+++ b/images/build-stage/9/Dockerfile
@@ -0,0 +1,3 @@
+FROM node:9-stretch
+
+RUN apt-get update && apt-get upgrade -qy && apt-get clean
diff --git a/images/runtime/10/Dockerfile b/images/runtime/10/Dockerfile
new file mode 100644
index 0000000..ad03b7e
--- /dev/null
+++ b/images/runtime/10/Dockerfile
@@ -0,0 +1,6 @@
+FROM node:10-stretch-slim
+
+RUN apt-get update && apt-get upgrade -qy && apt-get clean
+# for some reason i see this:
+# addgroup: The GID `1000' is already in use.
+RUN addgroup --system --gid 1001 --system fn && adduser --system --uid 1001 --ingroup fn fn
diff --git a/images/runtime/11/Dockerfile b/images/runtime/11/Dockerfile
new file mode 100644
index 0000000..572ea99
--- /dev/null
+++ b/images/runtime/11/Dockerfile
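Review bot: Neither `docker build` passes `--pull`, and the CI jobs enable `docker_layer_caching`, so the base image and the `apt-get upgrade` layer can come from cache and the nightly scan may keep evaluating stale layers. Passing the context directory directly also removes the `pushd`/`popd` chain, whose mix of `;` and `&&` makes it hard to tell which failures `set -e` catches: `docker build --pull -t "fnproject/node:${nodeversion}-dev" "images/build-stage/${nodeversion}"` and `docker build --pull -t "fnproject/node:${nodeversion}" "images/runtime/${nodeversion}"`. For the nightly jobs `--no-cache` may be warranted as well.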
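Review bot: In `images/runtime/10/Dockerfile` the `fn` user is created but never selected, so unless the platform sets the user at run time the container still starts as root; `USER fn` as the last instruction would make the unprivileged account the default. The same applies to `images/runtime/11/Dockerfile` and `images/runtime/9/Dockerfile`. `--system` is passed twice to `addgroup`, and `apt-get clean` leaves the package lists behind, so appending `&& rm -rf /var/lib/apt/lists/*` would trim the layer. The comment could state the cause instead of the symptom: `# the official node image already has a "node" user and group with ID 1000, so fn takes 1001`.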
@@ -0,0 +1,6 @@
+FROM node:11-stretch-slim
+
+RUN apt-get update && apt-get upgrade -qy && apt-get clean
+# for some reason i see this:
+# addgroup: The GID `1000' is already in use.
+RUN addgroup --system --gid 1001 --system fn && adduser --system --uid 1001 --ingroup fn fn
diff --git a/images/runtime/9/Dockerfile b/images/runtime/9/Dockerfile
new file mode 100644
index 0000000..099ee21
--- /dev/null
+++ b/images/runtime/9/Dockerfile
@@ -0,0 +1,6 @@
+FROM node:9-stretch-slim
+
+RUN apt-get update && apt-get upgrade -qy && apt-get clean
+# for some reason i see this:
+# addgroup: The GID `1000' is already in use.
+RUN addgroup --system --gid 1001 --system fn && adduser --system --uid 1001 --ingroup fn fn
diff --git a/package-lock.json b/package-lock.json
index 52827d8..a6c89b7 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@ { "name": "@fnproject/fdk", - "version": "0.0.14", + "version": "0.0.15", "lockfileVersion": 1, "requires": true, "dependencies": {
@@ -494,7 +494,7 @@ "imurmurhash": "0.1.4", "inquirer": "3.3.0", "is-resolvable": "1.1.0", - "js-yaml": "3.12.0", + "js-yaml": "3.13.1", "json-stable-stringify-without-jsonify": "1.0.1", "levn": "0.3.0", "lodash": "4.17.11",
@@ -532,7 +532,7 @@ "dev": true, "requires": { "debug": "2.6.9", - "resolve": "1.8.1" + "resolve": "1.11.1" }, "dependencies": { "debug": {
@@ -553,13 +553,13 @@ } }, "eslint-module-utils": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/eslint-module-utils/-/eslint-module-utils-2.2.0.tgz", - "integrity": "sha1-snA2LNiLGkitMIl2zn+lTphBF0Y=", + "version": "2.4.0", + "resolved": "https://registry.npmjs.org/eslint-module-utils/-/eslint-module-utils-2.4.0.tgz", + "integrity": "sha512-14tltLm38Eu3zS+mt0KvILC3q8jyIAH518MlG+HO0p+yK885Lb1UHTY/UgR91eOyGdmxAPb+OLoW4znqIT6Ndw==", "dev": true, "requires": { "debug": "2.6.9", - "pkg-dir": "1.0.0" + "pkg-dir": "2.0.0" }, "dependencies": { "debug": {
@@ -590,7 +590,7 @@ "debug": "2.6.9", "doctrine": "1.5.0", "eslint-import-resolver-node": "0.3.2", - "eslint-module-utils": "2.2.0", + "eslint-module-utils": "2.4.0", "has": "1.0.3", "lodash": "4.17.11", "minimatch": "3.0.4", @@ -632,7 +632,7 @@ "requires": { "ignore": "3.3.10", "minimatch": "3.0.4", - "resolve": "1.8.1", + "resolve": "1.11.1", "semver": "5.5.1" } }, @@ -650,8 +650,8 @@ "requires": { "doctrine": "2.1.0", "has": "1.0.3", - "jsx-ast-utils": "2.0.1", - "prop-types": "15.6.2" + "jsx-ast-utils": "2.1.0", + "prop-types": "15.7.2" } }, "eslint-plugin-standard": { @@ -777,13 +777,12 @@ "dev": true }, "find-up": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/find-up/-/find-up-1.1.2.tgz", - "integrity": "sha1-ay6YIrGizgpgq2TWEOzK1TyyTQ8=", + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/find-up/-/find-up-2.1.0.tgz", + "integrity": "sha1-RdG35QbHF93UgndaK3eSCjwMV6c=", "dev": true, "requires": { - "path-exists": "2.1.0", - "pinkie-promise": "2.0.1" + "locate-path": "2.0.0" } }, "flat-cache": { @@ -972,15 +971,6 @@ "integrity": "sha1-d8mYQFJ6qOyxqLppe4BkWnqSap0=", "dev": true }, - "is-builtin-module": { - "version": "1.0.0", - "resolved": "http://registry.npmjs.org/is-builtin-module/-/is-builtin-module-1.0.0.tgz", - "integrity": "sha1-VAVy0096wxGfj3bDDLwbHgN6/74=", - "dev": true, - "requires": { - "builtin-modules": "1.1.1" - } - }, "is-callable": { "version": "1.1.4", "resolved": "https://registry.npmjs.org/is-callable/-/is-callable-1.1.4.tgz", 
@@ -1072,9 +1062,9 @@ "dev": true }, "js-yaml": { - "version": "3.12.0", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz", - "integrity": "sha512-PIt2cnwmPfL4hKNwqeiuz4bKfnzHTBv6HyVgjahA6mPLwPDzjDWrplJBMjHUFxku/N3FlmrbyPclad+I+4mJ3A==", + "version": "3.13.1", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz", + "integrity": "sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==", "dev": true, "requires": { "argparse": "1.0.10", @@ -1100,9 +1090,9 @@ "dev": true }, "jsx-ast-utils": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/jsx-ast-utils/-/jsx-ast-utils-2.0.1.tgz", - "integrity": "sha1-6AGxs5mF4g//yHtA43SAgOLcrH8=", + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/jsx-ast-utils/-/jsx-ast-utils-2.1.0.tgz", + "integrity": "sha512-yDGDG2DS4JcqhA6blsuYbtsT09xL8AoLuUR2Gb5exrw7UEM19sBcOTq+YBBhrNbl0PUC4R4LnFu+dHg2HKeVvA==", "dev": true, "requires": { "array-includes": "3.0.3" @@ -1144,14 +1134,6 @@ "requires": { "p-locate": "2.0.0", "path-exists": "3.0.0" - }, - "dependencies": { - "path-exists": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-3.0.0.tgz", - "integrity": "sha1-zg6+ql94yxiSXqfYENe1mwEP1RU=", - "dev": true - } } }, "lodash": { 
@@ -1255,13 +1237,13 @@ } }, "normalize-package-data": { - "version": "2.4.0", - "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.4.0.tgz", - "integrity": "sha512-9jjUFbTPfEy3R/ad/2oNbKtW9Hgovl5O1FvFWKkKblNXoN/Oou6+9+KKohPK13Yc3/TyunyWhJp6gvRNR/PPAw==", + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz", + "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==", "dev": true, "requires": { "hosted-git-info": "2.7.1", - "is-builtin-module": "1.0.0", + "resolve": "1.11.1", "semver": "5.5.1", "validate-npm-package-license": "3.0.4" } @@ -1356,13 +1338,10 @@ } }, "path-exists": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-2.1.0.tgz", - "integrity": "sha1-D+tsZPD8UY2adU3V77YscCJ2H0s=", - "dev": true, - "requires": { - "pinkie-promise": "2.0.1" - } + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-3.0.0.tgz", + "integrity": "sha1-zg6+ql94yxiSXqfYENe1mwEP1RU=", + "dev": true }, "path-is-absolute": { "version": "1.0.1", @@ -1439,15 +1418,6 @@ "load-json-file": "4.0.0" }, "dependencies": { - "find-up": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/find-up/-/find-up-2.1.0.tgz", - "integrity": "sha1-RdG35QbHF93UgndaK3eSCjwMV6c=", - "dev": true, - "requires": { - "locate-path": "2.0.0" - } - }, "load-json-file": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/load-json-file/-/load-json-file-4.0.0.tgz", 
@@ -1490,12 +1460,12 @@ } }, "pkg-dir": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/pkg-dir/-/pkg-dir-1.0.0.tgz", - "integrity": "sha1-ektQio1bstYp1EcFb/TpyTFM89Q=", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/pkg-dir/-/pkg-dir-2.0.0.tgz", + "integrity": "sha1-9tXREJ4Z1j7fQo4L1X4Sd3YVM0s=", "dev": true, "requires": { - "find-up": "1.1.2" + "find-up": "2.1.0" } }, "pluralize": { @@ -1523,13 +1493,14 @@ "dev": true }, "prop-types": { - "version": "15.6.2", - "resolved": "https://registry.npmjs.org/prop-types/-/prop-types-15.6.2.tgz", - "integrity": "sha512-3pboPvLiWD7dkI3qf3KbUe6hKFKa52w+AE0VCqECtf+QHAKgOL37tTaNCnuX1nAAQ4ZhyP+kYVKf8rLmJ/feDQ==", + "version": "15.7.2", + "resolved": "https://registry.npmjs.org/prop-types/-/prop-types-15.7.2.tgz", + "integrity": "sha512-8QQikdH7//R2vurIJSutZ1smHYTcLpRWEOlHnzcWHmBYrOGUysKwSsrC89BCiFj3CbrfJ/nXFdJepOVrY1GCHQ==", "dev": true, "requires": { "loose-envify": "1.4.0", - "object-assign": "4.1.1" + "object-assign": "4.1.1", + "react-is": "16.8.6" } }, "pseudomap": { @@ -1538,6 +1509,12 @@ "integrity": "sha1-8FKijacOYYkX7wqKw0wa5aaChrM=", "dev": true }, + "react-is": { + "version": "16.8.6", + "resolved": "https://registry.npmjs.org/react-is/-/react-is-16.8.6.tgz", + "integrity": "sha512-aUk3bHfZ2bRSVFFbbeVS4i+lNPZr3/WM5jT2J5omUVV1zzcs1nAaf3l51ctA5FFvCRbhrH0bdAsRRQddFJZPtA==", + "dev": true + }, "read-pkg": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/read-pkg/-/read-pkg-2.0.0.tgz", @@ -1545,7 +1522,7 @@ "dev": true, "requires": { "load-json-file": "2.0.0", - "normalize-package-data": "2.4.0", + "normalize-package-data": "2.5.0", "path-type": "2.0.0" } }, 
@@ -1557,17 +1534,6 @@ "requires": { "find-up": "2.1.0", "read-pkg": "2.0.0" - }, - "dependencies": { - "find-up": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/find-up/-/find-up-2.1.0.tgz", - "integrity": "sha1-RdG35QbHF93UgndaK3eSCjwMV6c=", - "dev": true, - "requires": { - "locate-path": "2.0.0" - } - } } }, "readable-stream": { @@ -1596,9 +1562,9 @@ } }, "resolve": { - "version": "1.8.1", - "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.8.1.tgz", - "integrity": "sha512-AicPrAC7Qu1JxPCZ9ZgCZlY35QgFnNqc+0LtbRNxnVw4TXvjQ72wnuL9JQcEBgXkI9JM8MsT9kaQoHcpCRJOYA==", + "version": "1.11.1", + "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.11.1.tgz", + "integrity": "sha512-vIpgF6wfuJOZI7KKKSP+HmiKggadPQAdsp5HiC1mvqnfp0gF1vdwgBWZIdrVft9pgqoMFQN+R7BSWZiBxx+BBw==", "dev": true, "requires": { "path-parse": "1.0.6" @@ -1710,7 +1676,7 @@ "imurmurhash": "0.1.4", "inquirer": "3.3.0", "is-resolvable": "1.1.0", - "js-yaml": "3.12.0", + "js-yaml": "3.13.1", "json-stable-stringify-without-jsonify": "1.0.1", "levn": "0.3.0", "lodash": "4.17.11", 
@@ -1926,19 +1892,19 @@ } }, "spdx-correct": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.0.0.tgz", - "integrity": "sha512-N19o9z5cEyc8yQQPukRCZ9EUmb4HUpnrmaL/fxS2pBo2jbfcFRVuFZ/oFC+vZz0MNNk0h80iMn5/S6qGZOL5+g==", + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.1.0.tgz", + "integrity": "sha512-lr2EZCctC2BNR7j7WzJ2FpDznxky1sjfxvvYEyzxNyb6lZXHODmEoJeFu4JupYlkfha1KZpJyoqiJ7pgA1qq8Q==", "dev": true, "requires": { "spdx-expression-parse": "3.0.0", - "spdx-license-ids": "3.0.1" + "spdx-license-ids": "3.0.4" } }, "spdx-exceptions": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.1.0.tgz", - "integrity": "sha512-4K1NsmrlCU1JJgUrtgEeTVyfx8VaYea9J9LvARxhbHtVtohPs/gFGG5yy49beySjlIMhhXZ4QqujIZEfS4l6Cg==", + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.2.0.tgz", + "integrity": "sha512-2XQACfElKi9SlVb1CYadKDXvoajPgBVPn/gOQLrTvHdElaVhr7ZEbqJaRnJLVNeaI4cMEAgVCeBMKF6MWRDCRA==", "dev": true }, "spdx-expression-parse": { @@ -1947,14 +1913,14 @@ "integrity": "sha512-Yg6D3XpRD4kkOmTpdgbUiEJFKghJH03fiC1OPll5h/0sO6neh2jqRDVHOQ4o/LMea0tgCkbMgea5ip/e+MkWyg==", "dev": true, "requires": { - "spdx-exceptions": "2.1.0", - "spdx-license-ids": "3.0.1" + "spdx-exceptions": "2.2.0", + "spdx-license-ids": "3.0.4" } }, "spdx-license-ids": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.1.tgz", - "integrity": "sha512-TfOfPcYGBB5sDuPn3deByxPhmfegAhpDYKSOXZQN81Oyrrif8ZCodOLzK3AesELnCx03kikhyDwh0pfvvQvF8w==", + "version": "3.0.4", + "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.4.tgz", + "integrity": "sha512-7j8LYJLeY/Yb6ACbQ7F76qy5jHkp0U6jgBfJsk97bwWlVUnUWsAgpyaCvo17h0/RQGnQ036tVDomiwoI4pDkQA==", "dev": true }, "sprintf-js": { 
@@ -1965,7 +1931,7 @@ }, "standard": { "version": "11.0.1", - "resolved": "http://registry.npmjs.org/standard/-/standard-11.0.1.tgz", + "resolved": "https://registry.npmjs.org/standard/-/standard-11.0.1.tgz", "integrity": "sha512-nu0jAcHiSc8H+gJCXeiziMVZNDYi8MuqrYJKxTgjP4xKXZMKm311boqQIzDrYI/ktosltxt2CbDjYQs9ANC8IA==", "dev": true, "requires": {
@@ -2177,7 +2143,7 @@ "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==", "dev": true, "requires": { - "spdx-correct": "3.0.0", + "spdx-correct": "3.1.0", "spdx-expression-parse": "3.0.0" } },
diff --git a/package.json b/package.json
index 7d9c6ae..e8fb36d 100644
--- a/package.json
+++ b/package.json
@@ -25,7 +25,7 @@
 "devDependencies": {
 "rewire": "4.0.1",
 "sinon": "^7.3.2",
- "standard": "11.0.1",
+ "standard": "^11.0.1",
 "tape": "^4.9.1",
 "tmp": "0.0.33"
 }
diff --git a/release_images.sh b/release_images.sh
new file mode 100755
index 0000000..8968710
--- /dev/null
+++ b/release_images.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+user="fnproject"
+image="node"
+runtime9="9"
+runtime10="10"
+runtime11="11"
+
+docker push ${user}/${image}:${runtime9}
+docker push ${user}/${image}:${runtime9}-dev
+
+docker push ${user}/${image}:${runtime10}
+docker push ${user}/${image}:${runtime10}-dev
+
+docker push ${user}/${image}:${runtime11}
+docker push ${user}/${image}:${runtime11}-dev
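Review bot: `release_images.sh` has no error handling, so a failed `docker push` is ignored unless it is the last one, and a release can end up partially published while the CI step reports success; `set -euo pipefail` after the shebang would stop at the first failure. No `docker login` appears in this script or in the visible deploy step, so the registry credentials presumably come from outside this diff; it is worth confirming they are scoped to pushing this repository only. Each run overwrites the moving tags `9`, `10` and `11`; pushing an additional immutable tag (for example the package version) would let consumers pin an image and make a bad one traceable.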