From aaab0473800df835814318fe31a884e3759d4522 Mon Sep 17 00:00:00 2001
From: Loren Yu
Date: Thu, 13 Jul 2023 08:44:45 -0700
Subject: [PATCH 1/6] Try scanning base image

---
 app/Dockerfile | 80 --------------------------------------------------
 1 file changed, 80 deletions(-)

diff --git a/app/Dockerfile b/app/Dockerfile
index 8cf2ac45..43476406 100644
--- a/app/Dockerfile
+++ b/app/Dockerfile
@@ -1,84 +1,4 @@
 # This file is largely based on the template-application-flask Dockerfile and
 # Next.js Docker example: https://github.com/vercel/next.js/blob/canary/examples/with-docker-compose
 # =============================================================================
-FROM node:18-alpine AS base
-WORKDIR /app
-
-# Install dependencies
-COPY package.json package-lock.json ./
-COPY public ./public
-COPY scripts ./scripts
-RUN npm ci --no-audit
-
-# =============================================================================
-# Development stage
-# =============================================================================
-FROM base AS dev
-WORKDIR /app
-
-COPY tsconfig.json .
-COPY *.config.js .
-COPY *.d.ts .
-COPY src ./src
-COPY stories ./stories
-COPY .storybook ./.storybook
-
-ENV NEXT_TELEMETRY_DISABLED 1
-
-CMD ["npm", "run", "dev"]
-
-# =============================================================================
-# Release stage
-# =============================================================================
-
-# Build the Next.js app
-# =====================================
-FROM base AS builder
-WORKDIR /app
-
-COPY tsconfig.json .
-COPY *.config.js .
-COPY *.d.ts .
-COPY src ./src
-
-# Environment variables must be present at build time
-# https://github.com/vercel/next.js/discussions/14030
-# ARG ENV_VARIABLE
-# ENV ENV_VARIABLE=${ENV_VARIABLE}
-# ARG NEXT_PUBLIC_ENV_VARIABLE
-# ENV NEXT_PUBLIC_ENV_VARIABLE=${NEXT_PUBLIC_ENV_VARIABLE}
-
-ENV NEXT_TELEMETRY_DISABLED 1
-
-# Skip lint because it should have happened in the CI already
-RUN npm run build -- --no-lint
-
-# Run the Next.js server
-# =====================================
-# Use clean image for release, excluding any unnecessary files or dependencies
 FROM node:18-alpine AS release
-WORKDIR /app
-
-# Don't run production as root
-RUN addgroup --system --gid 1001 nodejs
-RUN adduser --system --uid 1001 nextjs
-USER nextjs
-
-COPY --from=builder /app/public ./public
-
-# Automatically leverage output traces to reduce image size
-# https://nextjs.org/docs/advanced-features/output-file-tracing
-COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
-COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
-
-# Environment variables must be redefined at run time
-# ARG ENV_VARIABLE
-# ENV ENV_VARIABLE=${ENV_VARIABLE}
-# ARG NEXT_PUBLIC_ENV_VARIABLE
-# ENV NEXT_PUBLIC_ENV_VARIABLE=${NEXT_PUBLIC_ENV_VARIABLE}
-ENV NEXT_TELEMETRY_DISABLED 1
-ENV PORT 3000
-
-EXPOSE 3000
-
-CMD ["node", "server.js"]
\ No newline at end of file

From 0ff9f589de7719b703b4369f32db70b8561864df Mon Sep 17 00:00:00 2001
From: Loren Yu
Date: Thu, 13 Jul 2023 08:52:24 -0700
Subject: [PATCH 2/6] Revert "Try scanning base image"

This reverts commit aaab0473800df835814318fe31a884e3759d4522.
---
 app/Dockerfile | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)

diff --git a/app/Dockerfile b/app/Dockerfile
index 43476406..8cf2ac45 100644
--- a/app/Dockerfile
+++ b/app/Dockerfile
@@ -1,4 +1,84 @@
 # This file is largely based on the template-application-flask Dockerfile and
 # Next.js Docker example: https://github.com/vercel/next.js/blob/canary/examples/with-docker-compose
 # =============================================================================
+FROM node:18-alpine AS base
+WORKDIR /app
+
+# Install dependencies
+COPY package.json package-lock.json ./
+COPY public ./public
+COPY scripts ./scripts
+RUN npm ci --no-audit
+
+# =============================================================================
+# Development stage
+# =============================================================================
+FROM base AS dev
+WORKDIR /app
+
+COPY tsconfig.json .
+COPY *.config.js .
+COPY *.d.ts .
+COPY src ./src
+COPY stories ./stories
+COPY .storybook ./.storybook
+
+ENV NEXT_TELEMETRY_DISABLED 1
+
+CMD ["npm", "run", "dev"]
+
+# =============================================================================
+# Release stage
+# =============================================================================
+
+# Build the Next.js app
+# =====================================
+FROM base AS builder
+WORKDIR /app
+
+COPY tsconfig.json .
+COPY *.config.js .
+COPY *.d.ts .
+COPY src ./src
+
+# Environment variables must be present at build time
+# https://github.com/vercel/next.js/discussions/14030
+# ARG ENV_VARIABLE
+# ENV ENV_VARIABLE=${ENV_VARIABLE}
+# ARG NEXT_PUBLIC_ENV_VARIABLE
+# ENV NEXT_PUBLIC_ENV_VARIABLE=${NEXT_PUBLIC_ENV_VARIABLE}
+
+ENV NEXT_TELEMETRY_DISABLED 1
+
+# Skip lint because it should have happened in the CI already
+RUN npm run build -- --no-lint
+
+# Run the Next.js server
+# =====================================
+# Use clean image for release, excluding any unnecessary files or dependencies
 FROM node:18-alpine AS release
+WORKDIR /app
+
+# Don't run production as root
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 nextjs
+USER nextjs
+
+COPY --from=builder /app/public ./public
+
+# Automatically leverage output traces to reduce image size
+# https://nextjs.org/docs/advanced-features/output-file-tracing
+COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+
+# Environment variables must be redefined at run time
+# ARG ENV_VARIABLE
+# ENV ENV_VARIABLE=${ENV_VARIABLE}
+# ARG NEXT_PUBLIC_ENV_VARIABLE
+# ENV NEXT_PUBLIC_ENV_VARIABLE=${NEXT_PUBLIC_ENV_VARIABLE}
+ENV NEXT_TELEMETRY_DISABLED 1
+ENV PORT 3000
+
+EXPOSE 3000
+
+CMD ["node", "server.js"]
\ No newline at end of file

From cceff5838127cb59a58f4dbfbc85c373919d007f Mon Sep 17 00:00:00 2001
From: Loren Yu
Date: Thu, 13 Jul 2023 08:53:10 -0700
Subject: [PATCH 3/6] Run e2e tests on Dockerfile changes

---
 .github/workflows/ci-infra.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/ci-infra.yml b/.github/workflows/ci-infra.yml
index 13333a4f..e0087bd3 100644
--- a/.github/workflows/ci-infra.yml
+++ b/.github/workflows/ci-infra.yml
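Review bot: `RUN npm ci --no-audit` in the base stage suppresses npm's advisory check for everything in package-lock.json, so a known-vulnerable transitive dependency is only caught if an audit runs somewhere else; the comment on the build step says lint happens in CI, but nothing in this series shows an audit step. If an audit does run in CI, say so next to the flag, e.g. `# --no-audit: dependency audit runs in CI, not at image build`; if it does not, drop the flag or add the CI audit. Separately, both `FROM node:18-alpine` lines are pinned by tag only, so the image a scanner reports on can drift between two builds of the same commit; pinning by digest (`FROM node:18-alpine@sha256:<digest> AS base`) makes a scan result reproducible.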
@@ -5,10 +5,12 @@ on:
 branches:
 - main
 paths:
+ - app/Dockerfile
 - infra/**
 - .github/workflows/ci-infra.yml
 pull_request:
 paths:
+ - app/Dockerfile
 - infra/**
 - test/**
 - .github/workflows/ci-infra.yml

From 05b7240f92991cc7a784bf3ef10ebd1706806859 Mon Sep 17 00:00:00 2001
From: Loren Yu
Date: Thu, 13 Jul 2023 09:04:23 -0700
Subject: [PATCH 4/6] Use bullseye as base image

---
 app/Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/Dockerfile b/app/Dockerfile
index 8cf2ac45..3118140d 100644
--- a/app/Dockerfile
+++ b/app/Dockerfile
@@ -1,7 +1,7 @@
 # This file is largely based on the template-application-flask Dockerfile and
 # Next.js Docker example: https://github.com/vercel/next.js/blob/canary/examples/with-docker-compose
 # =============================================================================
-FROM node:18-alpine AS base
+FROM node:18-bullseye-slim AS base
 WORKDIR /app
 # Install dependencies
@@ -56,7 +56,7 @@ RUN npm run build -- --no-lint
 # Run the Next.js server
 # =====================================
 # Use clean image for release, excluding any unnecessary files or dependencies
-FROM node:18-alpine AS release
+FROM node:18-bullseye-slim AS release
 WORKDIR /app
 # Don't run production as root
@@ -81,4 +81,4 @@ ENV PORT 3000
 EXPOSE 3000
-CMD ["node", "server.js"]
\ No newline at end of file
+CMD ["node", "server.js"]

From 7a135795721ed230d89675af1b3650e4e15a884e Mon Sep 17 00:00:00 2001
From: Loren Yu
Date: Thu, 13 Jul 2023 09:18:53 -0700
Subject: [PATCH 5/6] Target release in release-build

---
 app/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/Makefile b/app/Makefile
index 42e09670..84b4cdbb 100644
--- a/app/Makefile
+++ b/app/Makefile
@@ -27,6 +27,7 @@ export RUN_UID
 ##################################################
 release-build:
 docker buildx build \
+ --target release \
 --platform=linux/amd64 \
 --build-arg RUN_USER=$(RUN_USER) \
 --build-arg RUN_UID=$(RUN_UID) \
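Review bot: The two added `- app/Dockerfile` entries make the workflow react to Dockerfile edits, but the image is built through the `release-build` target in `app/Makefile` (visible in the Makefile hunk later in this series), and that file is in neither `paths:` list, so a change to the buildx flags there will not run the same e2e tests. Consider adding `- app/Makefile` under both `push` and `pull_request` paths. Whether `app/package-lock.json` or a `.dockerignore` should also trigger the run depends on what the e2e tests exercise, which this hunk does not show.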
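Review bot: `FROM node:18-bullseye-slim AS base` and the matching `release` line swap alpine for a Debian base to get a cleaner scan, but the tag is still mutable, so the scanner's verdict applies to whichever build of `18-bullseye-slim` was current when this ran and can change on the next pull without any commit. Pin both stages by digest, e.g. `FROM node:18-bullseye-slim@sha256:<digest> AS base`, and bump the digest deliberately when the scan is re-run. Note also that bullseye-slim ships glibc, apt and a fuller Debian userland than alpine, so the runtime image has more packages for future advisories to land in; since the final stage only runs `CMD ["node", "server.js"]`, the added surface buys nothing at runtime, which is worth recording in the comment above the `FROM`.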
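Review bot: `--target release` is added alongside `--build-arg RUN_USER=$(RUN_USER)` and `--build-arg RUN_UID=$(RUN_UID)`, but the Dockerfile in this series declares no `ARG RUN_USER` or `ARG RUN_UID`; its release stage hard-codes `adduser --system --uid 1001 nextjs`, so those two build args are never consumed and the Makefile's `export RUN_UID` has no effect on the image. Either drop the two `--build-arg` lines or add `ARG RUN_USER=nextjs` and `ARG RUN_UID=1001` to the release stage and reference them in the `addgroup`/`adduser`/`USER` lines so the setting actually takes effect. Since `release` is already the last stage, `--target release` does not change the output today, which is fine as documentation of intent. The `release-build` recipe continues past the end of the hunk.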
@@ -45,4 +46,4 @@ storybook: # Run the Storybook local dev server in Docker
 docker compose logs --follow storybook
 stop:
- docker-compose down
\ No newline at end of file
+ docker-compose down

From 1fd9de55b53607fa79b9fb4fb233c03546129943 Mon Sep 17 00:00:00 2001
From: Loren Yu
Date: Thu, 13 Jul 2023 09:50:38 -0700
Subject: [PATCH 6/6] Update npm to fix vulnerability in base image

---
 app/Dockerfile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/app/Dockerfile b/app/Dockerfile
index 3118140d..5e63acd0 100644
--- a/app/Dockerfile
+++ b/app/Dockerfile
@@ -59,6 +59,11 @@ RUN npm run build -- --no-lint
 FROM node:18-bullseye-slim AS release
 WORKDIR /app
+# As of July 13, 2023, 18-bullseye-slim has a vulnerability in the version of
+# semver that it uses (GHSA-c2qf-rxjj-qqgw). Update npm to avoid the vulnerability
+# being caught in vulnerability scans.
+RUN npm install -g npm@latest
+
 # Don't run production as root
 RUN addgroup --system --gid 1001 nodejs
 RUN adduser --system --uid 1001 nextjs
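Review bot: `RUN npm install -g npm@latest` makes the release image non-reproducible: `@latest` resolves to whatever npm has published at build time, so two builds of the same commit can ship different npm trees, and the scan result this commit is chasing can flip without any code change. The flagged semver copy lives under npm's own bundled node_modules, and the release stage only ever runs `node server.js`, so npm is not needed at runtime at all; removing it closes the finding and shrinks the attack surface together, e.g. `RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx` (paths per the official node image layout — verify against this base). If npm must stay, pin it to an explicit version (`npm install -g npm@<x.y.z>`) and state in the comment which version carries the fixed semver. Either way the `# As of July 13, 2023` comment should say the workaround can be dropped once the base tag ships a fixed npm, so it does not outlive its reason.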