oxsecurity
diff --git a/‎.automation/build.py‎
Lines changed: 25 additions & 7 deletions b/‎.automation/build.py‎
Lines changed: 25 additions & 7 deletions
diff --git a/‎flavors/ci_light/Dockerfile‎
Lines changed: 41 additions & 7 deletions b/‎flavors/ci_light/Dockerfile‎
Lines changed: 41 additions & 7 deletions
diff --git a/‎flavors/documentation/Dockerfile‎
Lines changed: 57 additions & 15 deletions b/‎flavors/documentation/Dockerfile‎
Lines changed: 57 additions & 15 deletions
@@ -519,35 +519,53 @@ def build_dockerfile(
     replace_in_file(dockerfile, "#PIP__START", "#PIP__END", pip_install_command)
     # Python packages in venv
     if len(pipvenv_packages.items()) > 0:
-        pipenv_install_command = (
+        pipenv_download_command = (
             "RUN PYTHONDONTWRITEBYTECODE=1 pip3 install"
-            " --no-cache-dir --upgrade pip virtualenv \\\n"
+            " --no-cache-dir --upgrade pip crossenv \\\n"
+        )
+        pipenv_install_command = (
+            "RUN echo \\\n"
         )
-        env_path_command = 'ENV PATH="${PATH}"'
+        pipenv_path_command = 'ENV PATH="${PATH}"'
         for pip_linter, pip_linter_packages in pipvenv_packages.items():
+            pipenv_download_command += (
+                f'    && mkdir -p "/download/{pip_linter}" '
+                + f'&& pip download -d "/download/{pip_linter}" '
+                + (" ".join(pip_linter_packages))
+                + " \\\n"
+            )
             pipenv_install_command += (
                 f'    && mkdir -p "/venvs/{pip_linter}" '
                 + f'&& cd "/venvs/{pip_linter}" '
-                + "&& virtualenv . "
+                + "&& python3 -m crossenv /usr/local/bin/target-python3 . "
                 + "&& source bin/activate "
-                + "&& PYTHONDONTWRITEBYTECODE=1 pip3 install --no-cache-dir "
+                + f"&& PYTHONDONTWRITEBYTECODE=1 pip3 install --find-links /download/{pip_linter} --no-cache-dir "
                 + (" ".join(pip_linter_packages))
                 + " "
                 + "&& deactivate "
                 + "&& cd ./../.. \\\n"
             )
-            env_path_command += f":/venvs/{pip_linter}/bin"
+            pipenv_path_command += f":/venvs/{pip_linter}/bin"
         pipenv_install_command = pipenv_install_command[:-2]  # remove last \
+        pipenv_download_command = pipenv_download_command[:-2]  # remove last \
         pipenv_install_command += (
             ' \\\n    && find . | grep -E "(/__pycache__$|\\.pyc$|\\.pyo$)" | xargs rm -rf '
             + "&& rm -rf /root/.cache\n"
-            + env_path_command
         )
+        pipenv_download_command += "\n"
     else:
         pipenv_install_command = ""
+        pipenv_download_command = ""
+        pipenv_path_command = ""
     replace_in_file(
         dockerfile, "#PIPVENV__START", "#PIPVENV__END", pipenv_install_command
     )
+    replace_in_file(
+        dockerfile, "#PIPVENV_DOWNLOAD__START", "#PIPVENV_DOWNLOAD__END", pipenv_download_command
+    )
+    replace_in_file(
+        dockerfile, "#PIPVENV_PATH__START", "#PIPVENV_PATH__END", pipenv_path_command
+    )
 
     # Ruby gem packages
     gem_install_command = ""
 
@@ -43,12 +43,12 @@ RUN rustup-init -y --target $([[ "${TARGETARCH}" == "amd64" ]] && echo "x86_64-u
 
 RUN --mount=type=cache,id=cargo-${TARGETARCH},sharing=locked,target=/cargo/.cargo/registry/,uid=63425 \
      . /cargo/.cargo/env \
- && cargo install sarif-fmt shellcheck-sarif --root /tmp --target $([[ "${TARGETARCH}" == "amd64" ]] && echo "x86_64-unknown-linux-musl" || echo "aarch64-unknown-linux-musl") 
+ && cargo install shellcheck-sarif sarif-fmt --root /tmp --target $([[ "${TARGETARCH}" == "amd64" ]] && echo "x86_64-unknown-linux-musl" || echo "aarch64-unknown-linux-musl") 
 
 FROM scratch AS cargo
 COPY --link --from=cargo-build /tmp/bin/* /bin/
-RUN ["/bin/sarif-fmt", "--help"]
 RUN ["/bin/shellcheck-sarif", "--help"]
+RUN ["/bin/sarif-fmt", "--help"]
 
 #FROM__END
 
@@ -69,6 +69,41 @@ COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/
 COPY --link --from=cargo /bin/* /usr/bin/
 #COPY__END
 
+FROM --platform=$TARGETPLATFORM python:3.11.2-alpine3.17 AS target-python-arm64
+RUN mkdir /export-libs && cp /lib/ld-musl-aarch64.so.1 /export-libs
+FROM --platform=$TARGETPLATFORM python:3.11.2-alpine3.17 AS target-python-amd64
+RUN mkdir /export-libs && cp /lib/ld-musl-x86_64.so.1 /export-libs
+FROM target-python-${TARGETARCH} AS target-python
+FROM --platform=$BUILDPLATFORM python:3.11.2-alpine3.17 AS python-venv
+
+
+#############################################################################################
+## @generated by .automation/build.py using descriptor files, please do not update manually ##
+#############################################################################################
+
+RUN apk add --update --no-cache gcc musl-dev libffi-dev rust cargo cmake make g++ openssl-dev
+
+#PIPVENV_DOWNLOAD__START
+RUN PYTHONDONTWRITEBYTECODE=1 pip3 install --no-cache-dir --upgrade pip crossenv \
+    && mkdir -p "/download/yamllint" && pip download -d "/download/yamllint" yamllint 
+
+#PIPVENV_DOWNLOAD__END
+
+RUN mkdir /venvs
+
+COPY --link --from=target-python /usr/local/bin/python3 /usr/local/bin/target-python3
+#COPY --link --from=target-python /export-libs/* /lib
+
+#############################################################################################
+## @generated by .automation/build.py using descriptor files, please do not update manually ##
+#############################################################################################
+
+#PIPVENV__START
+RUN echo \
+    && mkdir -p "/venvs/yamllint" && cd "/venvs/yamllint" && python3 -m crossenv /usr/local/bin/target-python3 . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --find-links /download/yamllint --no-cache-dir yamllint && deactivate && cd ./../..  \
+    && find . | grep -E "(/__pycache__$|\.pyc$|\.pyo$)" | xargs rm -rf && rm -rf /root/.cache
+
+#PIPVENV__END
 
 ##################
 # Get base image #
@@ -142,19 +177,18 @@ RUN mkdir -p ${GOPATH}/src ${GOPATH}/bin || true && \
     # Ignore npm package issues
     yarn config set ignore-engines true || true
 
+COPY --link --from=python-venv /venv /venv
+
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
 #############################################################################################
 #PIP__START
 
 #PIP__END
 
-#PIPVENV__START
-RUN PYTHONDONTWRITEBYTECODE=1 pip3 install --no-cache-dir --upgrade pip virtualenv \
-    && mkdir -p "/venvs/yamllint" && cd "/venvs/yamllint" && virtualenv . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --no-cache-dir yamllint && deactivate && cd ./../..  \
-    && find . | grep -E "(/__pycache__$|\.pyc$|\.pyo$)" | xargs rm -rf && rm -rf /root/.cache
+#PIPVENV_PATH__START
 ENV PATH="${PATH}":/venvs/yamllint/bin
-#PIPVENV__END
+#PIPVENV_PATH__END
 
 ############################
 # Install NPM dependencies #
 
@@ -50,12 +50,12 @@ RUN rustup-init -y --target $([[ "${TARGETARCH}" == "amd64" ]] && echo "x86_64-u
 
 RUN --mount=type=cache,id=cargo-${TARGETARCH},sharing=locked,target=/cargo/.cargo/registry/,uid=63425 \
      . /cargo/.cargo/env \
- && cargo install sarif-fmt shellcheck-sarif --root /tmp --target $([[ "${TARGETARCH}" == "amd64" ]] && echo "x86_64-unknown-linux-musl" || echo "aarch64-unknown-linux-musl") 
+ && cargo install shellcheck-sarif sarif-fmt --root /tmp --target $([[ "${TARGETARCH}" == "amd64" ]] && echo "x86_64-unknown-linux-musl" || echo "aarch64-unknown-linux-musl") 
 
 FROM scratch AS cargo
 COPY --link --from=cargo-build /tmp/bin/* /bin/
-RUN ["/bin/sarif-fmt", "--help"]
 RUN ["/bin/shellcheck-sarif", "--help"]
+RUN ["/bin/sarif-fmt", "--help"]
 
 #FROM__END
 
@@ -83,6 +83,57 @@ COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/
 COPY --link --from=cargo /bin/* /usr/bin/
 #COPY__END
 
+FROM --platform=$TARGETPLATFORM python:3.11.2-alpine3.17 AS target-python-arm64
+RUN mkdir /export-libs && cp /lib/ld-musl-aarch64.so.1 /export-libs
+FROM --platform=$TARGETPLATFORM python:3.11.2-alpine3.17 AS target-python-amd64
+RUN mkdir /export-libs && cp /lib/ld-musl-x86_64.so.1 /export-libs
+FROM target-python-${TARGETARCH} AS target-python
+FROM --platform=$BUILDPLATFORM python:3.11.2-alpine3.17 AS python-venv
+
+
+#############################################################################################
+## @generated by .automation/build.py using descriptor files, please do not update manually ##
+#############################################################################################
+
+RUN apk add --update --no-cache gcc musl-dev libffi-dev rust cargo cmake make g++ openssl-dev
+
+#PIPVENV_DOWNLOAD__START
+RUN PYTHONDONTWRITEBYTECODE=1 pip3 install --no-cache-dir --upgrade pip crossenv \
+    && mkdir -p "/download/ansible-lint" && pip download -d "/download/ansible-lint" ansible-lint \
+    && mkdir -p "/download/djlint" && pip download -d "/download/djlint" djlint \
+    && mkdir -p "/download/checkov" && pip download -d "/download/checkov" packaging checkov \
+    && mkdir -p "/download/semgrep" && pip download -d "/download/semgrep" semgrep \
+    && mkdir -p "/download/snakemake" && pip download -d "/download/snakemake" snakemake \
+    && mkdir -p "/download/snakefmt" && pip download -d "/download/snakefmt" snakefmt \
+    && mkdir -p "/download/proselint" && pip download -d "/download/proselint" proselint \
+    && mkdir -p "/download/sqlfluff" && pip download -d "/download/sqlfluff" sqlfluff \
+    && mkdir -p "/download/yamllint" && pip download -d "/download/yamllint" yamllint 
+
+#PIPVENV_DOWNLOAD__END
+
+RUN mkdir /venvs
+
+COPY --link --from=target-python /usr/local/bin/python3 /usr/local/bin/target-python3
+#COPY --link --from=target-python /export-libs/* /lib
+
+#############################################################################################
+## @generated by .automation/build.py using descriptor files, please do not update manually ##
+#############################################################################################
+
+#PIPVENV__START
+RUN echo \
+    && mkdir -p "/venvs/ansible-lint" && cd "/venvs/ansible-lint" && python3 -m crossenv /usr/local/bin/target-python3 . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --find-links /download/ansible-lint --no-cache-dir ansible-lint && deactivate && cd ./../.. \
+    && mkdir -p "/venvs/djlint" && cd "/venvs/djlint" && python3 -m crossenv /usr/local/bin/target-python3 . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --find-links /download/djlint --no-cache-dir djlint && deactivate && cd ./../.. \
+    && mkdir -p "/venvs/checkov" && cd "/venvs/checkov" && python3 -m crossenv /usr/local/bin/target-python3 . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --find-links /download/checkov --no-cache-dir packaging checkov && deactivate && cd ./../.. \
+    && mkdir -p "/venvs/semgrep" && cd "/venvs/semgrep" && python3 -m crossenv /usr/local/bin/target-python3 . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --find-links /download/semgrep --no-cache-dir semgrep && deactivate && cd ./../.. \
+    && mkdir -p "/venvs/snakemake" && cd "/venvs/snakemake" && python3 -m crossenv /usr/local/bin/target-python3 . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --find-links /download/snakemake --no-cache-dir snakemake && deactivate && cd ./../.. \
+    && mkdir -p "/venvs/snakefmt" && cd "/venvs/snakefmt" && python3 -m crossenv /usr/local/bin/target-python3 . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --find-links /download/snakefmt --no-cache-dir snakefmt && deactivate && cd ./../.. \
+    && mkdir -p "/venvs/proselint" && cd "/venvs/proselint" && python3 -m crossenv /usr/local/bin/target-python3 . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --find-links /download/proselint --no-cache-dir proselint && deactivate && cd ./../.. \
+    && mkdir -p "/venvs/sqlfluff" && cd "/venvs/sqlfluff" && python3 -m crossenv /usr/local/bin/target-python3 . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --find-links /download/sqlfluff --no-cache-dir sqlfluff && deactivate && cd ./../.. \
+    && mkdir -p "/venvs/yamllint" && cd "/venvs/yamllint" && python3 -m crossenv /usr/local/bin/target-python3 . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --find-links /download/yamllint --no-cache-dir yamllint && deactivate && cd ./../..  \
+    && find . | grep -E "(/__pycache__$|\.pyc$|\.pyo$)" | xargs rm -rf && rm -rf /root/.cache
+
+#PIPVENV__END
 
 ##################
 # Get base image #
@@ -158,27 +209,18 @@ RUN mkdir -p ${GOPATH}/src ${GOPATH}/bin || true && \
     # Ignore npm package issues
     yarn config set ignore-engines true || true
 
+COPY --link --from=python-venv /venv /venv
+
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
 #############################################################################################
 #PIP__START
 
 #PIP__END
 
-#PIPVENV__START
-RUN PYTHONDONTWRITEBYTECODE=1 pip3 install --no-cache-dir --upgrade pip virtualenv \
-    && mkdir -p "/venvs/ansible-lint" && cd "/venvs/ansible-lint" && virtualenv . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --no-cache-dir ansible-lint && deactivate && cd ./../.. \
-    && mkdir -p "/venvs/djlint" && cd "/venvs/djlint" && virtualenv . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --no-cache-dir djlint && deactivate && cd ./../.. \
-    && mkdir -p "/venvs/checkov" && cd "/venvs/checkov" && virtualenv . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --no-cache-dir packaging checkov && deactivate && cd ./../.. \
-    && mkdir -p "/venvs/semgrep" && cd "/venvs/semgrep" && virtualenv . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --no-cache-dir semgrep && deactivate && cd ./../.. \
-    && mkdir -p "/venvs/snakemake" && cd "/venvs/snakemake" && virtualenv . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --no-cache-dir snakemake && deactivate && cd ./../.. \
-    && mkdir -p "/venvs/snakefmt" && cd "/venvs/snakefmt" && virtualenv . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --no-cache-dir snakefmt && deactivate && cd ./../.. \
-    && mkdir -p "/venvs/proselint" && cd "/venvs/proselint" && virtualenv . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --no-cache-dir proselint && deactivate && cd ./../.. \
-    && mkdir -p "/venvs/sqlfluff" && cd "/venvs/sqlfluff" && virtualenv . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --no-cache-dir sqlfluff && deactivate && cd ./../.. \
-    && mkdir -p "/venvs/yamllint" && cd "/venvs/yamllint" && virtualenv . && source bin/activate && PYTHONDONTWRITEBYTECODE=1 pip3 install --no-cache-dir yamllint && deactivate && cd ./../..  \
-    && find . | grep -E "(/__pycache__$|\.pyc$|\.pyo$)" | xargs rm -rf && rm -rf /root/.cache
+#PIPVENV_PATH__START
 ENV PATH="${PATH}":/venvs/ansible-lint/bin:/venvs/djlint/bin:/venvs/checkov/bin:/venvs/semgrep/bin:/venvs/snakemake/bin:/venvs/snakefmt/bin:/venvs/proselint/bin:/venvs/sqlfluff/bin:/venvs/yamllint/bin
-#PIPVENV__END
+#PIPVENV_PATH__END
 
 ############################
 # Install NPM dependencies #