Fix CI, CVEs

Author: mistraloz

.github/workflows/workflow.yml

@@ -18,7 +18,7 @@ jobs:
         php_version: ['8.4', '8.3','8.2','8.1']
         variant: ['apache','cli','fpm']
 #        builder: [ {arch: "amd64", os: "ubuntu-latest"}, {arch: "arm64", os: "macos-latest"}]
-        builder: [ {arch: "amd64", os: "ubuntu-latest"}, {arch: "arm64", os: "ubuntu-latest"}]
+        builder: [ {arch: "amd64", os: "ubuntu-24.04"}, {arch: "arm64", os: "ubuntu-24.04"}]
     runs-on: ${{ matrix.builder.os }}
     name: Test ${{ matrix.php_version }}-${{ matrix.variant }} ${{ matrix.builder.arch }} only
     steps:
@@ -110,7 +110,7 @@ jobs:
             --set "*.output=type=registry" \
             php${PHP_VERSION//.}-${{ matrix.variant }}-all
       - name: Push artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.php_version }}-${{ matrix.variant }}
           path: /tmp/tags.log

CHANGELOG.md

@@ -1,4 +1,9 @@
 # Change Log
+## Version 5
+
+**2025-01-27**
+  * Upgrade the base version from Ubuntu 20.04 to 24.04
+  * Default blackfire version is now the version 2 (v1 is still available with BLACKFIRE_VERSION=1 at buildtime but with securities issues)
 
 ## Version 4
 

Dockerfile.apache

@@ -14,7 +14,7 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 ARG TARGETOS
 ARG TARGETARCH
-ARG BLACKFIRE_VERSION=1
+ARG BLACKFIRE_VERSION=2
 
 # |--------------------------------------------------------------------------
 # | Main PHP extensions

Dockerfile.apache.node

@@ -1,8 +1,10 @@
 #syntax=docker/dockerfile-upstream:1
 # DO NOT EDIT THIS FILE : Make yours changes in /utils/Dockerfile.*.blueprint)
+ARG PHP_VERSION="8.4"
+ARG GLOBAL_VERSION="v5"
 ARG REPO="thecodingmachine/php"
 ARG TAG_PREFIX=""
-ARG FROM_IMAGE="${REPO}:${TAG_PREFIX}:${PHP_VERSION}-${GLOBAL_VERSION}-apache"
+ARG FROM_IMAGE="${REPO}:${TAG_PREFIX}${PHP_VERSION}-${GLOBAL_VERSION}-apache"
 FROM $FROM_IMAGE
 LABEL authors="Julien Neuhart <[email protected]>, David Négrier <[email protected]>"
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

Dockerfile.cli

@@ -14,7 +14,7 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 ARG TARGETOS
 ARG TARGETARCH
-ARG BLACKFIRE_VERSION=1
+ARG BLACKFIRE_VERSION=2
 
 # |--------------------------------------------------------------------------
 # | Main PHP extensions

Dockerfile.cli.node

@@ -1,8 +1,10 @@
 #syntax=docker/dockerfile-upstream:1
 # DO NOT EDIT THIS FILE : Make yours changes in /utils/Dockerfile.*.blueprint)
+ARG PHP_VERSION="8.4"
+ARG GLOBAL_VERSION="v5"
 ARG REPO="thecodingmachine/php"
 ARG TAG_PREFIX=""
-ARG FROM_IMAGE="${REPO}:${TAG_PREFIX}:${PHP_VERSION}-${GLOBAL_VERSION}-cli"
+ARG FROM_IMAGE="${REPO}:${TAG_PREFIX}${PHP_VERSION}-${GLOBAL_VERSION}-cli"
 FROM $FROM_IMAGE
 LABEL authors="Julien Neuhart <[email protected]>, David Négrier <[email protected]>"
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

Dockerfile.fpm

@@ -14,7 +14,7 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 ARG TARGETOS
 ARG TARGETARCH
-ARG BLACKFIRE_VERSION=1
+ARG BLACKFIRE_VERSION=2
 
 # |--------------------------------------------------------------------------
 # | Main PHP extensions

Dockerfile.fpm.node

@@ -1,8 +1,10 @@
 #syntax=docker/dockerfile-upstream:1
 # DO NOT EDIT THIS FILE : Make yours changes in /utils/Dockerfile.*.blueprint)
+ARG PHP_VERSION="8.4"
+ARG GLOBAL_VERSION="v5"
 ARG REPO="thecodingmachine/php"
 ARG TAG_PREFIX=""
-ARG FROM_IMAGE="${REPO}:${TAG_PREFIX}:${PHP_VERSION}-${GLOBAL_VERSION}-fpm"
+ARG FROM_IMAGE="${REPO}:${TAG_PREFIX}${PHP_VERSION}-${GLOBAL_VERSION}-fpm"
 FROM $FROM_IMAGE
 LABEL authors="Julien Neuhart <[email protected]>, David Négrier <[email protected]>"
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

Dockerfile.slim.apache

@@ -1,8 +1,9 @@
 #syntax=docker/dockerfile-upstream:1
 # DO NOT EDIT THIS FILE : Make yours changes in /utils/Dockerfile.*.blueprint)
-FROM ubuntu:24.04
+FROM ubuntu:24.04 as base1
 LABEL authors="Julien Neuhart <[email protected]>, David Négrier <[email protected]>"
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+FROM base1 as base
 
 # Fixes some weird terminal issues such as broken clear / CTRL+L
 #ENV TERM=linux
@@ -13,7 +14,7 @@ ENV DEBIAN_FRONTEND=noninteractive
 ARG PHP_VERSION
 ARG TARGETOS
 ARG TARGETARCH
-ARG BLACKFIRE_VERSION=1
+ARG BLACKFIRE_VERSION=2
 ONBUILD ARG TARGETOS=${TARGETOS}
 ONBUILD ARG TARGETARCH=${TARGETARCH}
 ONBUILD ARG BLACKFIRE_VERSION=${BLACKFIRE_VERSION}
@@ -32,26 +33,32 @@ ENV PHP_VERSION=${PHP_VERSION}
 
 # Install php an other packages
 RUN apt update \
-    && apt install -y software-properties-common \
+    && apt upgrade -y \
+    && apt install -y software-properties-common --no-install-recommends \
     && add-apt-repository ppa:ondrej/php \
+    && apt remove --purge -y software-properties-common \
+    && apt autoremove -y \
     && apt install -y --no-install-recommends \
-        git \
         nano \
         sudo \
+        git \
         iproute2 \
-        openssh-client \
         procps \
+        curl \
         unzip \
         ca-certificates \
-        curl \
+        openssh-client \
+    && apt clean \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*
+RUN apt update \
+    && apt install -y --no-install-recommends \
         php${PHP_VERSION}-cli \
         php${PHP_VERSION}-curl \
         php${PHP_VERSION}-mbstring \
         php${PHP_VERSION}-opcache \
         php${PHP_VERSION}-readline \
         php${PHP_VERSION}-xml \
         php${PHP_VERSION}-zip \
-    && if [[ "${PHP_VERSION}" =~ ^7 ]]; then apt install -y --no-install-recommends php${PHP_VERSION}-json; fi \
     && apt clean \
     && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*
 
@@ -403,3 +410,6 @@ ONBUILD RUN if [ -n "$NODE_VERSION" ]; then \
     sudo apt clean && \
     sudo rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*; \
     fi;
+
+FROM base as step4
+FROM step4 as final

Dockerfile.slim.cli

@@ -1,8 +1,9 @@
 #syntax=docker/dockerfile-upstream:1
 # DO NOT EDIT THIS FILE : Make yours changes in /utils/Dockerfile.*.blueprint)
-FROM ubuntu:24.04
+FROM ubuntu:24.04 as base1
 LABEL authors="Julien Neuhart <[email protected]>, David Négrier <[email protected]>"
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+FROM base1 as base
 
 # Fixes some weird terminal issues such as broken clear / CTRL+L
 #ENV TERM=linux
@@ -13,7 +14,7 @@ ENV DEBIAN_FRONTEND=noninteractive
 ARG PHP_VERSION
 ARG TARGETOS
 ARG TARGETARCH
-ARG BLACKFIRE_VERSION=1
+ARG BLACKFIRE_VERSION=2
 ONBUILD ARG TARGETOS=${TARGETOS}
 ONBUILD ARG TARGETARCH=${TARGETARCH}
 ONBUILD ARG BLACKFIRE_VERSION=${BLACKFIRE_VERSION}
@@ -32,26 +33,32 @@ ENV PHP_VERSION=${PHP_VERSION}
 
 # Install php an other packages
 RUN apt update \
-    && apt install -y software-properties-common \
+    && apt upgrade -y \
+    && apt install -y software-properties-common --no-install-recommends \
     && add-apt-repository ppa:ondrej/php \
+    && apt remove --purge -y software-properties-common \
+    && apt autoremove -y \
     && apt install -y --no-install-recommends \
-        git \
         nano \
         sudo \
+        git \
         iproute2 \
-        openssh-client \
         procps \
+        curl \
         unzip \
         ca-certificates \
-        curl \
+        openssh-client \
+    && apt clean \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*
+RUN apt update \
+    && apt install -y --no-install-recommends \
         php${PHP_VERSION}-cli \
         php${PHP_VERSION}-curl \
         php${PHP_VERSION}-mbstring \
         php${PHP_VERSION}-opcache \
         php${PHP_VERSION}-readline \
         php${PHP_VERSION}-xml \
         php${PHP_VERSION}-zip \
-    && if [[ "${PHP_VERSION}" =~ ^7 ]]; then apt install -y --no-install-recommends php${PHP_VERSION}-json; fi \
     && apt clean \
     && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*
 
@@ -308,3 +315,6 @@ ONBUILD RUN if [ -n "$NODE_VERSION" ]; then \
     sudo apt clean && \
     sudo rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*; \
     fi;
+
+FROM base as step4
+FROM step4 as final

Dockerfile.slim.fpm

@@ -1,8 +1,9 @@
 #syntax=docker/dockerfile-upstream:1
 # DO NOT EDIT THIS FILE : Make yours changes in /utils/Dockerfile.*.blueprint)
-FROM ubuntu:24.04
+FROM ubuntu:24.04 as base1
 LABEL authors="Julien Neuhart <[email protected]>, David Négrier <[email protected]>"
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+FROM base1 as base
 
 # Fixes some weird terminal issues such as broken clear / CTRL+L
 #ENV TERM=linux
@@ -13,7 +14,7 @@ ENV DEBIAN_FRONTEND=noninteractive
 ARG PHP_VERSION
 ARG TARGETOS
 ARG TARGETARCH
-ARG BLACKFIRE_VERSION=1
+ARG BLACKFIRE_VERSION=2
 ONBUILD ARG TARGETOS=${TARGETOS}
 ONBUILD ARG TARGETARCH=${TARGETARCH}
 ONBUILD ARG BLACKFIRE_VERSION=${BLACKFIRE_VERSION}
@@ -32,26 +33,32 @@ ENV PHP_VERSION=${PHP_VERSION}
 
 # Install php an other packages
 RUN apt update \
-    && apt install -y software-properties-common \
+    && apt upgrade -y \
+    && apt install -y software-properties-common --no-install-recommends \
     && add-apt-repository ppa:ondrej/php \
+    && apt remove --purge -y software-properties-common \
+    && apt autoremove -y \
     && apt install -y --no-install-recommends \
-        git \
         nano \
         sudo \
+        git \
         iproute2 \
-        openssh-client \
         procps \
+        curl \
         unzip \
         ca-certificates \
-        curl \
+        openssh-client \
+    && apt clean \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*
+RUN apt update \
+    && apt install -y --no-install-recommends \
         php${PHP_VERSION}-cli \
         php${PHP_VERSION}-curl \
         php${PHP_VERSION}-mbstring \
         php${PHP_VERSION}-opcache \
         php${PHP_VERSION}-readline \
         php${PHP_VERSION}-xml \
         php${PHP_VERSION}-zip \
-    && if [[ "${PHP_VERSION}" =~ ^7 ]]; then apt install -y --no-install-recommends php${PHP_VERSION}-json; fi \
     && apt clean \
     && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*
 
@@ -327,3 +334,6 @@ ONBUILD RUN if [ -n "$NODE_VERSION" ]; then \
     sudo apt clean && \
     sudo rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*; \
     fi;
+
+FROM base as step4
+FROM step4 as final

MIGRATING.md

@@ -8,6 +8,7 @@ v5 is mostly fully compatible with v4, the main issue that may happen are relate
 Important changes:
 - v4 images are based on **Ubuntu 20.04**. v5 images are based on **Ubuntu 24.04**.
 - Removing of all unsupported version (not maintenance/security support : that is still possible to use the old tags/force manually the rebuild)
+- Default blackfire version is now the version 2
 
 # Migrating from v3 to v4 images
 

Makefile

@@ -69,21 +69,31 @@ clean: ## Clean dangles image after build
 
 test-manual-build:
 	docker build \
-		--build-arg PHP_VERSION="8.4" \
-		--build-arg VARIANT="cli" \
+		--build-arg PHP_VERSION="8.3" \
+		--build-arg VARIANT="apache" \
 		--build-arg GLOBAL_VERSION="v5" \
-		--file ./Dockerfile.slim.cli \
+		--file ./Dockerfile.slim.apache \
 		--tag testv5-slim \
 		.
 	docker --debug build \
-		--build-arg PHP_VERSION="8.4" \
-		--build-arg VARIANT="cli" \
+		--build-arg PHP_VERSION="8.3" \
+		--build-arg VARIANT="apache" \
 		--build-arg GLOBAL_VERSION="v5" \
 		--build-arg FROM_IMAGE="testv5-slim" \
-		--file ./Dockerfile.cli \
+		--file ./Dockerfile.apache \
 		--tag testv5 \
 		.
-#		--target=base \
+	docker --debug build \
+		--build-arg PHP_VERSION="8.3" \
+		--build-arg VARIANT="apache-node22" \
+		--build-arg NODE_VERSION="22" \
+		--build-arg GLOBAL_VERSION="v5" \
+		--build-arg FROM_IMAGE="testv5" \
+		--file ./Dockerfile.apache.node \
+		--tag testv5-node \
+		.
+	docker scout cves testv5-node --only-fixed --locations
+	#docker scout cves testv5-node --ignore-base --only-fixed --only-severity critical,high,medium,unspecified --locations
 
 test-manual-exec:
 	docker run --rm -it testv5 bash