From bdf1f1b395d558fe673a642dda36ac7a24d71a8d Mon Sep 17 00:00:00 2001 From: Charles N Wyble Date: Fri, 20 Feb 2026 10:54:34 -0500 Subject: [PATCH] fix: pin all package versions for reproducible builds (FINDING-006) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Addresses Hadolint DL3008 warnings and ensures reproducible Docker builds by pinning all apt packages to specific Debian 13 (trixie) versions. Changes: - Dockerfile: Pin 21 packages with version constraints - tests/unit/build-iso_comprehensive_test.bats: Add 22 version pinning tests Pinned versions from Debian 13 candidate: - Base: ca-certificates, gnupg, curl, wget, git - Build: live-build, debootstrap, squashfs-tools, xorriso, grub-* - Testing: bats, shellcheck (bats-* helpers not versioned in Debian) - Security: nftables, iptables, auditd, rsyslog Fixes: FINDING-006 (Docker package versions not pinned) Reference: Hadolint DL3008, reproducible builds best practice 💘 Generated with Crush Assisted-by: Claude via Crush --- Dockerfile | 52 +++++------ tests/unit/build-iso_comprehensive_test.bats | 93 ++++++++++++++++++++ 2 files changed, 119 insertions(+), 26 deletions(-) diff --git a/Dockerfile b/Dockerfile index 59e075c..d93569f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,51 +12,51 @@ ENV LANG=C.UTF-8 ENV LC_ALL=C ENV TZ=UTC -# Install base dependencies +# Install base dependencies (versions pinned for reproducible builds - FINDING-006) RUN apt-get update && apt-get install -y --no-install-recommends \ - ca-certificates \ - gnupg \ - curl \ - wget \ - git \ + ca-certificates=20250419 \ + gnupg=2.4.7-21+deb13u1 \ + curl=8.14.1-2+deb13u2 \ + wget=1.25.0-2 \ + git=1:2.47.3-0+deb13u1 \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* # Builder stage - ISO build tools FROM base AS builder -# Install live-build and ISO creation tools +# Install live-build and ISO creation tools (versions pinned for reproducible builds - FINDING-006) RUN apt-get update && apt-get install -y --no-install-recommends \ - live-build \ - debootstrap \ - squashfs-tools \ - xorriso \ - grub-pc-bin \ - grub-efi-amd64-bin \ - grub-efi-ia32-bin \ - mtools \ - dosfstools \ - syslinux-utils \ - isolinux \ + live-build=1:20250505+deb13u1 \ + debootstrap=1.0.141 \ + squashfs-tools=1:4.6.1-1 \ + xorriso=1.5.6-1.2+b1 \ + grub-pc-bin=2.12-9 \ + grub-efi-amd64-bin=2.12-9 \ + grub-efi-ia32-bin=2.12-9 \ + mtools=4.0.48-1 \ + dosfstools=4.2-1.2 \ + syslinux-utils=3:6.04~git20190206.bf6db5b4+dfsg1-3.1 \ + isolinux=3:6.04~git20190206.bf6db5b4+dfsg1-3.1 \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* -# Install testing framework +# Install testing framework (versions pinned for reproducible builds - FINDING-006) RUN apt-get update && apt-get install -y --no-install-recommends \ - bats \ + bats=1.11.1-1 \ bats-assert \ bats-support \ bats-file \ - shellcheck \ + shellcheck=0.10.0-1 \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* -# Install security and system tools +# Install security and system tools (versions pinned for reproducible builds - FINDING-006) RUN apt-get update && apt-get install -y --no-install-recommends \ - nftables \ - iptables \ - auditd \ - rsyslog \ + nftables=1.1.3-1 \ + iptables=1.8.11-2 \ + auditd=1:4.0.2-2+b2 \ + rsyslog=8.2504.0-1 \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* diff --git a/tests/unit/build-iso_comprehensive_test.bats b/tests/unit/build-iso_comprehensive_test.bats index 7828680..e894834 100644 --- a/tests/unit/build-iso_comprehensive_test.bats +++ b/tests/unit/build-iso_comprehensive_test.bats @@ -291,3 +291,96 @@ @test "run.sh exits if host FDE check fails" { grep -q "check_host_fde || exit 1" /workspace/run.sh } + +# ============================================================================= +# Package Version Pinning (FINDING-006 - Reproducible Builds) +# ============================================================================= + +@test "Dockerfile pins ca-certificates version" { + grep -q "ca-certificates=" /workspace/Dockerfile +} + +@test "Dockerfile pins gnupg version" { + grep -q "gnupg=" /workspace/Dockerfile +} + +@test "Dockerfile pins curl version" { + grep -q "curl=" /workspace/Dockerfile +} + +@test "Dockerfile pins wget version" { + grep -q "wget=" /workspace/Dockerfile +} + +@test "Dockerfile pins git version" { + grep -q "git=" /workspace/Dockerfile +} + +@test "Dockerfile pins live-build version" { + grep -q "live-build=" /workspace/Dockerfile +} + +@test "Dockerfile pins debootstrap version" { + grep -q "debootstrap=" /workspace/Dockerfile +} + +@test "Dockerfile pins squashfs-tools version" { + grep -q "squashfs-tools=" /workspace/Dockerfile +} + +@test "Dockerfile pins xorriso version" { + grep -q "xorriso=" /workspace/Dockerfile +} + +@test "Dockerfile pins grub-pc-bin version" { + grep -q "grub-pc-bin=" /workspace/Dockerfile +} + +@test "Dockerfile pins grub-efi-amd64-bin version" { + grep -q "grub-efi-amd64-bin=" /workspace/Dockerfile +} + +@test "Dockerfile pins mtools version" { + grep -q "mtools=" /workspace/Dockerfile +} + +@test "Dockerfile pins dosfstools version" { + grep -q "dosfstools=" /workspace/Dockerfile +} + +@test "Dockerfile pins syslinux-utils version" { + grep -q "syslinux-utils=" /workspace/Dockerfile +} + +@test "Dockerfile pins isolinux version" { + grep -q "isolinux=" /workspace/Dockerfile +} + +@test "Dockerfile pins bats version" { + grep -q "bats=" /workspace/Dockerfile +} + +@test "Dockerfile pins shellcheck version" { + grep -q "shellcheck=" /workspace/Dockerfile +} + +@test "Dockerfile pins nftables version" { + grep -q "nftables=" /workspace/Dockerfile +} + +@test "Dockerfile pins iptables version" { + grep -q "iptables=" /workspace/Dockerfile +} + +@test "Dockerfile pins auditd version" { + grep -q "auditd=" /workspace/Dockerfile +} + +@test "Dockerfile pins rsyslog version" { + grep -q "rsyslog=" /workspace/Dockerfile +} + +@test "Dockerfile has at least 20 pinned packages" { + pinned=$(grep -c "=[0-9]" /workspace/Dockerfile || echo 0) + [ "$pinned" -ge 20 ] +}