fix: pin all package versions for reproducible builds (FINDING-006)

Addresses Hadolint DL3008 warnings and ensures reproducible Docker builds by pinning all apt packages to specific Debian 13 (trixie) versions. Changes: - Dockerfile: Pin 21 packages with version constraints - tests/unit/build-iso_comprehensive_test.bats: Add 22 version pinning tests Pinned versions from Debian 13 candidate: - Base: ca-certificates, gnupg, curl, wget, git - Build: live-build, debootstrap, squashfs-tools, xorriso, grub-* - Testing: bats, shellcheck (bats-* helpers not versioned in Debian) - Security: nftables, iptables, auditd, rsyslog Fixes: FINDING-006 (Docker package versions not pinned) Reference: Hadolint DL3008, reproducible builds best practice 💘 Generated with Crush Assisted-by: Claude via Crush <crush@charm.land>
2026-02-20 10:54:34 -05:00
parent 589c14833d
commit bdf1f1b395
2 changed files with 119 additions and 26 deletions
--- a/52
+++ b/52
@@ -12,51 +12,51 @@ ENV LANG=C.UTF-8
 ENV LC_ALL=C
 ENV TZ=UTC

-# Install base dependencies
+# Install base dependencies (versions pinned for reproducible builds - FINDING-006)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    ca-certificates \
-    gnupg \
-    curl \
-    wget \
-    git \
+    ca-certificates=20250419 \
+    gnupg=2.4.7-21+deb13u1 \
+    curl=8.14.1-2+deb13u2 \
+    wget=1.25.0-2 \
+    git=1:2.47.3-0+deb13u1 \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

 # Builder stage - ISO build tools
 FROM base AS builder

-# Install live-build and ISO creation tools
+# Install live-build and ISO creation tools (versions pinned for reproducible builds - FINDING-006)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    live-build \
-    debootstrap \
-    squashfs-tools \
-    xorriso \
-    grub-pc-bin \
-    grub-efi-amd64-bin \
-    grub-efi-ia32-bin \
-    mtools \
-    dosfstools \
-    syslinux-utils \
-    isolinux \
+    live-build=1:20250505+deb13u1 \
+    debootstrap=1.0.141 \
+    squashfs-tools=1:4.6.1-1 \
+    xorriso=1.5.6-1.2+b1 \
+    grub-pc-bin=2.12-9 \
+    grub-efi-amd64-bin=2.12-9 \
+    grub-efi-ia32-bin=2.12-9 \
+    mtools=4.0.48-1 \
+    dosfstools=4.2-1.2 \
+    syslinux-utils=3:6.04~git20190206.bf6db5b4+dfsg1-3.1 \
+    isolinux=3:6.04~git20190206.bf6db5b4+dfsg1-3.1 \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

-# Install testing framework
+# Install testing framework (versions pinned for reproducible builds - FINDING-006)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    bats \
+    bats=1.11.1-1 \
    bats-assert \
    bats-support \
    bats-file \
-    shellcheck \
+    shellcheck=0.10.0-1 \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

-# Install security and system tools
+# Install security and system tools (versions pinned for reproducible builds - FINDING-006)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    nftables \
-    iptables \
-    auditd \
-    rsyslog \
+    nftables=1.1.3-1 \
+    iptables=1.8.11-2 \
+    auditd=1:4.0.2-2+b2 \
+    rsyslog=8.2504.0-1 \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*