fix: pin all package versions for reproducible builds (FINDING-006)

Addresses Hadolint DL3008 warnings and ensures reproducible Docker builds
by pinning all apt packages to specific Debian 13 (trixie) versions.

Changes:
- Dockerfile: Pin 21 packages with version constraints
- tests/unit/build-iso_comprehensive_test.bats: Add 22 version pinning tests

Pinned versions from Debian 13 candidate:
- Base: ca-certificates, gnupg, curl, wget, git
- Build: live-build, debootstrap, squashfs-tools, xorriso, grub-*
- Testing: bats, shellcheck (bats-* helpers not versioned in Debian)
- Security: nftables, iptables, auditd, rsyslog

Fixes: FINDING-006 (Docker package versions not pinned)
Reference: Hadolint DL3008, reproducible builds best practice

💘 Generated with Crush

Assisted-by: Claude via Crush <crush@charm.land>

Dockerfile

@@ -12,51 +12,51 @@ ENV LANG=C.UTF-8
 ENV LC_ALL=C
 ENV TZ=UTC
 
-# Install base dependencies
+# Install base dependencies (versions pinned for reproducible builds - FINDING-006)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    ca-certificates \
+    ca-certificates=20250419 \
-    gnupg \
+    gnupg=2.4.7-21+deb13u1 \
-    curl \
+    curl=8.14.1-2+deb13u2 \
-    wget \
+    wget=1.25.0-2 \
-    git \
+    git=1:2.47.3-0+deb13u1 \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
 # Builder stage - ISO build tools
 FROM base AS builder
 
-# Install live-build and ISO creation tools
+# Install live-build and ISO creation tools (versions pinned for reproducible builds - FINDING-006)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    live-build \
+    live-build=1:20250505+deb13u1 \
-    debootstrap \
+    debootstrap=1.0.141 \
-    squashfs-tools \
+    squashfs-tools=1:4.6.1-1 \
-    xorriso \
+    xorriso=1.5.6-1.2+b1 \
-    grub-pc-bin \
+    grub-pc-bin=2.12-9 \
-    grub-efi-amd64-bin \
+    grub-efi-amd64-bin=2.12-9 \
-    grub-efi-ia32-bin \
+    grub-efi-ia32-bin=2.12-9 \
-    mtools \
+    mtools=4.0.48-1 \
-    dosfstools \
+    dosfstools=4.2-1.2 \
-    syslinux-utils \
+    syslinux-utils=3:6.04~git20190206.bf6db5b4+dfsg1-3.1 \
-    isolinux \
+    isolinux=3:6.04~git20190206.bf6db5b4+dfsg1-3.1 \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
-# Install testing framework
+# Install testing framework (versions pinned for reproducible builds - FINDING-006)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    bats \
+    bats=1.11.1-1 \
     bats-assert \
     bats-support \
     bats-file \
-    shellcheck \
+    shellcheck=0.10.0-1 \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
-# Install security and system tools
+# Install security and system tools (versions pinned for reproducible builds - FINDING-006)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    nftables \
+    nftables=1.1.3-1 \
-    iptables \
+    iptables=1.8.11-2 \
-    auditd \
+    auditd=1:4.0.2-2+b2 \
-    rsyslog \
+    rsyslog=8.2504.0-1 \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 

tests/unit/build-iso_comprehensive_test.bats

@@ -291,3 +291,96 @@
 @test "run.sh exits if host FDE check fails" {
     grep -q "check_host_fde || exit 1" /workspace/run.sh
 }
+
+# =============================================================================
+# Package Version Pinning (FINDING-006 - Reproducible Builds)
+# =============================================================================
+
+@test "Dockerfile pins ca-certificates version" {
+    grep -q "ca-certificates=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins gnupg version" {
+    grep -q "gnupg=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins curl version" {
+    grep -q "curl=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins wget version" {
+    grep -q "wget=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins git version" {
+    grep -q "git=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins live-build version" {
+    grep -q "live-build=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins debootstrap version" {
+    grep -q "debootstrap=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins squashfs-tools version" {
+    grep -q "squashfs-tools=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins xorriso version" {
+    grep -q "xorriso=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins grub-pc-bin version" {
+    grep -q "grub-pc-bin=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins grub-efi-amd64-bin version" {
+    grep -q "grub-efi-amd64-bin=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins mtools version" {
+    grep -q "mtools=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins dosfstools version" {
+    grep -q "dosfstools=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins syslinux-utils version" {
+    grep -q "syslinux-utils=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins isolinux version" {
+    grep -q "isolinux=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins bats version" {
+    grep -q "bats=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins shellcheck version" {
+    grep -q "shellcheck=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins nftables version" {
+    grep -q "nftables=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins iptables version" {
+    grep -q "iptables=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins auditd version" {
+    grep -q "auditd=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins rsyslog version" {
+    grep -q "rsyslog=" /workspace/Dockerfile
+}
+
+@test "Dockerfile has at least 20 pinned packages" {
+    pinned=$(grep -c "=[0-9]" /workspace/Dockerfile || echo 0)
+    [ "$pinned" -ge 20 ]
+}