Add ignore-scripts argument sonarqube (#244)

* Fixing sonar hotspot

* More sonar security hotspots

* Use dummy transport proxy for the anms-core integration test

Author: BrianSipos

.github/workflows/anms-core.yaml

@@ -35,29 +35,29 @@ jobs:
     env:
       ANMS_COMPOSE_OPTS: -f docker-compose.yml --profile light
       TEST_COMPOSE_OPTS: -f anms-core/integration_test/docker-compose.yml
-      HOST_SOCKDIR: sockdir
-      CTR_SOCKDIR: /var/tmp/nm
+      HOST_SOCKDIR: /run/anms
       DOCKER_CMD: docker
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
           submodules: recursive
       - name: Build ANMS
-        run: docker compose ${ANMS_COMPOSE_OPTS} build
+        run: ${DOCKER_CMD} compose ${ANMS_COMPOSE_OPTS} build
       - name: Build TEST
-        run: docker compose ${TEST_COMPOSE_OPTS} build
+        run: ${DOCKER_CMD} compose ${TEST_COMPOSE_OPTS} build
       - name: Build Volume
         run: |
           ./create_volume.sh ./puppet/modules/apl_test/files/anms/tls
           sudo mkdir /run/anms
-      - name: run
+      - name: Start
         run: |
-          docker compose  ${ANMS_COMPOSE_OPTS} up -d --force-recreate --wait --wait-timeout 600
-          docker compose ${TEST_COMPOSE_OPTS} run test-fixture
-      - name: after_script
+          ${DOCKER_CMD} compose ${TEST_COMPOSE_OPTS} up -d test-transport
+          ${DOCKER_CMD} compose ${ANMS_COMPOSE_OPTS} up -d --force-recreate --wait --wait-timeout 600
+      - name: Test
+        run: ${DOCKER_CMD} compose ${TEST_COMPOSE_OPTS} run test-runner
+      - name: Status
+        if: failure()
         run: |
-          if [ "${CI_JOB_STATUS}" = 'failed' ]; then
-            docker logs anms-core
-          fi
-
+          ${DOCKER_CMD} compose ${ANMS_COMPOSE_OPTS} ps
+          ${DOCKER_CMD} compose ${ANMS_COMPOSE_OPTS} logs anms-core

.github/workflows/build-test.yaml

@@ -60,6 +60,7 @@ jobs:
       - name: Status
         if: always()
         run: |
+          ${DOCKER_CMD} compose ${ANMS_COMPOSE_OPTS} ps
           for BADSTATUS in stopped restarting; do
             ${DOCKER_CMD} compose ${ANMS_COMPOSE_OPTS} ps --services --filter status=${BADSTATUS} | tee -a /tmp/notgood
           done

anms-core/integration_test/docker-compose.yml

@@ -29,9 +29,8 @@ networks:
 
 
 services:
-  # External dependencies first
-  test-fixture:
-    hostname: test-fixture
+  test-runner:
+    hostname: test-runner
     build:
       context: ../..
       dockerfile: anms.Containerfile
@@ -40,3 +39,14 @@ services:
       - anms
     depends_on:  {}
 
+  test-transport:
+    hostname: test-transport
+    build:
+      context: ../..
+      dockerfile: testenv.Containerfile
+      target: socat-transport
+    networks: {}
+    depends_on:  {}
+    volumes:
+      - "${HOST_SOCKDIR}:/var/tmp/anms"
+    environment: {}

anms.Containerfile

@@ -91,7 +91,7 @@ ENV NODE_OPTIONS=--use-openssl-ca
 RUN --mount=type=cache,target=/var/cache/yum \
     dnf install -y https://rpm.nodesource.com/pub_16.x/el/9/x86_64/nodesource-release-el9-1.noarch.rpm && \
     dnf install -y nodejs && \
-    npm install --global yarn && \
+    npm install --ignore-scripts --global yarn && \
     yarn config set --global cafile ${PIP_CERT}
 
 
@@ -112,14 +112,14 @@ COPY --chown=${APP_USER}:${APP_USER} \
     anms-ui/server/package.json anms-ui/server/yarn.lock ${APP_WORK_DIR}/server/
 RUN --mount=type=cache,uid=9999,gid=9999,target=/home/${APP_USER}/.cache/yarn \
     cd ${APP_WORK_DIR}/server && \
-    yarn install --immutable --immutable-cache
+    yarn install --ignore-scripts --immutable --immutable-cache
 
 # Install NodeJS UI Dependencies
 COPY --chown=${APP_USER}:${APP_USER} \
     anms-ui/public/package.json anms-ui/public/yarn.lock ${APP_WORK_DIR}/public/
 RUN --mount=type=cache,uid=9999,gid=9999,target=/home/${APP_USER}/.cache/yarn \
     cd ${APP_WORK_DIR}/public && \
-    yarn install --immutable --immutable-cache
+    yarn install --ignore-scripts --immutable --immutable-cache
 
 # Build Backend/Frontend
 # These copies do not overwrite node_modules
@@ -129,7 +129,7 @@ RUN --mount=type=cache,uid=9999,gid=9999,target=/home/${APP_USER}/.cache/yarn \
     cd ${APP_WORK_DIR}/public && \
     yarn run build && \
     rm -rf ${APP_WORK_DIR}/public/node_modules && \
-    yarn install --immutable --immutable-cache --production
+    yarn install --ignore-scripts --immutable --immutable-cache --production
 
 COPY --chmod=755 anms-ui/docker-entrypoint.sh /usr/local/bin/docker-entrypoint
 ENTRYPOINT ["docker-entrypoint"]
@@ -286,9 +286,11 @@ ENV PIP_CERT=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 ENV PIP_DEFAULT_TIMEOUT=300
 
 
-RUN dnf install -y epel-release && \
+RUN --mount=type=cache,target=/var/cache/yum \
+    dnf install -y epel-release && \
     crb enable
-RUN dnf install -y \
+RUN --mount=type=cache,target=/var/cache/yum \
+    dnf install -y \
         gcc g++ \
         cmake ninja-build ruby pkg-config \
         flex libfl-static bison pcre2-devel civetweb civetweb-devel openssl-devel cjson-devel libpq-devel systemd-devel && \
@@ -350,7 +352,8 @@ RUN cd /usr/local/src/nm && \
 # Runtime image for REFDM
 FROM anms-base AS amp-manager
 
-RUN dnf install -y https://download.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
+RUN --mount=type=cache,target=/var/cache/yum \
+    dnf install -y https://download.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
     crb enable && \
     dnf install -y \
         pcre2 civetweb openssl-libs cjson libpq

testenv.Containerfile

@@ -185,3 +185,16 @@ EXPOSE 4556/udp
 
 HEALTHCHECK --start-period=10s --interval=30s --timeout=5s --retries=5 \
     CMD ["service_is_running", "ion", "refda-ion"]
+
+
+# This image provides a very simple socat-baseed transport proxy.
+#
+FROM registry.access.redhat.com/ubi9/ubi:9.2 AS socat-transport
+
+RUN --mount=type=cache,target=/var/cache/yum \
+    dnf install -y https://download.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
+    crb enable && \
+    dnf install -y \
+        socat
+
+CMD ["socat", "-x", "stdio", "UNIX-LISTEN:/var/tmp/anms/proxy.sock,socktype=5,forever"]