carverauto/serviceradar

Fork 0

Update/dockerfile rbe debian #2454

Merged

mfreeman451 merged 5 commits from refs/pull/2454/head into main

2025-11-23 16:47:00 +00:00

mfreeman451 commented

2025-11-23 16:45:52 +00:00

(Migrated from github.com)

Owner

Imported from GitHub pull request.

Original GitHub pull request: #1986
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1986
Original created: 2025-11-23T16:45:52Z
Original updated: 2025-11-23T16:47:30Z
Original head: carverauto/serviceradar:update/dockerfile_rbe_debian
Original base: main
Original merged: 2025-11-23T16:47:00Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Issue ticket number and link

Code checklist before requesting a review

I have signed the DCO?
The build completes without errors?
All tests are passing when running make test?

PR Type

Enhancement

Description

Migrate RBE executor image from Oracle Linux 9 to Ubuntu 24.04
Update container image version to v1.0.15 across configurations
Preserve Oracle Linux variant in separate Dockerfile.rbe-ora9
Fix Bazel toolchain configuration path in release workflow

Diagram Walkthrough

flowchart LR
  OL9["Oracle Linux 9<br/>RBE Executor"] -->|"Migrate to"| Ubuntu["Ubuntu 24.04<br/>RBE Executor v1.0.15"]
  OL9 -->|"Archive as"| ORA9["Dockerfile.rbe-ora9<br/>Legacy variant"]
  Ubuntu -->|"Update references"| Config["BUILD.bazel<br/>MODULE.bazel<br/>buildbuddy.yaml"]
  Config -->|"Fix toolchain"| Release["release.yml<br/>Bazel config"]

File Walkthrough

Relevant files

Enhancement

Dockerfile.rbe

Migrate RBE executor from Oracle Linux to Ubuntu

docker/Dockerfile.rbe

Replace Oracle Linux 9 base image with Ubuntu 24.04
Refactor package installation from dnf to apt-get with Debian packages
Simplify GCC toolchain setup (Ubuntu 24.04 defaults to GCC 13+)
Update PostgreSQL library paths to Ubuntu standard locations
Maintain CNPG image preload and Rust/cosign/syft installation logic

+62/-51

Dockerfile.rbe-ora9

Add legacy Oracle Linux 9 RBE Dockerfile variant

docker/Dockerfile.rbe-ora9

New file preserving original Oracle Linux 9 RBE executor configuration
Contains complete dnf-based package installation with gcc-toolset-13
Maintains RPM building support and Oracle-specific toolchain setup
Serves as legacy variant for users requiring RHEL-compatible
environment

+123/-0

Configuration changes

BUILD.bazel `Update RBE executor image version` BUILD.bazel Update RBE platform container image from v1.0.14 to v1.0.15 Maintains all platform constraints and exec properties	+1/-1
MODULE.bazel `Update buildbuddy toolchain container version` MODULE.bazel Update buildbuddy_toolchain_ext platform container image to v1.0.15 Aligns with new Ubuntu-based RBE executor image	+1/-1
buildbuddy.yaml `Update buildbuddy execution container version` buildbuddy.yaml Update execution config container image from v1.0.14 to v1.0.15 Maintains platform properties and execution timeout settings	+1/-1

Bug fix

release.yml

Fix Bazel RPM toolchain configuration path

.github/workflows/release.yml

Fix Bazel toolchain configuration path from
@rules_pkg//toolchains/rpm:is_rpmbuild_available to
//toolchains/rpm:is_rpmbuild_available
Remove outdated comment about local RPM building
Maintains remote build configuration and package publishing logic

+1/-2

Imported from GitHub pull request. Original GitHub pull request: #1986 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/pull/1986 Original created: 2025-11-23T16:45:52Z Original updated: 2025-11-23T16:47:30Z Original head: carverauto/serviceradar:update/dockerfile_rbe_debian Original base: main Original merged: 2025-11-23T16:47:00Z by @mfreeman451 --- ### **User description** ## IMPORTANT: Please sign the Developer Certificate of Origin Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include a [DCO sign-off statement]( https://developercertificate.org/) indicating the DCO acceptance in one commit message. Here is an example DCO Signed-off-by line in a commit message: ``` Signed-off-by: J. Doe <j.doe@domain.com> ``` ## Describe your changes ## Issue ticket number and link ## Code checklist before requesting a review - [ ] I have signed the DCO? - [ ] The build completes without errors? - [ ] All tests are passing when running make test? ___ ### **PR Type** Enhancement ___ ### **Description** - Migrate RBE executor image from Oracle Linux 9 to Ubuntu 24.04 - Update container image version to v1.0.15 across configurations - Preserve Oracle Linux variant in separate Dockerfile.rbe-ora9 - Fix Bazel toolchain configuration path in release workflow ___ ### Diagram Walkthrough ```mermaid flowchart LR OL9["Oracle Linux 9 RBE Executor"] -->|"Migrate to"| Ubuntu["Ubuntu 24.04 RBE Executor v1.0.15"] OL9 -->|"Archive as"| ORA9["Dockerfile.rbe-ora9 Legacy variant"] Ubuntu -->|"Update references"| Config["BUILD.bazel MODULE.bazel buildbuddy.yaml"] Config -->|"Fix toolchain"| Release["release.yml Bazel config"] ``` <details> <summary><h3> File Walkthrough</h3></summary> <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td>Enhancement</td><td><table> <tr> <td> <details> <summary>Dockerfile.rbe<dd><code>Migrate RBE executor from Oracle Linux to Ubuntu</code>                  </dd></summary> <hr> docker/Dockerfile.rbe <ul><li>Replace Oracle Linux 9 base image with Ubuntu 24.04 <li> Refactor package installation from dnf to apt-get with Debian packages <li> Simplify GCC toolchain setup (Ubuntu 24.04 defaults to GCC 13+) <li> Update PostgreSQL library paths to Ubuntu standard locations <li> Maintain CNPG image preload and Rust/cosign/syft installation logic</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/1986/files#diff-40936cbae5822a0a5fa8016befa08eb3a7836c93328e8043dcdfb3885a6201b2">+62/-51</a>  </td> </tr> <tr> <td> <details> <summary>Dockerfile.rbe-ora9<dd><code>Add legacy Oracle Linux 9 RBE Dockerfile variant</code>                  </dd></summary> <hr> docker/Dockerfile.rbe-ora9 <ul><li>New file preserving original Oracle Linux 9 RBE executor configuration <li> Contains complete dnf-based package installation with gcc-toolset-13 <li> Maintains RPM building support and Oracle-specific toolchain setup <li> Serves as legacy variant for users requiring RHEL-compatible environment</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/1986/files#diff-c4a73a282f345855c6c173679a1f3dcf26b8cc70e3a0f026bdb0ab0a40b6834d">+123/-0</a>  </td> </tr> </table></td></tr><tr><td>Configuration changes</td><td><table> <tr> <td> <details> <summary>BUILD.bazel<dd><code>Update RBE executor image version</code>                                                </dd></summary> <hr> BUILD.bazel <ul><li>Update RBE platform container image from v1.0.14 to v1.0.15 <li> Maintains all platform constraints and exec properties</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/1986/files#diff-7fc57714ef13c3325ce2a1130202edced92fcccc0c6db34a72f7b57f60d552a3">+1/-1</a>      </td> </tr> <tr> <td> <details> <summary>MODULE.bazel<dd><code>Update buildbuddy toolchain container version</code>                        </dd></summary> <hr> MODULE.bazel <ul><li>Update buildbuddy_toolchain_ext platform container image to v1.0.15 <li> Aligns with new Ubuntu-based RBE executor image</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/1986/files#diff-6136fc12446089c3db7360e923203dd114b6a1466252e71667c6791c20fe6bdc">+1/-1</a>      </td> </tr> <tr> <td> <details> <summary>buildbuddy.yaml<dd><code>Update buildbuddy execution container version</code>                        </dd></summary> <hr> buildbuddy.yaml <ul><li>Update execution config container image from v1.0.14 to v1.0.15 <li> Maintains platform properties and execution timeout settings</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/1986/files#diff-455c97ce748484a181e002949dbe70422aedc497a358e023dc162776ce940751">+1/-1</a>      </td> </tr> </table></td></tr><tr><td>Bug fix</td><td><table> <tr> <td> <details> <summary>release.yml<dd><code>Fix Bazel RPM toolchain configuration path</code>                              </dd></summary> <hr> .github/workflows/release.yml <ul><li>Fix Bazel toolchain configuration path from <code>@rules_pkg//toolchains/rpm:is_rpmbuild_available</code> to <code>//toolchains/rpm:is_rpmbuild_available</code> <li> Remove outdated comment about local RPM building <li> Maintains remote build configuration and package publishing logic</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/1986/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34">+1/-2</a>      </td> </tr> </table></td></tr></tr></tbody></table> </details> ___

qodo-code-review[bot] commented

2025-11-23 16:46:27 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1986#issuecomment-3568143321
Original created: 2025-11-23T16:46:27Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🔴	Unsigned binary downloads Description: Downloading and installing 'cosign' and 'syft' via curl from GitHub without verifying checksums or signatures exposes the build to supply-chain attacks—add version-pinned checksums or signature verification to ensure binary integrity. Dockerfile.rbe [106-116] Referred Code `EOF # Install Rust toolchains for native builds. RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs -o /tmp/rustup-init \ && chmod +x /tmp/rustup-init \ && /tmp/rustup-init -y --profile minimal --default-toolchain stable --no-modify-path \ && rm -f /tmp/rustup-init \ && rustup default stable \ && cargo install --locked bpf-linker # Install cosign for container signing/attestation`
	Unsigned binary downloads Description: The Oracle Linux variant also installs 'cosign' and 'syft' using curl piping without checksum/signature verification, enabling binary tampering—pin versions and verify checksums or signatures to mitigate supply-chain risk. Dockerfile.rbe-ora9 [106-116] Referred Code `ARG COSIGN_VERSION=2.4.1 RUN curl -sSfL https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64 \ -o /usr/local/bin/cosign \ && chmod +x /usr/local/bin/cosign \ && cosign version # Install syft for SBOM generation ARG SYFT_VERSION=1.38.0 RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \| \ sh -s -- -b /usr/local/bin v${SYFT_VERSION} \ && syft version`
⚪	Secret handling in build Description: The CNPG image preload step reads a GHCR token from a Docker build secret and may emit warnings or status messages; ensure that no secret values (e.g., the token or derived data) are logged or leaked via build output—verify that only presence is checked and sensitive values are never echoed. Dockerfile.rbe [91-101] Referred Code RUN --mount=type=secret,id=ghcr_token <<'EOF' set -euo pipefail TOKEN_FILE="/run/secrets/ghcr_token" if [[ -z "${GHCR_CNPG_IMAGE:-}" ]]; then echo "CNPG image not set; skipping preload" exit 0 fi if [[ -f "$TOKEN_FILE" && -s "$TOKEN_FILE" && -n "${GHCR_USERNAME:-}" ]]; then TOKEN_VALUE=$(cat "$TOKEN_FILE") skopeo copy --src-creds "$GHCR_USERNAME:$TOKEN_VALUE" "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE" elif skopeo copy "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE"; then
	Secret handling in build Description: The legacy Oracle Linux Dockerfile pulls a private GHCR image using a token provided as a build secret; confirm that logs never reveal credentials and that the fallback unauthenticated pull cannot leak registry paths or tags considered sensitive in your environment. Dockerfile.rbe-ora9 [80-95] Referred Code RUN --mount=type=secret,id=ghcr_token <<'EOF' set -euo pipefail TOKEN_FILE="/run/secrets/ghcr_token" if [[ -z "${GHCR_CNPG_IMAGE:-}" ]]; then echo "CNPG image not set; skipping preload" exit 0 fi if [[ -f "$TOKEN_FILE" && -s "$TOKEN_FILE" && -n "${GHCR_USERNAME:-}" ]]; then TOKEN_VALUE=$(cat "$TOKEN_FILE") skopeo copy --src-creds "$GHCR_USERNAME:$TOKEN_VALUE" "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE" elif skopeo copy "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE"; then echo "Pulled CNPG image without auth" else echo "Warning: CNPG preload skipped (missing credentials or pull failed)" >&2 fi EOF
	Unpinned package versions Description: Installing numerous packages via apt without pinning versions or using minimal snapshots may lead to non-reproducible builds and unexpected security regressions—consider pinning versions or using a reproducible base to control updates. Dockerfile.rbe [14-67] Referred Code RUN apt-get update && apt-get install -y --no-install-recommends \ ca-certificates \ curl \ gnupg \ lsb-release \ wget \ software-properties-common \ && install -d /usr/share/postgresql-common/pgdg \ && curl -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc --fail https://www.postgresql.org/media/keys/ACCC4CF8.asc \ && sh -c 'echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' \ && apt-get update && apt-get install -y --no-install-recommends \ # Build Tools & Compilers build-essential \ gcc \ g++ \ clang \ llvm \ llvm-dev \ make \ cmake \ pkg-config \ ... (clipped 33 lines)
	Unpinned package versions Description: DNF-installed packages are not version-pinned, reducing reproducibility and potentially introducing vulnerable updates—prefer explicit versions or a locked snapshot repository. Dockerfile.rbe-ora9 [10-55] Referred Code RUN dnf install -y oracle-epel-release-el9 oraclelinux-developer-release-el9 \ && dnf config-manager --enable ol9_codeready_builder \ && dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm \ && dnf -qy module disable postgresql \ && dnf install -y \ skopeo \ podman \ podman-docker \ slirp4netns \ fuse-overlayfs \ containernetworking-plugins \ iptables \ gcc-toolset-13 \ bpftool \ ca-certificates \ clang \ curl \ createrepo_c \ git \ gmp-devel \ libbpf-devel \ ... (clipped 25 lines)
	CI secret exposure risk Description: The workflow passes Bazel flag '--//toolchains/rpm:is_rpmbuild_available=1'; ensure that any secrets used during package publishing are scoped to the job and masked in logs—verify that args expansion ('"${args[@]}"') cannot echo secret contents to logs. release.yml [266-273] Referred Code `bazel run \ --config=no_remote \ --host_platform=@local_config_platform//:host \ --platforms=//build/platforms:linux_pkg_local \ --//toolchains/rpm:is_rpmbuild_available=1 \ --stamp \ //release:publish_packages \ -- "${args[@]}"`
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Package Integrity: The Dockerfile installs numerous packages and downloads binaries via curl without explicit checksum or signature verification, which may not meet strict input integrity validation requirements. Referred Code RUN apt-get update && apt-get install -y --no-install-recommends \ ca-certificates \ curl \ gnupg \ lsb-release \ wget \ software-properties-common \ && install -d /usr/share/postgresql-common/pgdg \ && curl -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc --fail https://www.postgresql.org/media/keys/ACCC4CF8.asc \ && sh -c 'echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' \ && apt-get update && apt-get install -y --no-install-recommends \ # Build Tools & Compilers build-essential \ gcc \ g++ \ clang \ llvm \ llvm-dev \ make \ cmake \ pkg-config \ ... (clipped 33 lines) Learn more about managing compliance generic rules or creating your own custom rules
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1986#issuecomment-3568143321 Original created: 2025-11-23T16:46:27Z --- ## PR Compliance Guide 🔍  Below is a summary of compliance checks for this PR: <table><tbody><tr><td colspan='2'>Security Compliance</td></tr> <tr><td rowspan=2>🔴</td> <td><details><summary>Unsigned binary downloads </summary> Description: Downloading and installing 'cosign' and 'syft' via curl from GitHub without verifying checksums or signatures exposes the build to supply-chain attacks—add version-pinned checksums or signature verification to ensure binary integrity. <a href='https://github.com/carverauto/serviceradar/pull/1986/files#diff-40936cbae5822a0a5fa8016befa08eb3a7836c93328e8043dcdfb3885a6201b2R106-R116'>Dockerfile.rbe [106-116]</a> <details open><summary>Referred Code</summary> ```txt EOF # Install Rust toolchains for native builds. RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs -o /tmp/rustup-init \ && chmod +x /tmp/rustup-init \ && /tmp/rustup-init -y --profile minimal --default-toolchain stable --no-modify-path \ && rm -f /tmp/rustup-init \ && rustup default stable \ && cargo install --locked bpf-linker # Install cosign for container signing/attestation ``` </details></details></td></tr> <tr><td><details><summary>Unsigned binary downloads </summary> Description: The Oracle Linux variant also installs 'cosign' and 'syft' using curl piping without checksum/signature verification, enabling binary tampering—pin versions and verify checksums or signatures to mitigate supply-chain risk. <a href='https://github.com/carverauto/serviceradar/pull/1986/files#diff-c4a73a282f345855c6c173679a1f3dcf26b8cc70e3a0f026bdb0ab0a40b6834dR106-R116'>Dockerfile.rbe-ora9 [106-116]</a> <details open><summary>Referred Code</summary> ```txt ARG COSIGN_VERSION=2.4.1 RUN curl -sSfL https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64 \ -o /usr/local/bin/cosign \ && chmod +x /usr/local/bin/cosign \ && cosign version # Install syft for SBOM generation ARG SYFT_VERSION=1.38.0 RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | \ sh -s -- -b /usr/local/bin v${SYFT_VERSION} \ && syft version ``` </details></details></td></tr> <tr><td rowspan=5>⚪</td> <td><details><summary>Secret handling in build </summary> Description: The CNPG image preload step reads a GHCR token from a Docker build secret and may emit warnings or status messages; ensure that no secret values (e.g., the token or derived data) are logged or leaked via build output—verify that only presence is checked and sensitive values are never echoed. <a href='https://github.com/carverauto/serviceradar/pull/1986/files#diff-40936cbae5822a0a5fa8016befa08eb3a7836c93328e8043dcdfb3885a6201b2R91-R101'>Dockerfile.rbe [91-101]</a> <details open><summary>Referred Code</summary> ```txt RUN --mount=type=secret,id=ghcr_token <<'EOF' set -euo pipefail TOKEN_FILE="/run/secrets/ghcr_token" if [[ -z "${GHCR_CNPG_IMAGE:-}" ]]; then echo "CNPG image not set; skipping preload" exit 0 fi if [[ -f "$TOKEN_FILE" && -s "$TOKEN_FILE" && -n "${GHCR_USERNAME:-}" ]]; then TOKEN_VALUE=$(cat "$TOKEN_FILE") skopeo copy --src-creds "$GHCR_USERNAME:$TOKEN_VALUE" "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE" elif skopeo copy "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE"; then ``` </details></details></td></tr> <tr><td><details><summary>Secret handling in build </summary> Description: The legacy Oracle Linux Dockerfile pulls a private GHCR image using a token provided as a build secret; confirm that logs never reveal credentials and that the fallback unauthenticated pull cannot leak registry paths or tags considered sensitive in your environment. <a href='https://github.com/carverauto/serviceradar/pull/1986/files#diff-c4a73a282f345855c6c173679a1f3dcf26b8cc70e3a0f026bdb0ab0a40b6834dR80-R95'>Dockerfile.rbe-ora9 [80-95]</a> <details open><summary>Referred Code</summary> ```txt RUN --mount=type=secret,id=ghcr_token <<'EOF' set -euo pipefail TOKEN_FILE="/run/secrets/ghcr_token" if [[ -z "${GHCR_CNPG_IMAGE:-}" ]]; then echo "CNPG image not set; skipping preload" exit 0 fi if [[ -f "$TOKEN_FILE" && -s "$TOKEN_FILE" && -n "${GHCR_USERNAME:-}" ]]; then TOKEN_VALUE=$(cat "$TOKEN_FILE") skopeo copy --src-creds "$GHCR_USERNAME:$TOKEN_VALUE" "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE" elif skopeo copy "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE"; then echo "Pulled CNPG image without auth" else echo "Warning: CNPG preload skipped (missing credentials or pull failed)" >&2 fi EOF ``` </details></details></td></tr> <tr><td><details><summary>Unpinned package versions </summary> Description: Installing numerous packages via apt without pinning versions or using minimal snapshots may lead to non-reproducible builds and unexpected security regressions—consider pinning versions or using a reproducible base to control updates. <a href='https://github.com/carverauto/serviceradar/pull/1986/files#diff-40936cbae5822a0a5fa8016befa08eb3a7836c93328e8043dcdfb3885a6201b2R14-R67'>Dockerfile.rbe [14-67]</a> <details open><summary>Referred Code</summary> ```txt RUN apt-get update && apt-get install -y --no-install-recommends \ ca-certificates \ curl \ gnupg \ lsb-release \ wget \ software-properties-common \ && install -d /usr/share/postgresql-common/pgdg \ && curl -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc --fail https://www.postgresql.org/media/keys/ACCC4CF8.asc \ && sh -c 'echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' \ && apt-get update && apt-get install -y --no-install-recommends \ # Build Tools & Compilers build-essential \ gcc \ g++ \ clang \ llvm \ llvm-dev \ make \ cmake \ pkg-config \ ... (clipped 33 lines) ``` </details></details></td></tr> <tr><td><details><summary>Unpinned package versions </summary> Description: DNF-installed packages are not version-pinned, reducing reproducibility and potentially introducing vulnerable updates—prefer explicit versions or a locked snapshot repository. <a href='https://github.com/carverauto/serviceradar/pull/1986/files#diff-c4a73a282f345855c6c173679a1f3dcf26b8cc70e3a0f026bdb0ab0a40b6834dR10-R55'>Dockerfile.rbe-ora9 [10-55]</a> <details open><summary>Referred Code</summary> ```txt RUN dnf install -y oracle-epel-release-el9 oraclelinux-developer-release-el9 \ && dnf config-manager --enable ol9_codeready_builder \ && dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm \ && dnf -qy module disable postgresql \ && dnf install -y \ skopeo \ podman \ podman-docker \ slirp4netns \ fuse-overlayfs \ containernetworking-plugins \ iptables \ gcc-toolset-13 \ bpftool \ ca-certificates \ clang \ curl \ createrepo_c \ git \ gmp-devel \ libbpf-devel \ ... (clipped 25 lines) ``` </details></details></td></tr> <tr><td><details><summary>CI secret exposure risk </summary> Description: The workflow passes Bazel flag '--//toolchains/rpm:is_rpmbuild_available=1'; ensure that any secrets used during package publishing are scoped to the job and masked in logs—verify that args expansion ('"${args[@]}"') cannot echo secret contents to logs. <a href='https://github.com/carverauto/serviceradar/pull/1986/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R266-R273'>release.yml [266-273]</a> <details open><summary>Referred Code</summary> ```yaml bazel run \ --config=no_remote \ --host_platform=@local_config_platform//:host \ --platforms=//build/platforms:linux_pkg_local \ --//toolchains/rpm:is_rpmbuild_available=1 \ --stamp \ //release:publish_packages \ -- "${args[@]}" ``` </details></details></td></tr> <tr><td colspan='2'>Ticket Compliance</td></tr> <tr><td>⚪</td><td><details><summary>🎫 No ticket provided </summary> - [ ] Create ticket/issue  </details></td></tr> <tr><td colspan='2'>Codebase Duplication Compliance</td></tr> <tr><td>⚪</td><td><details><summary>Codebase context is not defined </summary> Follow the <a href='https://qodo-merge-docs.qodo.ai/core-abilities/rag_context_enrichment/'>guide</a> to enable codebase context checks. </details></td></tr> <tr><td colspan='2'>Custom Compliance</td></tr> <tr><td rowspan=5>🟢</td><td> <details><summary>Generic: Comprehensive Audit Trails</summary> **Objective:** To create a detailed and reliable record of critical system actions for security analysis and compliance. **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Meaningful Naming and Self-Documenting Code</summary> **Objective:** Ensure all identifiers clearly express their purpose and intent, making code self-documenting **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Robust Error Handling and Edge Case Management</summary> **Objective:** Ensure comprehensive error handling that provides meaningful context and graceful degradation **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Secure Error Handling</summary> **Objective:** To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Secure Logging Practices</summary> **Objective:** To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td rowspan=1>⚪</td> <td><details> <summary>Generic: Security-First Input Validation and Data Handling</summary> **Objective:** Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities **Status:** <a href='https://github.com/carverauto/serviceradar/pull/1986/files#diff-40936cbae5822a0a5fa8016befa08eb3a7836c93328e8043dcdfb3885a6201b2R14-R67'>Package Integrity</a>: The Dockerfile installs numerous packages and downloads binaries via curl without explicit checksum or signature verification, which may not meet strict input integrity validation requirements. <details open><summary>Referred Code</summary> ```txt RUN apt-get update && apt-get install -y --no-install-recommends \ ca-certificates \ curl \ gnupg \ lsb-release \ wget \ software-properties-common \ && install -d /usr/share/postgresql-common/pgdg \ && curl -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc --fail https://www.postgresql.org/media/keys/ACCC4CF8.asc \ && sh -c 'echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' \ && apt-get update && apt-get install -y --no-install-recommends \ # Build Tools & Compilers build-essential \ gcc \ g++ \ clang \ llvm \ llvm-dev \ make \ cmake \ pkg-config \ ... (clipped 33 lines) ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td align="center" colspan="2"> - [ ] Update  </td></tr></tbody></table> <details><summary>Compliance status legend</summary> 🟢 - Fully Compliant 🟡 - Partial Compliant 🔴 - Not Compliant ⚪ - Requires Further Human Verification 🏷️ - Compliance label </details>

qodo-code-review[bot] commented

2025-11-23 16:47:30 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1986#issuecomment-3568144158
Original created: 2025-11-23T16:47:30Z

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
High-level	Building RPMs on Ubuntu is risky Building RPM packages on an Ubuntu executor risks runtime incompatibility on target RPM-based systems. Use the preserved Oracle Linux 9 Dockerfile (`Dockerfile.rbe-ora9`) as a dedicated executor for RPM packaging to ensure reliability. Examples: docker/Dockerfile.rbe [64-65] `rpm \ createrepo-c \` docker/Dockerfile.rbe-ora9 [1-123] `# syntax=docker/dockerfile:1 # Custom RBE executor image based on Oracle Linux 9 with development tooling. # This image provides a hermetic build environment for BuildBuddy RBE with RPM building support. FROM --platform=linux/amd64 oraclelinux:9 SHELL ["/bin/bash", "-lc"] # Install build dependencies RUN dnf install -y oracle-epel-release-el9 oraclelinux-developer-release-el9 \ ... (clipped 113 lines)` Solution Walkthrough: Before: `# docker/Dockerfile.rbe FROM ubuntu:24.04 ... # RPM building tools are installed on Ubuntu RUN apt-get install -y rpm createrepo-c ... # Bazel build configuration (conceptual) # All build actions, including RPM packaging, # are configured to use the default Ubuntu RBE executor. platform( name = "rbe_linux_amd64", exec_properties = { "container-image": "docker://.../rbe-executor:v1.0.15", # Ubuntu based }, )` After: `# Bazel build configuration (conceptual) # Define a separate platform for RPM building that uses the Oracle Linux image. platform( name = "rbe_rpm_builder", exec_properties = { "container-image": "docker://.../rbe-executor-ora9:v1.0.15", # Oracle Linux based }, ) # In the BUILD file for the RPM package # Associate the RPM packaging rule with the dedicated RPM builder platform. pkg_rpm( name = "my_package_rpm", ..., target_compatible_with = [ "//build/platforms:rbe_rpm_builder", ], )` Suggestion importance[1-10]: 9 __ Why: The suggestion correctly identifies a critical risk of runtime incompatibility when building RPM packages on the new Ubuntu-based environment, proposing a robust architectural solution.	High
Possible issue	Fix PostgreSQL setup and dependency Improve the PostgreSQL installation by explicitly adding the `postgresql-common` package and updating the APT repository setup to use a de-armored GPG key in `/etc/apt/keyrings` for better security and standards compliance. docker/Dockerfile.rbe [14-67] RUN apt-get update && apt-get install -y --no-install-recommends \ ca-certificates \ curl \ gnupg \ lsb-release \ wget \ software-properties-common \ - && install -d /usr/share/postgresql-common/pgdg \ - && curl -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc --fail https://www.postgresql.org/media/keys/ACCC4CF8.asc \ - && sh -c 'echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' \ + postgresql-common \ + && install -m 0755 -d /etc/apt/keyrings \ + && curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc \| gpg --dearmor -o /etc/apt/keyrings/postgresql-archive-keyring.gpg \ + && echo "deb [signed-by=/etc/apt/keyrings/postgresql-archive-keyring.gpg] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list \ && apt-get update && apt-get install -y --no-install-recommends \ # Build Tools & Compilers build-essential \ gcc \ g++ \ clang \ llvm \ llvm-dev \ make \ cmake \ pkg-config \ # Container Tools skopeo \ podman \ podman-docker \ slirp4netns \ fuse-overlayfs \ iptables \ # Database / Libs postgresql-server-dev-16 \ libpq-dev \ libssl-dev \ zlib1g-dev \ liblz4-dev \ libzstd-dev \ libgmp-dev \ libev-dev \ libbpf-dev \ linux-tools-generic \ protobuf-compiler \ libprotobuf-dev \ # Utils git \ patch \ unzip \ rsync \ tar \ m4 \ perl \ # RPM Building on Debian rpm \ createrepo-c \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* Apply / Chat Suggestion importance[1-10]: 6 __ Why: The suggestion correctly proposes updating the PostgreSQL repository setup to use a de-armored GPG key, which aligns with current Debian/Ubuntu best practices and improves maintainability.	Low
More

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1986#issuecomment-3568144158 Original created: 2025-11-23T16:47:30Z --- ## PR Code Suggestions ✨  Explore these optional code suggestions: <table><thead><tr><td>Category</td><td align=left>Suggestion                                                                                                                                    </td><td align=center>Impact</td></tr><tbody><tr><td rowspan=1>High-level</td> <td> <details><summary>Building RPMs on Ubuntu is risky</summary> ___ **Building RPM packages on an Ubuntu executor risks runtime incompatibility on target RPM-based systems. Use the preserved Oracle Linux 9 Dockerfile (<code>Dockerfile.rbe-ora9</code>) as a dedicated executor for RPM packaging to ensure reliability.** ### Examples: <details> <summary> <a href="https://github.com/carverauto/serviceradar/pull/1986/files#diff-40936cbae5822a0a5fa8016befa08eb3a7836c93328e8043dcdfb3885a6201b2R64-R65">docker/Dockerfile.rbe [64-65]</a> </summary> ```dockerfile rpm \ createrepo-c \ ``` </details> <details> <summary> <a href="https://github.com/carverauto/serviceradar/pull/1986/files#diff-c4a73a282f345855c6c173679a1f3dcf26b8cc70e3a0f026bdb0ab0a40b6834dR1-R123">docker/Dockerfile.rbe-ora9 [1-123]</a> </summary> ```dockerfile # syntax=docker/dockerfile:1 # Custom RBE executor image based on Oracle Linux 9 with development tooling. # This image provides a hermetic build environment for BuildBuddy RBE with RPM building support. FROM --platform=linux/amd64 oraclelinux:9 SHELL ["/bin/bash", "-lc"] # Install build dependencies RUN dnf install -y oracle-epel-release-el9 oraclelinux-developer-release-el9 \ ... (clipped 113 lines) ``` </details> ### Solution Walkthrough: #### Before: ```dockerfile # docker/Dockerfile.rbe FROM ubuntu:24.04 ... # RPM building tools are installed on Ubuntu RUN apt-get install -y rpm createrepo-c ... # Bazel build configuration (conceptual) # All build actions, including RPM packaging, # are configured to use the default Ubuntu RBE executor. platform( name = "rbe_linux_amd64", exec_properties = { "container-image": "docker://.../rbe-executor:v1.0.15", # Ubuntu based }, ) ``` #### After: ```dockerfile # Bazel build configuration (conceptual) # Define a separate platform for RPM building that uses the Oracle Linux image. platform( name = "rbe_rpm_builder", exec_properties = { "container-image": "docker://.../rbe-executor-ora9:v1.0.15", # Oracle Linux based }, ) # In the BUILD file for the RPM package # Associate the RPM packaging rule with the dedicated RPM builder platform. pkg_rpm( name = "my_package_rpm", ..., target_compatible_with = [ "//build/platforms:rbe_rpm_builder", ], ) ``` <details><summary>Suggestion importance[1-10]: 9</summary> __ Why: The suggestion correctly identifies a critical risk of runtime incompatibility when building RPM packages on the new Ubuntu-based environment, proposing a robust architectural solution. </details></details></td><td align=center>High </td></tr><tr><td rowspan=1>Possible issue</td> <td> <details><summary>Fix PostgreSQL setup and dependency</summary> ___ **Improve the PostgreSQL installation by explicitly adding the <code>postgresql-common</code> package and updating the APT repository setup to use a de-armored GPG key in <code>/etc/apt/keyrings</code> for better security and standards compliance.** [docker/Dockerfile.rbe [14-67]](https://github.com/carverauto/serviceradar/pull/1986/files#diff-40936cbae5822a0a5fa8016befa08eb3a7836c93328e8043dcdfb3885a6201b2R14-R67) ```diff RUN apt-get update && apt-get install -y --no-install-recommends \ ca-certificates \ curl \ gnupg \ lsb-release \ wget \ software-properties-common \ - && install -d /usr/share/postgresql-common/pgdg \ - && curl -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc --fail https://www.postgresql.org/media/keys/ACCC4CF8.asc \ - && sh -c 'echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' \ + postgresql-common \ + && install -m 0755 -d /etc/apt/keyrings \ + && curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor -o /etc/apt/keyrings/postgresql-archive-keyring.gpg \ + && echo "deb [signed-by=/etc/apt/keyrings/postgresql-archive-keyring.gpg] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list \ && apt-get update && apt-get install -y --no-install-recommends \ # Build Tools & Compilers build-essential \ gcc \ g++ \ clang \ llvm \ llvm-dev \ make \ cmake \ pkg-config \ # Container Tools skopeo \ podman \ podman-docker \ slirp4netns \ fuse-overlayfs \ iptables \ # Database / Libs postgresql-server-dev-16 \ libpq-dev \ libssl-dev \ zlib1g-dev \ liblz4-dev \ libzstd-dev \ libgmp-dev \ libev-dev \ libbpf-dev \ linux-tools-generic \ protobuf-compiler \ libprotobuf-dev \ # Utils git \ patch \ unzip \ rsync \ tar \ m4 \ perl \ # RPM Building on Debian rpm \ createrepo-c \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 6</summary> __ Why: The suggestion correctly proposes updating the PostgreSQL repository setup to use a de-armored GPG key, which aligns with current Debian/Ubuntu best practices and improves maintainability. </details></details></td><td align=center>Low </td></tr> <tr><td align="center" colspan="2"> - [ ] More  </td><td></td></tr></tbody></table>