chore: create and build test image for CICD pipelines (#5079)

* chore: create test image and build in workflow
* chore: move test image Dockerfile to scripts/

.github/workflows/create-test-image.yml

@@ -0,0 +1,19 @@
+name: Create Test Image
+
+on:
+  schedule:
+    - cron: '0 4 * * 2'
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: docker/setup-buildx-action@v2
+      - name: Build Docker image
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          DOCKER_BUILDKIT: 1
+        run: scripts/create-test-image.sh

Makefile

@@ -247,7 +247,7 @@ clean-golang:
 .PHONY: acceptance-test-with-proxy
 acceptance-test-with-proxy: pre-build
 	@echo "-- Running acceptance tests in a proxied environment"
-	@docker build -t acceptance-test-with-proxy -f ./test/acceptance/environments/proxy/Dockerfile .
+	@docker build -t acceptance-test-with-proxy -f ./scripts/environments/proxy/Dockerfile .
 	@docker run --rm --cap-add=NET_ADMIN acceptance-test-with-proxy ./node_modules/.bin/jest ./ts-binary-wrapper/test/acceptance/basic.spec.ts
 # TODO: Run all acceptance tests behind a proxy using npm run test:acceptance
 

scripts/create-test-image.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+set -exuo pipefail # ensures that the script exits on any error, and that all commands are printed before they are executed
+
+# This script is used for building Docker images which in turn build the CLI.
+# It sets up the environment, logs into Docker, and builds images for different architectures.
+
+# Before running the script, ensure DOCKER_USERNAME and DOCKER_PASSWORD environment variables are set.
+# Example usage:
+#   export DOCKER_USERNAME=<your-docker-hub-username>
+#   export DOCKER_PASSWORD=<a-docker-hub-personal-access-token>
+#   ./scripts/create-test-image.sh
+
+# Determine the directory where the script is located.
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+NOW=$(date "+%Y%m%d-%H%M%S")
+
+
+pushd "$SCRIPT_DIR/.."
+  NODEVERSION=$(head -1 .nvmrc)
+  export NODEVERSION
+
+  docker login -u "$DOCKER_USERNAME" -p "$DOCKER_PASSWORD"
+
+  BASE_IMG_NAME=$DOCKER_USERNAME/cli-test
+  docker buildx build \
+    --build-arg NODEVERSION="$NODEVERSION" \
+    --build-arg ARCH="x86_64" \
+    --platform linux/amd64 \
+    --tag "$BASE_IMG_NAME":$NOW \
+    --tag "$BASE_IMG_NAME":latest \
+    --push \
+    --file ./scripts/environments/proxy/Dockerfile .
+
+  BASE_IMG_NAME=$DOCKER_USERNAME/cli-test-arm64
+  docker buildx build \
+    --build-arg NODEVERSION="$NODEVERSION" \
+    --build-arg ARCH="aarch64" \
+    --platform linux/arm64 \
+    --tag "$BASE_IMG_NAME":$NOW \
+    --tag "$BASE_IMG_NAME":latest \
+    --push \
+    --file ./scripts/environments/proxy/Dockerfile .
+
+popd

scripts/environments/proxy/Dockerfile

@@ -0,0 +1,121 @@
+# Copyright 2022-2023 Snyk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM --platform=$TARGETPLATFORM golang:1.20-bullseye
+
+# install "normal" stuff
+
+ARG NODEVERSION
+ARG ARCH
+
+RUN echo "Required Node version: $NODEVERSION"
+RUN curl -sL https://deb.nodesource.com/setup_$(echo $NODEVERSION | cut -f1 -d '.').x | bash -
+RUN apt-get update
+RUN DEBIAN_FRONTEND=noninteractive apt-get install -y \
+    sudo \
+    musl-tools \
+    git \
+    vim \
+    make \
+    maven \
+    gradle \
+    apt-transport-https \
+    curl \
+    gnupg \
+    -yqq \
+    elixir \
+    composer \
+    jq \
+    faketime \
+    zip \
+    nodejs=$(apt-cache policy nodejs | grep nodesource | xargs | cut -d " " -f2) \
+    # convco deps
+    cmake \
+    # python deps
+    python3 \
+    python3-pip \
+    python-is-python3 \
+    python3-requests \
+    python3-yaml \
+    pipenv \
+    # proxy deps
+    squid \
+    traceroute \
+    net-tools \
+    iptables
+
+RUN node -v
+RUN apt-get auto-remove -y && apt-get clean -y && rm -rf /var/lib/apt/
+
+# install aws cli
+ADD .circleci/awscli-publickey.pub awscli-publickey.pub
+RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-$ARCH.zip" -o "awscliv2.zip"
+RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-$ARCH.zip.sig" -o "awscliv2.sig"
+RUN gpg --import awscli-publickey.pub
+RUN gpg --verify awscliv2.sig awscliv2.zip
+RUN unzip awscliv2.zip
+RUN sudo ./aws/install
+RUN rm -rf "awscli*"
+
+RUN useradd circleci --create-home
+RUN echo "circleci ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+
+# install snyk
+RUN mkdir -p /app
+RUN mkdir -p /target/global-logging
+COPY . /app
+RUN rm -rf /app/build /app/.bin
+RUN cp /app/scripts/environments/proxy/entrypoint.sh /bin
+RUN chmod +x /bin/entrypoint.sh
+RUN chmod 777 /app && chown -R circleci /app
+
+RUN /app/scripts/install-swift.sh $ARCH
+ENV PATH=/usr/local/swift/usr/bin:$PATH
+
+# install openssl3
+RUN /app/scripts/install_openssl3_fips.sh /app/
+ENV PATH=/usr/local/bin/:$PATH
+ENV LD_LIBRARY_PATH=/usr/local/lib/
+
+RUN update-alternatives --set iptables /usr/sbin/iptables-legacy
+USER circleci
+
+# install deps
+RUN cd /app && npm install
+
+# install java & scala
+RUN curl -s "https://get.sdkman.io" | bash
+RUN /app/scripts/jvm-install.sh
+ENV PATH=/home/circleci/.sdkman/candidates/scala/current/bin:/home/circleci/.sdkman/candidates/sbt/current/bin:/home/circleci/.sdkman/candidates/java/current/bin:$PATH
+
+# install dotnet
+RUN curl -sSL https://dot.net/v1/dotnet-install.sh | bash /dev/stdin --channel 8.0
+ENV PATH=/home/circleci/.dotnet:$PATH
+ENV TEMP=/tmp
+ENV TMP=$TEMP
+ENV TMPDIR=$TEMP
+
+# install rust and convco
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+RUN ~/.cargo/bin/cargo install convco
+ENV PATH=/home/circleci/.cargo/bin:$PATH
+
+# setup proxy
+ENV http_proxy="http://localhost:3128"
+ENV https_proxy="http://localhost:3128"
+ENV no_proxy "localhost,127.0.0.1"
+RUN env
+
+WORKDIR /app
+ENTRYPOINT ["/bin/entrypoint.sh"]

scripts/install_openssl3_fips.sh

@@ -1,6 +1,8 @@
 #!/usr/bin/env bash
 set -ex
 
+APP_PATH="${1:-}"
+
 git clone https://github.com/openssl/openssl.git
 
 pushd .
@@ -12,7 +14,7 @@ export PATH=/usr/local/bin/:$PATH
 export LD_LIBRARY_PATH=/usr/local/lib/
 popd
 
-cp scripts/openssl.cnf /usr/local/ssl/openssl_fips_enabled.cnf
+cp ${APP_PATH}scripts/openssl.cnf /usr/local/ssl/openssl_fips_enabled.cnf
 chmod +r /usr/local/ssl/openssl_fips_enabled.cnf
 
 openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so