Simpler nginx dockerfile

[fopina]

Instead of complex node installation on top of the build base image, this uses separate stage just for yarn and then collectstatic copies the components from it.

I've pinned the same node and yarn versions that were used - but it can always use just node:20.11 to pick up on latest patches

NOTE I've opened another PR with an alternative that I believe to be even better but a bigger change - #11182

[dryrunsecurity]

DryRun Security Summary

The pull request focuses on improving the build process and dependency management for the DefectDojo application's Docker images, including simplifying the Node.js and Yarn installation, optimizing the static file generation, and streamlining the Python dependency installation.

Expand for full summary

Summary:

The code changes in this pull request are focused on improving the build process and dependency management for the DefectDojo application's nginx-alpine and nginx-debian Docker images. The key changes include:

1. Simplifying the Node.js and Yarn installation process by using pre-built images and specific versions.
2. Optimizing the static file generation process by copying the necessary files from the "yarn" stage to the "collectstatic" stage.
3. Streamlining the Python dependency installation by using pre-built wheels from the "build" stage.

From an application security perspective, these changes appear to be reasonable and do not introduce any obvious security concerns. However, it's important to regularly review the following aspects to maintain the application's security posture:

1. Ensure that the versions of the dependencies (Python, Node.js, Yarn, etc.) used in the Dockerfiles are the latest stable versions and do not have any known security vulnerabilities.
2. Review the security of the base images used (e.g., python:3.11.9-slim-bookworm, nginx:1.27.2-alpine) and keep them up-to-date.
3. Verify that the principle of least privilege is followed by reviewing the permissions and ownership of the files and directories.
4. Carefully manage the environment variables used in the Dockerfiles to prevent the exposure of sensitive information.
5. Thoroughly review the configuration files (e.g., wsgi_params, nginx.conf, nginx_TLS.conf) to ensure they are properly configured for security.

Files Changed:

1. Dockerfile.nginx-alpine:

   • Removes the manual installation of Node.js and uses a pre-built Node.js image instead.
   • Installs the specific version of Yarn (1.22.19) using the Node.js image.
   • Copies the "components/" directory from the "yarn" stage to the "collectstatic" stage for static file generation.
   • Installs the Python dependencies from the "requirements.txt" file in the "collectstatic" stage, using the pre-built wheels from the "build" stage.

2. Dockerfile.nginx-debian:

   • Divides the Dockerfile into multiple stages: "base", "build", "collectstatic", and the final nginx image stage.
   • Adds a separate "yarn" stage that installs the specific version of Yarn (1.22.19) and copies the "components/" directory.
   • Removes the manual installation of Node.js and Yarn in the "collectstatic" stage, and instead, uses the "yarn" stage to provide the necessary components.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.