# Base image of the final stage. Swap it for any compatible image with
#   --build-arg BASE_IMAGE=<image>
# NOTE(review): this default is a floating tag, while the containerbase stage
# below is pinned by digest. Pinning it the same way
# (ubuntu:24.04@sha256:<digest>) would make rebuilds reproducible and make
# base-image changes show up in review.
ARG BASE_IMAGE=ubuntu:24.04

# Donor stage: containerbase supplies the tool-installation scripts and the
# user/directory setup. Only files copied out of it reach the final image.
FROM ghcr.io/containerbase/base:13.26.7@sha256:5a7aace53413ad8e98fbb87cbe1aa6727ce2ad225356a46a58ea9171ae8966d1 AS containerbase


# Final image stage.
FROM ${BASE_IMAGE} AS base

# Apply pending distribution updates and drop the apt caches in the same layer,
# so the package lists never persist in the image.
RUN apt-get update -y && \
    apt-get upgrade -y && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# Unprivileged account used by the scanner; containerbase supports a custom user.
# All three values can be overridden with --build-arg.
ARG USER_NAME=wss-scanner
ARG USER_ID=1000
ARG USER_HOME=/home/${USER_NAME}
# Optional apt proxy for the build; declared without a default, so it is empty
# unless passed on the command line.
ARG APT_HTTP_PROXY

# Every RUN below executes through `bash -c`, and a non-interactive bash sources
# the file named by BASH_ENV before running the command. Because this ENV also
# persists into the running container, the file is code that runs on every bash
# start: keep /usr/local/etc/env writable by root only.
ENV BASH_ENV=/usr/local/etc/env
SHELL ["/bin/bash", "-c"]

# Bring in the containerbase scripts from the donor stage, then bootstrap them.
# `prepare-tool all` presumably pre-creates the per-tool prerequisites used by
# the `install-tool` calls further down — confirm against the containerbase docs.
COPY --from=containerbase /usr/local/sbin/ /usr/local/sbin/
COPY --from=containerbase /usr/local/containerbase/ /usr/local/containerbase/
RUN install-containerbase && prepare-tool all
# ┌────────────┬────────────┬────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                               │
# ├────────────┼────────────┼────────────────────────────────────────────────────┤
# │ High       │ 3          │ CVE-2025-66471, CVE-2025-66418, CVE-2026-21441     │
# └────────────┴────────────┴────────────────────────────────────────────────────┘

# SCM and JavaScript tooling. Each ARG sets <TOOL>_VERSION and the
# `install-tool <tool>` right after it is expected to read that version from
# the build environment (ARG values are exported to RUN steps).
# Keep every `# renovate:` marker on the line directly above its ARG; a comment
# placed between the two would presumably stop Renovate from matching the pair.
# The boxed tables that follow some installs appear to be scanner findings for
# that install. They are plain comments and do not affect the build.
# renovate: datasource=github-tags packageName=git/git
ARG GIT_VERSION=v2.41.3
RUN install-tool git

# install git lfs
# renovate: datasource=github-releases packageName=git-lfs/git-lfs
#ARG GIT_LFS_VERSION=v3.5.1
#RUN install-tool git-lfs

# Node.js runtime; npm, yarn and bower below are installed on top of it.
# renovate: datasource=github-releases packageName=containerbase/node-prebuild versioning=node
ARG NODE_VERSION=24.0.0
RUN install-tool node
# ┌────────────┬────────────┬───────────────────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                                              │
# ├────────────┼────────────┼───────────────────────────────────────────────────────────────────┤
# │ High       │ 7          │ CVE-2026-24842, CVE-2026-23745, CVE-2026-23950, CVE-2026-24842    │
# │            │            │ CVE-2025-64756, CVE-2026-23745, CVE-2026-23950                    │
# └────────────┴────────────┴───────────────────────────────────────────────────────────────────┘

# renovate: datasource=npm versioning=npm
ARG NPM_VERSION=11.6.1
RUN install-tool npm
# ┌────────────┬────────────┬───────────────────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                                              │
# ├────────────┼────────────┼───────────────────────────────────────────────────────────────────┤
# │ High       │ 6          │ CVE-2025-64756, CVE-2026-23950, CVE-2026-24842, CVE-2025-64756    │
# │            │            │ CVE-2026-25547, CVE-2026-23745                                    │
# └────────────┴────────────┴───────────────────────────────────────────────────────────────────┘

# renovate: datasource=npm packageName=@yarnpkg/cli-dist
ARG YARN_VERSION=1.22.22
RUN install-tool yarn

# NOTE(review): the table after this install reports 11 critical and 30 high
# findings, the largest count attached to any install in this file. If bower
# projects do not need to be scanned, commenting this pair out (as is already
# done for pnpm below) removes that dependency tree from the image.
# renovate: datasource=npm
ARG BOWER_VERSION=1.8.14
RUN install-tool bower
# ┌────────────┬────────────┬─────────────────────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                                                │
# ├────────────┼────────────┼─────────────────────────────────────────────────────────────────────┤
# │ Critical   │ 11         │ CVE-2021-3918, CVE-2025-7783, CVE-2023-26136, CVE-2021-23369        │
# │            │            │ CVE-2021-23807, CVE-2023-26136, CVE-2025-7783, CVE-2021-23383       │
# │            │            │ CVE-2021-44906, CVE-2019-10744, CVE-2019-10744                      │
# ├────────────┼────────────┼─────────────────────────────────────────────────────────────────────┤
# │ High       │ 30         │ CVE-2022-21213, CVE-2020-7792, CVE-2022-24999, CVE-2020-36604       │
# │            │            │ CVE-2018-3728, CVE-2022-3517, CVE-2016-10540, CVE-2020-8116         │
# │            │            │ CVE-2020-8203, CVE-2022-25883, CVE-2025-59343, CVE-2022-25883       │
# │            │            │ CVE-2020-8203, CVE-2021-23337, CVE-2017-15010, CVE-2022-3517        │
# │            │            │ CVE-2017-15010, CVE-2024-12905, CVE-2025-48387, CVE-2015-8855       │
# │            │            │ CVE-2022-24999, CVE-2017-1000048, CVE-2025-15284, CVE-2022-21213    │
# │            │            │ CVE-2020-7792, CVE-2021-23343, CVE-2021-43138, CVE-2025-15284       │
# │            │            │ CVE-2021-23337, CVE-2022-29167                                      │
# └────────────┴────────────┴─────────────────────────────────────────────────────────────────────┘

# renovate: datasource=npm
#ARG PNPM_VERSION=10.17.0
#RUN install-tool pnpm

### provide permissions
# Write a per-user bower config that sets allow_root, so bower does not refuse
# to run when the process UID is 0, then hand the file to the scanner user.
# NOTE(review): GROUP_NAME is not declared as an ARG or ENV anywhere in this
# file. If nothing sourced through BASH_ENV defines it, the chown target is
# "<user>:", which chown resolves to the user's login group — confirm that is
# the intent. The final image runs as USER_NAME, so allow_root only matters
# when the container is started with an overridden UID of 0.
RUN printf '%s\n' '{ "allow_root": true }' > ${USER_HOME}/.bowerrc && \
    chown -R ${USER_NAME}:${GROUP_NAME} ${USER_HOME}/.bowerrc

# Java runtimes. JAVA_VERSION is re-declared before every install, so each
# `install-tool java` sees the value set immediately above it. Order matters:
# per the banner further down, the version installed last becomes the default.
# NOTE(review): unlike the three installs that follow, this first ARG has no
# `# renovate:` marker above it, so it will presumably not receive automated
# version bumps — confirm whether that is intentional.
ARG JAVA_VERSION=8.0.472+8
RUN install-tool java

# renovate: datasource=java-version packageName=java-jre
ARG JAVA_VERSION=11.0.29+7
RUN install-tool java

# renovate: datasource=java-version packageName=java-jre
ARG JAVA_VERSION=21.0.10+7.0.LTS
RUN install-tool java

### !!! PAY ATTENTION! The version that should be the default, must be installed last !!! ###
# renovate: datasource=java-version packageName=java-jre
ARG JAVA_VERSION=17.0.18+8
RUN install-tool java
# MEND_JAVA is a fixed path that always points at the default JDK's launcher.
# The symlink below is built from the JAVA_VERSION in effect at this point
# (17.0.18+8), so a version bump has to keep this RUN after the last install.
# chmod follows the symlink, i.e. it sets the execute bit on the real binary.
ENV MEND_JAVA=/usr/local/bin/mend_java
RUN ln -sf /opt/containerbase/tools/java/$JAVA_VERSION/bin/java $MEND_JAVA && \
    chmod +x $MEND_JAVA

# Gradle distributions, installed side by side. GRADLE_VERSION is re-declared
# before each install; the last one installed (8.14.4) becomes the default, as
# the banner below states.
# NOTE(review): the only findings table in this group is attached to 6.9.4
# (4 critical, 18 high). Keep that release only while scanned projects still
# require a Gradle 6 runtime.
# renovate: datasource=gradle-version packageName=gradle versioning=gradle
ARG GRADLE_VERSION=6.9.4
RUN install-tool gradle
# ┌────────────┬────────────┬───────────────────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                                              │
# ├────────────┼────────────┼───────────────────────────────────────────────────────────────────┤
# │ Critical   │ 4          │ CVE-2020-7692, CVE-2021-26291, CVE-2021-26291, CVE-2022-1471      │
# ├────────────┼────────────┼───────────────────────────────────────────────────────────────────┤
# │ High       │ 18         │ CVE-2021-22573, CVE-2023-4759, CVE-2021-36090, CVE-2021-46877     │
# │            │            │ CVE-2020-36518, CVE-2022-42003, CVE-2021-35516, CVE-2022-46751    │
# │            │            │ CVE-2022-37866, CVE-2022-25647, CVE-2023-2976, CVE-2024-21634     │
# │            │            │ CVE-2024-47554, CVE-2025-52999, CVE-2022-42004, CVE-2022-25857    │
# │            │            │ CVE-2021-35515, CVE-2021-35517                                    │
# └────────────┴────────────┴───────────────────────────────────────────────────────────────────┘

# renovate: datasource=gradle-version packageName=gradle versioning=gradle
ARG GRADLE_VERSION=7.6.6
RUN install-tool gradle

# renovate: datasource=gradle-version packageName=gradle versioning=gradle
ARG GRADLE_VERSION=9.3.0
RUN install-tool gradle

### !!! PAY ATTENTION! The version that should be the default, must be installed last !!! ###
# renovate: datasource=gradle-version packageName=gradle versioning=gradle
ARG GRADLE_VERSION=8.14.4
RUN install-tool gradle

# renovate: datasource=github-releases packageName=containerbase/golang-prebuild
#ARG GOLANG_VERSION=1.24.7
#RUN install-tool golang
# A temporary workaround, until it is fixed by renovate
#ENV GOSUMDB="sum.golang.org"

#USER ${USER_ID}
## Install package managers
#RUN go install github.com/tools/godep@latest && \
#    go install github.com/LK4D4/vndr@latest && \
#    go install  github.com/kardianos/govendor@latest

#All deprecated/archived go package managers
# RUN go install  github.com/gpmgo/gopm@latest && \
#     go install  github.com/golang/dep/cmd/dep@latest && \
#     go install github.com/Masterminds/glide@latest && \
#     curl https://glide.sh/get | sh
#USER 0
#RUN chgrp -R 0 /go && chmod -R g=u /go

# Apache Maven, single version. It runs on the default JDK installed above.
# renovate: datasource=maven packageName=org.apache.maven:maven
ARG MAVEN_VERSION=3.9.12
RUN install-tool maven

# renovate: datasource=github-releases packageName=scala/scala
# ARG SCALA_VERSION=v2.13.16
# RUN install-tool scala

# renovate: datasource=github-releases packageName=sbt/sbt
# ARG SBT_VERSION=1.5.7
# RUN install-tool sbt

# Python interpreters, installed side by side so that projects targeting
# different language versions can be resolved. PYTHON_VERSION is re-declared
# before each install. Going by the "default must be installed last" rule this
# file states for Java and Gradle, 3.9.25 (the last one here) presumably ends
# up as the default `python` — confirm.
# NOTE(review): 2.7, 3.6, 3.7 and 3.8 no longer receive upstream security
# fixes; the tables after them list findings that will not be patched by a
# version bump. Keep them only while scanned projects need them.
# renovate: datasource=github-releases packageName=containerbase/python-prebuild
ARG PYTHON_VERSION=3.6.15
RUN install-tool python
# ┌────────────┬────────────┬────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                               │
# ├────────────┼────────────┼────────────────────────────────────────────────────┤
# │ High       │ 3          │ CVE-2024-6345, CVE-2024-53899, CVE-2025-47273      │
# └────────────┴────────────┴────────────────────────────────────────────────────┘

# renovate: datasource=github-releases packageName=containerbase/python-prebuild
ARG PYTHON_VERSION=2.7.18
RUN install-tool python
# ┌────────────┬────────────┬────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                               │
# ├────────────┼────────────┼────────────────────────────────────────────────────┤
# │ High       │ 3          │ CVE-2024-6345, CVE-2025-47273, CVE-2024-53899      │
# └────────────┴────────────┴────────────────────────────────────────────────────┘

# renovate: datasource=github-releases packageName=containerbase/python-prebuild
ARG PYTHON_VERSION=3.11.14
RUN install-tool python
# ┌────────────┬────────────┬────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                               │
# ├────────────┼────────────┼────────────────────────────────────────────────────┤
# │ High       │ 1          │ CVE-2026-24049                                     │
# └────────────┴────────────┴────────────────────────────────────────────────────┘

# renovate: datasource=github-releases packageName=containerbase/python-prebuild
ARG PYTHON_VERSION=3.12.12
RUN install-tool python

# renovate: datasource=github-releases packageName=containerbase/python-prebuild
ARG PYTHON_VERSION=3.10.19
RUN install-tool python
# ┌────────────┬────────────┬────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                               │
# ├────────────┼────────────┼────────────────────────────────────────────────────┤
# │ High       │ 1          │ CVE-2026-24049                                     │
# └────────────┴────────────┴────────────────────────────────────────────────────┘

# renovate: datasource=github-releases packageName=containerbase/python-prebuild
ARG PYTHON_VERSION=3.7.17
RUN install-tool python
# ┌────────────┬────────────┬────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                               │
# ├────────────┼────────────┼────────────────────────────────────────────────────┤
# │ High       │ 2          │ CVE-2025-47273, CVE-2024-6345                      │
# └────────────┴────────────┴────────────────────────────────────────────────────┘

# renovate: datasource=github-releases packageName=containerbase/python-prebuild
ARG PYTHON_VERSION=3.8.20
RUN install-tool python
# ┌────────────┬────────────┬────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                               │
# ├────────────┼────────────┼────────────────────────────────────────────────────┤
# │ High       │ 2          │ CVE-2024-6345, CVE-2025-47273                      │
# └────────────┴────────────┴────────────────────────────────────────────────────┘

# renovate: datasource=github-releases packageName=containerbase/python-prebuild
ARG PYTHON_VERSION=3.13.11
RUN install-tool python

# renovate: datasource=github-releases packageName=containerbase/python-prebuild
ARG PYTHON_VERSION=3.9.25
RUN install-tool python
# ┌────────────┬────────────┬────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                               │
# ├────────────┼────────────┼────────────────────────────────────────────────────┤
# │ High       │ 1          │ CVE-2026-24049                                     │
# └────────────┴────────────┴────────────────────────────────────────────────────┘

# Checkov (IaC scanner) is installed once, after all interpreters above.
# NOTE(review): the marker below says it must come "before python version
# 3.7.17", yet 3.7.17 is already installed further up. Either the ordering or
# the remark is stale — confirm which Python checkov ends up bound to.
# renovate: datasource=pypi ; Must be installed after python and before python version 3.7.17
ARG CHECKOV_VERSION=3.2.471
RUN install-tool checkov
# ┌────────────┬────────────┬───────────────────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                                              │
# ├────────────┼────────────┼───────────────────────────────────────────────────────────────────┤
# │ High       │ 5          │ CVE-2025-66471, CVE-2025-66418, CVE-2026-21441, CVE-2025-24359    │
# │            │            │ GHSA-vp47-9734-prjw                                               │
# └────────────┴────────────┴───────────────────────────────────────────────────────────────────┘

# renovate: datasource=github-releases packageName=containerbase/php-prebuild
#ARG PHP_VERSION=8.5.2
#RUN install-tool php

# renovate: datasource=github-releases packageName=containerbase/composer-prebuild
#ARG COMPOSER_VERSION=2.0.13
#RUN install-tool composer

# These are needed to get earlier dotnet versions to install in Ubuntu 24.04
# RUN curl -o /tmp/libssl1.1.deb https://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.24_amd64.deb && \
#     dpkg -i /tmp/libssl1.1.deb

# renovate: datasource=dotnet packageName=dotnet-sdk
#ARG DOTNET_VERSION=2.2.402
#RUN install-tool dotnet

# renovate: datasource=dotnet packageName=dotnet-sdk
#ARG DOTNET_VERSION=3.1.426
#RUN install-tool dotnet

# renovate: datasource=dotnet packageName=dotnet-sdk
#ARG DOTNET_VERSION=5.0.408
#RUN install-tool dotnet

# renovate: datasource=dotnet packageName=dotnet-sdk
#ARG DOTNET_VERSION=6.0.428
#RUN install-tool dotnet

# .NET SDKs, installed side by side. DOTNET_VERSION is re-declared before each
# install; 7.0.410 is installed last and is also pinned as the default through
# the global.json written at the end of this group.
# renovate: datasource=dotnet packageName=dotnet-sdk
ARG DOTNET_VERSION=8.0.417
RUN install-tool dotnet
# ┌────────────┬────────────┬───────────────────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                                              │
# ├────────────┼────────────┼───────────────────────────────────────────────────────────────────┤
# │ High       │ 7          │ CVE-2025-26646, CVE-2024-38095, CVE-2025-55247, CVE-2025-26646    │
# │            │            │ CVE-2025-55247, CVE-2025-55247, CVE-2025-26646                    │
# └────────────┴────────────┴───────────────────────────────────────────────────────────────────┘

# NOTE(review): this ARG has no `# renovate:` marker, unlike the 8.0 and 7.0
# entries, so it will presumably not be bumped automatically — confirm.
ARG DOTNET_VERSION=9.0.310
RUN install-tool dotnet
# ┌────────────┬────────────┬────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                               │
# ├────────────┼────────────┼────────────────────────────────────────────────────┤
# │ High       │ 2          │ CVE-2025-26646, CVE-2024-38095                     │
# └────────────┴────────────┴────────────────────────────────────────────────────┘

# NOTE(review): this is the only SDK here whose table lists critical findings
# (2), and it is the one made the default below. Confirm that 8.0 or 9.0 cannot
# serve as the default instead.
# renovate: datasource=dotnet packageName=dotnet-sdk
ARG DOTNET_VERSION=7.0.410
RUN install-tool dotnet
# ┌────────────┬────────────┬───────────────────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                                              │
# ├────────────┼────────────┼───────────────────────────────────────────────────────────────────┤
# │ Critical   │ 2          │ CVE-2024-0057, CVE-2021-24112                                     │
# ├────────────┼────────────┼───────────────────────────────────────────────────────────────────┤
# │ High       │ 12         │ CVE-2024-30105, CVE-2024-38081, CVE-2024-30105, CVE-2025-26646    │
# │            │            │ CVE-2024-30105, CVE-2025-26646, CVE-2024-30105, CVE-2024-38095    │
# │            │            │ CVE-2024-30105, CVE-2024-38095, CVE-2024-38095, CVE-2025-26646    │
# └────────────┴────────────┴───────────────────────────────────────────────────────────────────┘

# Set .NET SDK 7.0.410 as the default version via a global.json in USER_HOME.
# The version is a literal inside single quotes, so it is NOT taken from
# DOTNET_VERSION: when the ARG above is bumped, this string must be updated by
# hand or the pinned SDK will no longer be one that is installed.
RUN echo '{ "sdk": { "version": "7.0.410" } }' > ${USER_HOME}/global.json

# renovate: datasource=docker versioning=docker
#ARG RUST_VERSION=1.58.1
#RUN install-tool rust

# pip user install (so available for all python versions)
# Drop to the unprivileged UID for this one install so pipenv lands in that
# user's environment rather than in a root-owned location.
USER ${USER_ID}

# renovate: datasource=pypi
ARG PIPENV_VERSION=2023.7.23
RUN install-tool pipenv



# Back to root for the remaining installs and system configuration. The final
# non-root USER is set at the end of the file.
USER 0

# renovate: datasource=pypi
#ARG UV_VERSION=0.9.7
#RUN install-tool uv

# Two Poetry releases are installed. Following the "default must be installed
# last" rule stated elsewhere in this file, 1.6.1 presumably ends up as the
# default `poetry` — confirm that the older release is the intended default.
# renovate: datasource=pypi
ARG POETRY_VERSION=2.0.1
RUN install-tool poetry

# renovate: datasource=pypi
ARG POETRY_VERSION=1.6.1
RUN install-tool poetry

#ENV GEM_HOME=/tmp/containerbase/cache/.ruby
#ENV GEM_PATH="${GEM_HOME}"
# renovate: datasource=github-releases packageName=containerbase/ruby-prebuild versioning=ruby)
#ARG RUBY_VERSION=3.2.2
#RUN install-tool ruby && \
#    gem install rubygems-update -v 3.3.0 && \
#    gem update --system
#ENV PATH="${GEM_HOME}/bin:${PATH}"

# renovate: datasource=rubygems versioning=ruby
#ARG BUNDLER_VERSION=2.4.18
#RUN install-tool bundler

# renovate: datasource=pypi
#ARG CONAN_VERSION=2.24.0
#RUN install-tool conan

#RUN install-tool erlang 24.3.3.0

#RUN install-tool elixir 1.13.4

#### Install rbenv and ruby-build
### or maybe be saved to /etc/profile instead of /etc/profile.d/
#RUN git clone https://github.com/sstephenson/rbenv.git ${USER_HOME}/.rbenv; \
#	git clone https://github.com/sstephenson/ruby-build.git ${USER_HOME}/.rbenv/plugins/ruby-build; \
#	${USER_HOME}/.rbenv/plugins/ruby-build/install.sh && \
#	echo 'eval "$(rbenv init -)"' >> /etc/profile.d/rbenv.sh && \
#	echo 'eval "$(rbenv init -)"' >> ${USER_HOME}/.bashrc && \
#	chown -R ${USER_NAME}:${GROUP_NAME} ${USER_HOME}/.rbenv ${USER_HOME}/.bashrc
#ENV PATH ${USER_HOME}/.rbenv/bin:$PATH

# renovate: datasource=rubygems versioning=ruby
# ARG COCOAPODS_VERSION=1.16.2
# RUN install-tool cocoapods && \
#     adduser cocoapods
# USER cocoapods
# RUN pod setup
# USER 0

# renovate: datasource=github-releases packageName=helm/helm
#ARG HELM_VERSION=3.19.0
#RUN install-tool helm

## No renovate datasource exists yet
# Only referenced by the commented-out Cabal section further down.
ARG HASKELL_GHC_VERSION=8.6.5

## No renovate datasource exists yet
ARG CABAL_VERSION=3.2

# Fix for npm engine-strict
ENV npm_config_engine_strict=false

# Locale and apt front-end settings.
# NOTE(review): DEBIAN_FRONTEND set through ENV persists into the running
# container, not just the build. If it is only needed for the apt-get call
# below, passing it inline on that command keeps it out of the runtime env.
ENV DEBIAN_FRONTEND=noninteractive \
    LANGUAGE=en_US.UTF-8 \
    LANG=en_US.UTF-8 \
    LC_ALL=en_US.UTF-8

### Install wget, curl, git, unzip, gnupg, locales
# Package versions are not pinned, so the result depends on the apt index at
# build time. Caches and /tmp are cleared in the same layer.
RUN apt-get update && \
    apt-get -y install \
        curl \
        git \
        gnupg \
        locales \
        unzip \
        wget && \
    locale-gen en_US.UTF-8 && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* && \
    rm -rf /tmp/*


##### Install Conda
## Warning: Using Anaconda's default channel may require a commercial license.
## However, the conda-forge channel is not subject to the same terms. See commented
## out settings below for an example of using conda-forge.
#
# Set conda-forge to be the default registry
# conda config --add channels conda-forge
# Use conda-forge strictly
# conda config --set channel_priority strict
#
#RUN  su -p ${USER_NAME} -c "cd ${USER_HOME} && \
#        mkdir -p ${USER_HOME}/miniconda3 && \
#        wget https://repo.anaconda.com/miniconda/Miniconda3-py39_24.1.2-0-Linux-x86_64.sh -O ${USER_HOME}/miniconda3/miniconda.sh && \
#        bash ${USER_HOME}/miniconda3/miniconda.sh -b -u -p ${USER_HOME}/miniconda3 && \
#        rm -rf ${USER_HOME}/miniconda3/miniconda.sh" && \
#        chgrp -R 0 ${USER_HOME}/miniconda3 && \
#        chmod -R g=u ${USER_HOME}/miniconda3
#
#RUN echo '#!/usr/bin/env bash' >> /usr/bin/conda && \
#        echo 'source ${USER_HOME}/miniconda3/etc/profile.d/conda.sh' >> /usr/bin/conda && \
#        echo '${USER_HOME}/miniconda3/bin/conda "$@"' >> /usr/bin/conda && \
#        chmod +x /usr/bin/conda


#### Important note ###
#### uncomment for:
####    Scala
####    SBT
####    Mix/ Hex/ Erlang/ Elixir
####    dotnet/nuget cli's
#RUN apt-get update && \
#	apt-get install -y --force-yes build-essential software-properties-common && \
#	apt-get install -y --force-yes zlib1g-dev libssl-dev libreadline-dev libyaml-dev libxml2-dev libxslt-dev && \
#	apt-get clean && \
#	rm -rf /var/lib/apt/lists/* && \
#	rm -rf /tmp/*

### Install PHP Plugins
#RUN apt-get update && \
#	apt-get install -y php-mbstring && \
#	apt-get install -y php-dom && \
#	apt-get clean && \
#	rm -rf /var/lib/apt/lists/* && \
#	rm -rf /tmp/*


#### Install R and Packrat
# Set environment variables to avoid interactive prompts
#ENV DEBIAN_FRONTEND=noninteractive
#ENV TZ=UTC
## Update system and install dependencies
#RUN apt-get update && apt-get install -y \
#    software-properties-common \
#    dirmngr \
#    lsb-release \
#    build-essential \
#    gfortran \
#    libcurl4-openssl-dev \
#    libssl-dev \
#    libxml2-dev \
#    libfontconfig1-dev \
#    libharfbuzz-dev \
#    libfribidi-dev \
#    libfreetype6-dev \
#    libpng-dev \
#    libtiff5-dev \
#    libjpeg-dev \
#    git \
#    && rm -rf /var/lib/apt/lists/*
## Add CRAN repository and install R
#RUN wget -qO- https://cloud.r-project.org/bin/linux/ubuntu/marutter_pubkey.asc | gpg --dearmor -o /usr/share/keyrings/r-project.gpg && \
#    echo "deb [signed-by=/usr/share/keyrings/r-project.gpg] https://cloud.r-project.org/bin/linux/ubuntu noble-cran40/" | tee -a /etc/apt/sources.list.d/r-project.list && \
#    apt-get update && \
#    apt-get install -y r-base r-base-dev && \
#    rm -rf /var/lib/apt/lists/*
## Install devtools and packrat from R
#RUN R -e "install.packages(c('devtools', 'packrat'), repos='https://cloud.r-project.org/')"


#### Install Cabal
#RUN apt-get update &&\
#	apt-get install -y build-essential curl libffi-dev libffi8ubuntu1 libgmp-dev libgmp10 libncurses-dev && \
#	apt-get clean && \
#	rm -rf /var/lib/apt/lists/* && \
#	rm -rf /tmp/*
#
#RUN su -p ${USER_NAME} -c "curl --proto '=https' --tlsv1.2 -sSf https://get-ghcup.haskell.org | sh && \
#	source /home/wss-scanner/.ghcup/env && \
#	echo "source /home/wss-scanner/.ghcup/env" >> /home/wss-scanner/.bashrc && \
#	ghcup install cabal ${CABAL_VERSION} &&\
#	cabal update" && \
#   chgrp -R 0 ${USER_HOME}/.cabal ${USER_HOME}/.ghcup && \
#   chmod -R g=u ${USER_HOME}/.cabal ${USER_HOME}/.ghcup

#### Install Mono
#RUN apt-get update && \
#    apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF && \
#    apt-get install -y --no-install-recommends apt-transport-https ca-certificates && \
#    echo "deb https://download.mono-project.com/repo/ubuntu bionic main" | tee /etc/apt/sources.list.d/mono-official-stable.list && \
#    apt-get update && \
#    apt-get install -y mono-devel && \
#    apt-get clean && \
#    rm -rf /var/lib/apt/lists/* && \
#    rm -rf /tmp/*
#
#### Install Nuget CLI
#RUN apt-get update && \
#    apt-get install nuget

## Install Paket
#ENV PAKET_HOME=${USER_HOME}/.dotnet/tools
#ENV PATH="${PATH}:${PAKET_HOME}"
#RUN dotnet tool install Paket --version 7.2.1 --tool-path ${PAKET_HOME}

## Install Bazel
# renovate: datasource=github-releases packageName=bazelbuild/bazelisk
#ARG BAZELISK_VERSION=v1.27.0
#RUN install-tool bazelisk

# Pre-download Bazel 6.1.1 to cache it in the image
#RUN USE_BAZEL_VERSION=6.1.1 bazel version

# Set Bazel 6.1.1 as the default version
#ENV USE_BAZEL_VERSION=6.1.1

# Install Swift (including SPM)
# renovate: datasource=docker versioning=docker
#ARG SWIFT_VERSION=5.10.0
#RUN install-tool swift

# Clear /tmp, which removes the partially populated /tmp/containerbase, then
# have containerbase recreate that directory with the full content for all tools.
RUN rm -rf /tmp/* && \
    containerbase-cli init tool all

# END OF BASE IMAGE

## Uncomment the below to enable Dynamic package manager install for selected package managers
##
# COPY --from=containerbase/runinstall:20240327 /home/ubuntu/bin/runinstall ${USER_HOME}/.local/bin/runinstall
# RUN ln -s ${USER_HOME}/.local/bin/runinstall ${USER_HOME}/.local/bin/mvn
# RUN ln -s ${USER_HOME}/.local/bin/runinstall ${USER_HOME}/.local/bin/pipenv


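# Download the Mend SCA wrapper and put it on $PATH. The source can be changed via:
#   --build-arg SCA_TOOL_URL=<url>
# The downloaded binary is executed during this build (as USER_NAME) and again
# in every container, so its integrity matters. To pin the artifact, pass:
#   --build-arg SCA_TOOL_SHA256=<sha256 of the sca-wrapper binary>
# When SCA_TOOL_SHA256 is empty (the default) no digest check is performed.
USER 0
ARG SCA_TOOL_URL=https://downloads.mend.io/production/sca/sca-wrapper/26.1.2.1/linux_amd64/sca-wrapper
ARG SCA_TOOL_SHA256
ENV MEND_SCA_BIN_DIR=/sca-wrapper/bin
# curl -f makes an HTTP error fail the build at the download step instead of
# saving the error page as the "binary"; -L follows redirects; -sS keeps the
# log quiet but still prints errors.
# NOTE(review): both chmod calls make the wrapper and everything under
# /sca-wrapper world-writable while that directory is on PATH, so any process
# in the container can replace the executable. The permissions are left as they
# were because the runtime UID model is not visible in this file; if the
# container always runs with GID 0, root-group ownership plus `g=u` (the
# pattern already used for USER_HOME below) would be a tighter equivalent.
RUN echo "Downloading Mend SCA tool [$SCA_TOOL_URL]" && \
    curl -fsSL "$SCA_TOOL_URL" --create-dirs -o "${MEND_SCA_BIN_DIR}/sca-wrapper" && \
    if [ -n "${SCA_TOOL_SHA256:-}" ]; then \
        echo "${SCA_TOOL_SHA256}  ${MEND_SCA_BIN_DIR}/sca-wrapper" | sha256sum -c -; \
    fi && \
    chmod 0777 -R "${MEND_SCA_BIN_DIR}" && \
    su -p "${USER_NAME}" -c ' \
        SCA_TOOL_VERSION="$($MEND_SCA_BIN_DIR/sca-wrapper version)" && \
        echo "Mend-SCA-Tool Version: $SCA_TOOL_VERSION" && \
        "$MEND_SCA_BIN_DIR/sca-wrapper" init' && \
    chmod 0777 -R /sca-wrapper
# ┌────────────┬────────────┬───────────────────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                                              │
# ├────────────┼────────────┼───────────────────────────────────────────────────────────────────┤
# │ Critical   │ 7          │ CVE-2025-68121, CVE-2025-68121, CVE-2025-68121, CVE-2025-22871    │
# │            │            │ CVE-2025-22871, CVE-2025-68121, CVE-2025-22871                    │
# ├────────────┼────────────┼───────────────────────────────────────────────────────────────────┤
# │ High       │ 28         │ CVE-2025-58183, CVE-2025-24970, CVE-2025-61729, CVE-2025-61729    │
# │            │            │ CVE-2022-3171, CVE-2025-58183, CVE-2025-61730, CVE-2024-7254      │
# │            │            │ CVE-2022-3509, CVE-2025-61728, CVE-2025-61728, CVE-2025-58057     │
# │            │            │ CVE-2022-3510, CVE-2025-61726, CVE-2025-61728, CVE-2025-61730     │
# │            │            │ CVE-2025-61730, CVE-2025-61726, CVE-2025-30204, CVE-2025-47907    │
# │            │            │ CVE-2025-61729, CVE-2025-47907, CVE-2024-34156, CVE-2025-58183    │
# │            │            │ CVE-2025-22869, CVE-2025-47907, CVE-2025-61726, CVE-2025-65637    │
# └────────────┴────────────┴───────────────────────────────────────────────────────────────────┘
ENV PATH=$PATH:$MEND_SCA_BIN_DIR
ENV MEND_SCA_SCAN_PRINT_ENGINE_LOGS=true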

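# Download the standalone pre-scan-builder binary to the $MEND_SCA_BIN_DIR directory.
# The source can be changed via:
#   --build-arg PSB_URL=<url>
# To pin the artifact, also pass:
#   --build-arg PSB_SHA256=<sha256 of the psb binary>
# When PSB_SHA256 is empty (the default) no digest check is performed.
ARG PSB_URL=https://downloads.mend.io/production/sca/pre-scan-builder/25.8.1/linux_amd64/psb
ARG PSB_SHA256
# curl -f fails the build on an HTTP error instead of saving the error body;
# the URL and paths are quoted so an overridden value cannot be word-split.
# NOTE(review): 0777 leaves the executable world-writable inside a directory
# that is on PATH. Kept as-is to match the directory mode set for the SCA
# wrapper; tighten both together once the runtime UID model is confirmed.
RUN echo "Downloading PSB [$PSB_URL]" && \
    curl -fsSL "$PSB_URL" -o "${MEND_SCA_BIN_DIR}/psb" && \
    if [ -n "${PSB_SHA256:-}" ]; then \
        echo "${PSB_SHA256}  ${MEND_SCA_BIN_DIR}/psb" | sha256sum -c -; \
    fi && \
    chmod 0777 "${MEND_SCA_BIN_DIR}/psb" && \
    PSB_VERSION="$(psb --version)" && echo "PSB Version: $PSB_VERSION"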
# ┌────────────┬────────────┬───────────────────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                                              │
# ├────────────┼────────────┼───────────────────────────────────────────────────────────────────┤
# │ Critical   │ 2          │ CVE-2025-68121, CVE-2025-22871                                    │
# ├────────────┼────────────┼───────────────────────────────────────────────────────────────────┤
# │ High       │ 7          │ CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-58183    │
# │            │            │ CVE-2024-34156, CVE-2025-47907, CVE-2025-61729                    │
# └────────────┴────────────┴───────────────────────────────────────────────────────────────────┘


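# Download the SAST CLI and set it in $PATH, can be replaced by:
#   --build-arg SASTCLI=<url>
# The default URL carries no version segment, so the build installs whatever
# binary is served at build time. To pin a known artifact, also pass:
#   --build-arg SASTCLI_SHA256=<sha256 of the mend binary>
# When SASTCLI_SHA256 is empty (the default) no digest check is performed.
ARG SASTCLI=https://downloads.mend.io/cli/linux_amd64/mend
ARG SASTCLI_SHA256
# Nothing in this step runs the downloaded file, so without curl -f an HTTP
# error page would be installed silently as /sast/bin/mend and only fail at
# scan time. -f turns that into a build failure.
RUN echo "Downloading Mend Unified CLI wrapper" && \
    curl -fsSL "$SASTCLI" --create-dirs -o /sast/bin/mend && \
    if [ -n "${SASTCLI_SHA256:-}" ]; then \
        echo "${SASTCLI_SHA256}  /sast/bin/mend" | sha256sum -c -; \
    fi && \
    chmod 0775 /sast/bin/mend
ENV PATH=$PATH:/sast/bin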

### copy folder
# Overlay the contents of docker-image-scanner/ from the build context onto the
# image root. Every file keeps its relative path, so the directory decides which
# absolute paths get created or replaced. /start.sh and
# /generate_versions_json.sh, used below, presumably come from here.
# USER is 0 at this point, so the copied files are root-owned. Review changes
# to that directory as changes to the image's root filesystem.
COPY docker-image-scanner/ /
# ┌────────────┬────────────┬─────────────────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                                            │
# ├────────────┼────────────┼─────────────────────────────────────────────────────────────────┤
# │ High       │ 8          │ CVE-2025-58056, CVE-2025-67721, CVE-2023-3894, CVE-2022-3510    │
# │            │            │ CVE-2022-3509, CVE-2022-3171, CVE-2024-7254, CVE-2025-58057     │
# └────────────┴────────────┴─────────────────────────────────────────────────────────────────┘

# Generate ${USER_HOME}/.mend/installed-versions.json from this Dockerfile.
# The Dockerfile is copied in only for that purpose and removed again, together
# with the generator script. Both files still exist in the earlier COPY layers;
# the rm only hides them in the final filesystem.
ARG THIS_DOCKERFILE_NAME=Dockerfile
COPY ${THIS_DOCKERFILE_NAME} /tmp/target-dockerfile
RUN chmod +x /generate_versions_json.sh && \
    mkdir -p "${USER_HOME}/.mend" && \
    /generate_versions_json.sh /tmp/target-dockerfile > "${USER_HOME}/.mend/installed-versions.json" && \
    rm /tmp/target-dockerfile && \
    rm /generate_versions_json.sh

# Make the start script executable, then give group 0 the same rights on
# USER_HOME as the owner, so the image also works under an arbitrary UID that
# is a member of the root group.
RUN chmod 755 /start.sh && \
    chgrp -R 0 ${USER_HOME} && \
    chmod -R g=u ${USER_HOME}

# NOTE(review): a+rw makes the whole scanner home readable and writable by
# every UID in the container, including any configuration stored there. If
# only USER_NAME or group 0 needs write access, the chgrp 0 / g=u pattern used
# for USER_HOME above would be narrower.
ENV SCM_SCANNER_HOME=/etc/usr/local/whitesource/scm-scanner
RUN chmod -R a+rw ${SCM_SCANNER_HOME}
# Disables message lookups in Log4j 2. This is a mitigation switch only; it
# does not replace running a patched log4j-core.
ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true
### Switch User ###
# From here on the image runs unprivileged.
# NOTE(review): USER is set by name. Runtimes that must verify "non-root"
# without reading /etc/passwd (for example a Kubernetes runAsNonRoot check) need
# a numeric UID; USER ${USER_ID}, as used earlier in this file for the pipenv
# install, would satisfy that — confirm before changing.
ENV HOME=${USER_HOME}
WORKDIR ${USER_HOME}
USER ${USER_NAME}

# JAVA_OPTS given at build time is baked into the image environment and is
# visible in the image config, so it must not carry credentials.
ARG JAVA_OPTS
ENV JAVA_OPTS=${JAVA_OPTS}
# Read by the `java` launcher on JDK 9+; opens the listed java.base packages to
# reflective access from unnamed modules.
ENV JDK_JAVA_OPTIONS="--add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/sun.reflect.generics.reflectiveObjects=ALL-UNNAMED"

# Documentation only: the port still has to be published at run time.
EXPOSE 9393

# Mend traceability labels
LABEL io.mend.image.dockerfile.path=integration-new/github-scanner-parent/scm-packaging/src/assembly-staging/docker/Dockerfile \
      org.opencontainers.image.source=https://github.com/whitesource/github-scanner

# docker-entrypoint.sh is resolved through PATH (presumably one of the scripts
# copied from the containerbase stage) and receives CMD as its arguments.
ENTRYPOINT ["docker-entrypoint.sh"]

CMD ["/start.sh"]
