# Default base image for the final stage; override with --build-arg BASE_IMAGE=<image:tag>.
# The stage built from it drives apt-get and the containerbase install scripts, so a
# replacement is expected to be Debian/Ubuntu-like (confirm before swapping it).
ARG BASE_IMAGE=ubuntu:24.04

# Containerbase provides the install-containerbase / prepare-tool / install-tool scripts
# used for tool installation and user/directory setup. It is pinned by tag AND digest,
# so the helper scripts copied out of it are reproducible until the pin is bumped.
FROM ghcr.io/containerbase/base:14.9.5@sha256:2852f7e2784fb21e745325a81c9beb1906be51b79956376eecf9ce57dacf6fd0 AS containerbase


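FROM ${BASE_IMAGE} AS base

# Refresh the OS package set in one layer and drop the apt cache in the same layer so it
# does not persist in the image. The blanket upgrade pulls OS fixes published after the
# base tag was cut; if reproducible builds matter more than that, pin BASE_IMAGE by
# digest and remove the upgrade instead.
RUN apt-get update -y && apt-get upgrade -y && apt-get clean && rm -rf /var/lib/apt/lists/*

# Containerbase supports a custom (non-root) user. These ARGs are read by
# install-containerbase below and by the ownership/permission steps at the end of
# this stage; the runtime user is switched to USER_NAME before the entrypoint.
ARG USER_NAME=wss-scanner
ARG USER_ID=1000
ARG USER_HOME=/home/${USER_NAME}

# Set env and shell: containerbase expects BASH_ENV to point at its environment file so
# every RUN sees the installed tools. pipefail makes a failing producer in a pipe fail
# the whole RUN instead of being masked by the last command.
ENV BASH_ENV=/usr/local/etc/env
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Set up containerbase from the pinned stage above
COPY --from=containerbase /usr/local/sbin/ /usr/local/sbin/
COPY --from=containerbase /usr/local/containerbase/ /usr/local/containerbase/
RUN install-containerbase && \
    prepare-tool all

# renovate: datasource=github-tags depName=git lookupName=git/git
ARG GIT_VERSION=v2.41.0
RUN install-tool git
# Layer 6 (instruction #7): RUN |4 USER_NAME=wss-scanner USER_ID=1000 USER_HOME=/home/wss-scanner GIT_VERSIO
# ┌────────────┬────────────┬───────────────────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                                              │
# ├────────────┼────────────┼───────────────────────────────────────────────────────────────────┤
# │ Critical   │ 11         │ CVE-2026-43501, CVE-2026-31637, CVE-2026-43185, CVE-2026-46043    │
# │            │            │ CVE-2026-43037, CVE-2026-43304, CVE-2026-43011, CVE-2026-31402    │
# │            │            │ CVE-2026-45988, CVE-2026-46135, CVE-2026-43038                    │
# ├────────────┼────────────┼───────────────────────────────────────────────────────────────────┤
# │ High       │ 36         │ CVE-2026-46275, CVE-2026-46319, CVE-2026-43084, CVE-2025-71315    │
# │            │            │ CVE-2026-46195, CVE-2026-46274, CVE-2026-45972, CVE-2026-43378    │
# │            │            │ CVE-2026-43493, CVE-2026-43083, CVE-2026-43406, CVE-2026-46119    │
# │            │            │ CVE-2026-46185, CVE-2026-46259, CVE-2026-46273, CVE-2026-31705    │
# │            │            │ CVE-2026-46304, CVE-2026-46320, CVE-2025-54518, CVE-2026-43186    │
# │            │            │ CVE-2026-31657, CVE-2026-31436, CVE-2026-31478, CVE-2026-31536    │
# │            │            │ CVE-2026-31659, CVE-2026-31607, CVE-2026-23455, CVE-2026-31405    │
# │            │            │ CVE-2026-23450, CVE-2026-23240, CVE-2026-23428, CVE-2026-43198    │
# │            │            │ CVE-2026-43341, CVE-2026-31414, CVE-2026-43407, CVE-2026-31669    │
# └────────────┴────────────┴───────────────────────────────────────────────────────────────────┘

### !!! Install this version after the other versions, so that it is the default !!! ###
# renovate: datasource=adoptium-java depName=java
ARG JAVA_VERSION=17.0.8+7
RUN install-tool java

# END OF BASE IMAGE

# Download the SAST CLI and set it in $PATH; the source can be replaced with:
#   --build-arg SASTCLI=URL
# (the echo below is a build-log message only and creates an empty layer)
RUN echo "Downloading latest Mend Unified CLI wrapper"
ARG SASTCLI=https://downloads.mend.io/cli/linux_amd64/mend
# Optional expected SHA-256 (hex) of the file served at $SASTCLI. When supplied, the
# build fails if the download does not match, so a truncated or tampered wrapper never
# reaches the image. Empty (the default) keeps the previous unverified behaviour:
#   --build-arg SASTCLI_SHA256=<hex digest>
ARG SASTCLI_SHA256=
# -f fails on HTTP errors instead of saving an error page as the binary.
RUN curl -f "$SASTCLI" --create-dirs -o /sast/bin/mend \
    && if [ -n "$SASTCLI_SHA256" ]; then echo "$SASTCLI_SHA256  /sast/bin/mend" | sha256sum -c -; fi \
    && chmod 0775 /sast/bin/mend
# Layer 9 (instruction #10): RUN |6 USER_NAME=wss-scanner USER_ID=1000 USER_HOME=/home/wss-scanner GIT_VERSIO
# ┌────────────┬────────────┬────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                               │
# ├────────────┼────────────┼────────────────────────────────────────────────────┤
# │ High       │ 1          │ CVE-2026-42504                                     │
# └────────────┴────────────┴────────────────────────────────────────────────────┘
ENV PATH=$PATH:/sast/bin

ENV WS_SAST_SCAN_PREFIX=SAST_

### copy folder (scanner tree, /start.sh and the entrypoint script live in here)
COPY docker-image-scanner/ /
# Layer 10 (instruction #11): COPY docker-image-scanner/ / # buildkit
# ┌────────────┬────────────┬───────────────────────────────────────────────────────────────┐
# │ Severity   │ Count      │ CVEs                                                          │
# ├────────────┼────────────┼───────────────────────────────────────────────────────────────┤
# │ High       │ 4          │ CVE-2022-3510, CVE-2022-3509, CVE-2022-3171, CVE-2024-7254    │
# └────────────┴────────────┴───────────────────────────────────────────────────────────────┘

# Make the start script executable and give group 0 the owner's permissions on the home
# directory, so the image also runs on platforms that start containers with an arbitrary
# UID and GID 0. Both steps are filesystem fix-ups of the COPY above, so one layer.
RUN chmod 755 /start.sh \
    && chgrp -R 0 ${USER_HOME} && chmod -R g=u ${USER_HOME}

ENV SCM_SCANNER_HOME=/etc/usr/local/whitesource/scm-scanner
# Same ownership model as the home directory: the scanner user owns the tree and group 0
# gets the owner's permissions. This replaces a world-writable tree (ugo+rw), which let
# any other process in the container modify the scanner's files; other users keep their
# read/execute bits and only lose write.
RUN chown -R ${USER_ID}:0 ${SCM_SCANNER_HOME} && chmod -R u+rw,g=u,o-w ${SCM_SCANNER_HOME}
# Disable Log4j 2 message lookups as defence in depth (the lookup-injection hardening flag).
ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true
### Switch User ###
ENV HOME=${USER_HOME}
WORKDIR ${USER_HOME}
USER ${USER_NAME}
# JAVA_OPTS is only forwarded from the build arg; it is empty unless --build-arg JAVA_OPTS=... is given.
ARG JAVA_OPTS
ENV JAVA_OPTS=${JAVA_OPTS}
# --add-opens flags applied to every JVM start (presumably needed by the scanner under
# JDK 17's strong encapsulation of java.base internals — confirm against the scanner).
ENV JDK_JAVA_OPTIONS="--add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/sun.reflect.generics.reflectiveObjects=ALL-UNNAMED"

# Documentation only: records the port the service is expected to listen on; it is not published by this line.
EXPOSE 9393

# Resolved via PATH; expected to come from the docker-image-scanner/ tree copied above (confirm).
ENTRYPOINT ["docker-entrypoint.sh"]
# Mend traceability labels
LABEL io.mend.image.dockerfile.path=integration-new/github-scanner-parent/scm-packaging/src/assembly-staging/docker/Dockerfile
LABEL org.opencontainers.image.source=https://github.com/whitesource/github-scanner

# Default argument handed to the entrypoint; overridable at `docker run`.
CMD ["/start.sh"]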
