[BUG] Cannot build Privado Docker images

[cattius]

Describe the bug
There is no Dockerfile provided that enables custom application images to be built and launched from privado-cli. Please add a complete Dockerfile and instructions to the repo.

I've tried building both the Dockerfile in this repo (see details below) and the Dockerfile in privado-core. Both fail to launch with the same error because /app/code and many other file paths that privado-cli expects to find don't exist in the container (I can only find /home/privado-core-build in the image produced by the privado-core Dockerfile).

I hope I'm not missing something obvious here 😅 Opening this issue as a last resort after a lot of failed attempts.

To Reproduce

• Create a local Privado image from this repo by running docker build -t privadolocal:latest .
• Note that the resulting image is only 94.17MB
• Modify the image URL in privado-cli (app_config.go) to the local image name and comment out the if dockerAccessKey, err := docker.GetPrivadoDockerAccessKey ... if/else block in scan.go so that it does not try to pull the image.
• Run a scan with the modified privado-cli (go build, go run main.go scan .)
• The image is found, but launching a scan with it fails with the following error:

Received error: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "/app/code": permission denied: unknown
exit status 1

Similarly, to reproduce with privado-core build an image with docker build -t privadocorelocal:latest --build-arg JAR_VERSION="dev-SNAPSHOT" --build-arg VERSION=1 .

Expected behavior
It is possible to launch a scan from privado-cli using the locally-built image. The image should be the same size and have the same image history as the latest Privado image from AWS ECR (see below for details).

Desktop:

• OS: Windows 11
• Using this repo at commit a52a047, privado-cli at commit 6041ed29ecf969f3b3f8c6da40cdbcdc4c33530c, privado-core at commit Privado-Inc/privado-core@ebe0200

Additional context
In contrast, the latest Privado image from AWS ECR is 2.14GB and has clearly been created with a different Dockerfile, as the image history is very different:

No.	Cmd	Size
0	ENTRYPOINT ["/usr/local/bin/core" "scan"]	0 Bytes
1	ENV PRIVADO_DOCKER_ACCESS_KEY=eeac235df262ec3aab5db19aac947d3d63312fc9c0154efed5e668eace3db65d	0 Bytes
2	ENV IS_PRODUCTION=true	0 Bytes
3	ARG IS_PRODUCTION=false	0 Bytes
4	COPY /home/privado-core-build/log4j2.xml /app/config/ # buildkit	562 Bytes
5	COPY /home/privado-core-build/version.txt /privado-core/ # buildkit	7 Bytes
6	RUN |1 RULES_PATH=/app/rules /bin/sh -c ln -s /privado-core/bin/privado-core /usr/local/bin/core # buildkit	30 Bytes
7	RUN |1 RULES_PATH=/app/rules /bin/sh -c unzip /home/privado-core-build/privado-core.zip -d /home/privado-core-build/ && mv /home/privado-core-build/privado-core-* privado-core && mkdir -p privado-core/bin/astgen && cp -rf /home/privado-core-build/astgen/ privado-core/bin/ && rm -f /home/privado-core-build/privado-core.zip # buildkit	478.78 MB
8	COPY /home/rules/ /app/rules # buildkit	86.36 MB
9	COPY /build/astgen/dist/astgen /home/privado-core-build/astgen # buildkit	259.12 MB
10	COPY /home/privado-core-build/ /home/privado-core-build/ # buildkit	367.98 MB
11	ARG RULES_PATH=/app/rules	0 Bytes
12	RUN /bin/sh -c apt update && apt install -y zip python3 curl gnupg bash maven # buildkit	284.95 MB
13	/bin/sh -c #(nop) CMD ["jshell"]	0 Bytes
14	/bin/sh -c set -eux; arch="$(dpkg --print-architecture)"; case "$arch" in 'amd64') downloadUrl='https://download.java.net/java/GA/jdk18.0.2.1/db379da656dc47308e138f21b33976fa/1/GPL/openjdk-18.0.2.1_linux-x64_bin.tar.gz'; downloadSha256='3bfdb59fc38884672677cebca9a216902d87fe867563182ae8bc3373a65a2ebd'; ;; 'arm64') downloadUrl='https://download.java.net/java/GA/jdk18.0.2.1/db379da656dc47308e138f21b33976fa/1/GPL/openjdk-18.0.2.1_linux-aarch64_bin.tar.gz'; downloadSha256='79900237a5912045f8c9f1065b5204a474803cbbb4d075ab9620650fb75dfc1b'; ;; ) echo >&2 "error: unsupported architecture: '$arch'"; exit 1 ;; esac; wget --progress=dot:giga -O openjdk.tgz "$downloadUrl"; echo "$downloadSha256 openjdk.tgz" | sha256sum --strict --check -; mkdir -p "$JAVA_HOME"; tar --extract --file openjdk.tgz --directory "$JAVA_HOME" --strip-components 1 --no-same-owner ; rm openjdk.tgz; { echo '#!/usr/bin/env bash'; echo 'set -Eeuo pipefail'; echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$JAVA_HOME/lib/security/cacerts"'; } > /etc/ca-certificates/update.d/docker-openjdk; chmod +x /etc/ca-certificates/update.d/docker-openjdk; /etc/ca-certificates/update.d/docker-openjdk; find "$JAVA_HOME/lib" -name '.so' -exec dirname '{}' ';' | sort -u > /etc/ld.so.conf.d/docker-openjdk.conf; ldconfig; java -Xshare:dump; fileEncoding="$(echo 'System.out.println(System.getProperty("file.encoding"))' | jshell -s -)"; [ "$fileEncoding" = 'UTF-8' ]; rm -rf ~/.java; javac --version; java --version	323.81 MB
15	/bin/sh -c #(nop) ENV JAVA_VERSION=18.0.2.1	0 Bytes
16	/bin/sh -c #(nop) ENV LANG=C.UTF-8	0 Bytes
17	/bin/sh -c #(nop) ENV PATH=/usr/local/openjdk-18/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin	0 Bytes
18	/bin/sh -c #(nop) ENV JAVA_HOME=/usr/local/openjdk-18	0 Bytes
19	/bin/sh -c set -eux; apt-get update; apt-get install -y --no-install-recommends bzip2 unzip xz-utils binutils fontconfig libfreetype6 ca-certificates p11-kit ; rm -rf /var/lib/apt/lists/*	37.54 MB
20	/bin/sh -c apt-get update && apt-get install -y --no-install-recommends git mercurial openssh-client subversion procps && rm -rf /var/lib/apt/lists/*	151.98 MB
21	/bin/sh -c set -ex; if ! command -v gpg > /dev/null; then apt-get update; apt-get install -y --no-install-recommends gnupg dirmngr ; rm -rf /var/lib/apt/lists/*; fi	18.95 MB
22	/bin/sh -c set -eux; apt-get update; apt-get install -y --no-install-recommends ca-certificates curl netbase wget ; rm -rf /var/lib/apt/lists/*	10.7 MB
23	/bin/sh -c #(nop) CMD ["bash"]	0 Bytes
24	/bin/sh -c #(nop) ADD file:b03d13d345c29f69557f410c8504e748226756d1f48e5abdb63cd40179b2640c in /	124.12 MB

[ojaswa1942]

Hi @cattius
Thanks for reporting this.

Currently, we merge the artifacts generated from both of these images into a final image which is then consumed by Privado CLI. Here is the Dockerfile:

FROM privado-core:latest AS core
FROM privado-main:latest AS rules

FROM node:16 as astgen
WORKDIR /build
RUN git clone https://github.com/max-leuthaeuser/astgen.git
WORKDIR /build/astgen
RUN npm install -g pkg
RUN yarn install
RUN pkg . --no-bytecode --no-native-build --public --out-path dist/astgen

FROM openjdk:18.0.2.1-jdk-bullseye as main
RUN apt update && apt install -y zip python3 curl gnupg bash maven
ARG RULES_PATH=/app/rules

COPY --from=core /home/privado-core-build/ /home/privado-core-build/
COPY --from=astgen /build/astgen/dist/astgen /home/privado-core-build/astgen
COPY --from=rules /home/rules/ $RULES_PATH

RUN unzip /home/privado-core-build/privado-core.zip -d /home/privado-core-build/ && mv /home/privado-core-build/privado-core-* privado-core && mkdir -p privado-core/bin/astgen && cp -rf /home/privado-core-build/astgen/ privado-core/bin/ && rm -f /home/privado-core-build/privado-core.zip
RUN ln -s /privado-core/bin/privado-core /usr/local/bin/core
COPY --from=core /home/privado-core-build/version.txt /privado-core/
COPY --from=core /home/privado-core-build/log4j2.xml /app/config/
ARG IS_PRODUCTION=true
ENV IS_PRODUCTION=${IS_PRODUCTION}

ENV PRIVADO_DOCKER_ACCESS_KEY="eeac235df262ec3aab5db19aac947d3d63312fc9c0154efed5e668eace3db65d"

ENTRYPOINT ["/usr/local/bin/core","scan"]

Here privado-core:latest and privado-main:latest are local builds of privado-core and privado respectively.

Further, we have been planning to move the missing configurations and revisit the bundling process. I've created a separate ticket to track those here #288.

Hope this helps!

[cattius]

Thank you! That additional Dockerfile solves the mystery for me - I'll give it a try building a custom image with that.

If the work will be tracked in #288, I think we can close this issue as a duplicate, but in the interim until #288 can be worked on, it would be really helpful to add this to the documentation.

[juicetin]

@ojaswa1942 Hi, a heads up this is still an issue when installing the CLI as per repo instructions

> Scanning directory: /home/me/repos/public/BankingSystem-Backend

> Pulling the latest image: public.ecr.aws/privado/privado:latest
latest: Pulling from privado/privado
Digest: sha256:323fce8743184e3232fc5a56826c8e7db08030d14ca98680aaef3beb254a3924
Status: Image is up to date for public.ecr.aws/privado/privado:latest

> Starting container with the latest image
> Container ID: 56896f95faf8308be0f40477bed2331cce4798f5876ecc7c09b690cd288c8a9b

> Waiting for process to complete:
Privado CLI Version: v2.2.9
Privado Core Version: 1.1.140
Privado Language Engine Version: 2.0.283
Warning: Privado doesn't have write permission on give repo location - /app/code
Error Occurred: /app/code

[juicetin]

Hi @cattius , may I ask how you worked around this problem while #288 is still outstanding?