From 0b14168a59b08be3914c50a2f4749035fb25eede Mon Sep 17 00:00:00 2001 From: Michael Imamura Date: Thu, 12 Dec 2024 13:40:45 -0500 Subject: [PATCH] Update Node.js to v22. - The "node14" container is now just named "node" and is based on Node.js v22. - Enabled cache mounts for Apt, Pip, and NPM. - Upgraded ESLint (and dependencies) to work with Node.js v22. --- backend/Dockerfiles/Dockerfile.node | 36 +++++++++++++++++++ backend/Dockerfiles/Dockerfile.node14 | 26 -------------- backend/Makefile | 16 ++++----- backend/engine/plugins/eslint/settings.json | 2 +- .../plugins/node_dependencies/settings.json | 2 +- .../engine/plugins/nodejsscan/settings.json | 2 +- 6 files changed, 47 insertions(+), 37 deletions(-) create mode 100644 backend/Dockerfiles/Dockerfile.node delete mode 100644 backend/Dockerfiles/Dockerfile.node14 diff --git a/backend/Dockerfiles/Dockerfile.node b/backend/Dockerfiles/Dockerfile.node new file mode 100644 index 00000000..ef420534 --- /dev/null +++ b/backend/Dockerfiles/Dockerfile.node 
@@ -0,0 +1,36 @@
+# syntax=docker/dockerfile:1
+FROM node:22-bookworm-slim
+
+ARG MAINTAINER
+LABEL maintainer=$MAINTAINER
+
+# hadolint ignore=DL3008,DL3016
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+ apt-get update && \
+ apt-get upgrade -y && \
+ apt-get install python3 python3-pip git -y --no-install-recommends && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/*
+
+# Upgrade npm for the node_dependencies plugin.
+# Install eslint and dependencies for eslint plugin.
+WORKDIR /opt/eslint
+RUN --mount=type=cache,target=/root/.npm,sharing=locked \
+ npm install -g npm@10.9.2 && \
+ npm install \
+ eslint@8.57.1 \
+ eslint-plugin-security@3.0.1 \
+ typescript@5.7.2 \
+ @typescript-eslint/parser@8.18.0
+
+# Provide our own eslint wrapper to set the plugin search directory.
+# We assume that eslint will always be called with absolute paths.
+RUN printf "#!/bin/sh\ncd /opt/eslint\n"'npx eslint --resolve-plugins-relative-to=/opt/eslint "$@"' > /usr/local/bin/eslint && \
+ chmod 755 /usr/local/bin/eslint
+
+# Install nodejsscan for the nodejsscan plugin.
+# hadolint ignore=DL3013,DL3042
+RUN --mount=type=cache,target=/root/.cache/pip \
+ pip install --break-system-packages --upgrade pip setuptools && \
+ pip install --break-system-packages \
+ nodejsscan
diff --git a/backend/Dockerfiles/Dockerfile.node14 b/backend/Dockerfiles/Dockerfile.node14
deleted file mode 100644
index 6dfd0107..00000000
--- a/backend/Dockerfiles/Dockerfile.node14
+++ /dev/null
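Review bot: The last `RUN` in Dockerfile.node installs `nodejsscan` and upgrades `pip`/`setuptools` without version pins, with DL3013 suppressed, while the npm step in the same file pins every package it adds. This image is what the eslint, node_dependencies and nodejsscan plugin settings point at, so each rebuild can pick up a different, unreviewed scanner release, which affects both the reproducibility of findings and supply-chain exposure. I would pin it like the npm tools, e.g. `nodejsscan==<PINNED_VERSION>` (placeholder; use the release you have tested), and drop DL3013 from the ignore list. The `npm install` step pins only direct dependencies; a committed lockfile with `npm ci` would also fix the transitive ones, if that level of control is wanted.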
@@ -1,26 +0,0 @@ -FROM node:14-bullseye-slim - -ARG MAINTAINER -LABEL maintainer=$MAINTAINER - -# Run all additional config in a single RUN to reduce the layers: -# - Apply security updates -# - Base requirements to execute script -# - Install eslint and security plugin. -# - Upgrade pip -# - Install nodejsscan -# hadolint ignore=DL3008,DL3013,DL3016,DL3042 -RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ - --mount=type=cache,target=/root/.cache/pip \ - apt-get update && \ - grep security /etc/apt/sources.list > /etc/apt/security.sources.list && \ - apt-get upgrade -y && \ - apt-get upgrade -y -o Dir::Etc::Sourcelist=/etc/apt/security.sources.list && \ - apt-get install python3 python3-pip git -y --no-install-recommends && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists/* && \ - npm install eslint-plugin-security && \ - npm install typescript@5.1.6 @typescript-eslint/parser@5.50.0 && \ - npm install -g eslint@8.57.0 npm@7.8.0 && \ - pip3 install --upgrade pip setuptools && \ - pip3 install nodejsscan diff --git a/backend/Makefile b/backend/Makefile index 3372d89c..67a3fc17 100644 --- a/backend/Makefile +++ b/backend/Makefile @@ -111,7 +111,7 @@ PYTHON_PKG := ${PREFIX}/python PYTHON_TAG := ${PYTHON_PKG}:3-latest NODE_PKG := ${PREFIX}/node -NODE_TAG := ${NODE_PKG}:14-latest +NODE_TAG := ${NODE_PKG}:latest PHP_PKG := ${PREFIX}/php PHP_TAG := ${PHP_PKG}:latest @@ -449,9 +449,9 @@ dist/docker/python3: Dockerfiles/Dockerfile.python3 touch $@ @echo "${OK}" -dist/docker/node14: Dockerfiles/Dockerfile.node14 +dist/docker/node: Dockerfiles/Dockerfile.node @echo "${INFO}Building $@" - $(DOCKER) build . --pull -t ${NODE_TAG} -f Dockerfiles/Dockerfile.node14 \ + $(DOCKER) build . --pull -t ${NODE_TAG} -f Dockerfiles/Dockerfile.node \ ${DOCKER_BUILD_EXTRA_ARGS} \ --build-arg MAINTAINER=${MAINTAINER} mkdir -p ${DIST_DIR}/docker 
@@ -597,7 +597,7 @@ docker-java: docker-bake.hcl Dockerfiles/Dockerfile.java docker: ## Build all docker images docker: dist/docker/engine \ dist/docker/python3 \ - dist/docker/node14 \ + dist/docker/node \ dist/docker/php \ dist/docker/dind \ dist/docker/golang \ @@ -638,7 +638,7 @@ stage/docker/python3: dist/docker/python3 touch $@ @echo "${OK}" -stage/docker/node14: dist/docker/node14 +stage/docker/node: dist/docker/node @echo "${INFO}Staging $@ in ECR" mkdir -p ${STAGE_DIR}/docker aws ecr get-login-password --region=${REGION} | docker login --username AWS --password-stdin ${ECR_URL} @@ -739,7 +739,7 @@ stage/docker/swift: dist/docker/swift docker_push: ## Stage all docker images in ECR docker_push: stage/docker/engine \ stage/docker/python3 \ - stage/docker/node14 \ + stage/docker/node \ stage/docker/php \ stage/docker/dind \ stage/docker/golang \ @@ -1484,7 +1484,7 @@ deploy_python_image: @echo "${OK}" .PHONY: deploy_python_image -deploy_node14_image: +deploy_node_image: @echo "${INFO}Moving staged node image into place" aws ecr get-login-password --region=${REGION} | docker login --username AWS --password-stdin ${ECR_URL} docker pull ${ECR_URL}${NODE_TAG}-stage-${LATEST_COMMIT} @@ -1596,7 +1596,7 @@ deploy_swift_image: deploy_images: deploy_engine_image \ deploy_python_image \ - deploy_node14_image \ + deploy_node_image \ deploy_php_image \ deploy_dind_image \ deploy_golang_image \ diff --git a/backend/engine/plugins/eslint/settings.json b/backend/engine/plugins/eslint/settings.json index cc16d2f2..c24ded95 100644 --- a/backend/engine/plugins/eslint/settings.json +++ b/backend/engine/plugins/eslint/settings.json @@ -1,6 +1,6 @@ { "name": "ESLint Static Scanner", "type": "static_analysis", - "image": "$ECR/artemis/node:14-latest", + "image": "$ECR/artemis/node:latest", "runner": "boxed" } diff --git a/backend/engine/plugins/node_dependencies/settings.json b/backend/engine/plugins/node_dependencies/settings.json index b337f04e..f019a276 100644 
--- a/backend/engine/plugins/node_dependencies/settings.json
+++ b/backend/engine/plugins/node_dependencies/settings.json
@@ -1,7 +1,7 @@
 {
 "name": "NPM Audit Scanner",
 "type": "vulnerability",
- "image": "$ECR/artemis/node:14-latest",
+ "image": "$ECR/artemis/node:latest",
 "runner": "boxed",
 "writable": true
 }
diff --git a/backend/engine/plugins/nodejsscan/settings.json b/backend/engine/plugins/nodejsscan/settings.json
index ed16a03e..8f5aa2c9 100644
--- a/backend/engine/plugins/nodejsscan/settings.json
+++ b/backend/engine/plugins/nodejsscan/settings.json
@@ -1,6 +1,6 @@
 {
 "name": "Nodejsscan",
 "type": "static_analysis",
- "image": "$ECR/artemis/node:14-latest",
+ "image": "$ECR/artemis/node:latest",
 "runner": "boxed"
 }