From 8c26ae962b0b79f51f376a40f5838ffb85be3620 Mon Sep 17 00:00:00 2001
From: Casey Marshall
Date: Fri, 23 Feb 2024 15:29:17 -0600
Subject: [PATCH] chore: update pom dependency, base image to jenkins 2.442

Mitigate critical severity vuln https://app.snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIMAIN-6190606 by updating the pom dependency and base image to Jenkins 2.442. In this new base image, system-wide pip installs aren't allowed so the Debian packages are updated to satisfy the virtualenv requirement. Installing Debian packages with --no-install-recommends because the default was pulling in x11 and a bunch of extra junk a Jenkins server shouldn't need. Drive-by: fix docker command-line flag in run script, noticed this when testing the image locally.

---
 .github/Dockerfile | 6 +++---
 .github/run.sh | 2 +-
 pom.xml | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/Dockerfile b/.github/Dockerfile
index 6dbc743..7472d94 100644
--- a/.github/Dockerfile
+++ b/.github/Dockerfile
@@ -12,11 +12,11 @@ RUN ./mvnw verify -q -s .mvn/settings.xml --fail-never
 COPY . .
 RUN ./mvnw clean verify -s .mvn/settings.xml
-FROM jenkins/jenkins:2.401.1-jdk11
+FROM jenkins/jenkins:2.442-jdk11
 USER root
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -qq git python3 python3-pip sudo
-RUN pip3 install virtualenv
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive \
+ apt-get install -qq --no-install-recommends git python3 python3-pip python3-virtualenv sudo
 USER jenkins
diff --git a/.github/run.sh b/.github/run.sh
index abee97d..1dfe240 100755
--- a/.github/run.sh
+++ b/.github/run.sh
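Review bot: The rewritten RUN line on the new side still leaves the apt package index in the layer: `apt-get update` runs but nothing removes `/var/lib/apt/lists/*` in the same instruction, so the lists ship in the final image, and the package names are unpinned (hadolint DL3008), so a rebuild of the same Dockerfile can pull different versions than the ones that were scanned. I would end the chain with `apt-get install -qq --no-install-recommends git python3 python3-pip python3-virtualenv sudo \` followed by `&& rm -rf /var/lib/apt/lists/*`, and pin versions (`git=<version placeholder>`) where the image has to match what was audited. The bump to `jenkins/jenkins:2.442-jdk11` addresses the Snyk finding named in the message, but a tag is mutable; pinning the digest as well (`jenkins/jenkins:2.442-jdk11@sha256:<digest placeholder>`) makes it checkable that the image that was scanned is the one that runs. `sudo` survives in the package list while the stage switches to `USER jenkins`; unless a sudoers rule outside this hunk grants the jenkins user something, it is dead weight, and if one does, it is a root escalation path from the CI user that deserves a comment next to the package list explaining why it is needed.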
@@ -8,5 +8,5 @@ echo "Please connect to IP address $HOST"
 # to persist data:
 # create a volume using docker `volume create `
 # mount the volume via docker run command using `-v :/var/jenkins_home`
-docker run -rm --platform linux/amd64 -p 8080:8080 -p 50000:50000 --name=jenkins-snyk jenkins-snyk
+docker run --rm --platform linux/amd64 -p 8080:8080 -p 50000:50000 --name=jenkins-snyk jenkins-snyk
 popd || exit
diff --git a/pom.xml b/pom.xml
index d070725..27d6c1c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -9,7 +9,7 @@
- 2.401.1
+ 2.442
 11