Protei/PromucFlow_constructor
2
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
release
PromucFlow_constructor/Dockerfile
subratadeypappu 20da6c6aef
fix: CVE-2024-38821 (#41221) 
## Description
**Before:**
The appsmith-ce release image contains CVE-2024-38821 critical
vulnerability.
<img width="1258" height="876" alt="Screenshot 2025-09-12 at 1 41 00 PM"
src="https://github.com/user-attachments/assets/6e5292c7-d073-4241-970d-511ab0533547"
/>


[cves_report_ce.json](https://github.com/user-attachments/files/22292789/cves_report_ce.json)



**After:**
The current DP image doesn't contain CVE-2024-38821 after removing pg
build from server.

<img width="1248" height="906" alt="Screenshot 2025-09-12 at 1 40 36 PM"
src="https://github.com/user-attachments/assets/d7d2c812-d6e5-4994-9c08-923e0302b415"
/>


[cves_41221.txt](https://github.com/user-attachments/files/22292798/cves_41221.txt)


Fixes CVE-2024-38821

## Automation

/ok-to-test tags="@tag.Sanity"

### 🔍 Cypress test results
<!-- This is an auto-generated comment: Cypress test results  -->
> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run:
<https://github.com/appsmithorg/appsmith/actions/runs/17725447283>
> Commit: 959d97e926357bfcd1e0aec32a9127be5b8df403
> <a
href="https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=17725447283&attempt=2"
target="_blank">Cypress dashboard</a>.
> Tags: `@tag.Sanity`
> Spec:
> <hr>Mon, 15 Sep 2025 08:39:53 UTC
<!-- end of auto-generated comment: Cypress test results  -->


## Communication
Should the DevRel and Marketing teams inform users about this change?
- [ ] Yes
- [x] No


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Removed PostgreSQL support from build artifacts; only the MongoDB
edition is produced going forward.
* Updated Docker validation to require only the MongoDB server jar;
error message reflects this change.
* Simplified artifact preparation by removing PostgreSQL image
extraction and related steps.
* Maintains existing exit-on-failure behavior; successful MongoDB paths
are unchanged.
  * No changes to runtime behavior for MongoDB users.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-15 17:14:16 +06:00

70 lines
2.0 KiB
Docker
Raw Permalink Blame History

ARG BASE
FROM ${BASE}
ENV IN_DOCKER=1
ARG APPSMITH_CLOUD_SERVICES_BASE_URL
ENV APPSMITH_CLOUD_SERVICES_BASE_URL=${APPSMITH_CLOUD_SERVICES_BASE_URL}
ARG APPSMITH_SEGMENT_CE_KEY
ENV APPSMITH_SEGMENT_CE_KEY=${APPSMITH_SEGMENT_CE_KEY}
COPY deploy/docker/fs /
RUN apt-get update && \
apt-get install -y software-properties-common && \
add-apt-repository -y ppa:git-core/ppa && \
apt-get update && \
apt-get install -y git tar zstd openssh-client && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
RUN <<END
if ! [ -f info.json ]; then
echo "Missing info.json" >&2
exit 1
fi
if ! [ -f server/mongo/server.jar ]; then
echo "Missing MongoDB server.jar file. Are you using the build script?" >&2
exit 1
fi
END
# Add client UI - Application Layer
COPY ./app/client/build editor/
# Add RTS - Application Layer
COPY ./app/client/packages/rts/dist rts/
# Create the git-storage directory with group writeable permissions so non-root users can write to it.
RUN mkdir --mode 775 "/dev/shm/git-storage"
ENV PATH /opt/bin:/opt/java/bin:/opt/node/bin:$PATH
RUN <<END
set -o errexit
# Make all `*.sh` files executable, excluding `node_modules`.
find . \( -name node_modules -prune \) -o \( -type f -name '*.sh' \) -exec chmod +x '{}' +
# Ensure all custom command-scripts have executable permission
chmod +x /opt/bin/* /watchtower-hooks/*.sh
# Disable setuid/setgid bits for the files inside container.
find / \( -path /proc -prune \) -o \( \( -perm -2000 -o -perm -4000 \) -exec chmod -s '{}' + \) || true
mkdir -p /.mongodb/mongosh /appsmith-stacks
chmod ugo+w /etc /appsmith-stacks
chmod -R ugo+w /var/run /.mongodb /etc/ssl /usr/local/share
END
LABEL com.centurylinklabs.watchtower.lifecycle.pre-check=/watchtower-hooks/pre-check.sh
LABEL com.centurylinklabs.watchtower.lifecycle.pre-update=/watchtower-hooks/pre-update.sh
EXPOSE 80
EXPOSE 443
ENTRYPOINT [ "/opt/appsmith/entrypoint.sh" ]
HEALTHCHECK --interval=15s --timeout=15s --start-period=45s CMD "/opt/appsmith/healthcheck.sh"
CMD ["/usr/bin/supervisord", "-n"]
Reference in New Issue View Git Blame Copy Permalink