Merge branch 'release/v3.9.3-1'

Author: dnschwarzer

CHANGELOG.md

@@ -6,6 +6,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v3.9.3-1] - 2025-03-13
+### Changed
+- Update Postfix to v3.9.3
+- Updated Base Image to v3.21.0-1
+- Upgrade dogu-build-lib to v3.1.0 
+- Upgrade ces-build-lib to v4.1.0
+- added pre-release steps in pipeline
+### Security
+- Fixed [CVE-2024-45337](https://avd.aquasec.com/nvd/2024/cve-2024-45337/)
+
 ## [v3.9.0-4] - 2025-02-12
 ### Changed
 - [#32] Update Makefiles to 9.5.0

Dockerfile

@@ -1,15 +1,17 @@
-FROM registry.cloudogu.com/official/base:3.20.2-1
+FROM registry.cloudogu.com/official/base:3.21.0-1
 LABEL NAME="official/postfix" \
-      VERSION="3.9.0-4" \
+      VERSION="3.9.3-1" \
       [email protected]
 
+ENV POSTFIX_ALPINE_VERSION=3.9.3-r0
+
 # INSTALL POSTFIX
 RUN set -o errexit \
   && set -o nounset \
   && set -o pipefail \
   && apk update \
   && apk upgrade \
-  && apk add --update postfix openrc supervisor rsyslog \
+  && apk add --update postfix=${POSTFIX_ALPINE_VERSION} openrc supervisor rsyslog \
   && rm -rf /var/cache/apk/*
 
 COPY resources /

Jenkinsfile

@@ -1,7 +1,7 @@
 #!groovy
-@Library(['github.com/cloudogu/[email protected]', 'github.com/cloudogu/[email protected]'])
-import com.cloudogu.ces.cesbuildlib.*
+@Library(['github.com/cloudogu/[email protected]', 'github.com/cloudogu/[email protected]']) _
 import com.cloudogu.ces.dogubuildlib.*
+import com.cloudogu.ces.cesbuildlib.*
 
 timestamps {
     properties([
@@ -11,10 +11,10 @@ timestamps {
             disableConcurrentBuilds(),
             // Parameter to activate dogu upgrade test on demand
             parameters([
-                    booleanParam(defaultValue: false, description: 'Test dogu upgrade from latest release or optionally from defined version below', name: 'TestDoguUpgrade'),
-                    string(defaultValue: '', description: 'Old Dogu version for the upgrade test (optional; e.g. 2.222.1-1)', name: 'OldDoguVersionForUpgradeTest'),
-                    choice(name: 'TrivyScanLevels', choices: [TrivyScanLevel.CRITICAL, TrivyScanLevel.HIGH, TrivyScanLevel.MEDIUM, TrivyScanLevel.ALL], description: 'The levels to scan with trivy'),
-                    choice(name: 'TrivyStrategy', choices: [TrivyScanStrategy.UNSTABLE, TrivyScanStrategy.FAIL, TrivyScanStrategy.IGNORE], description: 'Define whether the build should be unstable, fail or whether the error should be ignored if any vulnerability was found.')
+                       booleanParam(defaultValue: false, description: 'Test dogu upgrade from latest release or optionally from defined version below', name: 'TestDoguUpgrade'),
+                        string(defaultValue: '', description: 'Old Dogu version for the upgrade test (optional; e.g. 3.23.0-1)', name: 'OldDoguVersionForUpgradeTest'),
+                        choice(name: 'TrivySeverityLevels', choices: [TrivySeverityLevel.CRITICAL, TrivySeverityLevel.HIGH_AND_ABOVE, TrivySeverityLevel.MEDIUM_AND_ABOVE, TrivySeverityLevel.ALL], description: 'The levels to scan with trivy', defaultValue: TrivySeverityLevel.CRITICAL),
+                        choice(name: 'TrivyStrategy', choices: [TrivyScanStrategy.UNSTABLE, TrivyScanStrategy.FAIL, TrivyScanStrategy.IGNORE], description: 'Define whether the build should be unstable, fail or whether the error should be ignored if any vulnerability was found.', defaultValue: TrivyScanStrategy.UNSTABLE),
             ])
     ])
 
@@ -36,6 +36,7 @@ timestamps {
             shellCheck("./resources/logging.sh ./resources/startup.sh ./resources/mask2cidr.sh")
         }
     }
+
     node('vagrant') {
         Git git = new Git(this, "cesmarvin")
         git.committerName = 'cesmarvin'
@@ -52,6 +53,10 @@ timestamps {
         try {
 
             stage('Provision') {
+                // change namespace to prerelease_namespace if in develop-branch
+                if (gitflow.isPreReleaseBranch()) {
+                    sh "make prerelease_namespace"
+                }
                 ecoSystem.provision("/dogu")
             }
 
@@ -61,19 +66,27 @@ timestamps {
             }
 
             stage('Build') {
+                // purge postfix from official namespace to prevent conflicts while building prerelease_official/postfix, keep config to avoid no etcd endpoints error
+                if (gitflow.isPreReleaseBranch()) {
+                    ecoSystem.purgeDogu("postfix", "--keep-config")
+                }
                 ecoSystem.build("/dogu")
             }
 
+
+            stage('Trivy scan') {
+                ecoSystem.copyDoguImageToJenkinsWorker("/dogu")
+                Trivy trivy = new Trivy(this)
+                trivy.scanDogu(".", params.TrivySeverityLevels, params.TrivyStrategy)
+                trivy.saveFormattedTrivyReport(TrivyScanFormat.TABLE)
+                trivy.saveFormattedTrivyReport(TrivyScanFormat.JSON)
+                trivy.saveFormattedTrivyReport(TrivyScanFormat.HTML)
+            }
+
             stage('Verify') {
                 ecoSystem.verify("/dogu")
             }
 
-            stage('Trivy scan') {
-                Trivy trivy = new Trivy(this, ecoSystem)
-                trivy.scanDogu("/dogu", TrivyScanFormat.HTML, params.TrivyScanLevels, params.TrivyStrategy)
-                trivy.scanDogu("/dogu", TrivyScanFormat.JSON,  params.TrivyScanLevels, params.TrivyStrategy)
-                trivy.scanDogu("/dogu", TrivyScanFormat.PLAIN, params.TrivyScanLevels, params.TrivyStrategy)
-            }
 
             if (params.TestDoguUpgrade != null && params.TestDoguUpgrade){
                 stage('Upgrade dogu') {
@@ -98,8 +111,13 @@ timestamps {
                     ecoSystem.push("/dogu")
                 }
 
-                stage('Add Github-Release') {
-                    github.createReleaseWithChangelog(releaseVersion, changelog)
+                stage('Add Github-Release'){
+                    github.createReleaseWithChangelog(releaseVersion, changelog, productionReleaseBranch)
+                }
+            } else if (gitflow.isPreReleaseBranch()) {
+                // push to registry in prerelease_namespace
+                stage('Push Prerelease Dogu to registry') {
+                    ecoSystem.pushPreRelease("/dogu")
                 }
             }
 

Makefile

@@ -1,8 +1,9 @@
-MAKEFILES_VERSION=9.5.0
+MAKEFILES_VERSION=9.7.0
 
 .DEFAULT_GOAL:=dogu-release
 
 include build/make/variables.mk
 include build/make/self-update.mk
 include build/make/release.mk
-include build/make/k8s-dogu.mk
+include build/make/k8s-dogu.mk
+include build/make/prerelease.mk

build/make/k8s.mk

@@ -36,11 +36,11 @@ K3S_LOCAL_REGISTRY_PORT?=30099
 
 # The URL of the container-registry to use. Defaults to the registry of the local-cluster.
 # If RUNTIME_ENV is "remote" it is "registry.cloudogu.com/testing"
-CES_REGISTRY_HOST?="${K3S_CLUSTER_FQDN}:${K3S_LOCAL_REGISTRY_PORT}"
+CES_REGISTRY_HOST?=${K3S_CLUSTER_FQDN}:${K3S_LOCAL_REGISTRY_PORT}
 CES_REGISTRY_NAMESPACE ?=
 ifeq (${RUNTIME_ENV}, remote)
-	CES_REGISTRY_HOST="registry.cloudogu.com"
-	CES_REGISTRY_NAMESPACE="/testing"
+	CES_REGISTRY_HOST=registry.cloudogu.com
+	CES_REGISTRY_NAMESPACE=/testing
 endif
 $(info CES_REGISTRY_HOST=$(CES_REGISTRY_HOST))
 

build/make/prerelease.mk

@@ -3,4 +3,4 @@
 
 .PHONY: prerelease_namespace
 prerelease_namespace:
-	build/make/stagex.sh prerelease_namespace
+	build/make/prerelease.sh prerelease_namespace

build/make/prerelease.sh

@@ -5,21 +5,29 @@ set -o pipefail
 
 prerelease_namespace() {
 
+  TIMESTAMP=$(date +"%Y%m%d%H%M%S")
+
   # Update version in dogu.json
   if [ -f "dogu.json" ]; then
     echo "Updating name in dogu.json..."
     ORIG_NAME="$(jq -r ".Name" ./dogu.json)"
+    ORIG_VERSION="$(jq -r ".Version" ./dogu.json)"
     PRERELEASE_NAME="prerelease_${ORIG_NAME}"
+    PRERELEASE_VERSION="${ORIG_VERSION}${TIMESTAMP}"
     jq ".Name = \"${PRERELEASE_NAME}\"" dogu.json >dogu2.json && mv dogu2.json dogu.json
+    jq ".Version = \"${PRERELEASE_VERSION}\"" dogu.json >dogu2.json && mv dogu2.json dogu.json
     jq ".Image = \"registry.cloudogu.com/${PRERELEASE_NAME}\"" dogu.json >dogu2.json && mv dogu2.json dogu.json
   fi
 
   # Update version in Dockerfile
   if [ -f "Dockerfile" ]; then
     echo "Updating version in Dockerfile..."
-    ORIG_NAME="$(grep -oP "^[ ]*NAME=\"([^\"]*)" Dockerfile | awk -F "\"" '{print $2}')"
+    ORIG_NAME="$(grep -oP ".*[ ]*NAME=\"([^\"]*)" Dockerfile | awk -F "\"" '{print $2}')"
+    ORIG_VERSION="$(grep -oP ".*[ ]*VERSION=\"([^\"]*)" Dockerfile | awk -F "\"" '{print $2}')"
     PRERELEASE_NAME="prerelease_$( echo -e "$ORIG_NAME" | sed 's/\//\\\//g' )"
-    sed -i "s/\(^[ ]*NAME=\"\)\([^\"]*\)\(.*$\)/\1${PRERELEASE_NAME}\3/" Dockerfile
+    PRERELEASE_VERSION="${ORIG_VERSION}${TIMESTAMP}"
+    sed -i "s/\(.*[ ]*NAME=\"\)\([^\"]*\)\(.*$\)/\1${PRERELEASE_NAME}\3/" Dockerfile
+    sed -i "s/\(.*[ ]*VERSION=\"\)\([^\"]*\)\(.*$\)/\1${PRERELEASE_VERSION}\3/" Dockerfile
   fi
 
 }

build/make/release.mk

@@ -4,7 +4,7 @@
 
 .PHONY: dogu-release
 dogu-release: ## Start a dogu release
-	build/make/release.sh dogu
+	build/make/release.sh dogu "${FIXED_CVE_LIST}" $(DRY_RUN)
 
 .PHONY: node-release
 node-release: ## Start a node package release
@@ -14,6 +14,10 @@ node-release: ## Start a node package release
 go-release: ## Start a go tool release
 	build/make/release.sh go-tool
 
+.PHONY: image-release
+image-release: ## Start a go tool release
+	build/make/release.sh image
+
 .PHONY: dogu-cve-release
 dogu-cve-release: ## Start a dogu release of a new build if the local build fixes critical CVEs
 	@bash -c "build/make/release_cve.sh \"${REGISTRY_USERNAME}\" \"${REGISTRY_PASSWORD}\" \"${TRIVY_IMAGE_SCAN_FLAGS}\" \"${DRY_RUN}\" \"${CVE_SEVERITY}\""

build/make/self-update.mk

@@ -24,4 +24,9 @@ copy-new-files:
 .PHONY: update-build-libs
 update-build-libs:
 	@echo "Check for newer Build-Lib versions"
-	build/make/self-update.sh buildlibs
+	build/make/self-update.sh buildlibs
+
+.PHONY: set-dogu-version
+set-dogu-version:
+	@echo "Set Version of Dogu without Release"
+	build/make/self-update.sh versions

build/make/self-update.sh

@@ -3,6 +3,10 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
+
+# shellcheck disable=SC1090
+source "$(pwd)/build/make/release_functions.sh"
+
 TYPE="${1}"
 
 update_build_libs() {
@@ -34,12 +38,23 @@ get_highest_version() {
 # Patch Jenkinsfile
 update_jenkinsfile() {
   sed -i "s/ces-build-lib@[[:digit:]].[[:digit:]].[[:digit:]]/ces-build-lib@$(get_highest_version ces)/g" Jenkinsfile
-  sed -i "s/dogu-build-lib@[[:digit:]].[[:digit:]].[[:digit:]]/dogu-build-lib@$(get_highest_version dogu)/g" Jenkinsfile
+  sed -i "s/dogu-build-lib@v[[:digit:]].[[:digit:]].[[:digit:]]/dogu-build-lib@v$(get_highest_version dogu)/g" Jenkinsfile
+}
+
+# Patch Dogu Version without Release
+set_dogu_version() {
+  CURRENT_TOOL_VERSION=$(get_current_version_by_dogu_json)
+  echo "$(tput setaf 1)ATTENTION: Make sure that the new version corresponds to the current software version$(tput sgr0)"
+  NEW_RELEASE_VERSION="$(read_new_version)"
+  validate_new_version "${NEW_RELEASE_VERSION}"
+  update_versions "${NEW_RELEASE_VERSION}"
 }
 
 # switch for script entrypoint
 if [[ "${TYPE}" == "buildlibs" ]];then
   update_build_libs
+elif [[ "${TYPE}" == "versions" ]];then
+  set_dogu_version
 else
   echo "Unknown target ${TYPE}"
 fi

build/make/test-common.mk

@@ -1,6 +1,6 @@
 GO_JUNIT_REPORT=$(UTILITY_BIN_PATH)/go-junit-report
-GO_JUNIT_REPORT_VERSION=v1.0.0
+GO_JUNIT_REPORT_VERSION=v2.1.0
 
 $(GO_JUNIT_REPORT): $(UTILITY_BIN_PATH)
 	@echo "Download go-junit-report..."
-	@$(call go-get-tool,$@,github.com/jstemmer/go-junit-report@$(GO_JUNIT_REPORT_VERSION))
+	@$(call go-get-tool,$@,github.com/jstemmer/go-junit-report/v2@$(GO_JUNIT_REPORT_VERSION))

build/make/test-unit.mk

@@ -1,6 +1,7 @@
 ##@ Unit testing
 
 UNIT_TEST_DIR=$(TARGET_DIR)/unit-tests
+XUNIT_JSON=$(UNIT_TEST_DIR)/report.json
 XUNIT_XML=$(UNIT_TEST_DIR)/unit-tests.xml
 UNIT_TEST_LOG=$(UNIT_TEST_DIR)/unit-tests.log
 COVERAGE_REPORT=$(UNIT_TEST_DIR)/coverage.out
@@ -9,9 +10,9 @@ PRE_UNITTESTS?=
 POST_UNITTESTS?=
 
 .PHONY: unit-test
-unit-test: $(XUNIT_XML) ## Start unit tests
+unit-test: $(XUNIT_JSON) ## Start unit tests
 
-$(XUNIT_XML): $(SRC) $(GO_JUNIT_REPORT)
+$(XUNIT_JSON): $(SRC) $(GO_JUNIT_REPORT)
 ifneq ($(strip $(PRE_UNITTESTS)),)
 	@make $(PRE_UNITTESTS)
 endif
@@ -20,13 +21,15 @@ endif
 	@echo 'mode: set' > ${COVERAGE_REPORT}
 	@rm -f $(UNIT_TEST_LOG) || true
 	@for PKG in $(PACKAGES) ; do \
-    ${GO_CALL} test -v $$PKG -coverprofile=${COVERAGE_REPORT}.tmp 2>&1 | tee $(UNIT_TEST_LOG).tmp ; \
+    ${GO_CALL} test -v $$PKG -coverprofile=${COVERAGE_REPORT}.tmp -json 2>&1 | tee $(UNIT_TEST_LOG).tmp ; \
 		cat ${COVERAGE_REPORT}.tmp | tail +2 >> ${COVERAGE_REPORT} ; \
 		rm -f ${COVERAGE_REPORT}.tmp ; \
 		cat $(UNIT_TEST_LOG).tmp >> $(UNIT_TEST_LOG) ; \
 		rm -f $(UNIT_TEST_LOG).tmp ; \
 	done
-	@cat $(UNIT_TEST_LOG) | $(GO_JUNIT_REPORT) > $@
+	@cat $(UNIT_TEST_LOG) >> $@
+	@cat $(UNIT_TEST_LOG) | $(GO_JUNIT_REPORT) -parser gojson > $(XUNIT_XML)
+
 	@if grep '^FAIL' $(UNIT_TEST_LOG); then \
 		exit 1; \
 	fi

docs/gui/releasenotes_de.md

@@ -4,5 +4,11 @@ Im Folgenden finden Sie die Release Notes für das Postfix-Dogu.
 
 Technische Details zu einem Release finden Sie im zugehörigen [Changelog](https://docs.cloudogu.com/de/docs/dogus/postfix/CHANGELOG/).
 
+## [Unreleased]
+### Security
+- [CVE-2024-45337](https://avd.aquasec.com/nvd/2024/cve-2024-45337/) behoben.
+### Changed
+- Update der Postfix Version auf 3.9.3
+
 ## [v3.9.0-3]
-- Die Cloudogu-eigenen Quellen werden von der MIT-Lizenz auf die AGPL-3.0-only relizensiert.
+- Die Cloudogu-eigenen Quellen werden von der MIT-Lizenz auf die AGPL-3.0-only relizensiert.

docs/gui/releasenotes_en.md

@@ -4,5 +4,11 @@ Below you will find the release notes for the Postfix-Dogu.
 
 Technical details on a release can be found in the corresponding [Changelog](https://docs.cloudogu.com/en/docs/dogus/postfix/CHANGELOG/).
 
+## [Unreleased]
+### Security
+- Resolved [CVE-2024-45337](https://avd.aquasec.com/nvd/2024/cve-2024-45337/).
+### Changed
+- Update Postfix to version 3.9.3
+
 ## [v3.9.0-3]
-- Relicense own code to AGPL-3.0-only
+- Relicense own code to AGPL-3.0-only

dogu.json

@@ -1,6 +1,6 @@
 {
   "Name": "official/postfix",
-  "Version": "3.9.0-4",
+  "Version": "3.9.3-1",
   "DisplayName": "Postfix",
   "Description": "Postfix - Mail Transfer Agent",
   "Logo": "https://cloudogu.com/images/dogus/postfix.png",