# SPDX-FileCopyrightText: Copyright (c) 2024-2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Base image and interpreter versions; every value can be overridden with --build-arg.
ARG BASE_IMAGE_URL=nvcr.io/nvidia/base/ubuntu
ARG BASE_IMAGE_TAG=22.04_20240212
ARG PYTHON_VERSION=3.12
# Specified on the command line with --build-arg VULN_ANALYSIS_VERSION=$(python -m setuptools_scm)
ARG VULN_ANALYSIS_VERSION=2.0.0

FROM ${BASE_IMAGE_URL}:${BASE_IMAGE_TAG} AS base

# uv and uvx come from the upstream release image (pinned by tag; pin by digest for a
# fully reproducible build).
COPY --from=ghcr.io/astral-sh/uv:0.7.15 /uv /uvx /bin/

# ARGs declared before FROM are only visible in FROM lines, so the ones this stage
# uses are re-declared here; AGENT_GIT_COMMIT/AGENT_GIT_TAG have no default.
ARG VULN_ANALYSIS_VERSION
ARG PYTHON_VERSION
ARG AGENT_GIT_COMMIT
ARG AGENT_GIT_TAG

# Runtime environment: no .pyc files, and the build's git provenance exposed to the
# running container.
ENV PYTHONDONTWRITEBYTECODE=1 \
    AGENT_GIT_COMMIT=${AGENT_GIT_COMMIT} \
    AGENT_GIT_TAG=${AGENT_GIT_TAG}
# OS packages (unpinned: versions follow the base image's apt sources at build time).
# update + install run in one layer so the package index is never stale, and the
# index is deleted in the same layer so it does not persist in the image.
RUN apt-get update \
    && apt-get install -y \
        ca-certificates \
        curl \
        git \
        git-lfs \
        libarchive-tools \
        libatomic1 \
        skopeo \
        wget \
        xz-utils \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* \
    && update-ca-certificates
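# --- Go toolchain (linux/amd64 only) ---
# The version is a build arg instead of being repeated in three places, curl fails on
# HTTP errors (-f) instead of saving an error page, and the tarball is checked against
# the .sha256 file go.dev publishes next to it. That check catches truncated or
# tampered-in-transit downloads; it is the same origin, so it is not an independent
# trust root.
ARG GO_VERSION=1.24.1
RUN curl -fsSL -o /tmp/go.tar.gz "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" \
    && curl -fsSL -o /tmp/go.tar.gz.sha256 "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz.sha256" \
    && echo "$(cut -d' ' -f1 /tmp/go.tar.gz.sha256)  /tmp/go.tar.gz" | sha256sum -c - \
    && tar -C /usr/local -xzf /tmp/go.tar.gz \
    && rm -f /tmp/go.tar.gz /tmp/go.tar.gz.sha256
# GOTOOLCHAIN=auto lets `go` download a newer toolchain at build or run time when a
# module asks for one; use GOTOOLCHAIN=local to pin builds to the version installed above.
ENV GOTOOLCHAIN=auto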
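# --- Node.js 25.2.0 and npm 11.6.2 (linux/x64 only) ---
# The tarball is verified against the SHASUMS256.txt that nodejs.org publishes for the
# release. It is the same origin as the download, so this catches corruption and
# truncated transfers, not a compromised origin. The tarball keeps its upstream name
# because sha256sum -c matches on the filename listed in SHASUMS256.txt.
ARG NODE_VERSION=25.2.0
RUN curl -fsSL -o "/tmp/node-v${NODE_VERSION}-linux-x64.tar.xz" \
        "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz" \
    && curl -fsSL -o /tmp/SHASUMS256.txt "https://nodejs.org/dist/v${NODE_VERSION}/SHASUMS256.txt" \
    && (cd /tmp && grep " node-v${NODE_VERSION}-linux-x64.tar.xz$" SHASUMS256.txt | sha256sum -c -) \
    && mkdir -p /opt/nodejs \
    && tar -C /opt/nodejs -xJf "/tmp/node-v${NODE_VERSION}-linux-x64.tar.xz" --strip-components=1 \
    && rm -f "/tmp/node-v${NODE_VERSION}-linux-x64.tar.xz" /tmp/SHASUMS256.txt
ENV PATH="/opt/nodejs/bin:${PATH}"
# Fail the build early if the binaries do not run on this base image.
RUN node --version && npm --version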
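# --- Temurin JDK 22 (amd64/x86_64) ---
# NOTE(review): the archive is fetched from github.com rather than github.com;
# confirm that host is an intended mirror. Pass --build-arg JDK_SHA256=<sha256 of the
# archive> to have the download verified; with the default (empty) value it is not.
ARG JDK_URL="https://github.com/adoptium/temurin22-binaries/releases/download/jdk-22.0.2%2B9/OpenJDK22U-jdk_x64_linux_hotspot_22.0.2_9.tar.gz"
ARG JDK_DIR="jdk-22.0.2+9"
ARG JDK_SHA256=""
RUN mkdir -p /opt/jdk \
    && curl -fsSL -o /tmp/jdk.tgz "${JDK_URL}" \
    && if [ -n "${JDK_SHA256}" ]; then echo "${JDK_SHA256}  /tmp/jdk.tgz" | sha256sum -c -; fi \
    && tar -C /opt/jdk -xzf /tmp/jdk.tgz \
    && rm -f /tmp/jdk.tgz
# JDK_DIR must match the top-level directory inside the archive (two ENV lines because
# PATH refers to JAVA_HOME).
ENV JAVA_HOME=/opt/jdk/${JDK_DIR}
ENV PATH="${JAVA_HOME}/bin:${PATH}"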
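# --- Maven 3.9.11 (optional) ---
# Verified against the .sha512 file Apache publishes alongside each binary archive
# (same origin, so it guards against corruption in transit rather than a compromised
# origin). `cut` takes the first field so both "hash" and "hash  filename" formats work.
ARG MVN_VER=3.9.11
RUN curl -fsSL -o /tmp/maven.tgz \
        "https://archive.apache.org/dist/maven/maven-3/${MVN_VER}/binaries/apache-maven-${MVN_VER}-bin.tar.gz" \
    && curl -fsSL -o /tmp/maven.tgz.sha512 \
        "https://archive.apache.org/dist/maven/maven-3/${MVN_VER}/binaries/apache-maven-${MVN_VER}-bin.tar.gz.sha512" \
    && echo "$(cut -d' ' -f1 /tmp/maven.tgz.sha512)  /tmp/maven.tgz" | sha512sum -c - \
    && tar -C /opt -xzf /tmp/maven.tgz \
    && rm -f /tmp/maven.tgz /tmp/maven.tgz.sha512
ENV PATH="/opt/apache-maven-${MVN_VER}/bin:${PATH}"
# Fail the build early if the JDK or Maven cannot run on this base image.
RUN java -version && mvn -v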
# TLS trust: point Python `requests` (REQUESTS_CA_BUNDLE) and OpenSSL-based clients
# (SSL_CERT_FILE) at the system CA bundle maintained by ca-certificates above.
ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt \
    SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
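# Add Tini (a minimal init that reaps zombies and forwards signals).
# Nothing in this file uses it yet: there is no ENTRYPOINT and the CMD runs jupyter-lab
# directly. Wire it in with `ENTRYPOINT ["/tini", "--"]` if that is the intent.
# NOTE(review): the binary is fetched from github.com without any checksum;
# prefer `ADD --checksum=sha256:<expected digest> ...` once the digest is known.
# --chmod sets the execute bit at ADD time, replacing the separate chmod layer.
ENV TINI_VERSION=v0.19.0
ADD --chmod=755 https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
# bash for the remaining RUN steps; pipefail so a failing producer in a pipeline fails
# the build instead of being masked by the last command's exit status.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]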
# Project root inside the image. The whole build context is copied, so keep a
# .dockerignore that excludes .git, local virtualenvs and any secret-bearing files.
WORKDIR /workspace
COPY ./ /workspace

# Unprivileged user (uid 1001) plus a shared group; the home directory is made
# group-readable/writable so group members can use it.
RUN groupadd workspace-group \
    && useradd --uid 1001 --create-home --gid workspace-group user1001 \
    && chgrp -R workspace-group /home/user1001 \
    && chmod -R g+rwx /home/user1001
# Install the NeMo Agent toolkit package and vuln analysis package
# `uv venv` creates the project venv and `uv sync` installs the project into it.
# setuptools_scm is given the version explicitly via SETUPTOOLS_SCM_PRETEND_VERSION
# (presumably because the build context need not carry git metadata — confirm).
# The uv cache is a build-time mount only and is not persisted in the image.
# Afterwards /workspace and /root are opened to workspace-group so user1001 (switched
# to below) can use them. Exposing root's home to the group is broad; presumably it is
# needed because uv keeps its managed Python under /root — confirm, and consider
# UV_PYTHON_INSTALL_DIR to keep that install outside /root instead.
RUN --mount=type=cache,id=uv_cache,target=/home/user1001/.cache/uv,mode=0775,sharing=locked \
export SETUPTOOLS_SCM_PRETEND_VERSION=${VULN_ANALYSIS_VERSION} && \
uv venv --python ${PYTHON_VERSION} /workspace/.venv && \
uv sync && \
chown -R :workspace-group /workspace && \
chmod -R g+wrx /workspace && \
chown -R :workspace-group /root && \
chmod -R g+rx /root
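# Everything from here on (remaining build steps and the container process) runs as
# the unprivileged user created above.
USER 1001
# Make the project venv and the Go toolchain the defaults on PATH.
ENV PATH="/workspace/.venv/bin:/usr/local/go/bin:$PATH"
# Mark all git repos as safe to avoid git errors when a checkout is owned by another
# uid. `safe.directory = *` disables git's dubious-ownership check for every path;
# list the specific repository roots instead if that protection matters here.
# Written with `git config` rather than a hand-built ~/.gitconfig so the file format
# is always valid.
RUN git config --global --add safe.directory '*'
# Activate the environment in interactive shells (PATH above already covers
# non-interactive use).
RUN echo "source /workspace/.venv/bin/activate" >> ~/.bashrc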
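# ===== Setup for development =====
FROM base AS runtime
# The venv is already first on PATH (set in the base stage), so no activation step is
# needed here: a RUN that only `source`s the activate script leaves nothing in the
# image and was dropped.
# Documentation only — EXPOSE does not publish the port.
EXPOSE 8000
# NOTE(review): this starts JupyterLab bound to all interfaces with both the token and
# the password disabled, i.e. unauthenticated code execution for anyone who can reach
# port 8000. Run it only on a private network or behind an authenticating proxy, or
# drop the two NotebookApp.* arguments to keep the default token. --allow-root is inert
# under USER 1001 unless the container is started as root. The NotebookApp.* prefix is
# likely the legacy spelling of ServerApp.* for current jupyter-lab — confirm.
CMD ["jupyter-lab", "--no-browser", "--allow-root", "--ip='*'", "--port=8000", "--NotebookApp.token=''", "--NotebookApp.password=''"]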