Merge branch 'main' into universal-vulnerability-issues-fix

Author: Kaniska244

src/base-debian/.devcontainer/Dockerfile

@@ -1,5 +1,5 @@
-# [Choice] Debian version (use bullseye on local arm64/Apple Silicon): bookworm, bullseye, buster
-ARG VARIANT="bookworm"
+# [Choice] Debian version (use bullseye on local arm64/Apple Silicon): trixie, bookworm, bullseye, buster
+ARG VARIANT="trixie"
 FROM buildpack-deps:${VARIANT}-curl
 
 # [Optional] Uncomment this section to install additional OS packages.

src/base-debian/README.md

@@ -9,8 +9,8 @@
 | *Categories* | Core, Other |
 | *Image type* | Dockerfile |
 | *Published images* | mcr.microsoft.com/devcontainers/base:debian |
-| *Available image variants* | bookworm, bullseye ([full list](https://mcr.microsoft.com/v2/devcontainers/base/tags/list)) |
-| *Published image architecture(s)* | x86-64, aarch64/arm64 for `bookworm`, and `bullseye` variant |
+| *Available image variants* | trixie, bookworm, bullseye ([full list](https://mcr.microsoft.com/v2/devcontainers/base/tags/list)) |
+| *Published image architecture(s)* | x86-64, aarch64/arm64 for `trixie`, `bookworm`, and `bullseye` variant |
 | *Container host OS support* | Linux, macOS, Windows |
 | *Container OS* | Debian |
 | *Languages, platforms* | Any |
@@ -22,16 +22,17 @@ See **[history](history)** for information on the contents of published images.
 You can directly reference pre-built versions of `Dockerfile` by using the `image` property in `.devcontainer/devcontainer.json` or updating the `FROM` statement in your own `Dockerfile` to one of the following. An example `Dockerfile` is included in this repository.
 
 - `mcr.microsoft.com/devcontainers/base:debian` (latest)
+- `mcr.microsoft.com/devcontainers/base:trixie` (or `debian-13`)
 - `mcr.microsoft.com/devcontainers/base:bookworm` (or `debian-12`)
 - `mcr.microsoft.com/devcontainers/base:bullseye` (or `debian-11`)
 
 Refer to [this guide](https://containers.dev/guide/dockerfile) for more details.
 
 You can decide how often you want updates by referencing a [semantic version](https://semver.org/) of each image. For example:
 
-- `mcr.microsoft.com/devcontainers/base:1-bookworm`
-- `mcr.microsoft.com/devcontainers/base:1.0-bookworm`
-- `mcr.microsoft.com/devcontainers/base:1.0.0-bookworm`
+- `mcr.microsoft.com/devcontainers/base:1-trixie`
+- `mcr.microsoft.com/devcontainers/base:1.0-trixie`
+- `mcr.microsoft.com/devcontainers/base:1.0.0-trixie`
 
 See [history](history) for information on the contents of each version and [here for a complete list of available tags](https://mcr.microsoft.com/v2/devcontainers/base/tags/list).
 

src/base-debian/manifest.json

@@ -1,13 +1,18 @@
 {
-	"version": "1.0.25",
+	"version": "2.0.0",
 	"variants": [
+		"trixie",
 		"bookworm",
 		"bullseye"
 	],
 	"build": {
-		"latest": "bookworm",
+		"latest": "trixie",
 		"rootDistro": "debian",
 		"architectures": {
+			"trixie": [
+				"linux/amd64",
+				"linux/arm64"
+			],
 			"bookworm": [
 				"linux/amd64",
 				"linux/arm64"
@@ -21,12 +26,16 @@
 			"base:${VERSION}-${VARIANT}"
 		],
 		"variantTags": {
-			"bookworm": [
-				"base:${VERSION}-debian-12",
-				"base:${VERSION}-debian12",
+			"trixie": [
+				"base:${VERSION}-debian-13",
+				"base:${VERSION}-debian13",
 				"base:${VERSION}-debian",
 				"base:${VERSION}"
 			],
+			"bookworm": [
+				"base:${VERSION}-debian-12",
+				"base:${VERSION}-debian12"
+			],
 			"bullseye": [
 				"base:${VERSION}-debian-11",
 				"base:${VERSION}-debian11"

src/go/.devcontainer/Dockerfile

@@ -1,6 +1,12 @@
 ARG VARIANT=1.25-bookworm
 FROM golang:${VARIANT}
 
+# Fixing vulnerability issue by upgrading svn to 1.14.5. Ref https://subversion.apache.org/security/CVE-2024-46901-advisory.txt
+COPY ./scripts/install-subversion.sh /tmp/install-subversion.sh
+RUN chmod +x /tmp/install-subversion.sh
+RUN /tmp/install-subversion.sh \
+  && rm -f /tmp/install-subversion.sh
+
 # [Optional] Uncomment the next line to use go get to install anything else you need
 # RUN go get -x <your-dependency-or-tool>
 

src/go/.devcontainer/scripts/install-subversion.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+set -eux
+
+URL="https://archive.apache.org/dist/subversion/subversion-1.14.5.tar.gz"
+TMP="/tmp"
+TARBALL="subversion-1.14.5.tar.gz"
+SRCDIR="subversion-1.14.5"
+
+if wget -q -O "${TMP}/${TARBALL}" "${URL}"; then
+  echo "Downloaded ${TARBALL} — building..."
+  apt-get remove -y subversion libsvn1 || true
+  cd "${TMP}"
+  tar -xzf "${TARBALL}"
+  cd "${SRCDIR}"
+  apt-get update -y
+  apt-get install -y --no-install-recommends build-essential autoconf libtool libsqlite3-dev pkg-config libapr1-dev libaprutil1-dev liblz4-dev libutf8proc-dev zlib1g-dev
+  ./configure --with-lz4=internal --prefix=/usr
+  make -j"$(nproc 2>/dev/null || getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)"
+  make install
+  cd /
+  rm -rf "${TMP:?}/${SRCDIR}" "${TMP:?}/${TARBALL}"
+  apt-get purge -y --auto-remove build-essential autoconf libtool pkg-config
+  rm -rf /var/lib/apt/lists/*
+  echo "Subversion built and installed (build deps removed)"
+else
+  echo "Downloading svn source failed, skipping Subversion build"
+fi
+

src/go/manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.4.5",
+  "version": "1.4.6",
   "variants": [
     "1.25-bookworm",
     "1.24-bookworm",

src/go/test-project/test.sh

@@ -24,6 +24,10 @@ check "gitconfig-contains-name" sh -c "cat /etc/gitconfig | grep 'name = devcont
 
 check "usr-local-etc-config-does-not-exist" test ! -f "/usr/local/etc/gitconfig"
 
+# Testing vulnerability issue CVE-2024-46901 fix by upgrading svn to 1.14.5.
+svn_version=$(svn --version --quiet)
+check-version-ge "svn-requirement" "${svn_version}" "1.14.5"
+
 check "Oh My Zsh! theme" test -e $HOME/.oh-my-zsh/custom/themes/devcontainers.zsh-theme
 check "zsh theme symlink" test -e $HOME/.oh-my-zsh/custom/themes/codespaces.zsh-theme
 

src/javascript-node/.devcontainer/Dockerfile

@@ -22,6 +22,12 @@ RUN \
     && su ${USERNAME} -c "umask 0002 && npm install -g eslint" \
     && npm cache clean --force > /dev/null 2>&1
 
+# Fixing vulnerability issue by upgrading svn to 1.14.5. Ref https://subversion.apache.org/security/CVE-2024-46901-advisory.txt
+COPY ./scripts/install-subversion.sh /tmp/install-subversion.sh
+RUN chmod +x /tmp/install-subversion.sh
+RUN /tmp/install-subversion.sh \
+  && rm -f /tmp/install-subversion.sh
+
 # [Optional] Uncomment this section to install additional OS packages.
 # RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
 #     && apt-get -y install --no-install-recommends <your-package-list-here>

src/javascript-node/.devcontainer/scripts/install-subversion.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+set -eux
+
+URL="https://archive.apache.org/dist/subversion/subversion-1.14.5.tar.gz"
+TMP="/tmp"
+TARBALL="subversion-1.14.5.tar.gz"
+SRCDIR="subversion-1.14.5"
+
+if wget -q -O "${TMP}/${TARBALL}" "${URL}"; then
+  echo "Downloaded ${TARBALL} — building..."
+  apt-get remove -y subversion libsvn1 || true
+  cd "${TMP}"
+  tar -xzf "${TARBALL}"
+  cd "${SRCDIR}"
+  apt-get update -y
+  apt-get install -y --no-install-recommends build-essential autoconf libtool libsqlite3-dev pkg-config libapr1-dev libaprutil1-dev liblz4-dev libutf8proc-dev zlib1g-dev
+  ./configure --with-lz4=internal --prefix=/usr
+  make -j"$(nproc 2>/dev/null || getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)"
+  make install
+  cd /
+  rm -rf "${TMP:?}/${SRCDIR}" "${TMP:?}/${TARBALL}"
+  apt-get purge -y --auto-remove build-essential autoconf libtool pkg-config
+  rm -rf /var/lib/apt/lists/*
+  echo "Subversion built and installed (build deps removed)"
+else
+  echo "Downloading svn source failed, skipping Subversion build"
+fi
+

src/javascript-node/manifest.json

@@ -1,5 +1,5 @@
 {
-	"version": "3.0.2",
+	"version": "3.0.3",
 	"variants": [
 		"24-bookworm",
 		"22-bookworm",