[ISSUE 394] Failing health check for next.js app (#395)

HHS · Aug 22, 2023 · 47d071e · 47d071e
1 parent 555076d
commit 47d071e
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 1 deletion.
diff --git a/.grype.yml b/.grype.yml
@@ -16,3 +16,30 @@ ignore:
   - fix-state: not-fixed
   - fix-state: wont-fix
   - fix-state: unknown
+
+  # glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex
+  # https://github.com/advisories/GHSA-ww39-953v-wcq6
+  # High severity
+  # Ignoring since this is only a dependency of dev tools: storybook (for storybook docs site),
+  # eslint (for Linting in CI), and sass (for compiling CSS during CI build phase)
+  - vulnerability: GHSA-ww39-953v-wcq6
+
+  # Regular Expression Denial of Service in trim
+  # https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
+  # High severity
+  # Ignoring since this is only used in storybook which is a dev tool
+  - vulnerability: GHSA-w5p7-h5w8-2hfq
+
+  # Uncontrolled Resource Consumption in trim-newlines
+  # https://github.com/advisories/GHSA-7p7h-4mm5-852v
+  # Ignoring since this is only used in storybook which is a dev tool
+  - vulnerability: GHSA-7p7h-4mm5-852v
+
+  #####################
+  ## False positives ##
+  #####################
+
+  # http-cache-semantics vulnerable to Regular Expression Denial of Service
+  # https://github.com/advisories/GHSA-rc47-6667-2j5j
+  # http-cache-semantics does not exist as a dependency in this app
+  - vulnerability: GHSA-rc47-6667-2j5j
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
@@ -62,6 +62,15 @@ WORKDIR /frontend
 RUN mkdir -p /frontend/.next/cache/images/
 VOLUME ["/frontend/.next/cache/images/"]
 
+RUN apt-get update \
+    # Install security updates
+    # https://pythonspeed.com/articles/security-updates-in-docker/
+    && apt-get upgrade --yes \
+    # Install wget, required for health checks
+    wget \
+    # Reduce the image size by clearing apt cached lists
+    && rm -fr /var/lib/apt/lists/*
+
 # Release stage doesn't have a need for `npm`, so remove it to avoid
 # any vulnerabilities specific to NPM
 RUN npm uninstall -g npm

diff --git a/frontend/Makefile b/frontend/Makefile
@@ -46,4 +46,4 @@ storybook: # Run the Storybook local dev server in Docker
 	docker compose logs --follow storybook
 
 stop:
-	docker-compose down
+	docker compose down
diff --git a/frontend/next-i18next.config.js b/frontend/next-i18next.config.js
@@ -1,6 +1,8 @@
+// @ts-check
 /**
  * Next.js i18n routing options
  * https://nextjs.org/docs/advanced-features/i18n-routing
+ * @type {import('next').NextConfig['i18n']}
  */
 const i18n = {
   defaultLocale: "en",
@@ -13,8 +15,14 @@ const i18n = {
  * i18next and react-i18next options
  * https://www.i18next.com/overview/configuration-options
  * https://react.i18next.com/latest/i18next-instance
+ * @type {import("i18next").InitOptions}
  */
 const i18next = {
+  // Default namespace to load, typically overridden within components,
+  // but set here to prevent the system from attempting to load
+  // translation.json, which is the default, and doesn't exist
+  // in this codebase
+  ns: "common",
   defaultNS: "common",
   fallbackLng: i18n.defaultLocale,
   interpolation: {
@@ -25,6 +33,7 @@ const i18next = {
 /**
  * next-i18next options
  * https://github.com/i18next/next-i18next#options
+ * @type {Partial<import("next-i18next").UserConfig>}
  */
 const nextI18next = {
   // Locale resources are loaded once when the server is started, which
@@ -33,6 +42,9 @@ const nextI18next = {
   reloadOnPrerender: process.env.NODE_ENV === "development",
 };
 
+/**
+ * @type {import("next-i18next").UserConfig}
+ */
 module.exports = {
   i18n,
   ...i18next,