Integration Tests: Check for exceptions at build time

[Maffooch]

In the event of an exception in the docker/install_chrome_dependencies.py file at build time, the exception should not be swallowed, and instead raised to prevent unit tests from churning needlessly

[sc-7194]

[dryrunsecurity]

DryRun Security Summary

The code change in this pull request is a script that identifies missing dependencies for the Chrome browser in a Docker environment, logs the missing packages, and helps prevent potential security vulnerabilities or stability problems.

Expand for full summary

Summary:

The code change in this pull request is part of a script that identifies missing dependencies for the Chrome browser when running in a Docker environment. The script uses the ldd command to find missing dependencies, and then searches for the corresponding packages using the apt-file command. The script logs the list of missing packages to assist in resolving the dependencies.

From an application security perspective, this change is focused on ensuring the correct dependencies are installed for the Chrome browser, which is a critical component for many web applications. By identifying and resolving missing dependencies, the script helps prevent potential issues related to missing libraries or outdated dependencies, which could lead to security vulnerabilities or stability problems. The code appears to be well-structured and handles errors appropriately, but there are a few areas for potential improvement, such as adding more robust error handling and extending the script to automatically install the missing packages.

Files Changed:

• docker/install_chrome_dependencies.py: This script is responsible for identifying missing dependencies for the Chrome browser when running in a Docker environment. The key changes include:
  1. Using the ldd command to identify the dependencies of the /opt/chrome/chrome binary and parsing the output to find any missing dependencies.
  2. Using the apt-file command to search for the corresponding package that provides the missing library, filtering out packages that are likely not the main library.
  3. Logging the list of missing packages to assist in resolving the dependencies.

Overall, this code change is focused on improving the reliability and security of the Chrome browser deployment in a Docker environment, which is an important aspect of application security.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[cneill]

Doesn't this also need to check the return code, or does ldd return a nonzero status code in cases that aren't really errors for us here? Just thinking we may not want to ignore all ldd errors.

[Maffooch]

I believe the intention is to return an empty string such we skip the logic of identifying missing packages. We could just allow it to error out instead though If that would be preferable

[cneill]

It appears that ldd exits with a nonzero status code when there's some kind of issue reading the executable (or if it's not a valid executable at all). Unfortunately that StackOverflow answer is all I can find - the ldd man page doesn't say anything about exit status codes. I suppose we can wait until the executable fails to run since that might give us a more descriptive error

[mtesauro]

Approved

[Maffooch]

This test was ran when we knew integration tests would fail, and the error was still not caught earlier.. It seems like more attention is needed on this one

[Maffooch]

This is the type of error I would except to see when searching for dependencies fails

I will now pull the latest dev images. I know those will build correctly, so if the tests are successful with this changes with solid containers, than I believe we will be good here

[Maffooch]

Looks like I will need to spend more time on this solution...

[Maffooch]

@cneill I swapped in the dynamic chrome version fetching and the builds still failed. The interesting part is that the script is working sorta as expected? ldd is not failing this time, but some dependencies are still not appearing to be pulled in

#18 [build  9/17] RUN   missing_chrome_deps=$(python install_chrome_dependencies.py) &&   apt-get -y install $missing_chrome_deps
#18 0.101 Reading package lists...
#18 0.507 Building dependency tree...
#18 0.614 Reading state information...
#18 0.731 0 upgraded, 0 newly installed, 0 to remove and 13 not upgraded.
#18 DONE 0.7s

#19 [build 10/17] RUN apt-get install -y libxi6 libgconf-2-4 jq libjq1 libonig5 libxkbcommon0 libxss1 libglib2.0-0 libnss3   libfontconfig1 libatk-bridge2.0-0 libatspi2.0-0 libgtk-3-0 libpango-1.0-0 libgdk-pixbuf2.0-0 libxcomposite1   libxcursor1 libxdamage1 libxtst6 libappindicator3-1 libasound2 libatk1.0-0 libc6 libcairo2 libcups2 libxfixes3   libdbus-1-3 libexpat1 libgcc1 libnspr4 libgbm1 libpangocairo-1.0-0 libstdc++6 libx11-6 libx11-xcb1 libxcb1 libxext6   libxrandr2 libxrender1 gconf-service ca-certificates fonts-liberation libappindicator1 lsb-release xdg-utils

That seems out of the scope of this PR. Does the current implementation of check the error codes of ldd satisfy your request?

[cneill]

Looks good! We can circle back on the other issues with installing Chrome in the future