feat: vulnz Docker v2

[EugenMayer]

Based on all the work of https://github.com/jeremylong/Open-Vulnerability-Project/pull/87

Added

• support for JAVA_OPT to configure the memory usage
• added docs on how to run and build the docker image
• added volume definition
• CI integration (PR and RELEASE tasks)
  • PR task does not use any github tokens or publishes and docker images. Just builds
  • Release task can be triggered by tagging with vulnz/5.1.1 which builds vulnz in the version 5.1.1 and the publishes it with the docker-image tagged with 5.1.1

Discussions

• [x] discussion image target namespace, currently jeremylong/vulnz
• [x] i moved version from to gradle.properties so it can be overriden during compile time (snapshot builds). Keeping it in vuln.tools.java-common-conventions.gradle does block this

Testing

• [x] e2e test
• [x] e2e test docker image in k8s helm chart

I also based the helm chart on this image now

[EugenMayer]

@jeremylong let me know if you want anything to be changed. I got the CI integration running and testing in my fork and it works well for now. The PR workflow does not use any credentials and is safe, the release workflow, which will be triggered by you only, uses the usual github token authentication.

Anything else seems up and running, i got it running via the helm chart too. So from my POV, it is read for review or even merge.

[EugenMayer]

For everybody keen to test, i have published it temporary under https://github.com/users/eugenmayer/packages/container/package/vulnz so you can test-drive the docker image with

docker run -e NVD_API_KEY=yourkey ghcr.io/eugenmayer/vulnz:5.1.1

or use the helm chart at artifactory / source

[EugenMayer]

I would suggest, if there is such a bottleneck in doing reviews, that i fork the effort into a separate repository that builds released versions if this repository - so an entire standalone repository that the community can maintain, instead of you having the burden to maintain and work on it @jeremylong

I set myself a deadline in 2 weeks to iron out that repository, taking of the pressure from you here.

I hope this gets you well, this i do not want to torpedo this project, rather take weight from your shoulders maintain all "bits and pieces" - maybe you can then just focus on the actual library itself / cli tool.

[jeremylong]

Again - thank you for the PR. I've been exceedingly busy with other commitments. I'll try to get this published this week.

[jeremylong]

I think we should update the image name to open-vulnerability-data-mirror.

[EugenMayer]

@jeremylong you would need to expose the package in https://github.com/jeremylong?tab=packages so that it is actually public. AFAICS the workflow finished, but i cannot see the images, i assume they are yet private. Also be sure to link the package to the repository, if that has not been done via annotation already. Usually that is all done within a few seconds in the github UI.

I really value that you deploy to GHCR - personally, i do not even double-publich anylong on docker hub. When they introduced their rate limits and entire bonkers strategy, i entirely went away (years ago i started). I understand if you want to publish on both platforms, sure - but i consider GHCR to be the new better source - since no rate limits are applied.

Thank you for taking your time and pushing this one through!

[jeremylong]

The release workflow hasn't run yet as a new tag has not been published yet. I'm in the middle of a significant rework of the NVD API and should be done fairly soon - so I'll be pushing a new tag within a week.

[EugenMayer]

Sure, not worries.

[EugenMayer]

@jeremylong any progress on publishing the docker-images?

[jeremylong]

@EugenMayer the docker image should now be available. sorry about the delay. See https://github.com/jeremylong/Open-Vulnerability-Project/releases/tag/v5.1.2

[EugenMayer]

@jeremylong great, thank you

I have updated the helm chart https://github.com/EugenMayer/helm-charts/tree/main/charts/vulnz-nvd-mirror to use the new production image.

If you like or it make sense, we should make the people aware of the helm chart - but it is discover-able via https://artifacthub.io/packages/helm/eugen/vulnz-nvd-mirror