Project-MONAI
diff --git a/‎.dockleignore
Lines changed: 17 additions & 0 deletions b/‎.dockleignore
Lines changed: 17 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml
100644100755
Lines changed: 50 additions & 37 deletions b/‎.github/workflows/ci.yml
100644100755
Lines changed: 50 additions & 37 deletions
diff --git a/‎.github/workflows/package-cleanup.yml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/package-cleanup.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.gitignore
Lines changed: 1 addition & 0 deletions b/‎.gitignore
Lines changed: 1 addition & 0 deletions
diff --git a/‎.licenserc.yaml
Lines changed: 1 addition & 0 deletions b/‎.licenserc.yaml
Lines changed: 1 addition & 0 deletions
diff --git a/‎Dockerfile
100644100755
Lines changed: 12 additions & 5 deletions b/‎Dockerfile
100644100755
Lines changed: 12 additions & 5 deletions
@@ -0,0 +1,17 @@
+# Copyright 2023 MONAI Consortium
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Checked and no actual secrets found in dockerfile, just some environment variables for compatibility
+CIS-DI-0010
+
@@ -42,13 +42,13 @@ jobs:
       nuGetVersionV2: ${{ steps.gitversion.outputs.nuGetVersionV2 }}
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - uses: actions/setup-dotnet@v3
         with:
-          dotnet-version: "6.0.x"
+          dotnet-version: "8.0.x"
 
       - name: Install GitVersion
         run: dotnet tool install --global GitVersion.Tool
@@ -82,16 +82,16 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0
 
     - uses: actions/setup-dotnet@v3
       with:
-        dotnet-version: "6.0.x"
+        dotnet-version: "8.0.x"
 
     - name: Enable NuGet cache
-      uses: actions/[email protected].1
+      uses: actions/[email protected].2
       with:
         path: ~/.nuget/packages
         key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
@@ -123,25 +123,25 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0
 
     - uses: actions/setup-dotnet@v3
       with:
-        dotnet-version: "6.0.x"
+        dotnet-version: "8.0.x"
 
     - name: Enable Homebrew
       run: echo "/home/linuxbrew/.linuxbrew/bin:/home/linuxbrew/.linuxbrew/sbin" >> $GITHUB_PATH
 
     - name: Install License Finder tool with Homebrew
-      uses: tecoli-com/actions-use-homebrew-tools@v1.1
+      uses: tecoli-com/actions-use-homebrew-tools@v1.2
       with:
         tools: licensefinder
         cache: yes
 
     - name: Enable NuGet cache
-      uses: actions/[email protected].1
+      uses: actions/[email protected].2
       with:
         path: ~/.nuget/packages
         key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
@@ -183,25 +183,25 @@ jobs:
         ports:
         - 27017:27017
     steps:
-      - name: Set up JDK 11
+      - name: Set up JDK 17
         uses: actions/setup-java@v3
         with:
           distribution: zulu
-          java-version: '11'
+          java-version: '17'
 
       - uses: actions/setup-dotnet@v3
         with:
-          dotnet-version: "6.0.x"
+          dotnet-version: "8.0.x"
 
       - name: Enable NuGet cache
-        uses: actions/[email protected].1
+        uses: actions/[email protected].2
         with:
           path: ~/.nuget/packages
           key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
           restore-keys: |
             ${{ runner.os }}-nuget
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
@@ -231,7 +231,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        run: find ~+ -type f -name "*.Test.csproj" | xargs -L1 dotnet test -c ${{ env.BUILD_CONFIG }} -v=minimal -r "${{ env.TEST_RESULTS }}" --collect:"XPlat Code Coverage" --settings coverlet.runsettings
+        run: find ~+ -type f -name "*.Test.csproj" | xargs -L1 dotnet test -c ${{ env.BUILD_CONFIG }} -v=minimal --results-directory "${{ env.TEST_RESULTS }}" --collect:"XPlat Code Coverage" --settings coverlet.runsettings
         working-directory: ./src
 
       - name: End SonarScanner
@@ -244,7 +244,7 @@ jobs:
       - uses: codecov/codecov-action@v3
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
-          directory: "src/${{ env.TEST_RESULTS }}"
+          directory: "src/"
           files: "**/coverage.opencover.xml"
           flags: unittests
           name: codecov-umbrella
@@ -264,16 +264,16 @@ jobs:
       DOTNET_TEST: ${{ matrix.database }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - uses: actions/setup-dotnet@v3
         with:
-          dotnet-version: "6.0.x"
+          dotnet-version: "8.0.x"
 
       - name: Enable NuGet cache
-        uses: actions/[email protected].1
+        uses: actions/[email protected].2
         with:
           path: ~/.nuget/packages
           key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
@@ -315,7 +315,7 @@ jobs:
       MAJORMINORPATCH: ${{ needs.calc-version.outputs.majorMinorPatch }}
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-latest]
+        os: [ubuntu-latest]
       fail-fast: true
 
     outputs:
@@ -329,16 +329,16 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - uses: actions/setup-dotnet@v3
         with:
-          dotnet-version: "6.0.x"
+          dotnet-version: "8.0.x"
 
       - name: Enable NuGet cache
-        uses: actions/[email protected].1
+        uses: actions/[email protected].2
         with:
           path: ~/.nuget/packages
           key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
@@ -394,7 +394,7 @@ jobs:
         if: ${{ (matrix.os == 'ubuntu-latest') }}
         run: |
           mkdir ~/nupkg
-          dotnet pack --no-build -c ${{ env.BUILD_CONFIG }} -o ~/nupkg -p:PackageVersion=${{ env.NUGETVER }}
+          dotnet pack -c ${{ env.BUILD_CONFIG }} -o ~/nupkg -p:PackageVersion=${{ env.NUGETVER }}
           ls -lR ~/nupkg
         working-directory: ./src/Api
 
@@ -433,13 +433,26 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
-      - name: Scan image with Azure Container Scan
-        env:
-          TRIVY_TIMEOUT_SEC: 360s
-        uses: Azure/[email protected]
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
         if: ${{ (matrix.os == 'ubuntu-latest') }}
         with:
-          image-name: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
+          image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL'
+
+      - name: Run dockle scan
+        id: dockle-scan
+        uses: goodwithtech/dockle-action@main
+        if: ${{ (matrix.os == 'ubuntu-latest') }}
+        with:
+          image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
+          format: 'list'
+          exit-code: '1'
+          exit-level: 'warn'
 
       - name: Anchore container scan
         id: anchore-scan
@@ -450,7 +463,7 @@ jobs:
           fail-build: true
           severity-cutoff: critical
 
-      - name: Upload Anchore scan SARIF report
+      - name: Upload scan SARIF report
         uses: github/codeql-action/upload-sarif@v2
         if: ${{ (matrix.os == 'ubuntu-latest') }}
         with:
@@ -468,24 +481,24 @@ jobs:
     env:
       SEMVER: ${{ needs.calc-version.outputs.semVer }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - uses: actions/setup-dotnet@v3
         with:
-          dotnet-version: "6.0.x"
+          dotnet-version: "8.0.x"
 
       - name: Enable NuGet cache
-        uses: actions/[email protected].1
+        uses: actions/[email protected].2
         with:
           path: ~/.nuget/packages
           key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
           restore-keys: |
             ${{ runner.os }}-nuget
 
       - name: Setup DocFX
-        uses: crazy-max/ghaction-chocolatey@v2
+        uses: crazy-max/ghaction-chocolatey@v3
         with:
           args: install docfx
 
@@ -539,7 +552,7 @@ jobs:
         env:
           NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
         with:
-          dotnet-version: "6.0.x"
+          dotnet-version: "8.0.x"
           source-url: https://nuget.pkg.github.com/Project-MONAI/index.json
 
       - name: Publish to GitHub
@@ -555,7 +568,7 @@ jobs:
       MAJORMINORPATCH: ${{ needs.calc-version.outputs.majorMinorPatch }}
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
@@ -572,7 +585,7 @@ jobs:
         env:
           NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
         with:
-          dotnet-version: "6.0.x"
+          dotnet-version: "8.0.x"
           source-url: https://nuget.pkg.github.com/Project-MONAI/index.json
 
       - name: Publish to GitHub
 
@@ -17,8 +17,8 @@
 name: Cleanup Pre-release Packages
 
 on:
-  schedule:
-  - cron: "0 0 * * *"
+  # schedule:
+  # - cron: "0 0 * * *"
   workflow_dispatch:
 
 jobs:
 
@@ -560,3 +560,4 @@ FodyWeavers.xsd
 # Additional files built by Visual Studio
 
 # End of https://www.toptal.com/developers/gitignore/api/aspnetcore,dotnetcore,visualstudio,visualstudiocode
+/src/InformaticsGateway/Properties/launchSettings.json
@@ -40,6 +40,7 @@ header:
     - 'tests/Integration.Test/*.dev'
     - 'tests/Integration.Test/data/**'
     - 'guidelines/diagrams/*.txt'
+    - 'src/DicomWebClient/Third-party/**'
 
   comment: on-failure
 
 
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM mcr.microsoft.com/dotnet/sdk:6.0-jammy as build
+FROM mcr.microsoft.com/dotnet/sdk:8.0-jammy as build
 
 # Install the tools
 RUN dotnet tool install --tool-path /tools dotnet-trace
@@ -26,25 +26,30 @@ RUN echo "Building MONAI Deploy Informatics Gateway..."
 RUN dotnet publish -c Release -o out --nologo src/InformaticsGateway/Monai.Deploy.InformaticsGateway.csproj
 
 # Build runtime image
-FROM mcr.microsoft.com/dotnet/aspnet:6.0-jammy
+FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy
+RUN adduser --system --group --no-create-home appuser
 
 # Enable elastic client compatibility mode
 ENV ELASTIC_CLIENT_APIVERSIONING=true
 ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get clean \
  && apt-get update \
- && apt-get install -y --no-install-recommends \
-    curl \
-    && rm -rf /var/lib/apt/lists
+ && apt-get install -y --no-install-recommends curl \
+ && apt-get install -y libc6-dev=2.35-0ubuntu3.8 \
+ && rm -rf /var/lib/apt/lists                           # this is a workaround for Mongo encryption library
 
 WORKDIR /opt/monai/ig
 
+RUN chown -R appuser:appuser /opt/monai/ig
+
 COPY --from=build /app/out .
 COPY --from=build /tools /opt/dotnetcore-tools
 COPY LICENSE ./
 COPY docs/compliance/third-party-licenses.md ./
 
+RUN ln -s /usr/lib/x86_64-linux-gnu/libdl.so.2 /opt/monai/ig/libdl.so    # part 2 of workaround for Mongo encryption library
+
 EXPOSE 104
 EXPOSE 2575
 EXPOSE 5000
@@ -54,4 +59,6 @@ HEALTHCHECK --interval=10s --retries=10 CMD curl --fail http://localhost:5000/he
 RUN ls -lR /opt/monai/ig
 ENV PATH="/opt/dotnetcore-tools:${PATH}"
 
+USER appuser
+
 ENTRYPOINT ["/opt/monai/ig/Monai.Deploy.InformaticsGateway"]
Original file line number	Diff line number	Diff line change
`@@ -560,3 +560,4 @@ FodyWeavers.xsd`
`560`	`560`	`# Additional files built by Visual Studio`
`561`	`561`
`562`	`562`	`# End of https://www.toptal.com/developers/gitignore/api/aspnetcore,dotnetcore,visualstudio,visualstudiocode`
	`563`	`+/src/InformaticsGateway/Properties/launchSettings.json`