From 2ee80c71cc5689a11316610e32b49fe5fc73bc15 Mon Sep 17 00:00:00 2001 From: Nigel Banks Date: Thu, 24 Mar 2022 07:39:22 +0000 Subject: [PATCH] Issue 168 vulnerability checks (#183) * Update plugin to latest to get vunerability analysis checks * Bumped alpine version to latest stable. * Updated Imagemagick to latest * Fix for java-jna package discontinued for aarch64 * Added link to aports issue that requires custom build of java-jna * Generate grype reports on pushs as well as pull requests. * Updated fits to latest to get security updates. * Added ability to ignore specific vulnerabilities, while a fix is not availiable. * Updated tomcat to latest * Documented additional flag for grype * Made alpine version a argument. Co-authored-by: Nigel Banks --- .github/workflows/pr.yml | 6 +- .github/workflows/push.yml | 6 +- abuild/Dockerfile | 5 +- base/Dockerfile | 5 +- base/README.md | 2 +- build.gradle.kts | 2 +- cantaloupe/Dockerfile | 3 +- code-server/Dockerfile | 21 ++- composer/Dockerfile | 3 +- download/Dockerfile | 5 +- download/README.md | 2 +- drupal/Dockerfile | 3 +- fcrepo6/Dockerfile | 3 +- fits/Dockerfile | 42 +++++- fits/build/0001-jar-without-natives.patch | 168 ++++++++++++++++++++++ fits/build/APKBUILD | 71 +++++++++ fits/build/no-Werror.patch | 18 +++ gradle.properties | 45 +++++- gradle/wrapper/gradle-wrapper.properties | 2 +- grype.yaml | 16 +++ homarus/Dockerfile | 3 +- hypercube/Dockerfile | 3 +- imagemagick/Dockerfile | 9 +- imagemagick/build/APKBUILD | 49 ++++--- java/Dockerfile | 3 +- mariadb/Dockerfile | 3 +- nginx/Dockerfile | 3 +- postgresql/Dockerfile | 3 +- riprap/Dockerfile | 3 +- tomcat/Dockerfile | 7 +- 30 files changed, 456 insertions(+), 58 deletions(-) create mode 100644 fits/build/0001-jar-without-natives.patch create mode 100644 fits/build/APKBUILD create mode 100644 fits/build/no-Werror.patch create mode 100644 grype.yaml diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 00cda784..74596a8b 100644 
--- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -25,4 +25,8 @@ jobs: - name: Build/Test Docker images uses: eskatos/gradle-command-action@v1 with: - arguments: build test -PisCI=true --info + arguments: build test grype -PisCI=true --info + - uses: actions/upload-artifact@v2 + with: + name: Grype Reports + path: build/**/*-grype.* \ No newline at end of file diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 351a796c..dd93ab77 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -31,4 +31,8 @@ jobs: - name: Build/Test/Push Docker images uses: eskatos/gradle-command-action@v1 with: - arguments: build test '-Pdocker.tags=${{ env.TAG }}' '-Pdocker.repository=${{ secrets.REPOSITORY }}' -Pdocker.push=true -Pdocker.driver=docker-container -Pdocker.cacheTo=true -Pdocker.platforms=linux/amd64,linux/arm64 -PisCI=true --info + arguments: build test grype '-Pdocker.tags=${{ env.TAG }}' '-Pdocker.repository=${{ secrets.REPOSITORY }}' -Pdocker.push=true -Pdocker.driver=docker-container -Pdocker.cacheTo=true -Pdocker.platforms=linux/amd64,linux/arm64 -PisCI=true --info + - uses: actions/upload-artifact@v2 + with: + name: Grype Reports + path: build/**/*-grype.* diff --git a/abuild/Dockerfile b/abuild/Dockerfile index 5ee30aa7..af1070d6 100644 --- a/abuild/Dockerfile +++ b/abuild/Dockerfile @@ -1,9 +1,10 @@ # syntax=docker/dockerfile:1.2.1 ARG repository=local ARG tag=latest +ARG alpine=3.15.0 FROM ${repository}/download:${tag} AS download -FROM alpine:3.13.2 AS cache -FROM alpine:3.13.2 +FROM alpine:${alpine} AS cache +FROM alpine:${alpine} RUN --mount=type=cache,id=abuild-apk,sharing=locked,from=cache,target=/var/cache/apk \ ln -s /var/cache/apk /etc/apk/cache && \ diff --git a/base/Dockerfile b/base/Dockerfile index 95e32fd4..2f809839 100644 --- a/base/Dockerfile +++ b/base/Dockerfile 
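Review bot: The `actions/upload-artifact@v2` step added after the Gradle step has no `if:` condition, so on the one occasion the report matters most — when the new `grype` task fails the job because of `grype.fail-on-severity` — the step is skipped and the report explaining the failure is never uploaded. Add `if: always()` to that step; the same applies to the identical hunk in push.yml. The two actions are referenced by mutable tag (`@v2`, and `@v1` in context), so pinning them to a full commit SHA would match the reproducibility this commit is reaching for elsewhere, and the pr.yml hunk now ends without a trailing newline.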
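Review bot: `ARG alpine=3.15.0` is declared with the same literal default in all 18 Dockerfiles this commit touches (abuild, base, cantaloupe, code-server, composer, download, drupal, fcrepo6, fits, homarus, hypercube, imagemagick, java, mariadb, nginx, postgresql, riprap, tomcat), so the next Alpine bump must be repeated in every file and nothing checks that they agree. A single source of truth — for example a property in gradle.properties that the build passes as `--build-arg alpine=…` — would make the version drift-proof; whether the IsleDocker plugin already supports that I cannot tell from this diff. A tag such as `3.15.0` is also mutable, so for scans that are meant to be reproducible a digest in the default (`ARG alpine=3.15.0@sha256:<digest>`) is the stronger pin.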
@@ -1,9 +1,10 @@ # syntax=docker/dockerfile:1.2.1 ARG repository=local ARG tag=latest +ARG alpine=3.15.0 FROM ${repository}/download:${tag} AS download -FROM alpine:3.13.2 AS cache -FROM alpine:3.13.2 +FROM alpine:${alpine} AS cache +FROM alpine:${alpine} ENV DOWNLOAD_CACHE_DIRECTORY=/opt/downloads diff --git a/base/README.md b/base/README.md index cbbed41c..57f817b4 100644 --- a/base/README.md +++ b/base/README.md @@ -7,7 +7,7 @@ It's based off off [Alpine Linux], and includes [s6 overlay] and [confd]. ## Dependencies -Requires `alpine:3.13.2` +Requires `alpine` ## Settings diff --git a/build.gradle.kts b/build.gradle.kts index a9a17351..18aadc86 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -1,3 +1,3 @@ plugins { - id("com.github.nigelgbanks.IsleDocker") version "0.7" + id("com.github.nigelgbanks.IsleDocker") version "0.9" } \ No newline at end of file diff --git a/cantaloupe/Dockerfile b/cantaloupe/Dockerfile index c57ea439..b515d196 100644 --- a/cantaloupe/Dockerfile +++ b/cantaloupe/Dockerfile @@ -1,6 +1,7 @@ # syntax=docker/dockerfile:1.2.1 ARG repository=local ARG tag=latest +ARG alpine=3.15.0 FROM --platform=$BUILDPLATFORM ${repository}/download:${tag} AS download RUN --mount=type=cache,id=cantaloupe-downloads,sharing=locked,target=/opt/downloads \ @@ -14,7 +15,7 @@ RUN --mount=type=cache,id=cantaloupe-downloads,sharing=locked,target=/opt/downlo install-war-into-tomcat.sh --name "cantaloupe" --file "/tmp/${CANTALOUPE_UNPACKED}/${CANTALOUPE_UNPACKED}.war" && \ rm -fr "/tmp/${CANTALOUPE_UNPACKED}" -FROM alpine:3.13.2 AS cache +FROM alpine:${alpine} AS cache FROM ${repository}/tomcat:${tag} COPY --from=download --chown=tomcat:tomcat /opt/tomcat /opt/tomcat diff --git a/code-server/Dockerfile b/code-server/Dockerfile index 2e1fdad9..cc456c20 100644 --- a/code-server/Dockerfile +++ b/code-server/Dockerfile 
@@ -1,9 +1,18 @@ # syntax=docker/dockerfile:1.2.1 ARG repository=local ARG tag=latest -FROM alpine:3.13.2 AS cache +ARG alpine=3.15.0 +FROM alpine:${alpine} AS cache +FROM node:fermium-alpine3.15 as node FROM ${repository}/abuild:${tag} AS build +COPY --from=node /usr/lib /usr/lib +COPY --from=node /usr/local/share /usr/local/share +COPY --from=node /usr/local/lib /usr/local/lib +COPY --from=node /usr/local/include /usr/local/include +COPY --from=node /usr/local/bin /usr/local/bin +COPY --from=node /opt /opt + # g++, make, python are only required to build native dependencies via node-gyp. # spdlog is required for building / using xdebug extension. RUN --mount=type=cache,id=code-server-apk,sharing=locked,from=cache,target=/var/cache/apk \ @@ -14,8 +23,7 @@ RUN --mount=type=cache,id=code-server-apk,sharing=locked,from=cache,target=/var/ nghttp2-dev \ python3 \ spdlog \ - sudo \ - yarn + sudo # `node-gyp` must be installed before anything else. This is unfortuante, but # make sure the version here matches the exact version in: @@ -83,7 +91,6 @@ RUN --mount=type=cache,id=code-server-drupal-apk,sharing=locked,from=cache,targe htop \ php7-pecl-xdebug \ spdlog \ - yarn \ sudo \ unison \ parallel \ @@ -104,6 +111,12 @@ ENV \ COPY --from=composer --chown=nginx:nginx /root/.composer /var/lib/nginx/.composer COPY --from=build --chown=nginx:nginx /opt/code-server /opt/code-server COPY --from=build /usr/local/share/.config/yarn /usr/local/share/.config/yarn +COPY --from=node /usr/lib /usr/lib +COPY --from=node /usr/local/share /usr/local/share +COPY --from=node /usr/local/lib /usr/local/lib +COPY --from=node /usr/local/include /usr/local/include +COPY --from=node /usr/local/bin /usr/local/bin +COPY --from=node /opt /opt COPY rootfs / diff --git a/composer/Dockerfile b/composer/Dockerfile index fa100f4f..f359e181 100644 --- a/composer/Dockerfile +++ b/composer/Dockerfile 
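Review bot: `COPY --from=node /usr/lib /usr/lib` copies the whole `/usr/lib` of `node:fermium-alpine3.15` over the abuild stage and, in the last hunk, over the final image, replacing apk-managed files with files the package database does not know about; a later `apk add`/`apk upgrade` can silently revert them, and because they are outside the database the apk-based part of the grype scan cannot attribute findings to them. The other five targets (`/usr/local/bin`, `/usr/local/lib`, `/usr/local/include`, `/opt`) are Node-owned paths on that image and are unproblematic; it is only `/usr/lib` that collides with apk, so installing the shared libraries Node needs with apk and dropping that one COPY would keep the package manager authoritative — confirm against what the node image actually places in `/usr/lib`. `node:fermium-alpine3.15` is a floating tag (any Node 14.x patch) unlike the exact versions pinned elsewhere in this commit, and `as node` should be `AS node` to match the rest of the file. The six COPY lines are duplicated verbatim in the build and final stages; if they stay, a comment stating why the node image must be merged in this way would help the next reader.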
@@ -1,6 +1,7 @@ # syntax=docker/dockerfile:1.2.1 ARG repository=local ARG tag=latest +ARG alpine=3.15.0 FROM --platform=$BUILDPLATFORM ${repository}/download:${tag} AS download # https://getcomposer.org/download/ @@ -13,7 +14,7 @@ RUN --mount=type=cache,id=download-downloads,sharing=locked,target=/opt/download cp "${DOWNLOAD_CACHE_DIRECTORY}/${COMPOSER_FILE}" /usr/bin/composer && \ chmod a+x /usr/bin/composer -FROM alpine:3.13.2 AS cache +FROM alpine:${alpine} AS cache FROM ${repository}/download:${tag} # Install packages and tools that allow for basic downloads. diff --git a/download/Dockerfile b/download/Dockerfile index 15ec8a73..7492ab56 100644 --- a/download/Dockerfile +++ b/download/Dockerfile @@ -1,6 +1,7 @@ # syntax=docker/dockerfile:1.2.1 -FROM alpine:3.13.2 AS cache -FROM alpine:3.13.2 +ARG alpine=3.15.0 +FROM alpine:${alpine} AS cache +FROM alpine:${alpine} # Install packages and tools that allow for basic downloads. RUN --mount=type=cache,id=download-apk,sharing=locked,from=cache,target=/var/cache/apk \ diff --git a/download/README.md b/download/README.md index 480c478f..810bea33 100644 --- a/download/README.md +++ b/download/README.md @@ -4,7 +4,7 @@ Image used to cache downloads cuts down on build times / cache misses. ## Dependencies -Requires `alpine:3.13.2` +Requires `alpine` ## Settings diff --git a/drupal/Dockerfile b/drupal/Dockerfile index e9e490d2..cdde71c9 100644 --- a/drupal/Dockerfile +++ b/drupal/Dockerfile @@ -1,6 +1,7 @@ # syntax=docker/dockerfile:1.2.1 ARG repository=local ARG tag=latest +ARG alpine=3.15.0 FROM --platform=$BUILDPLATFORM ${repository}/download:${tag} AS download RUN --mount=type=cache,id=drupal-downloads,sharing=locked,target=/opt/downloads \ 
@@ -12,7 +13,7 @@ RUN --mount=type=cache,id=drupal-downloads,sharing=locked,target=/opt/downloads cp "${DOWNLOAD_CACHE_DIRECTORY}/${DRUSH_FILE}" /usr/bin/drush && \ chmod a+x /usr/bin/drush -FROM alpine:3.13.2 AS cache +FROM alpine:${alpine} AS cache FROM ${repository}/nginx:${tag} EXPOSE 80 diff --git a/fcrepo6/Dockerfile b/fcrepo6/Dockerfile index 161aad7c..ec59f56b 100644 --- a/fcrepo6/Dockerfile +++ b/fcrepo6/Dockerfile @@ -1,6 +1,7 @@ # syntax=docker/dockerfile:experimental ARG repository=local ARG tag=latest +ARG alpine=3.15.0 FROM --platform=$BUILDPLATFORM ${repository}/download:${tag} AS download RUN --mount=type=cache,id=fcrepo6-downloads,sharing=locked,target=/opt/downloads \ @@ -30,7 +31,7 @@ RUN --mount=type=cache,id=fcrepo6-downloads,sharing=locked,target=/opt/downloads download.sh --url "${UPGRADE_UTILS_URL}" --sha256 "${UPGRADE_UTILS_SHA256}" "${DOWNLOAD_CACHE_DIRECTORY}" && \ cp "${DOWNLOAD_CACHE_DIRECTORY}/${UPGRADE_UTILS_FILE}" /opt/tomcat -FROM alpine:3.13.2 AS cache +FROM alpine:${alpine} AS cache FROM ${repository}/tomcat:${tag} # Install packages and tools required by all downstream images. diff --git a/fits/Dockerfile b/fits/Dockerfile index 13b752e2..fb176668 100644 --- a/fits/Dockerfile +++ b/fits/Dockerfile @@ -1,6 +1,7 @@ # syntax=docker/dockerfile:1.2.1 ARG repository=local ARG tag=latest +ARG alpine=3.15.0 FROM --platform=$BUILDPLATFORM ${repository}/download:${tag} AS download RUN --mount=type=cache,id=fits-downloads,sharing=locked,target=/opt/downloads \ 
@@ -10,10 +11,10 @@ RUN --mount=type=cache,id=fits-downloads,sharing=locked,target=/opt/downloads \ FITSSERVLET_SHA256="13cfcb910092b197757e459353f0c30381febfca6baf3031ac69ff92789b200c" && \ download.sh --url "${FITSSERVLET_URL}" --sha256 "${FITSSERVLET_SHA256}" "${DOWNLOAD_CACHE_DIRECTORY}" && \ install-war-into-tomcat.sh --name "fits" --file "${DOWNLOAD_CACHE_DIRECTORY}/${FITSSERVLET_FILE}" && \ - FITS_VERSION="1.5.0" && \ + FITS_VERSION="1.5.1" && \ FITS_FILE="fits-${FITS_VERSION}.zip" && \ FITS_URL="https://github.com/harvard-lts/fits/releases/download/${FITS_VERSION}/${FITS_FILE}" \ - FITS_SHA256="1378a78892db103b3a00e45c510b58c70e19a1a401b3720ff4d64a51438bfe0b" && \ + FITS_SHA256="4bf4adfedf0779221cc2f4648f5dfd3040c7a3e5daa4060c5754d73dc1964442" && \ mkdir /opt/fits && \ download.sh --url "${FITS_URL}" --sha256 "${FITS_SHA256}" "${DOWNLOAD_CACHE_DIRECTORY}" && \ unzip "${DOWNLOAD_CACHE_DIRECTORY}/${FITS_FILE}" -d /opt/fits && \ 
@@ -24,9 +25,43 @@ RUN --mount=type=cache,id=fits-downloads,sharing=locked,target=/opt/downloads \ /opt/fits/tools/file_utility_windows \ /opt/fits/tools/mediainfo -FROM alpine:3.13.2 AS cache +# Onces this https://gitlab.alpinelinux.org/alpine/aports/-/issues/13495 is resolved we can remove this build step. +FROM ${repository}/abuild:${tag} AS build + +RUN --mount=type=cache,id=imagemagick-apk,sharing=locked,from=cache,target=/var/cache/apk \ + apk add \ + apache-ant \ + autoconf \ + automake \ + libffi-dev \ + libtool \ + openjdk8 + +COPY /build /build + +WORKDIR /build + +RUN chown -R builder /build + +USER builder + +RUN export PACKAGER="Nigel Banks " && \ + abuild-keygen -ain && \ + abuild-apk update && \ + abuild + +USER root + +RUN cp -r /home/builder/packages/* /packages + +FROM alpine:${alpine} AS cache FROM ${repository}/tomcat:${tag} +RUN --mount=type=bind,from=build,source=/packages,target=/packages \ + --mount=type=bind,from=build,source=/etc/apk/keys,target=/etc/apk/keys \ + apk add /packages/java-jna-*.apk && \ + cleanup.sh + COPY --from=download --chown=tomcat:tomcat /opt/tomcat /opt/tomcat COPY --from=download --chown=tomcat:tomcat /opt/fits /opt/fits @@ -35,7 +70,6 @@ COPY --from=download --chown=tomcat:tomcat /opt/fits /opt/fits RUN --mount=type=cache,id=fits-apk,sharing=locked,from=cache,target=/var/cache/apk \ apk add \ file \ - java-jna \ libmediainfo \ libzen \ perl \ diff --git a/fits/build/0001-jar-without-natives.patch b/fits/build/0001-jar-without-natives.patch new file mode 100644 index 00000000..0bfbfe5f --- /dev/null +++ b/fits/build/0001-jar-without-natives.patch @@ -0,0 +1,168 @@ +From: Jakub Jirutka +Date: Wed, 13 Apr 2016 20:58:00 +0200 +Last-Updated: Tue, 31 Oct 2017 20:37:04 +0200 +Subject: [PATCH] Exclude native libs from jna.jar + +--- a/build.xml ++++ b/build.xml +@@ -433,160 +433,10 @@ + + + +- +- + + + + +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- + + + 
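Review bot: The new build stage's apk cache mount uses `id=imagemagick-apk`, copied from imagemagick/Dockerfile, while the final stage of this same file uses `id=fits-apk`; with `sharing=locked` this serializes the fits build against the imagemagick build and shares its cache directory for no reason, so it should read `RUN --mount=type=cache,id=fits-apk,sharing=locked,from=cache,target=/var/cache/apk \`. That mount also references `from=cache`, but `FROM alpine:${alpine} AS cache` is now declared after the build stage that uses it (before this change it was the first stage); I am not certain BuildKit resolves a forward reference here, so moving the cache stage back above the build stage, as imagemagick/Dockerfile does, is the safe layout. In the final stage, `--mount=type=bind,from=build,source=/etc/apk/keys,target=/etc/apk/keys` hides the image's own trusted-key directory for the duration of that RUN, so any dependency that `apk add /packages/java-jna-*.apk` pulls from the repositories (the APKBUILD declares `depends="java-jre-headless"`) is verified only against the build stage's keys — fine as long as the abuild image carries the stock Alpine keys, but worth a comment saying so. The comment `# Onces this …` should read `# Once this …`.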
diff --git a/fits/build/APKBUILD b/fits/build/APKBUILD new file mode 100644 index 00000000..d1b08694 --- /dev/null +++ b/fits/build/APKBUILD 
@@ -0,0 +1,71 @@ +# Adapted from: https://git.alpinelinux.org/aports/tree/community/java-jna/APKBUILD +# Contributor: Nigel Banks +# Contributor: Jakub Jirutka +# Maintainer: Jakub Jirutka +pkgname=java-jna +_pkgname=${pkgname#java-} +pkgver=5.6.0 +pkgrel=2 +pkgdesc="JNA provides Java programs easy access to native shared libraries." +url="https://github.com/java-native-access/jna" +# mips64, aarch64 and riscv64 blocked by java-jre-headless +arch="all !mips64 !riscv64" +license="Apache-2.0 LGPL-2.1" +depends="java-jre-headless" +makedepends="apache-ant autoconf automake libffi-dev>=3.2 libtool" +subpackages="$pkgname-native" +source="$pkgname-$pkgver.tar.gz::https://github.com/java-native-access/$_pkgname/archive/$pkgver.tar.gz + 0001-jar-without-natives.patch + no-Werror.patch + " +builddir="$srcdir/$_pkgname-$pkgver" + +prepare() { + default_prepare + + cd "$builddir" + + # Disable Java AWT support (requires some X libs). + sed -i -E "s/^(CDEFINES=.*)$/\1 -DNO_JAWT/g" native/Makefile + + # Remove bundled libffi sources, we're gonna use headers form libffi-dev. + rm -r native/libffi + + # Remove some bundled JARs. + rm -r dist + find lib/native -name "*.jar" -exec rm {} + +} + +build() { + ant clean + + # Parallel build doesn't work here! 
+ MAKEFLAGS="-j1" \ + ant native -Drelease=true -Ddynlink.native=true \ + && ant jar -Domit-jnilib=true +} + +package() { + depends="$depends $pkgname-native" + + install -m644 -D "$builddir"/build/jna.jar \ + "$pkgdir"/usr/share/java/$_pkgname-$pkgver.jar + ln -sf $_pkgname-$pkgver.jar "$pkgdir"/usr/share/java/$_pkgname.jar +} + +native() { + local soname="libjnidispatch.so" + + cd "$builddir" + + local sover="$(sed -En 's/^JNA_JNI_VERSION=([^ ]+).*/\1/p' native/Makefile)" + [ -n "$sover" ] + + install -m755 -D build/native-linux-*/$soname \ + "$subpkgdir"/usr/lib/$soname.$sover + ln -sf $soname.$sover "$subpkgdir"/usr/lib/$soname +} + +sha512sums="645dd13f1ab8b36277fcd2af1557ca9fe15a72aaf78564ed9c2fb027a1b7d4fa93731aa2986d08fabb5af472f79b6cd1d2a260bddb966eac7e50dcd9d3158729 java-jna-5.6.0.tar.gz +600dbd3fdc2b8413599e93650654acdbe43fb49a271e718cb043836231b628914eb141100665c456464fb5260caea6db960a3810691c97d868290340d5524ec3 0001-jar-without-natives.patch +7754a3f1b0f735659ad269fd8f197217043033516848eea63182b0857f5d87a84e7a113c9de693c80ce491d50e0d3b9054a61159f5245b71f1eabe07809af259 no-Werror.patch" diff --git a/fits/build/no-Werror.patch b/fits/build/no-Werror.patch new file mode 100644 index 00000000..e41adda5 --- /dev/null +++ b/fits/build/no-Werror.patch 
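Review bot: The comment `# mips64, aarch64 and riscv64 blocked by java-jre-headless` contradicts `arch="all !mips64 !riscv64"` on the next line: aarch64 is deliberately kept, since producing an aarch64 java-jna is the reason this adapted APKBUILD exists (the aports issue 13495 link in fits/Dockerfile). Rewrite it as `# mips64 and riscv64 blocked by java-jre-headless; aarch64 re-enabled here, see aports issue 13495` so nobody "fixes" the arch line to match the comment. Keeping the upstream sha512sums for the tarball and both patches is the right thing to retain; the `# Maintainer:` line still names the upstream maintainer although this copy lives in this repository, which may misdirect bug reports.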
@@ -0,0 +1,18 @@ +diff --git a/native/Makefile b/native/Makefile +index 2d69a04..d05e6fb 100644 +--- a/native/Makefile ++++ b/native/Makefile +@@ -337,11 +337,11 @@ ifeq ($(CC),gcc) + GCC_MAJOR_VERSION = $(shell gcc -dumpversion | cut -f 1 -d '.') + ifneq ($(GCC_MAJOR_VERSION),4) + ifneq ($(GCC_MAJOR_VERSION),3) +- LOC_CC_OPTS=-Wno-unknown-warning-option -Werror -Wno-clobbered -Wno-unused-variable ++ LOC_CC_OPTS=-Wno-unknown-warning-option -Wno-clobbered -Wno-unused-variable + endif + endif + else +- LOC_CC_OPTS=-Wno-unknown-warning-option -Werror -Wno-clobbered -Wno-unused-variable ++ LOC_CC_OPTS=-Wno-unknown-warning-option -Wno-clobbered -Wno-unused-variable + endif + + # Enable 64-bit builds if the arch demands it diff --git a/gradle.properties b/gradle.properties index 3c1027e1..02ffcb75 100644 --- a/gradle.properties +++ b/gradle.properties 
@@ -1,15 +1,48 @@ -# ============================================================================== +# ============================================================================= # Gradle properties. org.gradle.caching=true org.gradle.parallel=true -# ============================================================================== +# ============================================================================= # CI properties. + # Set to true if building in an Continous Integration environment, # To reduce space used since the environment is ephemeral. isCI=false -# ============================================================================== +# ============================================================================= +# Grype properties. +# See https://github.com/anchore/grype for in-depth explaination. + +# Used to ignore specific vunerabilities. +grype.config=grype.yaml + +# Only included vunerabilities that have known fixes in the report. +grype.only-fixed=false + +# Upon scanning, if a severity is found at or above the given severity then the +# command will fail. The default is unset which will skip this validation. +# +# Options: +# - negligible +# - low +# - medium +# - high +# - critical +# grype.fail-on-severity= + +# The format of reports generated by grype, which can be found in: +# `build/{image-name}/{image-name}-grype.{ext}`: +# +# Options: +# - table: A columnar summary (default). +# - cyclonedx: An XML report conforming to the CycloneDX 1.2 specification. +# - json: Use this to get as much information out of Grype as possible! +# - template: Lets the user specify the output format. See "Using templates" +# . +grype.format=table + +# ============================================================================= # Docker properties. # See https://github.com/docker/buildx#documentation for in-depth explaination. 
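Review bot: With `# grype.fail-on-severity=` left commented out, the `grype` task the workflows now run never fails the build, so the scan is report-only and push.yml would still push an image with a new critical finding; setting a threshold (for example `grype.fail-on-severity=high`) with accepted findings listed in grype.yaml turns the check into an actual gate. Spelling in the new comments: `explaination` → `explanation`, `vunerabilities` → `vulnerabilities` (twice), and `# Only included vunerabilities that have known fixes in the report.` → `# Only include vulnerabilities that have known fixes in the report.`.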
@@ -24,6 +57,12 @@ docker.tags=latest # The driver to use for the build, either "docker", "docker-container", or # "kubernetes". Note that "docker" only supports "inline" cache mode and does # *not* support multi-arch builds. +# +# Using 'docker-container' with a local repository requires that the following +# is set in your /etc/docker/daemon.json file. +# { +# "insecure-registries" : ["http://isle-buildkit.registry"], +# } docker.driver=docker # Conditionally allows pushing when `docker.driver` is set to `docker`. If we diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index af7be50b..2e6e5897 100644 --- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,5 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-7.1.1-all.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-7.3.3-bin.zip zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/grype.yaml b/grype.yaml new file mode 100644 index 00000000..9c6bdb14 --- /dev/null +++ b/grype.yaml @@ -0,0 +1,16 @@ +ignore: + # maven-resolver & maven-shared-utils +- vulnerability: CVE-2021-26291 + fix-state: unknown +- vulnerability: CVE-2021-26291 + fix-state: unknown +- vulnerability: CVE-2021-26291 + fix-state: unknown +- vulnerability: CVE-2021-26291 + fix-state: unknown +- vulnerability: CVE-2021-26291 + fix-state: unknown +- vulnerability: CVE-2021-26291 + fix-state: unknown +- vulnerability: CVE-2021-26291 + fix-state: unknown \ No newline at end of file diff --git a/homarus/Dockerfile b/homarus/Dockerfile index fa132342..fd05f7aa 100644 --- a/homarus/Dockerfile +++ b/homarus/Dockerfile 
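Review bot: The documented daemon setting `"insecure-registries" : ["http://isle-buildkit.registry"]` includes a URL scheme, which I believe dockerd rejects (entries are `host[:port]` or a CIDR), so `"insecure-registries": ["isle-buildkit.registry"]` is the form the daemon expects. The comment should also say that this permits plaintext or unverified TLS for that one host and is intended only for the local build registry, so the snippet is not copied for a remote registry.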
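Review bot: The ignore list repeats `vulnerability: CVE-2021-26291` with `fix-state: unknown` seven times; the entries are identical, so one suffices, and the `# maven-resolver & maven-shared-utils` comment suggests the intent was to scope each entry to a package (grype ignore rules accept a `package:` block with `name`, `version` and `type`), which would stop the rule from silencing the same CVE in an unrelated package. Each ignore should carry a comment with the reason and a date to revisit, since `fix-state: unknown` entries otherwise stay forever; the file also lacks a trailing newline.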
@@ -1,13 +1,14 @@ # syntax=docker/dockerfile:1.2.1 ARG repository=local ARG tag=latest +ARG alpine=3.15.0 FROM --platform=$BUILDPLATFORM ${repository}/crayfish:${tag} AS crayfish RUN --mount=type=cache,id=homarus-composer,sharing=locked,target=/root/.composer/cache \ composer install -d /var/www/crayfish/Homarus && \ ln -s /var/www/crayfish/Homarus/src /var/www/html -FROM alpine:3.13.2 AS cache +FROM alpine:${alpine} AS cache FROM ${repository}/nginx:${tag} EXPOSE 8000 diff --git a/hypercube/Dockerfile b/hypercube/Dockerfile index bd5f360c..1caa936e 100644 --- a/hypercube/Dockerfile +++ b/hypercube/Dockerfile @@ -1,13 +1,14 @@ # syntax=docker/dockerfile:1.2.1 ARG repository=local ARG tag=latest +ARG alpine=3.15.0 FROM --platform=$BUILDPLATFORM ${repository}/crayfish:${tag} AS crayfish RUN --mount=type=cache,id=hypercube-composer,sharing=locked,target=/root/.composer/cache \ composer install -d /var/www/crayfish/Hypercube && \ ln -s /var/www/crayfish/Hypercube/src /var/www/html -FROM alpine:3.13.2 AS cache +FROM alpine:${alpine} AS cache FROM ${repository}/nginx:${tag} EXPOSE 8000 diff --git a/imagemagick/Dockerfile b/imagemagick/Dockerfile index 5b3eb723..efb3f208 100644 --- a/imagemagick/Dockerfile +++ b/imagemagick/Dockerfile @@ -1,13 +1,12 @@ # syntax=docker/dockerfile:1.2.1 ARG repository=local ARG tag=latest -FROM alpine:3.13.2 AS cache +ARG alpine=3.15.0 +FROM alpine:${alpine} AS cache FROM ${repository}/abuild:${tag} AS build RUN --mount=type=cache,id=imagemagick-apk,sharing=locked,from=cache,target=/var/cache/apk \ apk add \ - libheif-dev \ - libwebp-dev \ chrpath \ fftw-dev \ fontconfig-dev \ @@ -16,10 +15,12 @@ RUN --mount=type=cache,id=imagemagick-apk,sharing=locked,from=cache,target=/var/ ghostscript-fonts \ graphviz \ lcms2-dev \ + libheif-dev \ libjpeg-turbo-dev \ libpng-dev \ librsvg-dev \ libtool \ + libwebp-dev \ libwmf-dev \ libx11-dev \ libxext-dev \ 
@@ -44,7 +45,7 @@ RUN export PACKAGER="Nigel Banks " && \ abuild-apk update && \ abuild -FROM alpine:3.13.2 +FROM alpine:${alpine} COPY --from=build /etc/apk/keys /etc/apk/keys COPY --from=build /home/builder/packages/*/ /packages \ No newline at end of file diff --git a/imagemagick/build/APKBUILD b/imagemagick/build/APKBUILD index badcd846..94aecb91 100644 --- a/imagemagick/build/APKBUILD +++ b/imagemagick/build/APKBUILD @@ -1,24 +1,21 @@ -# Adapted from: https://git.alpinelinux.org/aports/commit/?id=f0a480dcf122a955d24fffe94517875a4e32061e +# Adapted from: https://git.alpinelinux.org/aports/tree/community/imagemagick/APKBUILD # Contributor: Nigel Banks # Contributor: Ɓukasz Jendrysik -# Contributor: Carlo Landmeter +# Contributor: Carlo Landmeter # Maintainer: Natanael Copa pkgname=imagemagick _pkgname=ImageMagick -pkgver=7.0.10.57 -pkgrel=0 +pkgver=7.1.0.16 +pkgrel=1 _pkgver=${pkgver%.*}-${pkgver##*.} _abiver=7 pkgdesc="Collection of tools and libraries for many image formats" -url="https://www.imagemagick.org/" +url="https://imagemagick.org/" arch="all" license="ImageMagick" options="libtool" -depends=" - ghostscript" makedepends=" chrpath - fftw-dev fontconfig-dev freetype-dev ghostscript-dev @@ -26,9 +23,8 @@ makedepends=" libheif-dev libjpeg-turbo-dev libpng-dev - libtool + libtool libwebp-dev - libwmf-dev libx11-dev libxext-dev libxml2-dev 
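Review bot: Dropping `depends=" ghostscript"` removes the runtime dependency the previous package pulled in at install time, so any consumer of these packages that relied on ImageMagick handling PDF/PostScript through ghostscript loses that unless ghostscript is installed explicitly elsewhere; the consuming Dockerfiles are not in this diff, so please confirm before merging. Likewise `fftw-dev` and `libwmf-dev` leave `makedepends` while imagemagick/Dockerfile's build stage still installs both (context lines in its first hunk), so either that apk list is now stale or the APKBUILD lost features the image still wants — the two should agree. Switching `source=` to the release tarball with a pinned sha512 is a good change.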
@@ -40,18 +36,36 @@ makedepends=" zlib-dev" case "$CARCH" in - s390x) ;; - mips*) options="$options !check" ;; + s390x|riscv64) ;; + mips64) options="$options !check" ;; *) makedepends="$makedepends librsvg-dev" ;; esac checkdepends="freetype fontconfig ghostscript ghostscript-fonts lcms2 graphviz" -subpackages="$pkgname-libs" -source="$_pkgname-$_pkgver.tar.gz::https://github.com/ImageMagick/ImageMagick/archive/$_pkgver.tar.gz - disable-avaraging-tests.patch" +subpackages=" + $pkgname-libs + " +source="https://download.imagemagick.org/ImageMagick/download/releases/ImageMagick-$_pkgver.tar.xz" builddir="$srcdir/$_pkgname-$_pkgver" # secfixes: +# 7.1.0.10-r0: +# - CVE-2021-39212 +# 7.1.0.0-r0: +# - CVE-2021-34183 +# 7.0.11.1-r0: +# - CVE-2021-20241 +# - CVE-2021-20243 +# - CVE-2021-20244 +# - CVE-2021-20245 +# - CVE-2021-20246 +# - CVE-2021-20309 +# - CVE-2021-20310 +# - CVE-2021-20311 +# - CVE-2021-20312 +# - CVE-2021-20313 +# 7.0.10.57-r0: +# - CVE-2021-20176 # 7.0.10.42-r0: # - CVE-2020-29599 # 7.0.10.35-r0: @@ -181,5 +195,6 @@ package() { -o -name '*.bs' \) -delete } -sha512sums="404d78d8b2c8018e07eda39799d16ddf7e48e1daeb8356692ba5770cf6edda83541de859c2b19710c1ceddd526683e6c14b8f3a984f9f4b987be2c02862b84f7 ImageMagick-7.0.10-57.tar.gz -58afb2da075a6208b6a990ff297b3a827d260687c3355198a8b4d987e1596c0b0cd78aff6f0be0e1896e537fbe44a3d467473183f5f149664ea6e6fb3d3291a9 disable-avaraging-tests.patch" \ No newline at end of file +sha512sums=" +6894e51ea96b49cd7aafb91d1e05b02f802bccc79121a6b6e65d2122cf97a27cd26bba393edb0b8d4c354ca95c2db0986257fd0d08756067dddb51240a346e2d ImageMagick-7.1.0-16.tar.xz +" diff --git a/java/Dockerfile b/java/Dockerfile index c79a9a9b..708b5f08 100644 --- a/java/Dockerfile +++ b/java/Dockerfile 
@@ -1,7 +1,8 @@ # syntax=docker/dockerfile:1.2.1 ARG repository=local ARG tag=latest -FROM alpine:3.13.2 AS cache +ARG alpine=3.15.0 +FROM alpine:${alpine} AS cache FROM ${repository}/base:${tag} # Install packages and tools required by all downstream images. diff --git a/mariadb/Dockerfile b/mariadb/Dockerfile index 9578f89b..79bbaa87 100644 --- a/mariadb/Dockerfile +++ b/mariadb/Dockerfile @@ -1,7 +1,8 @@ # syntax=docker/dockerfile:1.2.1 ARG repository=local ARG tag=latest -FROM alpine:3.13.2 AS cache +ARG alpine=3.15.0 +FROM alpine:${alpine} AS cache FROM ${repository}/base:${tag} EXPOSE 3306 diff --git a/nginx/Dockerfile b/nginx/Dockerfile index 315e2fa1..38dfd4ac 100644 --- a/nginx/Dockerfile +++ b/nginx/Dockerfile @@ -1,7 +1,8 @@ # syntax=docker/dockerfile:1.2.1 ARG repository=local ARG tag=latest -FROM alpine:3.13.2 AS cache +ARG alpine=3.15.0 +FROM alpine:${alpine} AS cache FROM --platform=$BUILDPLATFORM ${repository}/composer:${tag} AS composer FROM ${repository}/base:${tag} diff --git a/postgresql/Dockerfile b/postgresql/Dockerfile index 419c1598..35b940e2 100644 --- a/postgresql/Dockerfile +++ b/postgresql/Dockerfile @@ -1,7 +1,8 @@ # syntax=docker/dockerfile:1.2.1 ARG repository=local ARG tag=latest -FROM alpine:3.13.2 AS cache +ARG alpine=3.15.0 +FROM alpine:${alpine} AS cache FROM ${repository}/base:${tag} EXPOSE 5432 diff --git a/riprap/Dockerfile b/riprap/Dockerfile index 52d6fe9c..5da10ffa 100644 --- a/riprap/Dockerfile +++ b/riprap/Dockerfile @@ -1,6 +1,7 @@ # syntax=docker/dockerfile:1.2.1 ARG repository=local ARG tag=latest +ARG alpine=3.15.0 FROM --platform=$BUILDPLATFORM ${repository}/composer:${tag} AS composer RUN --mount=type=cache,id=riprap-composer,sharing=locked,target=/root/.composer/cache \ 
@@ -13,7 +14,7 @@ RUN --mount=type=cache,id=riprap-composer,sharing=locked,target=/root/.composer/ --worktree /var/www/riprap && \ composer install -d /var/www/riprap --no-dev -FROM alpine:3.13.2 AS cache +FROM alpine:${alpine} AS cache FROM ${repository}/nginx:${tag} EXPOSE 8000 diff --git a/tomcat/Dockerfile b/tomcat/Dockerfile index 0096c734..fc43a24d 100644 --- a/tomcat/Dockerfile +++ b/tomcat/Dockerfile @@ -1,20 +1,21 @@ # syntax=docker/dockerfile:1.2.1 ARG repository=local ARG tag=latest +ARG alpine=3.15.0 FROM --platform=$BUILDPLATFORM ${repository}/java:${tag} AS download RUN --mount=type=cache,id=tomcat-downloads,sharing=locked,target=/opt/downloads \ - TOMCAT_VERSION="9.0.34" && \ + TOMCAT_VERSION="9.0.58" && \ TOMCAT_FILE="apache-tomcat-${TOMCAT_VERSION}.tar.gz" && \ TOMCAT_URL="https://archive.apache.org/dist/tomcat/tomcat-9/v${TOMCAT_VERSION}/bin/${TOMCAT_FILE}" && \ - TOMCAT_FILE_SHA256="321de5b18a48ec09d2963d9faba4bfeafc7dd2203d80a2ef7e7a20b159e2120a" && \ + TOMCAT_FILE_SHA256="a7895a9f425dd57fba5a1e8685d43754d3ecfe05de80e93bfd245ca8313cc7c1" && \ download.sh --url "${TOMCAT_URL}" --sha256 "${TOMCAT_FILE_SHA256}" "${DOWNLOAD_CACHE_DIRECTORY}" && \ install-apache-service.sh \ --name tomcat \ --file "${DOWNLOAD_CACHE_DIRECTORY}/${TOMCAT_FILE}" \ webapps/docs webapps/examples -FROM alpine:3.13.2 AS cache +FROM alpine:${alpine} AS cache FROM ${repository}/java:${tag} EXPOSE 8080