[#30] Fix CVEs & update build libs

* Update ces-build-lib & dogu-build-lib
* Add prerelease stage to Jenkinsfile
* Add Trivy Scan to Jenkinsfile
* Update base image to debian:12.7-3
* Update mysql package to 0.8.33-1

Dockerfile

@@ -1,4 +1,4 @@
-FROM registry.cloudogu.com/official/base-debian:12.6-1
+FROM registry.cloudogu.com/official/base-debian:12.7-3
 
 LABEL MAINTAINER="[email protected]" \
         NAME="official/mysql" \

Jenkinsfile

@@ -1,5 +1,5 @@
 #!groovy
-@Library(['github.com/cloudogu/ces-build-lib@v1.48.0', 'github.com/cloudogu/dogu-build-lib@v1.5.1']) _
+@Library(['github.com/cloudogu/ces-build-lib@4.0.1', 'github.com/cloudogu/dogu-build-lib@v3.0.0'])
 import com.cloudogu.ces.cesbuildlib.*
 import com.cloudogu.ces.dogubuildlib.*
 
@@ -47,13 +47,23 @@ timestamps {
                 // Keep only the last x builds to preserve space
                 buildDiscarder(logRotator(numToKeepStr: '10')),
                 // Don't run concurrent builds for a branch, because they use the same workspace directory
-                disableConcurrentBuilds()
+                disableConcurrentBuilds(),
+                parameters([
+                    booleanParam(defaultValue: true, description: 'Enables cypress to record video of the integration tests.', name: 'EnableVideoRecording'),
+                    booleanParam(defaultValue: true, description: 'Enables cypress to take screenshots of failing integration tests.', name: 'EnableScreenshotRecording'),
+                    choice(name: 'TrivySeverityLevels', choices: [TrivySeverityLevel.CRITICAL, TrivySeverityLevel.HIGH_AND_ABOVE, TrivySeverityLevel.MEDIUM_AND_ABOVE, TrivySeverityLevel.ALL], description: 'The levels to scan with trivy', defaultValue: TrivySeverityLevel.CRITICAL),
+                    choice(name: 'TrivyStrategy', choices: [TrivyScanStrategy.UNSTABLE, TrivyScanStrategy.FAIL, TrivyScanStrategy.IGNORE], description: 'Define whether the build should be unstable, fail or whether the error should be ignored if any vulnerability was found.', defaultValue: TrivyScanStrategy.UNSTABLE),
+                ])
         ])
 
         EcoSystem ecoSystem = new EcoSystem(this, 'gcloud-ces-operations-internal-packer', 'jenkins-gcloud-ces-operations-internal')
 
         try {
             stage('Provision') {
+                // change namespace to prerelease_namespace if in develop-branch
+                if (gitflow.isPreReleaseBranch()) {
+                    sh "make prerelease_namespace"
+                }
                 ecoSystem.provision(doguDirectory)
             }
 
@@ -73,6 +83,15 @@ timestamps {
                 ecoSystem.build(doguDirectory)
             }
 
+            stage('Trivy scan') {
+                ecoSystem.copyDoguImageToJenkinsWorker("/dogu")
+                Trivy trivy = new Trivy(this)
+                trivy.scanDogu(".", params.TrivySeverityLevels, params.TrivyStrategy)
+                trivy.saveFormattedTrivyReport(TrivyScanFormat.TABLE)
+                trivy.saveFormattedTrivyReport(TrivyScanFormat.JSON)
+                trivy.saveFormattedTrivyReport(TrivyScanFormat.HTML)
+            }
+
             stage('Verify') {
                 ecoSystem.verify(doguDirectory)
             }
@@ -108,7 +127,12 @@ timestamps {
                 stage('Add Github-Release') {
                     github.createReleaseWithChangelog(releaseVersion, changelog, "main")
                 }
-            }
+            } else if (gitflow.isPreReleaseBranch()) {
+                 // push to registry in prerelease_namespace
+                 stage('Push Prerelease Dogu to registry') {
+                     ecoSystem.pushPreRelease("/dogu")
+                 }
+             }
 
         } finally {
             stage('Clean') {

installation-scripts/install-mysql.sh

@@ -2,10 +2,10 @@
 set -o errexit
 set -o nounset
 set -o pipefail
-DEBIAN_SHA_256_SUM="df9c563abd70bb9b2fb1be7d11868a300bd60023bcd60700f24430008059a704"
+DEBIAN_SHA_256_SUM="455ec3690765cff58a4123ba498921fb58fb76c46465e9659180848e997452b6"
 # Version of debian file containing the installation files for mysql in different versions
 # This is NOT the actual mysql version to install
-VERSION="0.8.32-1"
+VERSION="0.8.33-1"
 # see for latest version: https://dev.mysql.com/downloads/repo/apt/
 wget "https://dev.mysql.com/get/mysql-apt-config_${VERSION}_all.deb"
 echo "${DEBIAN_SHA_256_SUM} mysql-apt-config_${VERSION}_all.deb" | sha256sum -c -