[WIP] Replace Local File Loading with Direct Upload
The local file loading has the security implication that an attacker can load arbitrary files located at the server.

Also removed dependencies to lombok, various JSON parsing libs and commons-lang3.

Also migrated to Java 17.
alexanderkiel committed Dec 14, 2021
1 parent 009722a commit ddddfe9
Showing 22 changed files with 401 additions and 453 deletions.
62 changes: 46 additions & 16 deletions .github/workflows/ci.yml
Expand Up @@ -4,6 +4,7 @@ on:
push:
branches:
- main
- develop
tags:
- v[0-9]+.[0-9]+.[0-9]+**
pull_request:
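Review bot: adding `develop` as a push trigger means every push to that branch runs the build job, which (per the `docker-meta` step later in this file, `type=ref,event=branch`) tags and pushes an image named after the branch to DockerHub. If publishing `develop` images is intended, fine; otherwise restrict the push step to `main` and release tags.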
Expand All @@ -15,18 +16,20 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

- name: Set up JDK 11
- name: Set up JDK 17
uses: actions/setup-java@v2
with:
distribution: 'temurin'
java-version: '11'
java-version: '17'

- name: Cache Local Maven Repo
uses: actions/cache@v2.1.2
uses: actions/cache@v2
with:
path: ~/.m2/repository
key: maven-repo
key: maven-repo-test-${{ hashFiles('pom.xml') }}

- name: Cache SonarCloud packages
uses: actions/cache@v1
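Review bot: the new cache key `maven-repo-test-${{ hashFiles('pom.xml') }}` has no `restore-keys`, so any change to pom.xml starts from an empty Maven repository instead of reusing the previous cache; add `restore-keys: maven-repo-test-` to get partial hits. This hunk also moves the Maven cache to `actions/cache@v2` while the SonarCloud cache directly below still uses `actions/cache@v1`; bump both together.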
Expand Down Expand Up @@ -54,38 +57,65 @@ jobs:
steps:
- uses: actions/checkout@v2

- name: Set up JDK 11
- name: Set up JDK 17
uses: actions/setup-java@v2
with:
distribution: 'temurin'
java-version: '11'
java-version: '17'

- name: Cache Local Maven Repo
uses: actions/cache@v2.1.2
uses: actions/cache@v2
with:
path: |
~/.m2/repository
key: maven-repo
path: ~/.m2/repository
key: maven-repo-build-${{ hashFiles('pom.xml') }}

- name: Build with Maven
run: mvn -B package -DskipTests -Dmaven.javadoc.skip=true

- name: Login to GitHub Docker Registry
- name: Login to DockerHub
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Set up QEMU
uses: docker/setup-qemu-action@v1

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1

- name: Build and push image
- name: Docker meta
id: docker-meta
uses: docker/metadata-action@v3
with:
images: |
samply/icd-dictionary
tags: |
type=schedule
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha,format=long
- name: Build and push
uses: docker/build-push-action@v2
with:
context: .
tags: ghcr.io/samply/icd10-dictionary:${{ github.sha }}
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.docker-meta.outputs.tags }}
labels: ${{ steps.docker-meta.outputs.labels }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: samply/icd-dictionary:sha-${{ github.sha }}
format: template
template: '@/contrib/sarif.tpl'
output: trivy-results.sarif

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@codeql-bundle-20211208
with:
sarif_file: trivy-results.sarif
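Review bot: `push: true` is unconditional, so an image is pushed for every trigger including `pull_request`, where the DockerHub login also needs repository secrets that are not available to runs from forks; use `push: ${{ github.event_name != 'pull_request' }}`. The Trivy scan runs after the push, so a flagged image is already public on DockerHub by the time the SARIF is uploaded; scan the locally built image before pushing, or run the scan first with a failing `exit-code` so the push is gated on it. Finally, `aquasecurity/trivy-action@master` is a mutable ref that runs after the DockerHub login on a runner that still holds those credentials; pin it to a release tag or commit SHA like the other actions in this job.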
26 changes: 5 additions & 21 deletions Dockerfile
@@ -1,24 +1,8 @@
FROM openjdk:14-ea-alpine
FROM openjdk:17

ENV SPRING_PROFILES_ACTIVE=docker
ARG JAR_FILE=target/icd10-dictionary.jar
COPY target/icd10-dictionary.jar /app/

ENV ICD_DB_HOST=localhost
ENV ICD_DB_PORT=5432
ENV ICD_DB_NAME=icd10
ENV ICD_DB_USER=postgres
ENV ICD_DB_PASSWORD=password
ENV ICD_POOL_SIZE=30
WORKDIR /app
USER 1001

RUN apk update
RUN apk upgrade
RUN apk add bash
RUN apk add gettext

COPY ${JAR_FILE} app.jar
COPY ./docker/start.sh .
RUN chmod +x ./start.sh
RUN mkdir config
COPY ./docker/docker.template.yml config

CMD ["./start.sh"]
CMD ["java", "-jar", "icd10-dictionary.jar"]
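Review bot: the hard-coded `ICD_DB_*` defaults, including `ICD_DB_PASSWORD=password`, no longer ship in the image, and the process now runs as `USER 1001` instead of root; both are improvements. Two follow-ups: `openjdk:17` is a floating tag, so rebuilds silently pick up a different JDK build (pin a digest or a full version tag so Trivy results are reproducible), and `ENV SPRING_PROFILES_ACTIVE=docker` is carried over although nothing in the visible hunks shows what the `docker` profile configures now that the template config was deleted; either document it or drop it.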
44 changes: 12 additions & 32 deletions README.md
Expand Up @@ -10,28 +10,18 @@ http://localhost:8080/fhir/ValueSet/$expand?url=http://hl7.org/fhir/sid/icd-10-g

## Default parameters

| variable | Docker | default value |
|---------------------------|---------------------------|--------------------------|
| application port | | 8080 |
| database host | ICD_DB_HOST | localhost |
| database port | ICD_DB_PORT | 5432 |
| database name | ICD_DB_NAME | icd10 |
| database user | ICD_DB_USER | postgres |
| database password | ICD_DB_PASSWORD | password |
| pool size | ICD_POOL_SIZE | 30 |
| Env Var | Default Value |
|----------------------------|----------------------------------------|
| | 8080 |
| SPRING_DATASOURCE_URL | jdbc:postgresql://localhost:5432/icd10 |
| SPRING_DATASOURCE_USERNAME | icd10 |
| SPRING_DATASOURCE_PASSWORD | icd10 |

## Start postgres

For testing purposes one can start a postgres database with Docker using following comand:
For testing purposes one can start a postgres database with Docker using following command:
```
docker network create -d bridge icd-net
docker run --name icd-postgres -d --network=icd-net -e POSTGRES_PASSWORD=password -p 5432:5432 postgres:alpine
```
Then create a database by executing a bash and using PSQL
```
docker exec -it icd-postgres bin/bash
psql -U postgres
CREATE DATABASE icd10;
docker run -e POSTGRES_DB=icd10 -e POSTGRES_USER=icd10 -e POSTGRES_PASSWORD=icd10 -p 5432:5432 postgres
```

## Preparing data
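Review bot: the first row of the new table has an empty `Env Var` cell next to `8080`; the old table labelled it `application port`, so restore a label (and the variable name, if one exists) rather than leaving the cell blank. The table now also documents `icd10`/`icd10` as the default datasource credentials; state that these are development defaults to be overridden via `SPRING_DATASOURCE_USERNAME`/`SPRING_DATASOURCE_PASSWORD` outside a local setup.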
Expand All @@ -56,15 +46,9 @@ java -jar fhir-claml-0.0.1-SNAPSHOT.jar
-valueset http://hl7.org/fhir/sid/icd-10-gm/vs
```

4.) Run the ICD-10 dictionary (as executable jar) and load the data by using the endpoint "/api/v1/icd/load" with the file path to the FHIR .json-file as body - e.g.
```
http://localhost:8080/api/v1/icd/load
C:\Users\xyz\icd-service\codesystem-icd10gm-2020.json
4.) Run the ICD-10 dictionary (as executable jar) and load the data by using the endpoint "/api/v1/icd/load":
```
Remark: When working with Docker the file must be copied to a suitable location inside the container
```
docker cp C:\Users\xyz\icd-service\codesystem-icd10gm-2020.json [CONTAINER-ID]:/var/tmp/icd10
curl -d @codesystem-example.json -H Content-Type:application/json http://localhost:8080/api/v1/icd/load
```

## Docker
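Review bot: the curl example posts `codesystem-example.json`, but step 3 above produces `codesystem-icd10gm-2020.json` (the name the removed text used); use one filename consistently so the instructions can be followed verbatim. Since `/api/v1/icd/load` now takes the whole CodeSystem in the request body, it is also worth stating any body size limit the server enforces and whether the endpoint requires authentication, as the example sends none.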
Expand All @@ -75,16 +59,12 @@ docker build -t icd-dictionary .
```
The command for starting the container is something like
```
docker run --rm -d -e "ICD_DB_HOST=icd-postgres" -p 8080:8080 --network=icd-net --name icd-dictionary icd-dictionary
docker run --rm -d -p 8080:8080 --name icd-dictionary icd-dictionary
```

## Developers

This project uses lombok. Though it is not neccessary it is recomended to install a suitable lombok plugin for your IDE (e.g. for IntelliJ Idea install https://plugins.jetbrains.com/plugin/6317-lombok).

## License

Copyright 2020 The Samply Development Community
Copyright 2020 - 2021 The Samply Community

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

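Review bot: the new `docker run` line passes no `SPRING_DATASOURCE_URL`, so the container falls back to the `jdbc:postgresql://localhost:5432/icd10` default from the table above, and `localhost` inside the container is not the postgres container started earlier; add `-e SPRING_DATASOURCE_URL=...` pointing at the database host, or point readers at the docker-compose.yml added in this commit, which sets it.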
22 changes: 22 additions & 0 deletions docker-compose.yml
@@ -0,0 +1,22 @@
version: '3.2'
services:
postgres:
image: "postgres"
environment:
POSTGRES_DB: icd10
POSTGRES_USER: icd10
POSTGRES_PASSWORD: icd10
volumes:
- "data:/var/lib/postgresql/data"

icd-dictionary:
build: .
environment:
SPRING_DATASOURCE_URL: "jdbc:postgresql://postgres:5432/icd10"
ports:
- "8080:8080"
depends_on:
- postgres

volumes:
data:
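Review bot: `depends_on` only orders container start-up and does not wait for postgres to accept connections, so on a cold start the application can fail datasource initialisation before the database is ready; add `restart: unless-stopped` to `icd-dictionary` or a healthcheck-gated start. The datasource username and password are not set here and rely on the application's `icd10`/`icd10` defaults matching `POSTGRES_USER`/`POSTGRES_PASSWORD`; setting `SPRING_DATASOURCE_USERNAME`/`SPRING_DATASOURCE_PASSWORD` explicitly next to the URL keeps the two in sync if the postgres credentials change. Not publishing the postgres port is the right call.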
6 changes: 0 additions & 6 deletions docker/docker.template.yml

This file was deleted.

6 changes: 0 additions & 6 deletions docker/start.sh

This file was deleted.
