Merge pull request #2 from GannaChernyshova/app-update

mikesir87 · web-flow · commit 5473ebeb3ebe · 2025-11-20T12:11:44.000-05:00
removed express and app cve remediations for focus on the dhi value more
diff --git a/.labspace/01-introduction.md b/.labspace/01-introduction.md
@@ -2,6 +2,10 @@
 
 👋 Welcome to the **Docker Hardened Images** lab! This lab outlines the benefits of Docker Hardened Images and walks you through the migration process for the Node application.
 
+## First thing to get started, please provide your Docker org name
+
+::variableDefinition[orgname]{prompt="What is your Docker org name?"}
+
 ## Docker Hardened Images are Secure, Minimal, Production-Ready Images with near-zero CVEs and enterprise-grade SLA for rapid remediation. 
 
 These images follow a distroless philosophy, removing unnecessary components to significantly reduce the attack surface. The result? Smaller images that pull faster, run leaner, and provide a secure-by-default foundation for production workloads:
diff --git a/.labspace/02-mirror-the-image.md b/.labspace/02-mirror-the-image.md
@@ -1,9 +1,5 @@
 # Getting started
 
-## First thing to get started, please provide your Docker org name
-
-::variableDefinition[orgname]{prompt="What is your Docker org name?"}
-
 ## 1. Mirror a DHI node image repo
 
 Go to the [Node DHI page](https://hub.docker.com/orgs/$$orgname$$/hardened-images/catalog/dhi/node) and click on the `Mirror to repository` button.
diff --git a/.labspace/03-image-scanning.md b/.labspace/03-image-scanning.md
@@ -2,7 +2,7 @@
 
 ## Exploring the app
 
-This demo repository contains a Hello World Node.js application consisting of a basic ExpressJS server and Dockerfile pointing to a Trixie (Debian 13) base image.
+This demo repository contains a Hello World Node.js application consisting of a basic JS server and Dockerfile pointing to a Trixie (Debian 13) base image.
 The app logic is implemented in the :fileLink[app.js]{path="app.js"} file. 
 
 
@@ -23,74 +23,40 @@ docker buildx build --provenance=true --sbom=true -t $$orgname$$/demo-node-doi:v
 ```
 
 2. Now that you have an image let's analyze it.
-Use the `docker scout cves` command to list all discovered vulnerabilities:
+Use the `docker scout quickview` command to list all discovered vulnerabilities and scout policies alignment:
 
 ```bash
-docker scout cves $$orgname$$/demo-node-doi:v1
-```
-
-After a moment, you will see details about each of the vulnerabilities discovered in the image with a similar summary.
-
-```plaintext no-copy-button
-34 vulnerabilities found in 17 packages
-  CRITICAL  0   
-  HIGH      6   
-  MEDIUM    2   
-  LOW       26 
-```
-
-A couple of things to note about this:
-
-- If you scroll up or search the `pkg:npm/express@4.17.1` - this part of the report is related to the NPM package named `express`, which has version 4.17.1. You should see that the greatest fix version is `4.20.0`
-- Another source of HIGH CVEs is a `path-to-regexp 0.1.7`. The `express` package uses it internally and the `path-to-regexp` library is updated to a fixed version in express version `4.21.2`.
-- Aslo you may see another HIGH CVE `pkg:npm/glob@10.4.5`
-
-3. A common next step for developers is to clean up the package.json by updating dependencies to address known vulnerabilities.
-
-You could upgrade each dependency manually, but to simplify this process during the lab, let's use the following command, which automatically applies available fixes (and may update some packages to newer major versions):
-
-```bash
-npm audit fix --force
-```
-
-4. Build your image again by running the following command:
-```bash
-docker buildx build --provenance=true --sbom=true -t $$orgname$$/demo-node-doi:v2 .
-```
-
-5. And run one more analysis on the image.
-You can now analyze the image with the `docker scout quickview` command:
-
-```bash
-docker scout quickview $$orgname$$/demo-node-doi:v2
+docker scout quickview $$orgname$$/demo-node-doi:v1
 ```
 You will see similar output:
 ```plaintext no-copy-button
-Target     │  $$orgname$$/demo-node-doi:v2       │    0C     1H     1M    22L   
-  digest   │  48bd36fe1f0b                       │                              
-Base image │  node:24.9.0-trixie-slim            │    0C     1H     1M    22L   
-
-Policy status  FAILED  (6/9 policies met)
-
-  Status │                     Policy                     │           Results            
-─────────┼────────────────────────────────────────────────┼──────────────────────────────
-  ✓      │ AGPL v3 licenses found                         │    0 packages                
-  !      │ No default non-root user found                 │                              
-  ✓      │ No AGPL v3 licenses                            │    0 packages                
-  ✓      │ No embedded secrets                            │    0 deviations              
-  ✓      │ No embedded secrets (Rego)                     │    0 deviations              
-  !      │ Fixable critical or high vulnerabilities found │    0C     1H     0M     0L   
-  ✓      │ No high-profile vulnerabilities                │    0C     0H     0M     0L   
-  !      │ Unapproved base images found                   │    1 deviation               
-  ✓      │ Supply chain attestations                      │    0 deviations        
+    i Base image was auto-detected. To get more accurate results, build images with max-mode provenance attestations.
+      Review docs.docker.com ↗ for more information.
+
+  Target     │  demonstrationorg/demo-node-doi:v1  │    0C     2H     1M    18L   
+    digest   │  66cb8da420d8                       │                              
+  Base image │  node:24-trixie-slim                │    0C     2H     1M    18L   
+
+Policy status  FAILED  (5/10 policies met, 1 missing data)
+
+  Status │                              Policy                              │           Results            
+─────────┼──────────────────────────────────────────────────────────────────┼──────────────────────────────
+  ✓      │ AGPL v3 licenses found                                           │    0 packages                
+  !      │ No default non-root user found                                   │                              
+  ✓      │ No AGPL v3 licenses                                              │    0 packages                
+  ✓      │ No embedded secrets                                              │    0 deviations              
+  ✓      │ No embedded secrets (Rego)                                       │    0 deviations              
+  !      │ Fixable critical or high vulnerabilities found                   │    0C     2H     0M     0L   
+  ✓      │ No high-profile vulnerabilities                                  │    0C     0H     0M     0L   
+  !      │ No unapproved base images                                        │    No data                   
+  ✓      │ Missing supply chain attestation(s)                              │    2 deviations                   
       
 ```
-
-Hooray! No more critical or high CVEs on the application level!
-But there are still a few on the base image level. And the critical policies have failed:
+As you can see, there are no CVEs at the application level, but the base image contains 2 high, 1 medium, and 18 low severity CVEs, so it is recommended to be updated. Additionally, the critical policies have failed:
 
     1. No default non-root user found
     2. Fixable critical or high vulnerabilities found
     3. Unapproved base images found
- This is where DHI comes into play.
+ 
+This is where DHI comes into play.
 
diff --git a/.labspace/04-switch-to-dhi.md b/.labspace/04-switch-to-dhi.md
@@ -51,31 +51,32 @@ Hooray! There are zero CVEs and policy violations now!
 
 Docker Scout offers a helpful command `docker scout compare` that allows you to analyze and compare two images. We’ll use it to evaluate the difference in size and package footprint between `node:24.9.0-trixie-slim` and `dhi-node:24.9.0-debian13` based images.
 ```bash
-docker scout compare local://$$orgname$$/demo-node-doi:v2 --to local://$$orgname$$/demo-node-dhi:v1
+docker scout compare local://$$orgname$$/demo-node-dhi:v1 --to local://$$orgname$$/demo-node-doi:v1
 ```
 You will see a similar summary in the output:
 ```plaintext no-copy-button
 ## Overview
   
                       │               Analyzed Image                │              Comparison Image                
   ────────────────────┼─────────────────────────────────────────────┼──────────────────────────────────────────────
-    Target            │  local://$$orgname$$/demo-node-doi:v2       │  local://$$orgname$$/demo-node-dhi:v1   
-      digest          │  75eb23bc5d85                               │  e7a47068ccfa                                
-      tag             │  v2                                         │  v1                                          
+    Target            │  local://demonstrationorg/demo-node-dhi:v1  │  local://demonstrationorg/demo-node-doi:v1   
+      digest          │  e5b9ec7a980c                               │  66cb8da420d8                                
+      tag             │  v1                                         │  v1                                          
       platform        │ linux/arm64                                 │ linux/arm64                                  
-      vulnerabilities │    0C     6H     2M    26L                  │    0C     0H     0M     8L                   
-                      │           +6     +2    +18                  │                                              
-      size            │ 100 MB (+41 MB)                             │ 59 MB                                        
-      packages        │ 901 (+248)                                  │ 653                                          
+      vulnerabilities │    0C     0H     0M     8L                  │    0C     2H     1M    18L                   
+                      │           -2     -1    -10                  │                                              
+      size            │ 59 MB (-41 MB)                              │ 100 MB                                       
+      packages        │ 648 (-248)                                  │ 896                                          
                       │                                             │                                              
-    Base image        │  node:24.9.0-trixie-slim                    │  $$orgname$$/dhi-node:24.9.0-debian13        
+    Base image        │  demonstrationorg/dhi-node-smontri:24       │  node:24-trixie-slim                         
       tags            │ also known as                               │ also known as                                
-                      │   • current-trixie-slim                     │                                              
-                      │   • trixie-slim                             │                                              
-      vulnerabilities │    0C     1H     1M    22L                  │    0C     0H     0M     0L      
+                      │                                             │   • current-trixie-slim                      
+                      │                                             │   • trixie-slim                              
+      vulnerabilities │    0C     0H     0M     0L                  │    0C     2H     1M    18L                   
+  
 ```
 
-As you can see, the original `node:24.9.0-trixie-slim` based image is 41 MB larger, has 248 more packages, and includes high, medium, and low CVEs. The `dhi-node:24.9.0-debian13` based image is 40% smaller and has near-zero CVEs. 
+As you can see, the `dhi-node:24.9.0-debian13`–based image is **41 MB (around 40%) smaller**, contains **248 fewer packages**, and has nearly **zero CVEs** compared to the original `node:24.9.0-trixie-slim`–based image.
 
 **Validate that the app works as expected**
 
diff --git a/app.js b/app.js
@@ -1,12 +1,17 @@
-const express = require('express');
+const http = require('http');
 
-const app = express();
 const port = 3000;
 
-app.get('/', (req, res) => {
-  res.send('Hello World!');
+const server = http.createServer((req, res) => {
+  if (req.url === '/' && req.method === 'GET') {
+    res.writeHead(200, { 'Content-Type': 'text/plain' });
+    res.end('Hello World!');
+  } else {
+    res.writeHead(404);
+    res.end('Not Found');
+  }
 });
 
-app.listen(port, () => {
-  console.log(`Example app listening on port ${port}`);
+server.listen(port, () => {
+  console.log(`Server listening on port ${port}`);
 });
diff --git a/package.json b/package.json
@@ -1,35 +1,22 @@
 {
   "name": "@docker/scout-demo-service",
   "version": "0.1.0",
-  "description": "A boilerplate for Node.js web applications",
+  "description": "A simple Node.js service with Jest and Testcontainers",
   "repository": {
     "type": "git",
-    "url": "https://github.com/docker/scout-demo-servixe.git"
+    "url": "https://github.com/docker/scout-demo-service.git"
   },
-  "license": "Apache-2",
+  "license": "Apache-2.0",
   "scripts": {
     "start": "node app.js",
-    "test": "jest --testTimeout=60000",
-    "lint": "eslint \"**/*.js\""
-  },
-  "dependencies": {
-    "express": "4.17.1"
+    "test": "jest --testTimeout=60000"
   },
   "devDependencies": {
-    "axios": "^1.6.0",
-    "eslint": "^7.17.0",
-    "eslint-config-airbnb-base": "^14.2.1",
-    "eslint-plugin-chai-friendly": "^0.6.0",
-    "eslint-plugin-import": "^2.22.1",
     "jest": "^29.7.0",
     "testcontainers": "^10.13.2"
   },
-  "engines": {
-    "node": ">=10.23.1",
-    "npm": ">=6.14.10"
-  },
   "jest": {
     "testEnvironment": "node",
     "testTimeout": 60000
   }
-}
+}
diff --git a/test/app.test.js b/test/app.test.js
@@ -13,7 +13,7 @@ describe('App Integration Tests', () => {
 
     container = await builtContainer
       .withExposedPorts(3000)
-      .withWaitStrategy(Wait.forLogMessage(/Example app listening on port \d+/))
+      .withWaitStrategy(Wait.forLogMessage(/Server listening on port \d+/))
       .start();
 
     // Get the mapped port
