Docker: Use curl static binary

[VietND96]

User description

Thanks for contributing to the Docker-Selenium project!
A PR well described will help maintainers to quickly review and merge it

Before submitting your PR, please check our contributing guidelines, applied for this repository.
Avoid large PRs, help reviewers by making them as simple and short as possible.

Description

Fixes #2719
Current, curl is installed via apt-get only stay with the version v8.5, meanwhile latest upstream is v8.12.1.
Looks like deb repo, they lost the maintenance to bump new version.
Switch to use static curl binary is built from this project https://github.com/moparisthebest/static-curl/releases/ until deb repo could update new version

Motivation and Context

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist

• I have read the contributing document.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.

---

PR Type

Enhancement

---

Description

• Added support for using a static curl binary.

• Updated dependencies in .ffmpeg/Dockerfile to fix CVEs.

• Modified Base/Dockerfile to include new Ubuntu sources.

• Replaced curl package with a static binary for better compatibility.

---

Changes walkthrough 📝

Relevant files

Enhancement

Dockerfile Updated dependencies and added GO_NET_VERSION argument      .ffmpeg/Dockerfile Added GO_NET_VERSION argument for dependency management. Updated go.mod to include golang.org/x/net version. Enhanced dependency handling to address CVEs. +2/-0      Dockerfile Added Ubuntu sources and static curl binary                            Base/Dockerfile Added new Ubuntu sources for noble distribution. Replaced curl package with a static binary. Ensured compatibility for different architectures with static curl. +10/-1

---

Need help?

Type /help how to ... in the comments thread for any questions about Qodo Merge usage.

Check out the documentation for more information.

[qodo-code-review]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Ubuntu Source Configuration The PR adds Ubuntu Noble sources but doesn't remove the previous sources. This might lead to package conflicts or unexpected behavior during apt operations. RUN echo "deb [arch=amd64] http://archive.ubuntu.com/ubuntu noble main restricted universe multiverse\n" > /etc/apt/sources.list \ && echo "deb-src [arch=amd64] http://archive.ubuntu.com/ubuntu noble main restricted universe multiverse\n" >> /etc/apt/sources.list \ && echo "deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports noble main restricted universe multiverse" >> /etc/apt/sources.list \ && echo "deb-src [arch=arm64] http://ports.ubuntu.com/ubuntu-ports noble main restricted universe multiverse" >> /etc/apt/sources.list Error Handling The curl installation lacks error handling. If the download fails, the build would continue with a potentially missing or corrupted curl binary. RUN ARCH=$(if [ "$(dpkg --print-architecture)" = "arm64" ]; then echo "aarch64"; else echo "$(dpkg --print-architecture)"; fi) \ && wget -q https://github.com/moparisthebest/static-curl/releases/download/v8.11.0/curl-$ARCH -O /usr/bin/curl \ && chmod +x /usr/bin/curl \ && curl --version

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Fix sources.list configuration The sources.list configuration is overwriting the entire file and only configuring for specific architectures. This will cause issues on other architectures and removes security updates. Use conditional statements or preserve existing entries while adding new ones. Base/Dockerfile [48-51] -RUN echo "deb [arch=amd64] http://archive.ubuntu.com/ubuntu noble main restricted universe multiverse\n" > /etc/apt/sources.list \ - && echo "deb-src [arch=amd64] http://archive.ubuntu.com/ubuntu noble main restricted universe multiverse\n" >> /etc/apt/sources.list \ - && echo "deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports noble main restricted universe multiverse" >> /etc/apt/sources.list \ - && echo "deb-src [arch=arm64] http://ports.ubuntu.com/ubuntu-ports noble main restricted universe multiverse" >> /etc/apt/sources.list +RUN if [ "$(dpkg --print-architecture)" = "amd64" ]; then \ + echo "deb http://archive.ubuntu.com/ubuntu noble main restricted universe multiverse" >> /etc/apt/sources.list.d/noble.list && \ + echo "deb-src http://archive.ubuntu.com/ubuntu noble main restricted universe multiverse" >> /etc/apt/sources.list.d/noble.list; \ + elif [ "$(dpkg --print-architecture)" = "arm64" ]; then \ + echo "deb http://ports.ubuntu.com/ubuntu-ports noble main restricted universe multiverse" >> /etc/apt/sources.list.d/noble.list && \ + echo "deb-src http://ports.ubuntu.com/ubuntu-ports noble main restricted universe multiverse" >> /etc/apt/sources.list.d/noble.list; \ + fi Apply this suggestion Suggestion importance[1-10]: 9 __ Why: The current implementation overwrites the entire sources.list file and only configures for specific architectures, which could break package management on other architectures and removes security updates. The suggestion provides a more robust solution using conditional statements and separate sources.list.d files.	High
	Add error handling for curl The curl binary installation doesn't handle all possible architectures. If an unsupported architecture is encountered, the download will fail silently. Add error checking and fallback mechanisms to ensure the build doesn't proceed with a missing or broken curl binary. Base/Dockerfile [71-74] RUN ARCH=$(if [ "$(dpkg --print-architecture)" = "arm64" ]; then echo "aarch64"; else echo "$(dpkg --print-architecture)"; fi) \ && wget -q https://github.com/moparisthebest/static-curl/releases/download/v8.11.0/curl-$ARCH -O /usr/bin/curl \ && chmod +x /usr/bin/curl \ - && curl --version + && if ! curl --version; then \ + echo "Static curl binary failed, installing package as fallback" && \ + apt-get update && apt-get install -y curl; \ + fi Apply this suggestion Suggestion importance[1-10]: 8 __ Why: The suggestion adds critical error handling to the curl binary installation process. Without this check, if the static curl binary fails to download or work properly on an unsupported architecture, the build would continue with a broken or missing curl, causing downstream failures.	Medium
Update

[qodo-code-review]

CI Feedback 🧐

(Feedback updated until commit 8890897)

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: Rerun workflow when failure

Failed stage: Authenticate GitHub CLI for PR [❌]

Failure summary: The action failed because the GitHub token provided to the workflow lacks the required read:org permission scope. When attempting to authenticate with GitHub CLI using the command gh auth login --with-token, the system returned an error: "error validating token: missing required scope 'read:org'" (line 191).

Relevant error logs: 1: ##[group]Operating System 2: Ubuntu ... 22: Issues: write 23: Metadata: read 24: Models: read 25: Packages: write 26: Pages: write 27: PullRequests: write 28: RepositoryProjects: write 29: SecurityEvents: write 30: Statuses: write 31: ##[endgroup] 32: Secret source: Actions 33: Prepare workflow directory 34: Prepare all required actions 35: Getting action download info 36: Download action repository 'actions/checkout@main' (SHA:85e6279cec87321a52edac9c87bce653a07cf6c2) 37: Complete job name: Rerun workflow when failure 38: ##[group]Run actions/checkout@main ... 42: ssh-strict: true 43: ssh-user: git 44: persist-credentials: true 45: clean: true 46: sparse-checkout-cone-mode: true 47: fetch-depth: 1 48: fetch-tags: false 49: show-progress: true 50: lfs: false 51: submodules: false 52: set-safe-directory: true 53: env: 54: GH_CLI_TOKEN: *** 55: GH_CLI_TOKEN_PR: *** 56: RUN_ID: 14011089185 57: RERUN_FAILED_ONLY: true 58: RUN_ATTEMPT: 1 ... 113: Or undo this operation with: 114: git switch - 115: Turn off this advice by setting config variable advice.detachedHead to false 116: HEAD is now at 6378aae Merge 88908974c5b605d909ee706b551b497fec6e6d62 into f0ab6c90d831970ea4cdde667c29bafed168fb5a 117: ##[endgroup] 118: [command]/usr/bin/git log -1 --format=%H 119: 6378aae59a9d64b06733dae368f321fb9f94a378 120: ##[group]Run sudo apt update 121: �[36;1msudo apt update�[0m 122: �[36;1msudo apt install gh�[0m 123: shell: /usr/bin/bash -e {0} 124: env: 125: GH_CLI_TOKEN: *** 126: GH_CLI_TOKEN_PR: *** 127: RUN_ID: 14011089185 128: RERUN_FAILED_ONLY: true 129: RUN_ATTEMPT: 1 ... 173: Reading state information... 174: 54 packages can be upgraded. Run 'apt list --upgradable' to see them. 175: WARNING: apt does not have a stable CLI interface. Use with caution in scripts. 176: Reading package lists... 177: Building dependency tree... 178: Reading state information... 179: gh is already the newest version (2.68.1). 180: 0 upgraded, 0 newly installed, 0 to remove and 54 not upgraded. 181: ##[group]Run echo "$GH_CLI_TOKEN_PR" | gh auth login --with-token 182: �[36;1mecho "$GH_CLI_TOKEN_PR" | gh auth login --with-token�[0m 183: shell: /usr/bin/bash -e {0} 184: env: 185: GH_CLI_TOKEN: *** 186: GH_CLI_TOKEN_PR: *** 187: RUN_ID: 14011089185 188: RERUN_FAILED_ONLY: true 189: RUN_ATTEMPT: 1 190: ##[endgroup] 191: error validating token: missing required scope 'read:org' 192: ##[error]Process completed with exit code 1. 193: Post job cleanup.