From df210839b90689ed74ce895a56a37d867e1530b5 Mon Sep 17 00:00:00 2001 From: Irfana Jaffer Sadhik Date: Mon, 20 Oct 2025 16:45:17 +0530 Subject: [PATCH 1/2] Task-983939- Troubleshoot details added to the UG --- .../HTML-To-PDF/NET/troubleshooting.md | 114 +++++++++++++++++- 1 file changed, 113 insertions(+), 1 deletion(-) diff --git a/Document-Processing/PDF/Conversions/HTML-To-PDF/NET/troubleshooting.md b/Document-Processing/PDF/Conversions/HTML-To-PDF/NET/troubleshooting.md index da168c46b..faeb1a2ed 100644 --- a/Document-Processing/PDF/Conversions/HTML-To-PDF/NET/troubleshooting.md +++ b/Document-Processing/PDF/Conversions/HTML-To-PDF/NET/troubleshooting.md @@ -1568,4 +1568,116 @@ Refer to the following package reference: {% endhighlight %} -{% endtabs %} \ No newline at end of file +{% endtabs %} + +## Installing Chromium on Alpine without using edge to avoid Twistlock/Prisma security alerts + + + + + + + + + + + + \ No newline at end of file From 8c808d6b3ed8614d057f0066aa3e5145e0bf985a Mon Sep 17 00:00:00 2001 From: Irfana Jaffer Sadhik Date: Tue, 21 Oct 2025 17:42:45 +0530 Subject: [PATCH 2/2] Updated Code changes --- .../HTML-To-PDF/NET/troubleshooting.md | 117 +++--------------- 1 file changed, 15 insertions(+), 102 deletions(-) diff --git a/Document-Processing/PDF/Conversions/HTML-To-PDF/NET/troubleshooting.md b/Document-Processing/PDF/Conversions/HTML-To-PDF/NET/troubleshooting.md index faeb1a2ed..66ea78a34 100644 --- a/Document-Processing/PDF/Conversions/HTML-To-PDF/NET/troubleshooting.md +++ b/Document-Processing/PDF/Conversions/HTML-To-PDF/NET/troubleshooting.md @@ -1570,114 +1570,27 @@ Refer to the following package reference: {% endhighlight %} {% endtabs %} -## Installing Chromium on Alpine without using edge to avoid Twistlock/Prisma security alerts +## Installing Chromium in Alpine Linux Docker Without Edge Repository
Issue +Chromium is installed from the Alpine edge/community repository using: +
+apk add chromium --update-cache --repository http://nl.alpinelinux.org/alpine/edge/community +
+This enables HTML-to-PDF conversion but triggers Twistlock/Prisma Cloud security alerts due to packages pulled from the edge repository. +
Reason +The edge repository is rolling/testing and can introduce newer dependencies and CVEs flagged by enterprise scanners. Using edge also reduces build reproducibility across environments. +
Solution +Install Chromium from the stable Alpine repositories (main/community) and include required runtime dependencies. This avoids the edge repo entirely and reduces security findings. +

+Use the following Dockerfile as a reference: +

+ +{% tabs %} +{% highlight C# tabtitle="Dockerfile (Alpine, stable repos)" %} + +FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine AS base + +RUN apk upgrade -U && \ + apk add --no-cache tzdata && \ + apk add --no-cache icu-libs && \ + apk update && \ + apk upgrade && \ + apk add --no-cache openssl && \ + apk update && \ + apk upgrade --available && \ + apk add --update ca-certificates && \ + apk add --no-cache chromium && \ + rm -rf /var/cache/apk/* && \ + apk update && \ + apk upgrade && \ + apk add --no-cache \ + libgdiplus fontconfig freetype ttf-dejavu libjpeg-turbo libpng mpg123 libopenmpt alsa-lib cairo cups-libs dbus-libs \ + expat gdk-pixbuf glib gtk+3.0 nspr nss pango libstdc++ \ + libx11 libxcomposite libxcursor libxdamage \ + libxext libxfixes libxi libxrandr libxrender libxtst \ + mesa-gl mesa-dri-gallium && \ + rm -rf /var/cache/apk/* + +RUN mkdir -p /crashpad && \ + chown -R root:root /crashpad + +ENV XDG_CONFIG_HOME=/tmp/.chromium +ENV XDG_CACHE_HOME=/tmp/.chromium +ENV CHROME_CRASHPAD_DATABASE=/crashpad +ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false + +RUN mkdir -p /var/www/.config/google-chrome/Crashpad + +WORKDIR /app +EXPOSE 8080 + +FROM mcr.microsoft.com/dotnet/sdk:8.0-alpine AS build +ARG BUILD_CONFIGURATION=Release +WORKDIR /src + +COPY ["Directory.Build.targets", "."] +COPY ["NuGet.config", "."] +COPY ["production/Ops.PDFConversionAPI.Web/Ops.PDFConversionAPI.Web.csproj", "production/Ops.PDFConversionAPI.Web/"] + +RUN dotnet restore "./production/Ops.PDFConversionAPI.Web/Ops.PDFConversionAPI.Web.csproj" + +COPY . . + +WORKDIR "/src/production/Ops.PDFConversionAPI.Web" +RUN dotnet build "./Ops.PDFConversionAPI.Web.csproj" -c $BUILD_CONFIGURATION -o /app/build + +FROM build AS publish +ARG BUILD_CONFIGURATION=Release +RUN dotnet publish "./Ops.PDFConversionAPI.Web.csproj" -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false + +FROM base AS final +WORKDIR /app +COPY --from=publish /app/publish . 
+ +ENTRYPOINT ["dotnet", "Ops.PDFConversionAPI.Web.dll"] +{% endhighlight %} +{% endtabs %} + +Notes: +- No edge repository is referenced; Chromium comes from stable Alpine repos. +- Typical Chromium paths on Alpine: + - /usr/bin/chromium-browser (symlink) or + - /usr/lib/chromium/chromium + Set this path in your converter settings: +{% tabs %} +{% highlight C# tabtitle="C# (BlinkPath)" %} +var settings = new BlinkConverterSettings(); +settings.BlinkPath = "/usr/bin/chromium-browser"; // or "/usr/lib/chromium/chromium" +settings.CommandLineArguments.Add("--no-sandbox"); +settings.CommandLineArguments.Add("--disable-setuid-sandbox"); +settings.CommandLineArguments.Add("--disable-dev-shm-usage"); +{% endhighlight %} +{% endtabs %} + +We have attached the modified docker file for your reference Docker file. + +
- - + - - - - - - - + + - \ No newline at end of file + +
Issue -Chromium is installed from the Alpine edge/community repository using: -
-apk add chromium --update-cache --repository http://nl.alpinelinux.org/alpine/edge/community -
-This enables HTML-to-PDF conversion but triggers Twistlock/Prisma Cloud security alerts due to packages pulled from the edge repository. +
Reason +Using the Alpine Edge repository introduces packages that are not part of the stable release, which can trigger Twist lock security issues. To maintain security compliance, we should install Chromium from the stable repository.
Reason -The edge repository is rolling/testing and can introduce newer dependencies and CVEs flagged by enterprise scanners. Using edge also reduces build reproducibility across environments. -
Solution -Install Chromium from the stable Alpine repositories (main/community) and include required runtime dependencies. This avoids the edge repo entirely and reduces security findings. -

-Use the following Dockerfile as a reference: -

+
Solution +You can install Chromium directly from the stable Alpine repository using the following command: +

+Docker File:

{% tabs %} -{% highlight C# tabtitle="Dockerfile (Alpine, stable repos)" %} - -FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine AS base - -RUN apk upgrade -U && \ - apk add --no-cache tzdata && \ - apk add --no-cache icu-libs && \ - apk update && \ - apk upgrade && \ - apk add --no-cache openssl && \ - apk update && \ - apk upgrade --available && \ - apk add --update ca-certificates && \ - apk add --no-cache chromium && \ - rm -rf /var/cache/apk/* && \ - apk update && \ - apk upgrade && \ - apk add --no-cache \ - libgdiplus fontconfig freetype ttf-dejavu libjpeg-turbo libpng mpg123 libopenmpt alsa-lib cairo cups-libs dbus-libs \ - expat gdk-pixbuf glib gtk+3.0 nspr nss pango libstdc++ \ - libx11 libxcomposite libxcursor libxdamage \ - libxext libxfixes libxi libxrandr libxrender libxtst \ - mesa-gl mesa-dri-gallium && \ - rm -rf /var/cache/apk/* - -RUN mkdir -p /crashpad && \ - chown -R root:root /crashpad - -ENV XDG_CONFIG_HOME=/tmp/.chromium -ENV XDG_CACHE_HOME=/tmp/.chromium -ENV CHROME_CRASHPAD_DATABASE=/crashpad -ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false - -RUN mkdir -p /var/www/.config/google-chrome/Crashpad - -WORKDIR /app -EXPOSE 8080 - -FROM mcr.microsoft.com/dotnet/sdk:8.0-alpine AS build -ARG BUILD_CONFIGURATION=Release -WORKDIR /src - -COPY ["Directory.Build.targets", "."] -COPY ["NuGet.config", "."] -COPY ["production/Ops.PDFConversionAPI.Web/Ops.PDFConversionAPI.Web.csproj", "production/Ops.PDFConversionAPI.Web/"] - -RUN dotnet restore "./production/Ops.PDFConversionAPI.Web/Ops.PDFConversionAPI.Web.csproj" - -COPY . . - -WORKDIR "/src/production/Ops.PDFConversionAPI.Web" -RUN dotnet build "./Ops.PDFConversionAPI.Web.csproj" -c $BUILD_CONFIGURATION -o /app/build - -FROM build AS publish -ARG BUILD_CONFIGURATION=Release -RUN dotnet publish "./Ops.PDFConversionAPI.Web.csproj" -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false - -FROM base AS final -WORKDIR /app -COPY --from=publish /app/publish . 
+{% highlight C# tabtitle="C#" %} +RUN apk add --no-cache chromium && \ +rm -rf /var/cache/apk/* -ENTRYPOINT ["dotnet", "Ops.PDFConversionAPI.Web.dll"] {% endhighlight %} {% endtabs %} - -Notes: -- No edge repository is referenced; Chromium comes from stable Alpine repos. -- Typical Chromium paths on Alpine: - - /usr/bin/chromium-browser (symlink) or - - /usr/lib/chromium/chromium - Set this path in your converter settings: -{% tabs %} -{% highlight C# tabtitle="C# (BlinkPath)" %} -var settings = new BlinkConverterSettings(); -settings.BlinkPath = "/usr/bin/chromium-browser"; // or "/usr/lib/chromium/chromium" -settings.CommandLineArguments.Add("--no-sandbox"); -settings.CommandLineArguments.Add("--disable-setuid-sandbox"); -settings.CommandLineArguments.Add("--disable-dev-shm-usage"); -{% endhighlight %} -{% endtabs %} - -We have attached the modified docker file for your reference Docker file. -
\ No newline at end of file
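Review bot: The added snippet is a Dockerfile `RUN` instruction but is wrapped in `{% highlight C# tabtitle="C#" %}`, so it will be presented under a C# tab; the tab title should say Dockerfile, as the previous revision's `tabtitle="Dockerfile (Alpine, stable repos)"` did. The trailing `rm -rf /var/cache/apk/*` is redundant after `apk add --no-cache`, which does not keep a local index cache, so the command can be just `RUN apk add --no-cache chromium`. Because the section exists to pass Twistlock/Prisma scans, the Solution text should also say that the Chromium build comes from whichever Alpine release the base image tag selects, and recommend pinning that tag and rebuilding regularly so Chromium security fixes are picked up; "Twist lock" in the Reason row should read "Twistlock". The table markup of this hunk is not visible on this page, so row placement could not be checked.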