Switch to Chromium Headless Shell from package managers
With DAST v5.35.0 we switched to obtaining Chromium Headless Shell from Playwright's compiled binaries: https://gitlab.com/gitlab-org/gitlab/-/issues/511088

Very soon after the switch I realised that the Headless Shell is also being packaged by package managers and hence will be available to us through `apt` and `microdnf`.

1. Available in Debian Bookworm as `chromium-headless-shell`: https://packages.debian.org/bookworm/chromium-headless-shell

   ```
   root@496b960744bd:/browserker# apt search chromium-headless
   Sorting... Done
   Full Text Search... Done
   chromium-headless-shell/stable-security 134.0.6998.35-1~deb12u1 arm64
     web browser - old headless shell
   ```

2. Available in EPEL 9 as `chromium-headless`: https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/c/chromium-headless-134.0.6998.35-1.el9.x86_64.rpm

   ```
   [root@baf2ad45854d browserker]# microdnf repoquery chromium-headless
   (microdnf:219): librhsm-WARNING **: 09:27:33.548: Found 0 entitlement certificates
   (microdnf:219): librhsm-WARNING **: 09:27:33.555: Found 0 entitlement certificates
   chromium-headless-134.0.6998.35-1.el9.aarch64
   ```

The package repos were queried through DAST v5.34.0 images without adding any other repos, i.e. the package is available in the same repos that we have historically obtained Chromium from.

#### Advantages

As Mike and I discussed:

* Since Chromium is compiled through whoever is distributing it, it is best to depend on the binary compiled by the distribution's package manager. For example, currently we are downloading Playwright's Chromium binary onto UBI 9; a mismatch in static or dynamic dependencies between where the binary was compiled and where it is being used can easily break the installation.
* Additionally, from a vulnerability management perspective it is better to depend on the distribution to compile the package when we are already depending on the distribution for the dependencies and the compiler.
* We can use our recently developed caching mechanism once again to not just cache the Chromium package but also its dependencies.

#### Suggested Implementation Plan

1. Cut off a branch from commit `92f8c9fd695ac85556ab1a430924bc6dab18951a`. This is the one before the Playwright Chromium integration was merged.
2. Modify the dast-chromium Dockerfile to install the Chromium headless package instead of Chromium.
3. Verify the correct caching of new package
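
The shell functions below are an added example, not code from the DAST project: they pick the package name listed above for each distribution and check that both repositories report the same upstream Chromium version, using the query output quoted in the issue as sample input. The function names and the os-release IDs (`debian`, and `rhel` for UBI 9) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the DAST project. Function names are hypothetical.

# Package name per distribution, as listed in the issue.
# Assumption: the image's /etc/os-release ID is "debian" or "rhel" (UBI 9).
headless_pkg_for() {
    case "$1" in
        debian) echo "chromium-headless-shell" ;;
        rhel)   echo "chromium-headless" ;;
        *)      echo "unsupported distribution: $1" >&2; return 1 ;;
    esac
}

# Read package-query output on stdin and print the upstream Chromium version
# (four dotted numbers). Only lines starting with the package name are
# considered, so librhsm warnings and apt progress lines are ignored.
chromium_upstream_version() {
    grep -E '^chromium-headless' \
        | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
        | head -n 1
}

# Succeed only when both query outputs report the same, non-empty version.
same_upstream_version() {
    a=$(printf '%s\n' "$1" | chromium_upstream_version)
    b=$(printf '%s\n' "$2" | chromium_upstream_version)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Sample input adapted from the query output quoted in the issue.
APT_OUT='Sorting... Done
Full Text Search... Done
chromium-headless-shell/stable-security 134.0.6998.35-1~deb12u1 arm64
  web browser - old headless shell'
DNF_OUT='(microdnf:219): librhsm-WARNING **: 09:27:33.548: Found 0 entitlement certificates
chromium-headless-134.0.6998.35-1.el9.aarch64'

if same_upstream_version "$APT_OUT" "$DNF_OUT"; then
    echo "both repos ship Chromium $(printf '%s\n' "$APT_OUT" | chromium_upstream_version)"
else
    echo "upstream Chromium versions differ between repos" >&2
fi
```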