From d35cb2fbb6444e96998061dad4d031e6873550c3 Mon Sep 17 00:00:00 2001 From: Aviv Shavit Date: Fri, 12 Feb 2021 01:25:47 +0200 Subject: [PATCH 1/3] update 21026 dod artifacts update: *add lables and update resource file checksum in hardening.yaml - update to release 5.3 (artifacts generated from server@a2831d5) --- Dockerfile | 21 ++------------- hardening_manifest.yaml | 58 +++++++++++++++++++++++------------------ 2 files changed, 34 insertions(+), 45 deletions(-) diff --git a/Dockerfile b/Dockerfile index 26d7974..5b59626 100644 --- a/Dockerfile +++ b/Dockerfile @@ -9,26 +9,10 @@ ARG BASE_TAG=8.3 # FROM statement must reference the base image using the three ARGs established FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} - -ARG BASE_REGISTRY=registry1.dsop.io -ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8-minimal -ARG BASE_TAG=8.3 - -# Aqua release version -ARG AQUA_VERSION=5.3 -# Aqua update version tag -ARG AQUA_TAG=21026-ubi8 -ENV VERSION=${AQUA_VERSION}.${AQUA_TAG} -# Aqua container type -ARG CONTAINER=enforcer -ARG COMPONENT=enforcer -ARG BUILDDATE -ARG COMMIT=1cfdcea - ENV BUILD_ONLY_PACKAGES="tar gzip shadow-utils" RUN microdnf install $BUILD_ONLY_PACKAGES -ARG TARBALL="aquasec-${CONTAINER}-${AQUA_VERSION}.${AQUA_TAG}.tar.gz" +ARG TARBALL="aquasec-enforcer-5.3.21026-ubi8.tar.gz" RUN mkdir -p /build /opt/aquascans @@ -52,7 +36,6 @@ RUN groupadd -g 11433 --system aqua && \ RUN microdnf remove ${BUILD_ONLY_PACKAGES} RUN microdnf clean all - # dodTODO: pending SLK-28283 # Removing of microdnf must be after we use it #COPY _package/remove-vulnerable-packages / @@ -62,7 +45,7 @@ RUN microdnf clean all VOLUME /opt/aquascans WORKDIR /opt/aquasec/ - +LABEL com.aquasec.restart=no HEALTHCHECK --interval=1m --start-period=3m CMD /opt/aquasec/slk ping || exit 1 RUN microdnf install iptables libmnl && \ microdnf clean all diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index be3ebf4..1e990b4 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml 
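Review bot: The `ARG TARBALL` line in the first Dockerfile hunk carries a literal file name that now has to be kept in step by hand with `filename:` under `resources:` in hardening_manifest.yaml, because the `CONTAINER`, `AQUA_VERSION` and `AQUA_TAG` ARGs are removed in the same hunk. A comment above it would make the coupling explicit, e.g. `# Keep in sync with resources[].filename in hardening_manifest.yaml`. The hunk also removes `ENV VERSION=${AQUA_VERSION}.${AQUA_TAG}`, so the image no longer exports that variable. Nothing visible here shows whether the enforcer or its tooling reads it, so that is worth confirming before merge.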
@@ -1,21 +1,16 @@
----
 apiVersion: v1
-
 # The repository name in registry1, excluding /ironbank/
 name: "aqua-security/enterprise/enforcer-5.3"
-
 # List of tags to push for the repository in registry1
 # The most specific version should be the first tag and will be shown
 # on ironbank.dsop.io
 tags:
-- "5.3.21026-ubi8"
-- "latest"
-
+ - "5.3.21026-ubi8"
+ - "latest"
 # Build args passed to Dockerfile ARGs
 args:
 BASE_IMAGE: "redhat/ubi/ubi8-minimal"
 BASE_TAG: "8.3"
-
 # Docker image labels
 labels:
 org.opencontainers.image.title: "enforcer-5.3"
@@ -34,28 +29,39 @@ labels: mil.dso.ironbank.image.type: "commercial" ## Product the image belongs to for grouping multiple images # mil.dso.ironbank.product.name: "FIXME" - + name: "Aqua Enterprise enforcer" + maintainer: "admin@aquasec.com" + vendor: "Aqua Security Software Ltd." + summary: "Aqua Security Enterprise - enforcer" + description: "Aqua Security Enterprise - enforcer" + com.aquasec.baseimage: "registry1.dsop.io/ironbank/redhat/ubi/ubi8-minimal:8.3" + com.aquasec.builddate: "2021-01-26T09:24:33" + com.aquasec.component: "agent" + com.aquasec.release: "5.3.21026" + com.aquasec.restart: "no" + com.aquasec.version: "5.3.31833" + com.aquasec.dod.commit: "a2831d5" + com.aquasec.dod.builddate: "2021-02-12T01:25+02:00" # List of resources to make available to the offline build context resources: -- auth: - id: aquasec-credential - type: basic - filename: aquasec-enforcer-5.3.21026-ubi8.tar.gz - url: https://download.aquasec.com/aquasec/csp/enforcer/5.3/aquasec-enforcer-5.3.21026-ubi8.tar.gz - validation: - type: sha256 - value: 199bfbcd615e088e3d76b1184643753ef0a8c738d172cfe022318e4476906a4d - + - auth: + id: aquasec-credential + type: basic + filename: aquasec-enforcer-5.3.21026-ubi8.tar.gz + url: https://download.aquasec.com/aquasec/csp/enforcer/5.3/aquasec-enforcer-5.3.21026-ubi8.tar.gz + validation: + type: sha256 + value: 7cacb22ade763b9c544fc7e3966cdda539540cb5c03289a261016fbdb9087ab7 # List of project maintainers # FIXME: Fill in the following details for the current container owner in the whitelist # FIXME: Include any other vendor information if applicable maintainers: -- email: "aviv.shavit@aquasec.com" -# # The name of the current container owner - name: "Aviv Shavit" -# # The gitlab username of the current container owner - username: "avivataqua" -# cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT -- name: "Al Fontaine" - username: "alfontaine" - email: "alan.fontaine@centauricorp.com" + - email: "aviv.shavit@aquasec.com" + 
# # The name of the current container owner + name: "Aviv Shavit" + # # The gitlab username of the current container owner + username: "avivataqua" + # cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT + - name: "Al Fontaine" + username: "alfontaine" + email: "alan.fontaine@centauricorp.com" -- GitLab From 0d96529ac3230ec799f12797587bfac4d0905573 Mon Sep 17 00:00:00 2001 From: Aviv Shavit Date: Fri, 12 Feb 2021 01:32:30 +0200 Subject: [PATCH 2/3] update 21026 dod artifacts update: *add lables and update resource file checksum in hardening.yaml - update to release 5.3 (artifacts generated from server@a2831d5-dirty) --- Dockerfile | 1 - hardening_manifest.yaml | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5b59626..ad0f925 100644 --- a/Dockerfile +++ b/Dockerfile @@ -45,7 +45,6 @@ RUN microdnf clean all VOLUME /opt/aquascans WORKDIR /opt/aquasec/ -LABEL com.aquasec.restart=no HEALTHCHECK --interval=1m --start-period=3m CMD /opt/aquasec/slk ping || exit 1 RUN microdnf install iptables libmnl && \ microdnf clean all diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 1e990b4..bebb965 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -40,8 +40,8 @@ labels: com.aquasec.release: "5.3.21026" com.aquasec.restart: "no" com.aquasec.version: "5.3.31833" - com.aquasec.dod.commit: "a2831d5" - com.aquasec.dod.builddate: "2021-02-12T01:25+02:00" + com.aquasec.dod.commit: "a2831d5-dirty" + com.aquasec.dod.builddate: "2021-02-12T01:32+02:00" # List of resources to make available to the offline build context resources: - auth: -- GitLab From fcf169534bda84298d551f4860907cb86bb18369 Mon Sep 17 00:00:00 2001 
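Review bot: The `validation.value` sha256 under `resources:` changes from the digest starting `199bfbcd` to the one starting `7cacb22a` while `filename` and `url` still name `aquasec-enforcer-5.3.21026-ubi8.tar.gz`, which suggests the tarball behind an unchanged versioned URL was replaced, and nothing in the commit records where the new digest came from. Please state in the description how the digest was obtained, ideally checked against a vendor-published checksum or signature rather than computed from a fresh download, since the pin only protects the offline build if its source is trusted. Separately, the added labels give `com.aquasec.version: "5.3.31833"` next to `com.aquasec.release: "5.3.21026"` and the `5.3.21026-ubi8` tag, and `com.aquasec.component: "agent"` for an enforcer image. If those values are intentional a short comment above them would help; otherwise they look like stale generator output.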
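Review bot: `com.aquasec.dod.commit: "a2831d5-dirty"` in the second patch records that the artifacts were generated from a working tree with uncommitted changes, so the label cannot be traced back to a reproducible source state. Regenerate from a clean checkout and record the plain commit id. The next patch in the series does change the value to `df9e1e1`, so squashing the two would keep the `-dirty` value out of history. The `labels:` mapping starts outside this hunk.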
From: Aviv Shavit Date: Fri, 12 Feb 2021 01:34:06 +0200 Subject: [PATCH 3/3] update 21026 dod artifacts update: *add lables and update resource file checksum in hardening.yaml - update to release 5.3 (artifacts generated from server@df9e1e1)
---
 hardening_manifest.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index bebb965..23cff98 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -40,8 +40,8 @@ labels:
 com.aquasec.release: "5.3.21026"
 com.aquasec.restart: "no"
 com.aquasec.version: "5.3.31833"
- com.aquasec.dod.commit: "a2831d5-dirty"
- com.aquasec.dod.builddate: "2021-02-12T01:32+02:00"
+ com.aquasec.dod.commit: "df9e1e1"
+ com.aquasec.dod.builddate: "2021-02-12T01:33+02:00"
 # List of resources to make available to the offline build context
 resources:
 - auth:
-- GitLab
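Review bot: `com.aquasec.dod.commit` has now moved from `a2831d5` through `a2831d5-dirty` to `df9e1e1` across the three patches, while the tarball's sha256 under `resources:` is not touched by this hunk or the previous one, so it is unclear what the label attests to. If it identifies the repository that generated the manifest rather than the packaged enforcer build, document that above the key, e.g. `# Commit of the artifact-generation repo, not of the enforcer tarball`. If it is meant to describe the tarball, the digest and the label should change together.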