Merge branch 'development' into 'master'

Development See merge request !12

Merge branch 'development' into 'master'
Development See merge request !12
7e043eff · Al Fontaine · f8ad464a · 200e3df8 · 7e043eff · 7e043eff
Commit 7e043eff authored Nov 30, 2020 by Al Fontaine
6 changed files
--- a/.gitlab/issue_templates/Application - Update.md
+++ b/.gitlab/issue_templates/Application - Update.md
@@ -19,6 +19,9 @@ Hardening:
 - [ ] Container version has been updated in greylist file
 - [ ] Branch has been merged into `development`

+No new findings:
+- [ ] There are no new findings in this update. Skip the Justifications and Approval Process steps and apply the label ~"Approval".
+
 Justifications:
 - [ ] All findings have been justified per the above documentation
 - [ ] Justifications have been provided to the container hardening team

--- a/Dockerfile
+++ b/Dockerfile
+# These three ARGs must point to an Iron Bank image - the BASE_REGISTRY should always be what is written below; please use \
+# '--build-arg' when building locally to replace these values
+# If your container is not based on either the ubi7/ubi8 Iron Bank images, then it should be based on a different Iron Bank image
+# Note that you will not be able to pull containers from nexus-docker-secure.levelup-dev.io into your local dev machine
+ARG BASE_REGISTRY=registry1.dsop.io
+ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8-minimal
+ARG BASE_TAG=8.2
+
+# FROM statement must reference the base image using the three ARGs established
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+# Aqua release version
+ARG AQUA_VERSION=5.0
+# Aqua update version tag
+ARG AQUA_TAG=0-ubi8
+ENV VERSION=${AQUA_VERSION}.${AQUA_TAG}
+# Aqua container type
+ARG CONTAINER=gateway
+ARG BUILDDATE
+ARG COMMIT=103c5e2a51
+
+# 'LABEL' instructions should include at least the following information and any other helpful details.
+LABEL name="Aqua Enterprise Console" \
+      maintainer="admin@aquasec.com" \
+      vendor="Aqua Security" \
+      summary="Aqua Security Enterprise - Console" \
+      description="Aqua Security Enterprise - Console"
+LABEL com.aquasec.release=${VERSION}
+LABEL com.aquasec.version=${VERSION}
+LABEL com.aquasec.component=$CONTAINER
+LABEL com.aquasec.builddate=${BUILDDATE}
+LABEL com.aquasec.commit=${COMMIT}
+
+ENV BUILD_ONLY_PACKAGES="tar gzip shadow-utils"
+RUN microdnf install $BUILD_ONLY_PACKAGES
+
+ARG TARBALL="aquasec-${CONTAINER}-${AQUA_VERSION}.${AQUA_TAG}.tar.gz"
+
+RUN mkdir -p /build /opt/aquascans
+
+COPY ${TARBALL} /build/
+
+RUN cd /build && \
+    tar -zxvf ${TARBALL} && \
+    cd -
+
+RUN if [[ -d /build/licenses ]]; then cp -r /build/licenses/ /licenses/; fi
+RUN cd /build/ && \
+    cp -r aquasec /opt/
+RUN rm -rf /build
+
+COPY scripts/* /
+
+RUN groupadd -g 11433 --system aqua && \
+  adduser --home-dir /home/aqua --comment "aqua user" --shell /sbin/nologin -g aqua --system -u 11433 aqua && \
+  chown -R aqua:root /opt/aquasec && chown -R aqua:root /opt/aquascans
+
+RUN microdnf remove ${BUILD_ONLY_PACKAGES}
+RUN microdnf clean all
+
+
+# dodTODO: pending SLK-28283
+# Removing of microdnf must be after we use it
+#COPY _package/remove-vulnerable-packages /
+#RUN chmod +x /remove-vulnerable-packages && sync && /remove-vulnerable-packages ${ubiver}
+#RUN rm /remove-vulnerable-packages
+
+VOLUME /opt/aquascans
+WORKDIR /opt/aquasec/
+
+EXPOSE 3622 8443
+HEALTHCHECK --start-period=10s CMD curl -f 127.0.0.1:3622 || exit 1
+USER 11433
+CMD ["/gateway-entrypoint.sh"]
--- a/Jenkinsfile
+++ b/Jenkinsfile
+@Library('DCCSCR@master') _
+dccscrPipeline(version: "5.0")
+
+/* The above format is required for all production submissions.  
+*  The version will be the image tag associated with this container for this branch.
+*
+*  You may limit the job to the build stage or the scanning stage only:
+*  dccscrPipeline(version: "1.4.2", scan: false) 
+*  dccscrPipeline(version: "1.0.0", build: false) 
+*
+*  You may also use a different branch of the jenkins-shared-library.
+*  Only do this if you know what you are doing:
+*  @Library('DCCSCR@feature1_branch') _ */
+
+
--- a/LICENSE
+++ b/LICENSE
--- a/download.json
+++ b/download.json
+{
+  "resources": [
+    {
+      "url":"https://download.aquasec.com/aquasec/csp/gateway/5.0/aquasec-gateway-5.0.0-ubi8.tar.gz",
+      "filename":"aquasec-gateway-5.0.0-ubi8.tar.gz",
+      "validation": {
+        "type": "sha256",
+        "value": "a476b7eb0618fd2de0d5afb00de7aa481b2c6fdcb73f12aa10afbc9889d0594c"
+      },
+      "auth": {"type": "basic", "id": "aquasec-credential" },
+      "tls_verify": true
+    }
+  ]
+}
--- a/scripts/gateway-entrypoint.sh
+++ b/scripts/gateway-entrypoint.sh
+#!/bin/sh
+# this entrypoint is shared between several distributions e.g. ubi and DoD
+# entrypoint code common to all gateway distributions should be placed here
+# distribution specific startup code should be copied placed in respective script
+
+# run distribution specific entrypoint code if exists (i.e. we are on that distribution)
+test -x /common-entrypoint-alpine.sh && /common-entrypoint-alpine.sh
+
+#exec is needed in order to make the run be the parent process for accespting docker stop signal
+exec /opt/aquasec/sedocksrv