From 654c14c4ad18e8f938c99a2ac6ab77e81ca9a352 Mon Sep 17 00:00:00 2001
From: Joshua Eason
Date: Wed, 5 May 2021 14:57:24 +0000
Subject: [PATCH 1/2] Sato 66
---
 Dockerfile | 2 ++
 README.md | 3 ++-
 hardening_manifest.yaml | 5 +++++
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index e1134c8..d23cf63 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -39,6 +39,8 @@ RUN /opt/bitnami/scripts/airflow/postunpack.sh && \
 tar xfz /local/wheels/thrift-0.14.1.tar.gz -C /local/wheels && \
 pip install --no-index --no-deps /local/wheels/thrift-0.14.1/lib/py && \
 rm -rf /local/wheels/thrift-0.14.1* && \
+ # Remove Elasticsearch 7.5.1 due to high findings CVE-2020-7019 CVE-2020-7021 CVE-2020-7020 CVE-2020-7014 CVE-2020-7009
+ rm -rf /opt/bitnami/airflow/venv/lib/python3.8/site-packages/elasticsearch && rm -rf /opt/bitnami/airflow/venv/lib/python3.8/site-packages/elasticsearch-7.5* && \
 for f in $(ls -l /local/wheels | awk '{print $9}' |sed '/^$/d'); do pip install --no-index --no-deps /local/wheels/$f; done && \
 find /opt/bitnami/airflow/venv/lib/python3.8/site-packages -name "*.pem" -o -name "*.key" | egrep ".*test.*/.*\.pem|.*test.*/.*\.key" | xargs rm -f && \
 rm -rf /local/*
diff --git a/README.md b/README.md
index 8d1b926..8093895 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,8 @@ Project template for all Iron Bank container repositories.
 > Airflow is a platform to programmatically author, schedule and monitor workflows.
 https://airflow.apache.org/
-
+### Ironbank Hardened Image Notes:
+apache-airflow-providers-elasticsearch will not work on this image due to vulnerabilities with Elasticsearch 7.5.1 (Removed)
 # TL;DR
 ## Docker Compose
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 1667ee7..c7f408e 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
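Review bot: In the Dockerfile hunk, the two added `rm -rf` calls delete the Elasticsearch client through paths pinned to `python3.8` and `elasticsearch-7.5*`, and `rm -rf` exits 0 when nothing matches, so a base-image update that ships another client version or Python minor would leave the flagged package in place without failing the build. Assuming `pip` on these lines is the venv's pip, as the neighbouring install lines suggest, `pip uninstall -y elasticsearch && \` removes it independently of version and keeps the venv's package metadata consistent. Because the wheel loop on the next line installs everything under /local/wheels, a check after that loop that fails the build when `pip show elasticsearch` still succeeds would make the removal verifiable. The added comment would be more useful if it named the scanner that produced the findings, since the listed CVE ids appear to be filed against the Elasticsearch server rather than the Python client (worth confirming before treating the removal as a fix rather than a scan workaround). The RUN instruction begins above the hunk, so the rest of the chain is not visible here.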
@@ -73,6 +73,11 @@ resources:
 validation:
 type: sha256
 value: 6ad9c7bdf517a808242b998ac20063c41532a570d088d77eec1ee12b0b5574bc
+- filename: astroid-2.5.1-py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/f1/49/d51e5ce77ea234ee416966e489283512a9852f78d9ff125747eae29e7b69/astroid-2.5.1-py3-none-any.whl
+ validation:
+ type: sha256
+ value: 21d735aab248253531bb0f1e1e6d068f0ee23533e18ae8a6171ff892b98297cf
 # List of project maintainers
 maintainers:
-- 
GitLab
From e7ae7460a26326d6e66d49eb8a7adb5f737f97af Mon Sep 17 00:00:00 2001
From: Austin Denton
Date: Wed, 5 May 2021 15:52:43 +0000
Subject: [PATCH 2/2] Update babel to 2.9.1
---
 hardening_manifest.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index c7f408e..40c3ad9 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -78,6 +78,11 @@ resources:
 validation:
 type: sha256
 value: 21d735aab248253531bb0f1e1e6d068f0ee23533e18ae8a6171ff892b98297cf
+- filename: Babel-2.9.1-py2.py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/aa/96/4ba93c5f40459dc850d25f9ba93f869a623e77aaecc7a9344e19c01942cf/Babel-2.9.1-py2.py3-none-any.whl
+ validation:
+ type: sha256
+ value: ab49e12b91d937cd11f0b67cb259a57ab4ad2b59ac7a3b41d6c06c0ac5b0def9
 # List of project maintainers
 maintainers:
-- 
GitLab