From 3828a96156e3745fade3fc9420baf3fa442c4fa6 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Wed, 15 May 2019 13:47:04 -0500 Subject: [PATCH 01/12] uncommented tar save --- Jenkinsfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 0f15f1c..fa2cf8d 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -450,8 +450,8 @@ pipeline { echo signature - //sshPut remote: remote, from: "${SIGNING_KEY}", into: './signingkey' - //signature = sshCommand remote: remote, command: "g=\$(mktemp -d) && f=\$(mktemp) && e=\$(mktemp) && trap \"sudo rm \$e;sudo rm \$f;sudo rm -rf \$g\" EXIT || exit 255;sudo docker save -o \$e ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG};sudo chmod o=r \$e;gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} ./signingkey ;echo \$e;gpg --detach-sign --homedir \$g -o \$f --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} \$e;/usr/bin/aws s3 cp \$e s3://${S3_REPORT_BUCKET}/${S3_IMAGE_LOCATION};rm ./signingkey;cat \$f;" + sshPut remote: remote, from: "${SIGNING_KEY}", into: './signingkey' + signature = sshCommand remote: remote, command: "g=\$(mktemp -d) && f=\$(mktemp) && e=\$(mktemp) && trap \"sudo rm \$e;sudo rm \$f;sudo rm -rf \$g\" EXIT || exit 255;sudo docker save -o \$e ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG};sudo chmod o=r \$e;gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} ./signingkey ;echo \$e;gpg --detach-sign --homedir \$g -o \$f --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} \$e;/usr/bin/aws s3 cp \$e s3://${S3_REPORT_BUCKET}/${S3_IMAGE_LOCATION};rm ./signingkey;cat \$f;" def signatureMatch = signature =~ /(?s)-----BEGIN PGP SIGNATURE-----.*-----END PGP SIGNATURE-----/ def signature = "" -- GitLab From 0907093ae2621be80d44acda38d7203ac72d1bd3 Mon Sep 17 00:00:00 2001 
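Review bot: The re-enabled sshCommand passes `${SIGNING_KEY_PASSPHRASE}` as a bare `--passphrase` argument twice, so the passphrase sits in the argv of the remote gpg processes (readable from the process table by any local user) and in whatever command logging the ssh step produces; supplying it on stdin with `--passphrase-fd 0`, or from a mode-0600 file created inside the trap-cleaned `\$g` directory, keeps it out of both. On the same line, `sudo chmod o=r \$e` makes the saved image tarball world-readable on the build node before it is signed, and `rm ./signingkey` is not part of the `trap`, so the private key pushed by `sshPut` stays on the remote whenever the session is cut short before that command runs. The enclosing signing stage starts and ends outside the hunk.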
From: Will Bunker Date: Wed, 15 May 2019 13:51:57 -0500 Subject: [PATCH 02/12] changed default image --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index fa2cf8d..2c31c8b 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -63,7 +63,7 @@ pipeline { description: "Which tools to run?", name: 'toolsToRun') - string(defaultValue: "up/ubi7-hardened-dev", + string(defaultValue: "up/openjdk-v1.8-ubi7-stigd", name: 'REPO_NAME', description: "Name of repo to be used by Docker, Nexus and all Scanning tools") -- GitLab From 02a1f62bbefd51fd967befb5a076d6a19cd9c89c Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Wed, 15 May 2019 14:12:48 -0500 Subject: [PATCH 03/12] added step to copy over image --- Jenkinsfile | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 2c31c8b..6fb91ce 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -380,6 +380,32 @@ pipeline { } // stage Push to External Registry + stage('Copying image to S3') { + + steps { + + script { + def remote = [:] + remote.name = "node" + remote.host = "${env.OSCAP_NODE}" + remote.allowAnyHosts = true + + //siging the image + node { + + //store path and name of image on s3 + withCredentials([sshUserPrivateKey(credentialsId: 'oscap', keyFileVariable: 'identity', usernameVariable: 'userName')]) { + remote.user = userName + remote.identityFile = identity + + sshCommand remote: remote, command: "e=\$(mktemp) && trap \"sudo rm \$e\" EXIT || exit 255;sudo docker save -o \$e ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG};/usr/bin/aws s3 cp \$e s3://${S3_REPORT_BUCKET}/${S3_IMAGE_LOCATION};" + + + } // withCredentials + } // node + }//script + } // steps + } // stage stage('Signing image') { environment { 
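Review bot: `remote.allowAnyHosts = true` in the new "Copying image to S3" stage disables SSH host-key verification for a connection to a host read from `env.OSCAP_NODE`, so a substituted host would receive the image tarball and the command stream unnoticed; pin the node's key (`remote.allowAnyHosts = false` with a known_hosts entry) instead. The remote command chains its steps with `;`, so a failed `docker save` still runs `aws s3 cp` on the empty temp file and the stage reports success — joining the two with `&&` (`docker save -o \$e ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG} && /usr/bin/aws s3 cp \$e s3://${S3_REPORT_BUCKET}/${S3_IMAGE_LOCATION}`) makes the upload conditional; the same applies to the reworked command in patches 04, 05 and 08. The `//siging the image` comment is copied from the signing stage and misdescribes this one; `// save the image to a temp file on the node and copy it to S3` would fit. The stage sits inside `pipeline {`, which starts and ends outside the hunk.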
@@ -447,11 +473,6 @@ pipeline { signature = sh(script: "g=\$(mktemp -d) && f=\$(mktemp) && trap \"rm \$f;rm -rf \$g\" EXIT || exit 255;gpg --homedir \$g --import --batch --passphrase '${SIGNING_KEY_PASSPHRASE}' ${SIGNING_KEY} ;gpg --detach-sign --homedir \$g -o \$f --armor --yes --batch --passphrase '${SIGNING_KEY_PASSPHRASE}' ${S3_MANIFEST_NAME};cat \$f;", returnStdout: true) - echo signature - - - sshPut remote: remote, from: "${SIGNING_KEY}", into: './signingkey' - signature = sshCommand remote: remote, command: "g=\$(mktemp -d) && f=\$(mktemp) && e=\$(mktemp) && trap \"sudo rm \$e;sudo rm \$f;sudo rm -rf \$g\" EXIT || exit 255;sudo docker save -o \$e ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG};sudo chmod o=r \$e;gpg --homedir \$g --import --batch --passphrase ${SIGNING_KEY_PASSPHRASE} ./signingkey ;echo \$e;gpg --detach-sign --homedir \$g -o \$f --armor --yes --batch --passphrase ${SIGNING_KEY_PASSPHRASE} \$e;/usr/bin/aws s3 cp \$e s3://${S3_REPORT_BUCKET}/${S3_IMAGE_LOCATION};rm ./signingkey;cat \$f;" def signatureMatch = signature =~ /(?s)-----BEGIN PGP SIGNATURE-----.*-----END PGP SIGNATURE-----/ def signature = "" -- GitLab From 26d4a252ca02d84cf34af45207d801e2180a8131 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Wed, 15 May 2019 14:19:56 -0500 Subject: [PATCH 04/12] changed s3 copy to sudo --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 6fb91ce..2d9a149 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -398,7 +398,7 @@ pipeline { remote.user = userName remote.identityFile = identity - sshCommand remote: remote, command: "e=\$(mktemp) && trap \"sudo rm \$e\" EXIT || exit 255;sudo docker save -o \$e ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG};/usr/bin/aws s3 cp \$e s3://${S3_REPORT_BUCKET}/${S3_IMAGE_LOCATION};" + sshCommand remote: remote, command: "e=\$(mktemp) && trap \"sudo rm \$e\" EXIT || exit 255;sudo docker save -o \$e ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG};sudo /usr/bin/aws s3 cp \$e s3://${S3_REPORT_BUCKET}/${S3_IMAGE_LOCATION};" } // withCredentials -- GitLab From 863c7ae9a6c38173b01ceb05bf97788def972c3f Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Wed, 15 May 2019 14:30:01 -0500 Subject: [PATCH 05/12] removed sudo from docker save and s3 cp --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 2d9a149..05b5448 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -398,7 +398,7 @@ pipeline { remote.user = userName remote.identityFile = identity - sshCommand remote: remote, command: "e=\$(mktemp) && trap \"sudo rm \$e\" EXIT || exit 255;sudo docker save -o \$e ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG};sudo /usr/bin/aws s3 cp \$e s3://${S3_REPORT_BUCKET}/${S3_IMAGE_LOCATION};" + sshCommand remote: remote, command: "e=\$(mktemp) && trap \"sudo rm \$e\" EXIT || exit 255;docker save -o \$e ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG};/usr/bin/aws s3 cp \$e s3://${S3_REPORT_BUCKET}/${S3_IMAGE_LOCATION};" } // withCredentials -- GitLab From 320ecda76c762c1f66a6f99887de561c18f1e846 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Wed, 15 May 2019 14:33:33 -0500 Subject: [PATCH 06/12] testing docker save --- Jenkinsfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 05b5448..ef05fad 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
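Review bot: After these two edits the `trap \"sudo rm \$e\"` still removes the temp file as root while `mktemp`, `docker save` and `aws s3 cp` now run as the unprivileged ssh user, so cleanup depends on a sudo rule that nothing else on the line needs any more; `trap \"rm \$e\" EXIT` is sufficient for a file the same user created. Whether that user can run `docker save` without sudo is not visible here (other stages in the file use `sudo docker`), so patch 05 presumably relies on docker-group membership — worth a comment on the stage so the next reader does not add `sudo` back. Both hunks change a single line inside a `withCredentials` block that starts and ends outside the hunk.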
@@ -398,7 +398,9 @@ pipeline { remote.user = userName remote.identityFile = identity - sshCommand remote: remote, command: "e=\$(mktemp) && trap \"sudo rm \$e\" EXIT || exit 255;docker save -o \$e ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG};/usr/bin/aws s3 cp \$e s3://${S3_REPORT_BUCKET}/${S3_IMAGE_LOCATION};" + sshCommand remote: remote, command: "echo 'hello'" + + sshCommand remote: remote, command: "e=\$(mktemp) && trap \"sudo rm \$e\" EXIT || exit 255;docker save -o \$e ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG};" } // withCredentials -- GitLab From e4a1ccacf4c0c0443a3aa544be1cef0844b12a10 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Wed, 15 May 2019 14:39:01 -0500 Subject: [PATCH 07/12] changed oscap secret to secure-build --- Jenkinsfile | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index ef05fad..8640af0 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -394,13 +394,13 @@ pipeline { node { //store path and name of image on s3 - withCredentials([sshUserPrivateKey(credentialsId: 'oscap', keyFileVariable: 'identity', usernameVariable: 'userName')]) { + withCredentials([sshUserPrivateKey(credentialsId: 'secure-build', keyFileVariable: 'identity', usernameVariable: 'userName')]) { remote.user = userName remote.identityFile = identity sshCommand remote: remote, command: "echo 'hello'" - sshCommand remote: remote, command: "e=\$(mktemp) && trap \"sudo rm \$e\" EXIT || exit 255;docker save -o \$e ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG};" + sshCommand remote: remote, command: "e=\$(mktemp) && trap \"sudo rm \$e\" EXIT || exit 255;docker save -o \$e ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG};" \\ /usr/bin/aws s3 cp \$e s3://${S3_REPORT_BUCKET}/${S3_IMAGE_LOCATION}; } // withCredentials 
@@ -420,22 +420,12 @@ pipeline { steps { script { - def remote = [:] - remote.name = "node" - remote.host = "${env.OSCAP_NODE}" - remote.allowAnyHosts = true //siging the image node { echo 'Signing container' - //store path and name of image on s3 - withCredentials([sshUserPrivateKey(credentialsId: 'oscap', keyFileVariable: 'identity', usernameVariable: 'userName')]) { - remote.user = userName - remote.identityFile = identity - - def unixTime = sh( script: 'date +%s', returnStdout: true @@ -500,7 +490,6 @@ pipeline { } //withAWS - } // withCredentials } // node }//script } // steps -- GitLab From ed2e9734190043f50aef4e0234bff795ff69e1ec Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Wed, 15 May 2019 14:40:35 -0500 Subject: [PATCH 08/12] put full command back --- Jenkinsfile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 8640af0..90cae87 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -398,9 +398,7 @@ pipeline { remote.user = userName remote.identityFile = identity - sshCommand remote: remote, command: "echo 'hello'" - - sshCommand remote: remote, command: "e=\$(mktemp) && trap \"sudo rm \$e\" EXIT || exit 255;docker save -o \$e ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG};" \\ /usr/bin/aws s3 cp \$e s3://${S3_REPORT_BUCKET}/${S3_IMAGE_LOCATION}; + sshCommand remote: remote, command: "e=\$(mktemp) && trap \"sudo rm \$e\" EXIT || exit 255;docker save -o \$e ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG};/usr/bin/aws s3 cp \$e s3://${S3_REPORT_BUCKET}/${S3_IMAGE_LOCATION};" } // withCredentials -- GitLab From 1cdebf843130882a7a99fa169b01c204af3a92d6 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Wed, 15 May 2019 14:44:07 -0500 Subject: [PATCH 09/12] removing previous runs --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 90cae87..5966c85 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -587,7 +587,7 @@ pipeline { "TwistLock - ${S3_TWISTLOCK_REPORT}
\n" + "Anchore - ${S3_ANCHORE_GATES_REPORT} , ${S3_ANCHORE_SECURITY_REPORT}
\n" + "

" + - previousRuns + + //previousRuns + footerSlug echo newFile -- GitLab From 6d01d45850ec43dafe0d1a63f733ba456edba4ea Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Wed, 15 May 2019 14:52:58 -0500 Subject: [PATCH 10/12] added tar link --- Jenkinsfile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 5966c85..b5d2708 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -40,7 +40,7 @@ pipeline { S3_DOCUMENTATION_LOCATION = "${BASIC_PATH_FOR_DATA}/${S3_DOCUMENTATION_FILENAME}" S3_TAR_FILENAME = " " - S3_TAR_LOCATION = "${BASIC_PATH_FOR_DATA}/" + S3_TAR_LOCATION = " " S3_OSCAP_CVE_REPORT = "report-cve.html" S3_OSCAP_REPORT = "report.html" @@ -88,6 +88,9 @@ pipeline { S3_IMAGE_LOCATION = "${BASIC_PATH_FOR_DATA}/${S3_IMAGE_NAME}" S3_TAR_FILENAME = "${repoNoSlash}-${IMAGE_TAG}-full.tar.gz" + S3_TAR_LOCATION = "${BASIC_PATH_FOR_DATA}/${S3_TAR_FILENAME}" + + } //script } // steps } // stage Finish initializing environment @@ -582,6 +585,7 @@ pipeline { "Image manifest - ${S3_MANIFEST_NAME}
\n" + "PGP Signature - ${S3_SIGNATURE_FILENAME}
\n" + "Version Documentation - ${S3_DOCUMENTATION_FILENAME}
\n" + + "Tar of everything - ${S3_TAR_FILENAME}
\n" + "

Tool reports:

\n" + "OpenSCAP - ${S3_OSCAP_REPORT} , ${S3_OSCAP_CVE_REPORT}
\n" + "TwistLock - ${S3_TWISTLOCK_REPORT}
\n" + -- GitLab From 40b644bcf83ea576e7605753fcb98a18faeaa159 Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Wed, 15 May 2019 14:55:43 -0500 Subject: [PATCH 11/12] adding back previous runs --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index b5d2708..d26bdfe 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -591,7 +591,7 @@ pipeline { "TwistLock - ${S3_TWISTLOCK_REPORT}
\n" + "Anchore - ${S3_ANCHORE_GATES_REPORT} , ${S3_ANCHORE_SECURITY_REPORT}
\n" + "

" + - //previousRuns + + previousRuns + footerSlug echo newFile -- GitLab From 372fdb316d65ff7987eea01d5c343cacdbf9bf0c Mon Sep 17 00:00:00 2001 From: Will Bunker Date: Wed, 15 May 2019 15:17:40 -0500 Subject: [PATCH 12/12] switch docker cleanup to single image --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index d26bdfe..28dcbf1 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -633,7 +633,7 @@ pipeline { remote.user = userName remote.identityFile = identity - sshCommand remote: remote, command: "if [[ \$(sudo docker images -q) ]]; then sudo docker rmi \$(sudo docker images -q) --force; fi && if [[ \$(sudo docker ps -a -q) ]]; then sudo docker rm \$(sudo docker ps -a -q); fi" + sshCommand remote: remote, command: "if [[ \$(sudo docker images -q ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG}) ]]; then sudo docker rmi ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG} --force; fi && if [[ \$(sudo docker ps -a -q | grep ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG}) ]]; then sudo docker rm ${NEXUS_SERVER}/${REPO_NAME}:${IMAGE_TAG}; fi" } //withCredentials } // node -- GitLab