Merge branch 'development' into 'master'

Development See merge request !13

Merge branch 'development' into 'master'
Development See merge request !13
2444ae72 · Al Fontaine · 55c103b0 · 26b77c1f · 2444ae72 · 2444ae72
Commit 2444ae72 authored Aug 26, 2021 by Al Fontaine
Expand all Hide whitespace changes
Inline Side-by-side

Showing with 216 additions and 0 deletions

Dockerfile Dockerfile +89 -0

LICENSE LICENSE +79 -0

hardening_manifest.yaml hardening_manifest.yaml +48 -0

No files found.
--- a/Dockerfile
+++ b/Dockerfile
+ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_IMAGE=redhat/ubi/ubi8
+ARG BASE_TAG=8.4
+#change this for deployment!!!
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+RUN yum -y update \
+  && yum clean all
+#TO fix CCE-80935-0
+#RUN yum -y install crypto-policies
+#RUN  yum -y install gnutls-utils 
+# for https://access.redhat.com/security/cve/CVE-2021-23240
+RUN rm -rf /usr/libexec/sudo/sesh 
+ARG CODESONAR_PACKAGE=codesonar-6.1p0.20210802-x86_64-pc-linux.tar.gz  
+ARG CODESONAR_HOME=/opt/codesonar-6.1p0
+COPY ["${CODESONAR_PACKAGE}", "/opt"]
+RUN tar -zxvf /opt/${CODESONAR_PACKAGE} -C /opt
+RUN rm -rf /opt/${CODESONAR_PACKAGE}
+RUN ln -s ${CODESONAR_HOME} /opt/codesonar
+RUN useradd -ms /bin/bash codesonar
+#This is a hubless installation, so we can remove hub components:
+RUN cd /opt/codesonar
+RUN rm -rf codesonar/doc \
+codesonar/py/hub \
+codesonar/py/processors \
+codesonar/src/api/javadoc \
+codevice \
+csurf/doc \
+csurf/src/api/javadoc \
+csurf/src/feir/api/javadoc \
+third-party/boost \
+third-party/jquery \
+third-party/sqlalchemy 
+RUN rm -rf ${CODESONAR_HOME}/third-party/postgresql
+RUN rm -rf ${CODESONAR_HOME}/third-party/postgresql-9.3
+RUN rm -rf ${CODESONAR_HOME}/third-party/postgresql-9.6
+RUN rm -rf ${CODESONAR_HOME}/csonar-eclipse/com.grammatech.codesonar.jar
+RUN rm -rf ${CODESONAR_HOME}/csonar-eclipse/eclipse_tests/CodeSonarTest_1.0.0.jar
+RUN rm -rf ${CODESONAR_HOME}/csurf/lib/codesonarj-runtimes/androidAPI23/android-6.0.1_r1.jar
+RUN rm -rf ${CODESONAR_HOME}/third-party/python/inst/lib/python3.9/site-packages/urllib3* ${CODESONAR_HOME}/third-party/python/instmt/lib/python3.9/site-packages/urllib3*
+#Remove unused certs
+RUN rm -rf /opt/codesonar-6.1p0/third-party/python/inst/lib/python3.9/test
+RUN rm -rf /opt/codesonar-6.1p0/third-party/python/instmt/lib/python3.9/test
+RUN rm /opt/codesonar-6.1p0/third-party/python/inst/lib/python3.9/site-packages/slapdtest/certs/client.key
+RUN rm /opt/codesonar-6.1p0/third-party/python/inst/lib/python3.9/site-packages/slapdtest/certs/server.key
+RUN rm /opt/codesonar-6.1p0/third-party/python/instmt/lib/python3.9/site-packages/slapdtest/certs/client.key
+RUN rm /opt/codesonar-6.1p0/third-party/python/instmt/lib/python3.9/site-packages/slapdtest/certs/server.key
+#The following is needed as RH8 does not have libnsl.so.1
+RUN ln -s /usr/lib64/libnsl.so.2 /usr/lib64/libnsl.so.1
+VOLUME [ /home/codesonar ]
+#HEALTHCHECK --interval=30s --timeout=30s --start-period=180s --retries=3 CMD /opt/codesonar-health-check.sh
+#adjust some options
+RUN rm /opt/codesonar/UNACCEPTED_LICENSE.txt
+RUN touch /opt/codesonar/TELEMETRY_DISABLED
+USER codesonar
+WORKDIR /home/codesonar
--- a/LICENSE
+++ b/LICENSE
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
+---
+apiVersion: v1
+# The repository name in registry1, excluding /ironbank/
+name: "grammatech/codesonar/codesonar-builder"
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dso.mil
+tags:
+- "6.1.0"
+- "latest"
+# Build args passed to Dockerfile ARGs
+args:
+  BASE_IMAGE: "redhat/ubi/ubi8"
+  BASE_TAG: "8.4"
+# Docker image labels
+labels:
+  org.opencontainers.image.title: "codesonar-gnu-builder"
+  org.opencontainers.image.description: "CodeSonar GNU Builder"
+  org.opencontainers.image.licenses: "GrammaTech Commercial License"
+  org.opencontainers.image.url: "http://support.grammatech.com/"
+  org.opencontainers.image.vendor: "GrammaTech"
+  org.opencontainers.image.version: "6.1"
+  mil.dso.ironbank.image.keywords: "GrammaTech, CodeSonar, SAST, CI/CD"
+  mil.dso.ironbank.image.type: "commercial"
+  mil.dso.ironbank.product.name: "CodeSonar"
+# List of resources to make available to the offline build context
+resources:
+  - url: "https://download.grammatech.com/diracc2011/codesonar-6.1/codesonar-6.1p0.20210802-x86_64-pc-linux.tar.gz"
+    filename: "codesonar-6.1p0.20210802-x86_64-pc-linux.tar.gz" # [required field] desired staging name for the build context
+    validation:
+      type: "sha256" # supported: sha256, sha512
+      value: "c6fe558a91b460a7ed3377a23bf98ce12f2c1c72b1519835859ceefbb295ffc8" # must be lowercase
+    auth:
+      type: basic
+      id: grammatech
+# List of project maintainers
+maintainers:
+- email: "mhermeling@grammatech.com"
+  # The name of the current container owner
+  name: "Mark Hermeling"
+  # The gitlab username of the current container owner
+  username: "markhermeling"