diff --git a/Dockerfile b/Dockerfile
index bf33b23d65953319a17f495305272ace917a4bda..7d28d8806389a20bc92058edd684d30ba2af94e6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,33 +22,37 @@ RUN yum -y update \
 RUN rm -rf /usr/libexec/sudo/sesh
-ARG CODESONAR_PACKAGE=codesonar-5.4p0.20200911-x86_64-pc-linux.tar.gz
+ARG CODESONAR_PACKAGE=codesonar-6.1p0.20210802-x86_64-pc-linux.tar.gz
+ARG CODESONAR_HOME=/opt/codesonar-6.1p0
 COPY ["${CODESONAR_PACKAGE}", "/opt"]
 RUN tar -zxvf /opt/${CODESONAR_PACKAGE} -C /opt
 RUN rm -rf /opt/${CODESONAR_PACKAGE}
-RUN ln -s /opt/codesonar-5.4p0 /opt/codesonar
+RUN ln -s ${CODESONAR_HOME} /opt/codesonar
 RUN useradd -ms /bin/bash codesonar
-# remove some packages that are not needed
-RUN rm -rf /opt/codesonar-5.4p0/third-party/julia-sarif
-RUN rm -rf /opt/codesonar-5.4p0/third-party/julia-tools
+# Remove older software versions no longer needed
+RUN rm -rf ${CODESONAR_HOME}/third-party/postgresql-8.3
+RUN rm -rf ${CODESONAR_HOME}/third-party/postgresql-8.4
+RUN rm -rf ${CODESONAR_HOME}/third-party/postgresql-9.0
+RUN rm -rf ${CODESONAR_HOME}/third-party/postgresql-9.1
+RUN rm -rf ${CODESONAR_HOME}/third-party/postgresql-9.2
+RUN rm -rf ${CODESONAR_HOME}/third-party/postgresql-9.3
+RUN rm -rf ${CODESONAR_HOME}/third-party/postgresql-9.6
-RUN rm -rf /opt/codesonar-5.4p0/third-party/pmd
-RUN rm -rf /opt/codesonar-5.4p0/third-party/pmd-5.0.4
+RUN rm -rf ${CODESONAR_HOME}/csonar-eclipse/com.grammatech.codesonar.jar
+RUN rm -rf ${CODESONAR_HOME}/csonar-eclipse/eclipse_tests/CodeSonarTest_1.0.0.jar
+RUN rm -rf ${CODESONAR_HOME}/csurf/lib/codesonarj-runtimes/androidAPI23/android-6.0.1_r1.jar
-RUN rm -rf /opt/codesonar-5.4p0/third-party/postgresql-8.3
-RUN rm -rf /opt/codesonar-5.4p0/third-party/postgresql-8.4
-RUN rm -rf /opt/codesonar-5.4p0/third-party/postgresql-9.0
-RUN rm -rf /opt/codesonar-5.4p0/third-party/postgresql-9.1
-RUN rm -rf /opt/codesonar-5.4p0/third-party/postgresql-9.2
-RUN rm -rf /opt/codesonar-5.4p0/third-party/postgresql-9.3
-RUN rm -rf /opt/codesonar-5.4p0/third-party/postgresql-9.6
+RUN rm -rf ${CODESONAR_HOME}/third-party/python/inst/lib/python3.9/site-packages/urllib3* ${CODESONAR_HOME}/third-party/python/instmt/lib/python3.9/site-packages/urllib3*
-RUN rm -rf /opt/codesonar-5.4p0/third-party/python/inst/lib/python2.7/test/*pem /opt/codesonar-5.4p0/third-party/python/instmt/lib/python2.7/test/*pem
-
-RUN rm -rf /opt/codesonar-5.4p0/third-party/python/inst/lib/python2.7/site-packages/urllib3* /opt/codesonar-5.4p0/third-party/python/instmt/lib/python2.7/site-packages/urllib3*
-RUN rm -rf /usr/lib/python3.6/site-packages/urllib3
+#Remove unused certs
+RUN rm -rf /opt/codesonar-6.1p0/third-party/python/inst/lib/python3.9/test
+RUN rm -rf /opt/codesonar-6.1p0/third-party/python/instmt/lib/python3.9/test
+RUN rm /opt/codesonar-6.1p0/third-party/python/inst/lib/python3.9/site-packages/slapdtest/certs/client.key
+RUN rm /opt/codesonar-6.1p0/third-party/python/inst/lib/python3.9/site-packages/slapdtest/certs/server.key
+RUN rm /opt/codesonar-6.1p0/third-party/python/instmt/lib/python3.9/site-packages/slapdtest/certs/client.key
+RUN rm /opt/codesonar-6.1p0/third-party/python/instmt/lib/python3.9/site-packages/slapdtest/certs/server.key
 RUN mkdir /home/codesonar/hub \
@@ -70,11 +74,7 @@ HEALTHCHECK --interval=30s --timeout=30s --start-period=180s --retries=3 CMD /op
 RUN rm /opt/codesonar/UNACCEPTED_LICENSE.txt
 RUN touch /opt/codesonar/TELEMETRY_DISABLED
-# CCE-82155-3
-RUN echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su
-RUN echo "CtrlAltDelBurstAction=none" >> /etc/systemd/system.conf
-#RUN fips-mode-setup --enable
-#RUN update-crypto-policies --set FIPS:OSPP
+
 USER codesonar
diff --git a/README.md b/README.md
index 2fbe557ff8d309db1e08d245a5120b103c576429..6f22199cd37e33b82da3541a53b8d63021032451 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-## CodeSonar 5.4p0
+## CodeSonar 6.1p0
 This is a default image that provides the CodeSonar Hub service. Data volumes can be mounted such that data persists. A license from GrammaTech is required to be
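Review bot: The slapdtest `client.key`/`server.key` files, the `urllib3*` copies and the `python3.9/test` trees that the new `RUN rm` lines delete are still shipped in the image: `COPY` of the tarball and the unchanged `RUN tar -zxvf` each commit their own layer, and a later `rm` only adds a whiteout on top, so anyone who pulls the image can recover every deleted file with `docker save` and untar the earlier layers. The deletions therefore only satisfy tooling that scans the merged rootfs, while the private keys remain in the layer history. Unpacking and pruning in a throw-away stage and copying only `${CODESONAR_HOME}` into the final stage keeps the deleted material out of every layer (the `${BASE_IMAGE}:${BASE_TAG}` expression below is inferred from hardening_manifest.yaml's build args; use whatever the real `FROM` line is). Separately, the six lines under `#Remove unused certs` hardcode `/opt/codesonar-6.1p0` instead of the `${CODESONAR_HOME}` ARG this hunk introduces, so a future version bump that only changes the two ARGs would leave those paths stale: the `rm -rf` lines silently no-op and the plain `rm` lines fail the build.
```dockerfile
# Throw-away stage: unpack and prune here so neither the tarball nor the
# files deleted below survive in any layer of the final image.
FROM ${BASE_IMAGE}:${BASE_TAG} AS unpack
ARG CODESONAR_PACKAGE=codesonar-6.1p0.20210802-x86_64-pc-linux.tar.gz
ARG CODESONAR_HOME=/opt/codesonar-6.1p0
COPY ["${CODESONAR_PACKAGE}", "/opt"]
# Plain rm (no -f) for the keys on purpose: fail the build if the layout
# changes and the keys are no longer where we expect them.
RUN tar -zxf /opt/${CODESONAR_PACKAGE} -C /opt \
    && rm -rf ${CODESONAR_HOME}/third-party/postgresql-8.3 \
              ${CODESONAR_HOME}/third-party/postgresql-8.4 \
              ${CODESONAR_HOME}/third-party/postgresql-9.0 \
              ${CODESONAR_HOME}/third-party/postgresql-9.1 \
              ${CODESONAR_HOME}/third-party/postgresql-9.2 \
              ${CODESONAR_HOME}/third-party/postgresql-9.3 \
              ${CODESONAR_HOME}/third-party/postgresql-9.6 \
              ${CODESONAR_HOME}/csonar-eclipse/com.grammatech.codesonar.jar \
              ${CODESONAR_HOME}/csonar-eclipse/eclipse_tests/CodeSonarTest_1.0.0.jar \
              ${CODESONAR_HOME}/csurf/lib/codesonarj-runtimes/androidAPI23/android-6.0.1_r1.jar \
              ${CODESONAR_HOME}/third-party/python/inst/lib/python3.9/site-packages/urllib3* \
              ${CODESONAR_HOME}/third-party/python/instmt/lib/python3.9/site-packages/urllib3* \
              ${CODESONAR_HOME}/third-party/python/inst/lib/python3.9/test \
              ${CODESONAR_HOME}/third-party/python/instmt/lib/python3.9/test \
    && rm ${CODESONAR_HOME}/third-party/python/inst/lib/python3.9/site-packages/slapdtest/certs/client.key \
          ${CODESONAR_HOME}/third-party/python/inst/lib/python3.9/site-packages/slapdtest/certs/server.key \
          ${CODESONAR_HOME}/third-party/python/instmt/lib/python3.9/site-packages/slapdtest/certs/client.key \
          ${CODESONAR_HOME}/third-party/python/instmt/lib/python3.9/site-packages/slapdtest/certs/server.key

# … unchanged: final-stage FROM, yum update, sesh removal …
ARG CODESONAR_HOME=/opt/codesonar-6.1p0
COPY --from=unpack ${CODESONAR_HOME} ${CODESONAR_HOME}
RUN ln -s ${CODESONAR_HOME} /opt/codesonar
# … unchanged: useradd, hub directory, HEALTHCHECK, USER …
```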
@@ -21,11 +21,6 @@ Suggested use is to run the container using:
 This will put all data in the hub volume and route localhost:8080 to the hub and connect the container to network net such that scanners can connect to it.
-The hub will have default password for the `Administrator account` set to
-`HubSecretPasswd` at creation-time, which can be changed by
-`--build-arg HUB_DEFAULT_PWD=YourOwnSecretPWD` during the container build step.
-Please change the default password after initial hub creation. This is also the
-time to install the run-time license.
 ## Shutdown
 Recommended to shutdown the container through
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index e20d1af4a9536134f01b20a5837f86748308e3c4..0675b55c039fb9474618bc731bc95f56bde20d21 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -8,13 +8,13 @@ name: "grammatech/codesonar/codesonar-hub"
 # The most specific version should be the first tag and will be shown
 # on ironbank.dso.mil
 tags:
-- "1.0.0"
+- "6.1.0"
 - "latest"
 # Build args passed to Dockerfile ARGs
 args:
   BASE_IMAGE: "redhat/ubi/ubi8"
-  BASE_TAG: "8.3"
+  BASE_TAG: "8.4"
 # Docker image labels
 labels:
@@ -23,18 +23,18 @@ labels:
   org.opencontainers.image.licenses: "GrammaTech Commercial License"
   org.opencontainers.image.url: "http://support.grammatech.com/"
   org.opencontainers.image.vendor: "GrammaTech"
-  org.opencontainers.image.version: "5.4"
+  org.opencontainers.image.version: "6.1"
   mil.dso.ironbank.image.keywords: "GrammaTech, CodeSonar, SAST, CI/CD"
   mil.dso.ironbank.image.type: "commercial"
   mil.dso.ironbank.product.name: "CodeSonar"
 # List of resources to make available to the offline build context
 resources:
-  - url: "https://download.grammatech.com/diracc2011/codesonar-5.4/codesonar-5.4p0.20200911-x86_64-pc-linux.tar.gz"
-    filename: "codesonar-5.4p0.20200911-x86_64-pc-linux.tar.gz" # [required field] desired staging name for the build context
+  - url: "https://download.grammatech.com/diracc2011/codesonar-6.1/codesonar-6.1p0.20210802-x86_64-pc-linux.tar.gz"
+    filename: "codesonar-6.1p0.20210802-x86_64-pc-linux.tar.gz" # [required field] desired staging name for the build context
     validation:
       type: "sha256" # supported: sha256, sha512
-      value: "1d0d47a2a5cde4e88d04397bcdb107188b6e999b3a2ccde5b4dddb05677b83be" # must be lowercase
+      value: "c6fe558a91b460a7ed3377a23bf98ce12f2c1c72b1519835859ceefbb295ffc8" # must be lowercase
     auth:
       type: basic
       id: grammatech