JFrog Artifactory Status
Hi Mark,
Quick couple of things:
- The note you have here about the license is great: https://dccscr.dsop.io/dsop/jfrog/artifactory/artifactory/blob/master/6.12.0/LICENSE. Please also attach a copy of that LICENSE/EULA here.
- Scan reports are in. You can find them here: https://dcar.dsop.io/repomap/jfrog/artifactory/artifactory. I have also attached them to this email.
As a reminder regarding dealing with findings:
- Your image should remediate ALL FINDINGS POSSIBLE, even those found in the base image layers, but the whitelist is there for a reason - there is only so much you can do. That list can be found here: https://dcar.dsop.io/repomap/redhat/ubi/ubi7. I have also attached it.
- The real justifications should flesh out the reason that this finding should be ignored, or why it isn't actually a finding. I have attached an example of this for the gitaly container.
- BEFORE SENDING the Justification e-mail, it is expected that your container image comply with ALL checklist items - artifactory is nearly there, just add the LICENSE/EULA.
- Example email to be sent to Nic Chaillan:
To: XXXXXXXX@mail.mil
CC: XXXXXXX@.mil, XXXXXXXX@redhat.com (so that we may implement the approval in the pipeline code - please add other Red Hat contacts you may have been working with thus far)
From: gitlab maintainers
Subject: Gitaly Container Findings
Body:
Mr. Chaillan,
Please see attached. There were four (4) findings on this container once its parent (UBI8) whitelist was subtracted.
Thanks,
GitLab
Attachment: XLS spreadsheet of ALL findings (found on the DCAR repomap after each scan, example is included - see "JUSTIFICATION" columns)
Feel free to reach out to us with any questions. Thanks again, Mark!
-Humbe
Hi @mark.a.galpin, we're moving our discussions from email to DCCSCR issues, so I'm bringing our discussion here. I know it's been about 1 month since we last spoke, so I just wanted to make sure everything was good on your end. Last time we communicated, the last step in the process was your justifications/fixes for the vulnerabilities that came up. Just following up and seeing what progress has been made. If you haven't submitted the findings, we will want to run artifactory through the pipeline again. Feel free to reach out, thanks!
Cc: @taylor