Upgrade to Heimdall 2.4.8, container cleanup

The latest upstream version of Heimdall removes all of the build dependencies from the production container. This should significantly reduce the findings on this container. Additionally, this fixes an issue where the Ironbank version of the container would not start properly due to NPM creating a folder at `/home/node/.config` which was owned by root which was causing errors when running as the Heimdall user. Instead of using the Heimdall user, this container is now using the node user that comes with it.

Upgrade to Heimdall 2.4.8, container cleanup
The latest upstream version of Heimdall removes all of the build dependencies from the production container. This should significantly reduce the findings on this container. Additionally, this fixes an issue where the Ironbank version of the container would not start properly due to NPM creating a folder at `/home/node/.config` which was owned by root which was causing errors when running as the Heimdall user. Instead of using the Heimdall user, this container is now using the node user that comes with it.
a5f47e78 · Robert Clark · 89a1487e · a5f47e78 · a5f47e78
Unverified Commit a5f47e78 authored Jun 01, 2021 by Robert Clark
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 14 deletions

Dockerfile Dockerfile +6 -10

hardening_manifest.yaml hardening_manifest.yaml +4 -4

No files found.
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dso.mil
 ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs14
 ARG BASE_TAG=14.17.0

-FROM mitre/heimdall2:version-2.4.7 AS source
+FROM mitre/heimdall2:2.4.8 AS source

 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}

@@ -12,14 +12,7 @@ WORKDIR /

 USER root

-RUN npm install -g yarn.tar.gz --force
-
-RUN groupadd -g 1002 heimdall && \
-  useradd -r -u 1002 -m -s /sbin/nologin -g heimdall heimdall && \
-  mkdir -p /heimdall/logs && \
-  mkdir -p /heimdall/file && \
-  mkdir -p /heimdall/config && \
-  chown -R heimdall:heimdall /heimdall
+RUN NO_UPDATE_NOTIFIER=true npm install -g yarn.tar.gz --force

 WORKDIR /heimdall

@@ -27,7 +20,10 @@ COPY --from=source /app .

 COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh

-USER heimdall
+# Not necessary for normal operation and the trigger scan warnings on IronBank.
+RUN rm -rf /heimdall/apps/backend/node_modules/webfinger/test
+
+USER node

 HEALTHCHECK --interval=5m --timeout=30s --start-period=1m --retries=3 \
  CMD curl -f http://locahost:3000/server || exit 1

--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -8,7 +8,7 @@ name: "mitre/saf/heimdall2"
 # The most specific version should be the first tag and will be shown
 # on ironbank.dso.mil
 tags:
- "2.4.7"
+- "2.4.8"
 - "latest"

 # Build args passed to Dockerfile ARGs
@@ -29,7 +29,7 @@ labels:
  # Name of the distributing entity, organization or individual
  org.opencontainers.image.vendor: "MITRE"
  # Authoritative version of the software
-  org.opencontainers.image.version: "2.4.7"
+  org.opencontainers.image.version: "2.4.8"
  # Keywords to help with search (ex. "cicd,gitops,golang")
  mil.dso.ironbank.image.keywords: "saf"
  # This value can be "opensource" or "commercial"
@@ -47,8 +47,8 @@ resources:
      value: 7e433d4a77e2c79e6a7ae4866782608a8e8bcad3ec6783580577c59538381a6e

  # This is the official upstream docker image of Heimdall2
-  - tag: mitre/heimdall2:version-2.4.7
-    url: docker://docker.io/mitre/heimdall2@sha256:c02dfe81c286fb16142e92912c0ae0d67c22748304d591b893361c48c549107a
+  - tag: mitre/heimdall2:2.4.8
+    url: docker://docker.io/mitre/heimdall2@sha256:fe28f450161935947b219d81aa04cd1cdb1aac02b139f6e139d085a7dee6ef2c

 # List of project maintainers
 maintainers: