From a5f47e780216d56bbcc66f497c7da82f3f409121 Mon Sep 17 00:00:00 2001
From: Robert Clark
Date: Tue, 1 Jun 2021 17:41:36 -0400
Subject: [PATCH] Upgrade to Heimdall 2.4.8, container cleanup

The latest upstream version of Heimdall removes all of the build dependencies from the production container. This should significantly reduce the findings on this container. Additionally, this fixes an issue where the Ironbank version of the container would not start properly due to NPM creating a folder at `/home/node/.config` which was owned by root which was causing errors when running as the Heimdall user. Instead of using the Heimdall user, this container is now using the node user that comes with it.
---
Dockerfile | 16 ++++++----------
hardening_manifest.yaml | 8 ++++----
2 files changed, 10 insertions(+), 14 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 1b4b792..452580e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dso.mil
 ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs14
 ARG BASE_TAG=14.17.0
 
-FROM mitre/heimdall2:version-2.4.7 AS source
+FROM mitre/heimdall2:2.4.8 AS source
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 
@@ -12,14 +12,7 @@ WORKDIR /
 
 USER root
 
-RUN npm install -g yarn.tar.gz --force
-
-RUN groupadd -g 1002 heimdall && \
-    useradd -r -u 1002 -m -s /sbin/nologin -g heimdall heimdall && \
-    mkdir -p /heimdall/logs && \
-    mkdir -p /heimdall/file && \
-    mkdir -p /heimdall/config && \
-    chown -R heimdall:heimdall /heimdall
+RUN NO_UPDATE_NOTIFIER=true npm install -g yarn.tar.gz --force
 
 WORKDIR /heimdall
 
@@ -27,7 +20,10 @@ COPY --from=source /app .
 
 COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 
-USER heimdall
+# Not necessary for normal operation and the trigger scan warnings on IronBank.
+RUN rm -rf /heimdall/apps/backend/node_modules/webfinger/test
+
+USER node
 
 HEALTHCHECK --interval=5m --timeout=30s --start-period=1m --retries=3 \
   CMD curl -f http://locahost:3000/server || exit 1
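Review bot: The removed `RUN groupadd … chown -R heimdall:heimdall /heimdall` block was also what created `/heimdall/logs`, `/heimdall/file` and `/heimdall/config` and handed `/heimdall` to the runtime user, and nothing on the new side of this hunk recreates them for `node`; the later `COPY --from=source /app .` (visible here only as the third hunk's header context) carries no `--chown`, so `/heimdall` stays root-owned when the image drops to `USER node`. If the entrypoint or the application writes under any of those paths at runtime (the entrypoint script is not in this diff, so I can't confirm), that write will fail with a permission error in exactly the way the commit message describes for `/home/node/.config`. Consider `COPY --chown=node:node --from=source /app .`, or restoring `RUN mkdir -p /heimdall/logs /heimdall/file /heimdall/config && chown -R node:node /heimdall` before `USER node`. Separately, `npm install -g yarn.tar.gz --force` installs from a tarball whose origin is not shown in this diff; if it is fetched at build time rather than vendored with a checksum in `hardening_manifest.yaml`, it should be pinned and verified, and `--force` hides any integrity or peer-dependency complaint npm would otherwise raise.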
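Review bot: The `HEALTHCHECK` retained as context at the end of this hunk probes `http://locahost:3000/server`; `locahost` is a typo for `localhost`, so curl fails name resolution on every probe and the container is reported unhealthy after the retries regardless of the application's state — `CMD curl -f http://localhost:3000/server || exit 1`. This predates the commit, but the hunk edits the lines directly above it, so it is cheap to fix here. The new comment reads `the trigger scan warnings`; suggest `# Not needed at runtime; its contents trigger scan warnings on IronBank.` Note also that `rm -rf` in a later layer removes the directory from the final filesystem but not from the earlier `COPY --from=source` layer, so a scanner that inspects layers individually may still report it; if that turns out to matter, delete it inside the `source` stage before the copy instead.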
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 2455616..7df996a 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -8,7 +8,7 @@ name: "mitre/saf/heimdall2"
 # The most specific version should be the first tag and will be shown
 # on ironbank.dso.mil
 tags:
-- "2.4.7"
+- "2.4.8"
 - "latest"
 
 # Build args passed to Dockerfile ARGs
@@ -29,7 +29,7 @@ labels:
   # Name of the distributing entity, organization or individual
   org.opencontainers.image.vendor: "MITRE"
   # Authoritative version of the software
-  org.opencontainers.image.version: "2.4.7"
+  org.opencontainers.image.version: "2.4.8"
   # Keywords to help with search (ex. "cicd,gitops,golang")
   mil.dso.ironbank.image.keywords: "saf"
   # This value can be "opensource" or "commercial"
@@ -47,8 +47,8 @@ resources:
       value: 7e433d4a77e2c79e6a7ae4866782608a8e8bcad3ec6783580577c59538381a6e
 
   # This is the official upstream docker image of Heimdall2
-  - tag: mitre/heimdall2:version-2.4.7
-    url: docker://docker.io/mitre/heimdall2@sha256:c02dfe81c286fb16142e92912c0ae0d67c22748304d591b893361c48c549107a
+  - tag: mitre/heimdall2:2.4.8
+    url: docker://docker.io/mitre/heimdall2@sha256:fe28f450161935947b219d81aa04cd1cdb1aac02b139f6e139d085a7dee6ef2c
 
 # List of project maintainers
 maintainers: