From 425412bb7065af2a58e4ee3c33385d7f6184a909 Mon Sep 17 00:00:00 2001 From: "sean.melissari" Date: Tue, 23 Jun 2020 15:16:44 +0000 Subject: [PATCH 01/13] initial commit --- Dockerfile | 47 ++++++++++++ Jenkinsfile | 2 + LICENSE | 202 ++++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 17 ++++- download.yaml | 8 ++ renovate.json | 22 ++++++ 6 files changed, 297 insertions(+), 1 deletion(-) create mode 100644 Dockerfile create mode 100644 Jenkinsfile create mode 100644 LICENSE create mode 100644 download.yaml create mode 100644 renovate.json diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..af1b9aa --- /dev/null +++ b/Dockerfile 
@@ -0,0 +1,47 @@
+ARG BASE_REGISTRY=nexus-docker-secure.levelup-dev.io
+ARG BASE_IMAGE=ubi8
+ARG BASE_TAG=8.2
+
+FROM quay.io/coreos/clair:v2.1.4 as base
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as build
+
+COPY musl.tar.gz /
+
+RUN dnf install -y gcc make && \
+ mkdir -p /usr/local/src/musl && \
+ tar -zxf /musl.tar.gz -C /usr/local/src/musl --strip-components=1 && \
+ cd /usr/local/src/musl && \
+ ./configure && \
+ make && \
+ make install
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+LABEL org.opencontainers.image.title="clair" \
+ org.opencontainers.image.description="Clair is an open source project for the static analysis of vulnerabilities in application containers." \
+ org.opencontainers.image.licenses="Apache-2.0" \
+ org.opencontainers.image.url="https://github.com/quay/clair" \
+ org.opencontainers.image.version="v2.1.4" \
+ maintainer="cht@dsop.io"
+
+RUN groupadd -g 1000 clair && \
+ useradd -r -u 1000 -m -s /sbin/nologin -g clair clair && \
+ mkdir /etc/clair && \
+ dnf upgrade -y && \
+ dnf install -y git xz && \
+ dnf clean all && \
+ rm -rf /var/cache/dnf
+
+COPY --from=base /clair /clair
+COPY --from=base /usr/bin/dumb-init /usr/bin/dumb-init
+COPY --from=build /usr/local/musl/lib/libc.so /usr/local/musl/lib/libc.so
+COPY --from=build /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
+
+USER clair
+VOLUME /config
+EXPOSE 6060 6061
+
+HEALTHCHECK CMD curl -fs http://127.0.0.1:6061/health || curl -fsk https://127.0.0.1:6061/health || exit 1
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--", "/clair"]
diff --git a/Jenkinsfile b/Jenkinsfile
new file mode 100644
index 0000000..02ef666
--- /dev/null
+++ b/Jenkinsfile
@@ -0,0 +1,2 @@
+@Library('DCCSCR@master') _
+dccscrPipeline(version: "v2.1.4")
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..e06d208
--- /dev/null
+++ b/LICENSE
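Review bot: The HEALTHCHECK's fallback `curl -fsk https://127.0.0.1:6061/health` disables certificate verification; against loopback this is low risk, but it deserves a comment so the flag is not copied to a non-local URL, e.g. `# -k: the TLS health port may use a self-signed cert; loopback only`. The probe also assumes curl exists in the final stage, which holds for the ubi8 default but not for a minimal base image, so the HEALTHCHECK would silently fail if BASE_IMAGE is changed. The first stage pulls `quay.io/coreos/clair:v2.1.4` by mutable tag while download.yaml in this same patch pins that image by digest; unless the pipeline retags the pinned image, a digest reference (`FROM quay.io/coreos/clair@sha256:<digest from download.yaml> as base`) would make the build reproducible.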
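Review bot: `@Library('DCCSCR@master') _` loads the shared pipeline library from a moving branch, so the steps that build and publish this image can change without any commit to this repository. If the library is tagged, pin it (`@Library('DCCSCR@<tag-or-commit>') _`) and bump it deliberately; if the organisation mandates tracking master, a one-line comment saying so would stop reviewers re-raising it.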
@@ -0,0 +1,202 @@ +Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + diff --git a/README.md b/README.md index 5a016b4..83489cb 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,17 @@ -# clair +# Clair +![Clair Logo](https://cloud.githubusercontent.com/assets/343539/21630811/c5081e5c-d202-11e6-92eb-919d5999c77a.png) + +Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including appc and docker). + +1. In regular intervals, Clair ingests vulnerability metadata from a configured set of sources and stores it in the database. +2. Clients use the Clair API to index their container images; this creates a list of _features_ present in the image and stores them in the database. +3. Clients use the Clair API to query the database for vulnerabilities of a particular image; correlating vulnerabilities and features is done for each request, avoiding the need to rescan images. +4. When updates to vulnerability metadata occur, a notification can be sent to alert systems that a change has occurred. + +Our goal is to enable a more transparent view of the security of container-based infrastructure. +Thus, the project was named `Clair` after the French term which translates to *clear*, *bright*, *transparent*. + +## Documentation + +To learn more about Clair [go to the complete documentation](https://coreos.com/clair/docs/latest/). diff --git a/download.yaml b/download.yaml new file mode 100644 index 0000000..7a33a7d --- /dev/null +++ b/download.yaml @@ -0,0 +1,8 @@ +resources: + - url: "docker://quay.io/coreos/clair@sha256:bd6d3c5102082e3c149716d14689a531c713811f03500a80c968d09cbc82c9a3" + tag: "quay.io/coreos/clair:v2.1.4" + - url: "https://musl.libc.org/releases/musl-1.2.0.tar.gz" + filename: musl.tar.gz + validation: + type: sha256 + value: c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8 diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..dbda446 --- /dev/null +++ b/renovate.json 
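Review bot: `value: c6de7b19…` is an unquoted plain scalar while the sibling `url` and `tag` fields are quoted; this particular digest contains letters and stays a string, but a future hash that happens to be all decimal digits would be retyped as an integer by YAML 1.1 loaders and the sha256 check would then compare the wrong value. Quote it as `value: "c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8"`. Pinning the clair image by digest and the musl tarball by sha256 is the right shape for an offline build context.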
@@ -0,0 +1,22 @@ +{ + "assignees": ["@sean.melissari"], + "baseBranches": ["development"], + "regexManagers": [ + { + "fileMatch": ["^Dockerfile$"], + "matchStrings": [ + "version=\"(?.*?)\"" + ], + "depNameTemplate": "quay.io/coreos/clair", + "datasourceTemplate": "docker" + }, + { + "fileMatch": ["^Jenkinsfile$"], + "matchStrings": [ + "version:\\s+\"(?.*?)\"" + ], + "depNameTemplate": "quay.io/coreos/clair", + "datasourceTemplate": "docker" + } + ] +} -- GitLab From 5cb5e358e06e2a1e254b8b1d4a017d1d083c1b74 Mon Sep 17 00:00:00 2001 From: Sean Melissari Date: Wed, 24 Jun 2020 10:21:29 -0400 Subject: [PATCH 02/13] remove docs --- Dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index af1b9aa..2156697 100644 --- a/Dockerfile +++ b/Dockerfile @@ -29,9 +29,10 @@ RUN groupadd -g 1000 clair && \ useradd -r -u 1000 -m -s /sbin/nologin -g clair clair && \ mkdir /etc/clair && \ dnf upgrade -y && \ - dnf install -y git xz && \ + dnf install --nodocs -y git xz && \ dnf clean all && \ - rm -rf /var/cache/dnf + rm -rf /var/cache/dnf && \ + chmod -s /usr/libexec/openssh/ssh-keysign COPY --from=base /clair /clair COPY --from=base /usr/bin/dumb-init /usr/bin/dumb-init -- GitLab From 3a4b020e8dc6a4f9a92ee0885bf81b1505f082f1 Mon Sep 17 00:00:00 2001 From: renovate Date: Sat, 10 Oct 2020 00:02:25 +0000 Subject: [PATCH 03/13] Update quay.io/coreos/clair Docker tag to v2.1.6 --- Dockerfile | 4 ++-- Jenkinsfile | 2 +- download.yaml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2156697..a57f51b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ ARG BASE_REGISTRY=nexus-docker-secure.levelup-dev.io ARG BASE_IMAGE=ubi8 ARG BASE_TAG=8.2 -FROM quay.io/coreos/clair:v2.1.4 as base +FROM quay.io/coreos/clair:v2.1.6 as base FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as build 
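Review bot: Both `matchStrings` entries contain `(?.*?)`, a group with no name, which is not a valid regex and gives Renovate no `currentValue` capture; the intended form is `"version=\"(?<currentValue>.*?)\""` and likewise for the Jenkinsfile pattern. This may be how the patch was rendered rather than what was committed, so verify against the file itself. Note also that the Dockerfile pattern only matches the LABEL line; the `FROM quay.io/coreos/clair:v2.1.4 as base` line is left to Renovate's built-in Dockerfile manager, which appears to be what updated it in patch 03.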
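Review bot: `chmod -s /usr/libexec/openssh/ssh-keysign` clears one hard-coded setuid binary, so the build breaks if that path is absent from a future base image and any other setuid/setgid file in the image is left untouched. A sweep after `dnf clean all`, such as `find / -xdev -perm /6000 -type f -exec chmod a-s {} +`, covers every such file regardless of base image contents; at minimum add a comment naming the scan finding this line addresses. The RUN instruction being extended starts before the hunk.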
@@ -22,7 +22,7 @@ LABEL org.opencontainers.image.title="clair" \ org.opencontainers.image.description="Clair is an open source project for the static analysis of vulnerabilities in application containers." \ org.opencontainers.image.licenses="Apache-2.0" \ org.opencontainers.image.url="https://github.com/quay/clair" \ - org.opencontainers.image.version="v2.1.4" \ + org.opencontainers.image.version="v2.1.6" \ maintainer="cht@dsop.io" RUN groupadd -g 1000 clair && \ diff --git a/Jenkinsfile b/Jenkinsfile index 02ef666..ab26f17 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,2 +1,2 @@ @Library('DCCSCR@master') _ -dccscrPipeline(version: "v2.1.4") +dccscrPipeline(version: "v2.1.6") diff --git a/download.yaml b/download.yaml index 7a33a7d..68ff41c 100644 --- a/download.yaml +++ b/download.yaml @@ -1,6 +1,6 @@ resources: - - url: "docker://quay.io/coreos/clair@sha256:bd6d3c5102082e3c149716d14689a531c713811f03500a80c968d09cbc82c9a3" - tag: "quay.io/coreos/clair:v2.1.4" + - url: "docker://quay.io/coreos/clair@sha256:ac7ea2811ac7f21a140b048c9b02bd9854b881b62dca0a4f7bfc7220db399710" + tag: "quay.io/coreos/clair:v2.1.6" - url: "https://musl.libc.org/releases/musl-1.2.0.tar.gz" filename: musl.tar.gz validation: -- GitLab From b6289d8d3b91299d5efb9a76b68a2b7ea46e9d74 Mon Sep 17 00:00:00 2001 
From: jeason Date: Wed, 14 Oct 2020 14:38:33 -0600 Subject: [PATCH 04/13] Project template: file templates --- .gitlab/CODEOWNERS | 6 +++ .gitlab/issue_templates/Access Request.md | 16 ++++++++ .../issue_templates/Application - Archive.md | 21 +++++++++++ .../issue_templates/Application - Initial.md | 32 ++++++++++++++++ .../issue_templates/Application - Update.md | 35 ++++++++++++++++++ .gitlab/issue_templates/Bug.md | 37 +++++++++++++++++++ .gitlab/issue_templates/Feature Request.md | 32 ++++++++++++++++ .../issue_templates/Leadership Question.md | 7 ++++ .gitlab/issue_templates/New Findings.md | 20 ++++++++++ .../issue_templates/Onboarding Question.md | 7 ++++ .gitlab/issue_templates/Pipeline Failure.md | 31 ++++++++++++++++ 11 files changed, 244 insertions(+) create mode 100644 .gitlab/CODEOWNERS create mode 100644 .gitlab/issue_templates/Access Request.md create mode 100644 .gitlab/issue_templates/Application - Archive.md create mode 100644 .gitlab/issue_templates/Application - Initial.md create mode 100644 .gitlab/issue_templates/Application - Update.md create mode 100644 .gitlab/issue_templates/Bug.md create mode 100644 .gitlab/issue_templates/Feature Request.md create mode 100644 .gitlab/issue_templates/Leadership Question.md create mode 100644 .gitlab/issue_templates/New Findings.md create mode 100644 .gitlab/issue_templates/Onboarding Question.md create mode 100644 .gitlab/issue_templates/Pipeline Failure.md diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS new file mode 100644 index 0000000..64a2c68 --- /dev/null +++ b/.gitlab/CODEOWNERS @@ -0,0 +1,6 @@ +[Pipelines] +.gitlab-ci.yml @ironbank-notifications/cht +.gitlab-ci.yaml @ironbank-notifications/cht + +[Gitlab Configuration Files] +.gitlab/* @ironbank-notifications/cht diff --git a/.gitlab/issue_templates/Access Request.md b/.gitlab/issue_templates/Access Request.md new file mode 100644 index 0000000..1a7b224 --- /dev/null +++ b/.gitlab/issue_templates/Access Request.md 
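Review bot: The CODEOWNERS sections cover `.gitlab-ci.yml`, `.gitlab-ci.yaml` and `.gitlab/*` but not `Dockerfile`, `download.yaml` or `renovate.json`, which are the files that decide what is built and from where. If the intent is to require review on changes to the build inputs, add a section such as `[Build Inputs]` with `Dockerfile @ironbank-notifications/cht` and `download.yaml @ironbank-notifications/cht`. If this file is a project-wide template applied unchanged, that gap may be deliberate and worth a comment line saying so.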
@@ -0,0 +1,16 @@ +## Summary + +The following individuals are requesting access to this project (one per line): +(List or tag all individuals here) + + +The access level should be: +- [ ] Developer access +- [ ] Remove access + + +## Definition of Done +- [ ] All accounts have been provided the necessary accesses + + +/label ~"Access" ~"To Do" \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Archive.md b/.gitlab/issue_templates/Application - Archive.md new file mode 100644 index 0000000..9f3b5fe --- /dev/null +++ b/.gitlab/issue_templates/Application - Archive.md @@ -0,0 +1,21 @@ +## Summary + +Requesting this application be archived due to one of the following reasons: +- [ ] Version is no longer supported by vendor +- [ ] Application is End-Of-Life +- [ ] License violation. +- [ ] Other. See below. + +## Detailed Description + +(Please provide a detailed description of why this application should be archived) + + +## Definition of Done +- [ ] Application has been reviewed for archival +- [ ] Project is officially marked as stale +- [ ] Iron Bank frontend no longer lists application as available or approved + + +/label ~"Container::Archive" +/cc @ironbank-notifications/archive \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Initial.md b/.gitlab/issue_templates/Application - Initial.md new file mode 100644 index 0000000..6594a05 --- /dev/null +++ b/.gitlab/issue_templates/Application - Initial.md 
@@ -0,0 +1,32 @@ +## Summary + +Requesting application to be hardened. This is only for initial hardening of a container. + + +## Version Information + +Current version: (State the current version of the application as you see it) + +Under support: (Is the updated version within the same major version of the application or is this a new major version?) + + +## Definition of Done +Hardening: +- [ ] Container builds successfully +- [ ] Greylist file has been created (requires a member from container hardening) +- [ ] Branch has been merged into `development` + +Justifications: +- [ ] All findings have been justified per the above documentation +- [ ] Justifications have been provided to the container hardening team + +Approval Process (container hardening team processes): +- [ ] Peer review from Container Hardening Team +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::Initial" +/cc @ironbank-notifications/cht \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Update.md b/.gitlab/issue_templates/Application - Update.md new file mode 100644 index 0000000..caebb3e --- /dev/null +++ b/.gitlab/issue_templates/Application - Update.md 
@@ -0,0 +1,35 @@ +## Summary + +Requesting application be updated to a newer version. + + + +## Version Information + +Current version: (State the current version of the application as you see it) + +Updated version: (State the version you would like the application updated to) + +Under support: (Is the updated version within the same major version of the application or is this a new major version?) + + +## Definition of Done +Hardening: +- [ ] Container builds successfully +- [ ] Container version has been updated in greylist file +- [ ] Branch has been merged into `development` + +Justifications: +- [ ] All findings have been justified per the above documentation +- [ ] Justifications have been provided to the container hardening team + +Approval Process: +- [ ] Peer review from Container Hardening Team +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::Update" +/cc @ironbank-notifications/updates \ No newline at end of file diff --git a/.gitlab/issue_templates/Bug.md b/.gitlab/issue_templates/Bug.md new file mode 100644 index 0000000..1427a0c --- /dev/null +++ b/.gitlab/issue_templates/Bug.md 
@@ -0,0 +1,37 @@ +## Summary + +(Summarize the bug encountered concisely) + + +## Steps to reproduce + +(How one can reproduce the issue - this is very important) + + +## What is the current bug behavior? + +(What actually happens) + + +## What is the expected correct behavior? + +(What you should see instead) + + +## Relevant logs and/or screenshots + +(Paste any relevant logs - please use code blocks (```) to format console output, +logs, and code as it's very hard to read otherwise.) + + +## Possible fixes + +(If you can, link to the line of code that might be responsible for the problem) + + +## Defintion of Done +- [ ] Bug has been identified and corrected within the container + + +/label ~Bug +/cc @ironbank-notifications/bug \ No newline at end of file diff --git a/.gitlab/issue_templates/Feature Request.md b/.gitlab/issue_templates/Feature Request.md new file mode 100644 index 0000000..a0e2f19 --- /dev/null +++ b/.gitlab/issue_templates/Feature Request.md @@ -0,0 +1,32 @@ +## Feature description + +(Detailed description of the feature being requested) + + +## Use cases + + +(Detailed description of the use case for this feature) + + +## Benefits + +(How does this benefit others) + + +## Requirements + +(Any requirements for this feature to be enabled?) + + +## Links / references + +(List of links or references that support this feature) + + +## Definition of Done +- [ ] Feature has been implemented + + +/label ~Feature +/cc @ironbank-notifications/feature \ No newline at end of file diff --git a/.gitlab/issue_templates/Leadership Question.md b/.gitlab/issue_templates/Leadership Question.md new file mode 100644 index 0000000..4674f82 --- /dev/null +++ b/.gitlab/issue_templates/Leadership Question.md @@ -0,0 +1,7 @@ +## Leadership question + +(Detailed description of the question you'd like to ask the leadership team) + + +/label ~"Question::Leadership" ~"To Do" +/cc @ironbank-notifications/leadership \ No newline at end of file 
diff --git a/.gitlab/issue_templates/New Findings.md b/.gitlab/issue_templates/New Findings.md new file mode 100644 index 0000000..068d029 --- /dev/null +++ b/.gitlab/issue_templates/New Findings.md @@ -0,0 +1,20 @@ +## Summary + +Container has new findings discovered during continuous monitoring. + + + +## Definition of Done +Justifications: +- [ ] All findings have been justified +- [ ] Justifications have been provided to the container hardening team + +Approval Process: +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::New Findings" +/cc @ironbank-notifications/security \ No newline at end of file diff --git a/.gitlab/issue_templates/Onboarding Question.md b/.gitlab/issue_templates/Onboarding Question.md new file mode 100644 index 0000000..77dea11 --- /dev/null +++ b/.gitlab/issue_templates/Onboarding Question.md @@ -0,0 +1,7 @@ +## Onboarding question + +(Detailed description of the question you'd like to ask the onboarding team) + + +/label ~"Question::Onboarding" ~"To Do" +/cc @ironbank-notifications/onboarding \ No newline at end of file diff --git a/.gitlab/issue_templates/Pipeline Failure.md b/.gitlab/issue_templates/Pipeline Failure.md new file mode 100644 index 0000000..28b82a9 --- /dev/null +++ b/.gitlab/issue_templates/Pipeline Failure.md 
@@ -0,0 +1,31 @@ +## Summary + +(Summarize the pipeline issue encountered concisely) + + +## Link to failed pipeline + +(Link to the failed pipeline) + + +## What is the current bug behavior? + +(What actually happens) + + +## What is the expected correct behavior? + +(What you should see instead) + + +## Possible fixes + +(If you can, link to the line of code that might be responsible for the problem) + + +## Definition of Done +- [ ] Pipeline failure has been resolved + + +/label ~Pipeline +/cc @ironbank-notifications/pipelines \ No newline at end of file -- GitLab From 38386a71ac521ef90c5c7aaf8be6a8ebd5bae59e Mon Sep 17 00:00:00 2001 From: ironbank-bot Date: Thu, 10 Dec 2020 01:12:15 +0000 Subject: [PATCH 05/13] Migrate to hardening_manifest.yaml --- Dockerfile | 6 ----- Jenkinsfile | 2 -- download.yaml | 8 ------ hardening_manifest.yaml | 60 +++++++++++++++++++++++++++++++++++++++++ renovate.json | 30 ++++++++++++++++----- 5 files changed, 84 insertions(+), 22 deletions(-) delete mode 100644 Jenkinsfile delete mode 100644 download.yaml create mode 100644 hardening_manifest.yaml diff --git a/Dockerfile b/Dockerfile index a57f51b..eb7644f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -18,12 +18,6 @@ RUN dnf install -y gcc make && \ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} -LABEL org.opencontainers.image.title="clair" \ - org.opencontainers.image.description="Clair is an open source project for the static analysis of vulnerabilities in application containers." \ - org.opencontainers.image.licenses="Apache-2.0" \ - org.opencontainers.image.url="https://github.com/quay/clair" \ - org.opencontainers.image.version="v2.1.6" \ - maintainer="cht@dsop.io" RUN groupadd -g 1000 clair && \ useradd -r -u 1000 -m -s /sbin/nologin -g clair clair && \ diff --git a/Jenkinsfile b/Jenkinsfile deleted file mode 100644 index ab26f17..0000000 --- a/Jenkinsfile +++ /dev/null @@ -1,2 +0,0 @@ -@Library('DCCSCR@master') _ -dccscrPipeline(version: "v2.1.6") 
diff --git a/download.yaml b/download.yaml deleted file mode 100644 index 68ff41c..0000000 --- a/download.yaml +++ /dev/null @@ -1,8 +0,0 @@ -resources: - - url: "docker://quay.io/coreos/clair@sha256:ac7ea2811ac7f21a140b048c9b02bd9854b881b62dca0a4f7bfc7220db399710" - tag: "quay.io/coreos/clair:v2.1.6" - - url: "https://musl.libc.org/releases/musl-1.2.0.tar.gz" - filename: musl.tar.gz - validation: - type: sha256 - value: c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8 diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml new file mode 100644 index 0000000..08eb49f --- /dev/null +++ b/hardening_manifest.yaml 
@@ -0,0 +1,60 @@ +--- +apiVersion: v1 + +# The repository name in registry1, excluding /ironbank/ +name: "opensource/quay/clair" + +# List of tags to push for the repository in registry1 +# The most specific version should be the first tag and will be shown +# on ironbank.dsop.io +tags: +- "v2.1.6" +- "latest" + +# Build args passed to Dockerfile ARGs +args: + BASE_IMAGE: "redhat/ubi/ubi8" + BASE_TAG: "8.3" + +# Docker image labels +labels: + org.opencontainers.image.title: "clair" + ## Human-readable description of the software packaged in the image + # org.opencontainers.image.description: "FIXME" + ## License(s) under which contained software is distributed + # org.opencontainers.image.licenses: "FIXME" + ## URL to find more information on the image + # org.opencontainers.image.url: "FIXME" + ## Name of the distributing entity, organization or individual + # org.opencontainers.image.vendor: "FIXME" + org.opencontainers.image.version: "v2.1.6" + ## Keywords to help with search (ex. "cicd,gitops,golang") + # mil.dso.ironbank.image.keywords: "FIXME" + ## This value can be "opensource" or "commercial" + # mil.dso.ironbank.image.type: "FIXME" + ## Product the image belongs to for grouping multiple images + # mil.dso.ironbank.product.name: "FIXME" + +# List of resources to make available to the offline build context +resources: +- tag: quay.io/coreos/clair:v2.1.6 + url: docker://quay.io/coreos/clair@sha256:ac7ea2811ac7f21a140b048c9b02bd9854b881b62dca0a4f7bfc7220db399710 +- filename: musl.tar.gz + url: https://musl.libc.org/releases/musl-1.2.0.tar.gz + validation: + type: sha256 + value: c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8 + +# List of project maintainers +# FIXME: Fill in the following details for the current container owner in the whitelist +# FIXME: Include any other vendor information if applicable +maintainers: +- email: "melissari_sean@bah.com" +# # The name of the current container owner +# name: "FIXME" +# # The gitlab username of 
the current container owner +# username: "FIXME" +# cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT +# - name: "FIXME" +# username: "FIXME" +# email: "FIXME" diff --git a/renovate.json b/renovate.json index dbda446..48644b5 100644 --- a/renovate.json +++ b/renovate.json @@ -1,9 +1,15 @@ { - "assignees": ["@sean.melissari"], - "baseBranches": ["development"], + "assignees": [ + "@sean.melissari" + ], + "baseBranches": [ + "development" + ], "regexManagers": [ { - "fileMatch": ["^Dockerfile$"], + "fileMatch": [ + "^Dockerfile$" + ], "matchStrings": [ "version=\"(?.*?)\"" ], @@ -11,12 +17,24 @@ "datasourceTemplate": "docker" }, { - "fileMatch": ["^Jenkinsfile$"], + "fileMatch": [ + "^hardening_manifest.yaml$" + ], + "matchStrings": [ + "org\\.opencontainers\\.image\\.version:\\s+\"(?.+?)\"" + ], + "depNameTemplate": "quay.io/coreos/clair", + "datasourceTemplate": "docker" + }, + { + "fileMatch": [ + "^hardening_manifest.yaml$" + ], "matchStrings": [ - "version:\\s+\"(?.*?)\"" + "tags:\\s+-\\s+\"(?.+?)\"" ], "depNameTemplate": "quay.io/coreos/clair", "datasourceTemplate": "docker" } ] -} +} \ No newline at end of file -- GitLab From b743bd52b2d94425d7df27da2f0aa714ff137a42 Mon Sep 17 00:00:00 2001 From: jweatherford Date: Mon, 28 Dec 2020 10:13:58 -0500 Subject: [PATCH 06/13] migration to the hardening manifest --- hardening_manifest.yaml | 43 ++++++++++++++++++----------------------- 1 file changed, 19 insertions(+), 24 deletions(-) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 08eb49f..165a055 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml 
@@ -19,21 +19,21 @@ args: # Docker image labels labels: org.opencontainers.image.title: "clair" - ## Human-readable description of the software packaged in the image - # org.opencontainers.image.description: "FIXME" - ## License(s) under which contained software is distributed - # org.opencontainers.image.licenses: "FIXME" - ## URL to find more information on the image - # org.opencontainers.image.url: "FIXME" - ## Name of the distributing entity, organization or individual - # org.opencontainers.image.vendor: "FIXME" + # Human-readable description of the software packaged in the image + org.opencontainers.image.description: "Clair is an open source project for the static analysis of vulnerabilities in application containers" + # License(s) under which contained software is distributed + org.opencontainers.image.licenses: "Apache-2.0" + # URL to find more information on the image + org.opencontainers.image.url: "https://github.com/quay/clair" + # Name of the distributing entity, organization or individual + org.opencontainers.image.vendor: "Red Hat" org.opencontainers.image.version: "v2.1.6" - ## Keywords to help with search (ex. "cicd,gitops,golang") - # mil.dso.ironbank.image.keywords: "FIXME" - ## This value can be "opensource" or "commercial" - # mil.dso.ironbank.image.type: "FIXME" - ## Product the image belongs to for grouping multiple images - # mil.dso.ironbank.product.name: "FIXME" + # Keywords to help with search (ex. "cicd,gitops,golang") + mil.dso.ironbank.image.keywords: "security,scanning,container" + # This value can be "opensource" or "commercial" + mil.dso.ironbank.image.type: "opensource" + # Product the image belongs to for grouping multiple images + mil.dso.ironbank.product.name: "clair" # List of resources to make available to the offline build context resources: 
@@ -46,15 +46,10 @@ resources: value: c6de7b191139142d3f9a7b5b702c9cae1b5ee6e7f57e582da9328629408fd4e8 # List of project maintainers -# FIXME: Fill in the following details for the current container owner in the whitelist -# FIXME: Include any other vendor information if applicable maintainers: - email: "melissari_sean@bah.com" -# # The name of the current container owner -# name: "FIXME" -# # The gitlab username of the current container owner -# username: "FIXME" -# cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT -# - name: "FIXME" -# username: "FIXME" -# email: "FIXME" + # The name of the current container owner + name: "Sean Melissari" + # The gitlab username of the current container owner + username: "melissari_sean" + cht_member: true -- GitLab From 9f9b79dbe04f18ae42c190e507b22ed64a68728f Mon Sep 17 00:00:00 2001 From: renovate Date: Tue, 27 Apr 2021 01:11:29 +0000 Subject: [PATCH 07/13] Update quay.io/coreos/clair Docker tag to v2.1.7 --- Dockerfile | 2 +- hardening_manifest.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index eb7644f..c4f175a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ ARG BASE_REGISTRY=nexus-docker-secure.levelup-dev.io ARG BASE_IMAGE=ubi8 ARG BASE_TAG=8.2 -FROM quay.io/coreos/clair:v2.1.6 as base +FROM quay.io/coreos/clair:v2.1.7 as base FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as build diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 165a055..7ce1ece 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -8,7 +8,7 @@ name: "opensource/quay/clair" # The most specific version should be the first tag and will be shown # on ironbank.dsop.io tags: -- "v2.1.6" +- "v2.1.7" - "latest" # Build args passed to Dockerfile ARGs 
@@ -27,7 +27,7 @@ labels: org.opencontainers.image.url: "https://github.com/quay/clair" # Name of the distributing entity, organization or individual org.opencontainers.image.vendor: "Red Hat" - org.opencontainers.image.version: "v2.1.6" + org.opencontainers.image.version: "v2.1.7" # Keywords to help with search (ex. "cicd,gitops,golang") mil.dso.ironbank.image.keywords: "security,scanning,container" # This value can be "opensource" or "commercial" @@ -37,8 +37,8 @@ labels: # List of resources to make available to the offline build context resources: -- tag: quay.io/coreos/clair:v2.1.6 - url: docker://quay.io/coreos/clair@sha256:ac7ea2811ac7f21a140b048c9b02bd9854b881b62dca0a4f7bfc7220db399710 +- tag: quay.io/coreos/clair:v2.1.7 + url: docker://quay.io/coreos/clair@sha256:0962dd91c2f5de60ea2c0019fb275bc463fce6f59db96597e09e645627439909 - filename: musl.tar.gz url: https://musl.libc.org/releases/musl-1.2.0.tar.gz validation: -- GitLab From 0a9f0e79de9e255ea5485459d6f02965d51d1e11 Mon Sep 17 00:00:00 2001 From: Zachary Sanders Date: Tue, 18 May 2021 17:49:15 +0000 Subject: [PATCH 08/13] renovate-automerge --- renovate.json | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/renovate.json b/renovate.json index 48644b5..9a2a9b8 100644 --- a/renovate.json +++ b/renovate.json @@ -5,17 +5,9 @@ "baseBranches": [ "development" ], + "automerge": true, + "gitLabAutomerge": true, "regexManagers": [ - { - "fileMatch": [ - "^Dockerfile$" - ], - "matchStrings": [ - "version=\"(?.*?)\"" - ], - "depNameTemplate": "quay.io/coreos/clair", - "datasourceTemplate": "docker" - }, { "fileMatch": [ "^hardening_manifest.yaml$" @@ -37,4 +29,4 @@ "datasourceTemplate": "docker" } ] -} \ No newline at end of file +} -- GitLab From 2e2bb59b3625431ed8485369d2c95fb15e528aaf Mon Sep 17 00:00:00 2001 From: "sean.melissari" Date: Thu, 20 May 2021 13:22:56 +0000 Subject: [PATCH 09/13] bump ubi --- hardening_manifest.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
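Review bot: `"automerge": true` with `"gitLabAutomerge": true` lets every update the remaining regexManagers produce — the `quay.io/coreos/clair` tag in hardening_manifest.yaml — land on `development` unreviewed, with no restriction on update type; later in this series the v2.1.7 → v4.1.0 bump (PATCH 11) is immediately followed by a "fix missing binary" commit (PATCH 12) because the v4 image lays out its binaries differently, which is exactly the case a human should gate. Consider dropping the top-level `"automerge": true` and scoping it instead, e.g. `"packageRules": [{"matchUpdateTypes": ["minor", "patch"], "automerge": true}]`, so major bumps of a security-scanner image still open a reviewable MR. The managers visible here match only the tag, while PATCH 07 shows the `@sha256:` digest in `resources` also being rewritten, so that path is presumably handled by config outside this hunk and is worth confirming before relying on automerge.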
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 7ce1ece..32c513d 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -14,7 +14,7 @@ tags: # Build args passed to Dockerfile ARGs args: BASE_IMAGE: "redhat/ubi/ubi8" - BASE_TAG: "8.3" + BASE_TAG: "8.4" # Docker image labels labels: -- GitLab From 657625a807916839115f9f583c69891cc81463d1 Mon Sep 17 00:00:00 2001 From: "sean.melissari" Date: Thu, 20 May 2021 22:07:09 +0000 Subject: [PATCH 10/13] Update Dockerfile --- Dockerfile | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index c4f175a..0da1ab4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ -ARG BASE_REGISTRY=nexus-docker-secure.levelup-dev.io -ARG BASE_IMAGE=ubi8 -ARG BASE_TAG=8.2 +ARG BASE_REGISTRY=registry1.dso.mil +ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8 +ARG BASE_TAG=8.4 FROM quay.io/coreos/clair:v2.1.7 as base @@ -18,7 +18,6 @@ RUN dnf install -y gcc make && \ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} - RUN groupadd -g 1000 clair && \ useradd -r -u 1000 -m -s /sbin/nologin -g clair clair && \ mkdir /etc/clair && \ -- GitLab From a9d9704ff11f8897f12dc0af7e5740f9044c9dd8 Mon Sep 17 00:00:00 2001 From: renovate Date: Fri, 11 Jun 2021 18:46:52 +0000 Subject: [PATCH 11/13] Update quay.io/coreos/clair Docker tag to v4 --- Dockerfile | 2 +- hardening_manifest.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0da1ab4..fb509ff 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dso.mil ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8 ARG BASE_TAG=8.4 -FROM quay.io/coreos/clair:v2.1.7 as base +FROM quay.io/coreos/clair:v4.1.0 as base FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as build diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 32c513d..5866cf6 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml 
@@ -8,7 +8,7 @@ name: "opensource/quay/clair" # The most specific version should be the first tag and will be shown # on ironbank.dsop.io tags: -- "v2.1.7" +- "v4.1.0" - "latest" # Build args passed to Dockerfile ARGs @@ -27,7 +27,7 @@ labels: org.opencontainers.image.url: "https://github.com/quay/clair" # Name of the distributing entity, organization or individual org.opencontainers.image.vendor: "Red Hat" - org.opencontainers.image.version: "v2.1.7" + org.opencontainers.image.version: "v4.1.0" # Keywords to help with search (ex. "cicd,gitops,golang") mil.dso.ironbank.image.keywords: "security,scanning,container" # This value can be "opensource" or "commercial" @@ -37,8 +37,8 @@ labels: # List of resources to make available to the offline build context resources: -- tag: quay.io/coreos/clair:v2.1.7 - url: docker://quay.io/coreos/clair@sha256:0962dd91c2f5de60ea2c0019fb275bc463fce6f59db96597e09e645627439909 +- tag: quay.io/coreos/clair:v4.1.0 + url: docker://quay.io/coreos/clair@sha256:d5900e1f7ac487661acfd70f53f6de9d937035553199c182ffdf5bbdd0c88db8 - filename: musl.tar.gz url: https://musl.libc.org/releases/musl-1.2.0.tar.gz validation: -- GitLab From 07c6cbe8da3b84cd819d484cd57bb2ff8ba586b1 Mon Sep 17 00:00:00 2001 From: Sean Melissari Date: Tue, 15 Jun 2021 12:11:06 -0400 Subject: [PATCH 12/13] fix missing binary --- Dockerfile | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index fb509ff..693a8b0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -18,6 +18,9 @@ RUN dnf install -y gcc make && \ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} +ENV CLAIR_CONF=/config/config.yaml CLAIR_MODE=combo +ENV SSL_CERT_DIR="/etc/ssl/certs:/etc/pki/tls/certs:/var/run/certs" + RUN groupadd -g 1000 clair && \ useradd -r -u 1000 -m -s /sbin/nologin -g clair clair && \ mkdir /etc/clair && \ 
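Review bot: The new `ENV SSL_CERT_DIR="/etc/ssl/certs:/etc/pki/tls/certs:/var/run/certs"` widens the TLS trust-anchor search path of the Go binary to a runtime directory without saying why, and nothing in the image populates `/var/run/certs`. Since any certificate that appears in a listed directory is trusted by clair's outbound TLS (registry, database, notifier webhooks), the mount expectation belongs in the Dockerfile, e.g. `# /var/run/certs: mount operator-supplied CA bundles here read-only; every file in SSL_CERT_DIR becomes a trust anchor`. A one-line comment on `CLAIR_MODE=combo` (indexer, matcher and notifier in a single process, selected by the mounted `/config/config.yaml`) would likewise help whoever inherits this image. The `RUN` instruction that follows continues outside the hunk.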
@@ -27,15 +30,17 @@ RUN groupadd -g 1000 clair && \ rm -rf /var/cache/dnf && \ chmod -s /usr/libexec/openssh/ssh-keysign -COPY --from=base /clair /clair -COPY --from=base /usr/bin/dumb-init /usr/bin/dumb-init +COPY --from=base /bin/clair /bin/clair +COPY --from=base /bin/clairctl /bin/clairctl +COPY --from=base /usr/local/bin/dumb-init /usr/local/bin/dumb-init COPY --from=build /usr/local/musl/lib/libc.so /usr/local/musl/lib/libc.so COPY --from=build /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1 -USER clair +USER 1000 VOLUME /config +WORKDIR /run EXPOSE 6060 6061 HEALTHCHECK CMD curl -fs http://127.0.0.1:6061/health || curl -fsk https://127.0.0.1:6061/health || exit 1 -ENTRYPOINT ["/usr/bin/dumb-init", "--", "/clair"] +ENTRYPOINT ["/usr/local/bin/dumb-init", "--", "/bin/clair"] -- GitLab From e4e734438399cc77d18a558411c4c30a2d4e72f6 Mon Sep 17 00:00:00 2001 From: renovate Date: Wed, 16 Jun 2021 01:15:58 +0000 Subject: [PATCH 13/13] Update quay.io/coreos/clair Docker tag to v4.1.1 --- Dockerfile | 2 +- hardening_manifest.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 693a8b0..8376919 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dso.mil ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8 ARG BASE_TAG=8.4 -FROM quay.io/coreos/clair:v4.1.0 as base +FROM quay.io/coreos/clair:v4.1.1 as base FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as build diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 5866cf6..482c7b9 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -8,7 +8,7 @@ name: "opensource/quay/clair" # The most specific version should be the first tag and will be shown # on ironbank.dsop.io tags: -- "v4.1.0" +- "v4.1.1" - "latest" # Build args passed to Dockerfile ARGs 
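Review bot: The new `ENTRYPOINT` starts the v4 `/bin/clair`, but `EXPOSE 6060 6061` and the `HEALTHCHECK` probing `127.0.0.1:6061/health` are left at the v2 defaults; Clair v4 serves its health endpoint as `/healthz` on the `introspection_addr` listener (`:8089` in the upstream sample config), so unless the mounted `/config/config.yaml` deliberately keeps introspection on `:6061`, the probe fails and the container is permanently reported unhealthy. Align both lines with the configured introspection address, e.g. `HEALTHCHECK CMD curl -fs http://127.0.0.1:8089/healthz || exit 1`, which also removes the `-k` fallback that accepts an unverified TLS endpoint. `USER 1000` (numeric) is an improvement over `USER clair` for `runAsNonRoot` admission checks, but `WORKDIR /run` is root-owned in the base image, so if clair needs to write to its working directory that will now fail at runtime — presumably it does not, but worth confirming. The `RUN` instruction at the top of the hunk begins outside it.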
@@ -27,7 +27,7 @@ labels: org.opencontainers.image.url: "https://github.com/quay/clair" # Name of the distributing entity, organization or individual org.opencontainers.image.vendor: "Red Hat" - org.opencontainers.image.version: "v4.1.0" + org.opencontainers.image.version: "v4.1.1" # Keywords to help with search (ex. "cicd,gitops,golang") mil.dso.ironbank.image.keywords: "security,scanning,container" # This value can be "opensource" or "commercial" @@ -37,8 +37,8 @@ labels: # List of resources to make available to the offline build context resources: -- tag: quay.io/coreos/clair:v4.1.0 - url: docker://quay.io/coreos/clair@sha256:d5900e1f7ac487661acfd70f53f6de9d937035553199c182ffdf5bbdd0c88db8 +- tag: quay.io/coreos/clair:v4.1.1 + url: docker://quay.io/coreos/clair@sha256:fe4b5f32b8bbc6f4ba276d441e4aaf57bbf6e55092e5f4497f8767aa65fc7c4a - filename: musl.tar.gz url: https://musl.libc.org/releases/musl-1.2.0.tar.gz validation: -- GitLab