diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..624eacdc8ce2486735449ddffd8bcb6de2354f42
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+**/*.gz
+**/*.tgz
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..f25eb87bc887168efb4178811494dfac873bfb06
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,41 @@
+ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs14
+ARG BASE_TAG=14.17.0
+
+# Friends don't let friends bloat containers
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as extractor
+
+ARG sde_version=5.14.14
+
+COPY /"sde-reporting-${sde_version}.tgz" /
+
+USER root
+RUN set -x \
+ && mkdir /sde \
+ && tar --extract --gzip --file=/sde-reporting-${sde_version}.tgz --directory=/sde
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+ARG sde_version=5.14.14
+
+COPY --from=extractor /sde/package/environmentVariables.js /reporting/environmentVariables.js
+COPY --from=extractor /sde/package/index.js /reporting/index.js
+COPY --from=extractor /sde/package/node_modules /reporting/node_modules
+COPY --from=extractor /sde/package/package.json /reporting/package.json
+COPY --from=extractor /sde/package/schema /reporting/schema
+
+WORKDIR /reporting
+
+USER root
+RUN set -x \
+ && dnf --assumeyes upgrade \
+ && echo "sde_${sde_version}" >> /.IMAGE_TAG
+
+COPY /scripts/run_cube.sh /bin/run_cube.sh
+
+USER node
+
+ENTRYPOINT ["/bin/run_cube.sh"]
+CMD ["yarn", "start"]
+
+HEALTHCHECK --interval=15s --timeout=10s --retries=3 CMD which node
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000000000000000000000000000000000000..b728b68c85805aea114ddd011adb57ce224ed471
--- /dev/null
+++ b/LICENSE
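Review bot: The `HEALTHCHECK` on the last line of the Dockerfile hunk, `CMD which node`, only proves a node binary is on PATH; it stays green when the reporting process has crashed or never bound its port, so an orchestrator will never mark the container unhealthy. Probe the service instead — the listening port is not visible in this diff, so take it from the app's `environmentVariables.js`/`CUBEJS_*` settings and use something like `CMD node -e "require('net').connect(process.env.PORT || 4000, '127.0.0.1').on('connect', () => process.exit(0)).on('error', () => process.exit(1))"` (adjust the port variable to whatever the app actually reads). Separately, given the "Friends don't let friends bloat containers" comment above, the `dnf --assumeyes upgrade` layer should end with `&& dnf clean all` so the package cache does not ship in the final image.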
@@ -0,0 +1,177 @@ +SD ELEMENTS END USER LICENSE AGREEMENT + +This End User License Agreement (this “Agreement”) is a legal contract between you, as either an +individual, Entity or Government Agency (as per the Order), and Infotek Solutions Inc. dba Security +Compass, or its affiliates (collectively “Security Compass”). + +THIS SOFTWARE IS COPYRIGHTED AND IT IS LICENSED TO YOU UNDER THIS AGREEMENT, NOT +SOLD TO YOU. BY DOWNLOADING, INSTALLING, OBTAINING A LICENSE KEY, OR OTHERWISE +ACCESSING OR USING THIS SOFTWARE, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS +AGREEMENT, YOU UNDERSTAND IT, AND THAT YOU ACCEPT AND AGREE TO BE BOUND BY ITS +TERMS. + +IF YOU ARE ACCEPTING THIS AGREEMENT ON BEHALF OF A COMPANY, ORGANIZATION, OR +OTHER LEGAL ENTITY (AN “ENTITY”), YOU REPRESENT AND WARRANT THAT YOU HAVE FULL +POWER AND AUTHORITY TO BIND SUCH ENTITY TO THESE TERMS, AND REFERENCES TO “YOU” +OR “YOUR” HEREIN REFER TO BOTH YOU, THE INDIVIDUAL END USER, AND THE ENTITY ON +WHOSE BEHALF YOU ARE ACCEPTING THIS AGREEMENT. + +1. Intellectual Property Rights. Security Compass or its licensors retain ownership of all intellectual +property rights in and to the Software, including any modifications, translations, or derivatives thereof, +even if unauthorized, and all applicable rights in patents, copyrights, trade secrets, and trademarks. +The Software is valuable, proprietary, and unique, and you agree to be bound by and observe the +proprietary nature thereof. The Software contains material that is protected by patent, copyright, and +trade secret laws. Your rights to use the Software are limited to those expressly granted by this +Agreement. All rights not granted to you in this Agreement are reserved to Security Compass. No +ownership of the Software passes to you. Security Compass may make changes to the Software at any +time without notice. You may not remove any proprietary notice of Security Compass or any third party +from the Software. + + +2. Protection and Restrictions. 
+ +2.1. You agree to take all reasonable steps to safeguard access to the Software to ensure that no +unauthorized person has access thereto and that no unauthorized copy, publication, disclosure, +or distribution, in whole or in part, in any form is made. + +2.2. You acknowledge that the Software contains valuable, confidential information and trade secrets +and that unauthorized use and/or copying is harmful to Security Compass. You also understand +and agree that the copying or modifying of the Documentation provided with or as part of the +Software is strictly prohibited. Any third-party software included in the Software may not be used +independently from the Software. + +2.3. You will not, and will not allow a third party to, directly or indirectly: sell, sublicense, transfer, assign, +publish, display, disclose, rent, lease, timeshare, modify, loan, distribute, market, commercialize, +or create derivative works based on the Software or any part thereof, incorporate the Software into +or with other products, or use the Software for timesharing or service bureau purposes. + +2.4. You will not reverse engineer, decompile, translate, adapt, or disassemble the Software, nor will +you attempt to reconstruct or discover any source code, underlying ideas, algorithms, file formats +or programming interfaces of the Software by any means whatsoever (except and only to the +extent that applicable law prohibits or restricts reverse engineering restrictions, and then only with +prior written notice to Security Compass). + + +3. Limitation of Liability. 
TO THE FULLEST EXTENT PERMITTED BY LAW, UNDER NO +CIRCUMSTANCES WILL SECURITY COMPASS, ITS AFFILIATES, ITS LICENSORS OR +RESELLERS BE LIABLE FOR ANY INDIRECT, CONSEQUENTIAL, SPECIAL, PUNITIVE OR + +SD Elements Corporate End User License Agreement (July 2017) +INCIDENTAL DAMAGES, WHETHER FORESEEABLE OR UNFORESEEABLE, ARISING OUT OF +OR RELATED TO THIS AGREEMENT INCLUDING, BUT NOT LIMITED TO CLAIMS FOR +INACCURACY, LOSS OF DATA, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES, GOODWILL, OPPORTUNITY, REVENUE, PROFITS, OR USE OF THE PRODUCTS, +INTERRUPTION IN USE OR AVAILABILITY OF DATA, STOPPAGE OF OTHER WORK OR +IMPAIRMENT OF OTHER ASSETS OR OTHER BUSINESS LOSS, PRIVACY, NEGLIGENCE, +BREACH OF CONTRACT, TORT OR OTHERWISE AND THIRD PARTY CLAIMS, EVEN IF +SECURITY COMPASS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO +EVENT WILL SECURITY COMPASS’ AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO +THIS AGREEMENT, BASED ON ANY LEGAL THEORY, INCLUDING BUT NOT LIMITED TO +CONTRACT, TORT, BREACH OF WARRANTY INFRINGEMENT OR OTHERWISE, EXCEED THE +TOTAL AMOUNT ACTUALLY PAID BY YOU TO SECURITY COMPASS FOR THE LICENSE. + + +4. Usage Review. Where you host the Software, Security Compass may at its option request from you a +record of your usage to review and ensure compliance with this Agreement. You agree to cooperate +with Security Compass’ audit and provide reasonable assistance and access to information. Any such +audit shall not unreasonably interfere with your normal business operations. If any audit reveals a +breach of this Agreement by you, you will reimburse any amount revealed to be due to Security +Compass as a result of such breach within thirty (30) days after receipt of an invoice. +5. SD Elements Specific Terms. Your use of SD Elements shall be subject to Licensor’s per-application usage +and pricing terms and conditions as set out in Schedule A to this Agreement. 
+ + +SCHEDULE A + +PER-APPLICATION PRICING TERMS AND CONDITIONS + +Additional or alternate terms and conditions that apply to SD Elements are provided below and form part of the +Agreement. + + +1. Definitions + +1.1. “Active Application(s)” shall mean an Application being developed within the SD Elements Software, which +has not been archived, and for which at least one (1) Project has been created. + +1.2. “Application” shall have the meaning set out in Section 3.1 below. + +1.3. “Archived Application(s)” shall mean an Active Application which has been moved to an archive within the +Software, whereupon it shall cease to be an Active Application. + +1.4. “Licensee” shall mean the individual, entity or government agency entering into this Agreement + +1.5. “License Year” shall mean a license year within the License Term + +1.6. “Project” shall mean an instance, component or release of Licensee’s software code base(s) being +developed/managed within an Application + +1.7. All Capitalized terms not defined in this Schedule shall have the meanings assigned to such terms in the +Agreement + + +2. License Metric + +2.1. The License granted to the SD Elements Software shall entitle Licensee to utilize the Software in the +development of a maximum number of Applications stated in the Order Form (hereinafter the “License +Limit”). + +2.2. Active Applications shall apply towards the usage of the License Limit. Archiving an Active Application shall +not free up the license for the Archived Application in the current License Year. + +2.3. The License Limit utilization cycle shall be reset upon the expiry of a License Year. As of the first day of the +renewal License Year, only Active Applications shall apply towards the License Limit. + + +3. Application + +3.1. 
For the purpose of the Agreement, an “Application” is a set of software instructions (source code, bytecode), +which compile and/or execute in a single run time environment within the Software, subject to any exception +stated below: + +(a) Licensee may create an unlimited number of new releases as Projects within an Application. Such +new releases shall not count as additional usage against the License Limit + +(b) Where Licensee utilizes the Software in the development of a web application, the browser space +code and server side code may be considered different parts of the same Application where the +technical profile of each code base is intended to produce a single list of requirements within the SD +Elements Software. + +(c) Technologies that operate as independent Licensee Applications shall be considered separate +Applications. This includes but is not limited to Java applets and browser plugins. The development +of the same Application for different mobile operating systems shall be considered to be separate +Applications, whereby each such Application shall apply as usage against the License Limit. + +(d) Server side applications which include components that run in a different run time space may be +considered the same Application where (i) a similar technology stack is utilized; and (ii) a single list +of requirements is intended for all components. + +(e) Where the Software is used to develop micro services architecture, all services shall be considered +to be a single application for the purpose of licensing where (i) all services use a similar technology +stack; and (ii) a single list of requirements is intended for all services. + + +4. Usage reporting obligations and auditing + +4.1. Where Licensee hosts the SD Elements Software On-Site, Licensee shall be required to report the number +of Applications developed using the Software, once at the end of each quarter in each License Year. 
A quarter +shall be measured as each three (3) month period starting from the License Effective Date stated on the +Order Form. Licensor reserves the right to refuse access to Standard Technical Support and Software +Updates until Licensee usage data is provided to Licensor. Usage reports shall be sent to +usagereport@sdelements.com + + +5. Pricing + +5.1. Pricing for the SD Elements Software is stated in the Order Form. Prices represent the License Limit and +SD Elements Corporate End User License Agreement (July 2017) +type of license granted. All prices are in United States Dollars, and are based upon an annual subscription +with a minimum one (1) year License Term. + + +6. Over-Usage + +6.1. At any time during the License Term, where Licensee’s usage exceeds the License Limit, Licensee shall pay +Licensor over-usage fees for the number of Active Applications used in excess of the License Limit at the per +Application rate set forth in the Order. Over-usage fees shall be calculated and invoiced annually after each +License Year. diff --git a/README.md b/README.md index 5dc6fa6db4361c22da2f35edf0544d83ba6001e2..858e693a7cb21da9a897a7abad1d62f8a6eb99a0 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,23 @@ -# +# reporting -Project template for all Iron Bank container repositories. \ No newline at end of file +## Summary + +This container hosts the SDElements Reporting module using CubeJS to serve reporting analytics + +## Local build + +1. Download artifacts defined in `hardening_manifest.yaml`. The URLs below are used as examples. + + ```bash + # SDE + wget --http-user=user --ask-password https://artifact.sdelements.com/prod/reporting/sde-reporting-5.14.14.tgz + ``` + +2. Use this command to build locally: + + ```bash + clear && \ + export sde_version='5.14.14' && \ + docker build . -t localhost/security-compass/sd-elements/reporting:"local" \ + --build-arg sde_version="${sde_version}" + ``` 
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8d95d0577a676d4c54c5f65cb1929339c9acb285
--- /dev/null
+++ b/hardening_manifest.yaml
@@ -0,0 +1,64 @@
+---
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "security-compass/sd-elements/reporting"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+- "5.14.14"
+- "latest"
+
+# Build args passed to Dockerfile ARGs
+args:
+ BASE_IMAGE: "opensource/nodejs/nodejs14"
+ BASE_TAG: "14.17.0"
+
+# Docker image labels
+labels:
+ # Name of the image
+ org.opencontainers.image.title: "reporting"
+ # Human-readable description of the software packaged in the image
+ org.opencontainers.image.description: "SD Elements automatically identifies and classifies risks and translates complex requirements into actionable tasks that are assigned to your personnel to improve your security posture. It automates Risk Assessments, Threat Modeling, Secure Development, and Regulatory Compliance - at scale."
+ # License(s) under which contained software is distributed
+ org.opencontainers.image.licenses: "Commercial"
+ # URL to find more information on the image
+ org.opencontainers.image.url: "https://docs.sdelements.com"
+ # Name of the distributing entity, organization or individual
+ org.opencontainers.image.vendor: "Security Compass Ltd."
+ # Authoritative version of the software
+ org.opencontainers.image.version: "5.14.14"
+ # Keywords to help with search (ex. 
"cicd,gitops,golang") + mil.dso.ironbank.image.keywords: "webserver,cubejs,nodejs,security,appsec,code,secure" + # This value can be "opensource" or "commercial" + mil.dso.ironbank.image.type: "commercial" + # Product the image belongs to for grouping multiple images + mil.dso.ironbank.product.name: "security-compass/sd-elements" + +# List of resources to make available to the offline build context +resources: + - url: "https://artifact.sdelements.com/prod/reporting/sde-reporting-5.14.14.tgz" + filename: "sde-reporting-5.14.14.tgz" + validation: + type: sha256 + value: "9afdc7a125464d738be6fc14ac8b9613a0346c23304ff3378efd3eb599e4983a" + auth: + type: "basic" + id: "scompass-credential" + +# List of project maintainers +maintainers: +- name: "Hrdayesh Patel" + username: "hpatel" + email: "hpatel@securitycompass.com" +- name: "Matthew Chum" + username: "mchum" + email: "mchum@securitycompass.com" +- name: "Adam Gilbert" + username: "agilbert" + email: "agilbert@securitycompass.com" +- name: "Kevinkumar Patel" + username: "kevinptl4" + email: "kevinptl4@securitycompass.com" diff --git a/scripts/run_cube.sh b/scripts/run_cube.sh new file mode 100755 index 0000000000000000000000000000000000000000..7b9ce4d02b374393708de7ce232804db6757b780 --- /dev/null +++ b/scripts/run_cube.sh 
@@ -0,0 +1,36 @@
+#!/bin/sh
+# shellcheck disable=SC2034,SC2015,SC2119
+#
+# Copyright (c) 2020 SD Elements Inc.
+#
+# All Rights Reserved.
+#
+# NOTICE: All information contained herein is, and remains
+# the property of SD Elements Incorporated and its suppliers,
+# if any. The intellectual and technical concepts contained
+# herein are proprietary to SD Elements Incorporated
+# and its suppliers and may be covered by U.S., Canadian and other Patents,
+# patents in process, and are protected by trade secret or copyright law.
+# Dissemination of this information or reproduction of this material
+# is strictly forbidden unless prior written permission is obtained
+# from SD Elements Inc..
+
+# Set strict mode
+set -eu
+
+# Version
+version='0.0.1'
+
+# Bootstrap database name like `run_wsgi.sh`
+# NOTE: if this bootstrapping changes, ensure you change `bin/run_wsgi.sh` as well
+if [ -z "${CUBEJS_DB_NAME:-}" ]; then
+ tag_file='/.IMAGE_TAG'
+ if [ -e "${tag_file}" ]; then
+ echo "Attempting to open '${tag_file}'"
+ export CUBEJS_DB_NAME="$(cat "${tag_file}")"
+ echo "CUBEJS_DB_NAME=${CUBEJS_DB_NAME}"
+ fi
+fi
+
+# Continue running the commands to start cube/reporting
+exec "$@"
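Review bot: `export CUBEJS_DB_NAME="$(cat "${tag_file}")"` masks cat's exit status (ShellCheck SC2155), so under `set -eu` a `/.IMAGE_TAG` that exists but cannot be read — it is written by root in the Dockerfile while this script runs as `node` — yields an empty database name and the script still reaches `exec`, starting cube against whatever the empty value resolves to. The guard also tests `-e` rather than `-r`, and the Dockerfile appends with `>>`, so any second line in the file would end up inside the variable. Suggest `if [ -r "${tag_file}" ]; then`, `CUBEJS_DB_NAME="$(head -n 1 "${tag_file}")"`, `export CUBEJS_DB_NAME` so a read failure aborts the start instead of being swallowed.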