Merge branch '5.2.4' into 'master'

Merge restructured build for 5.2.4 to master

See merge request !4

5.2.4/Dockerfile

@@ -3,23 +3,20 @@ ARG BASE_IMAGE=ubi7/ubi
 ARG BASE_TAG=7.8
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 
-MAINTAINER terrana_steven@bah.com
-
 ### Required Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels
-ARG OWASP_DEP_CHK_VERSION=5.2.4
-LABEL name="Solutions Delivery Platform: OWASP Dependency Checker" \
+LABEL name="Solutions Delivery Platform: OWASP Dependency Check" \
       maintainer="terrana_steven@bah.com" \
       vendor="Booz Allen Hamilton" \
-      version="${OWASP_DEP_CHK_VERSION}" \
-      release="${OWASP_DEP_CHK_VERSION}" \
-      summary="An OWASP Dependency Checker container" \
+      version="5.2.4" \
+      release="5.2.4" \
+      summary="OWASP Dependency Check container" \
       description="The OWASP Dependency Check container image for the Solutions Delivery Platform"
 
 ### add licenses to this directory
 COPY LICENSE /licenses
 
-### Add necessary Red Hat repos and packages here
-RUN INSTALL_PKGS="java-1.8.0-openjdk-devel mono-devel ruby unzip" && \
+### Install packages from ubi base repo 
+RUN INSTALL_PKGS="java-1.8.0-openjdk-devel ruby unzip" && \
     yum update -y \
         --nogpgcheck \
         --disablerepo=unified_platform_ubi8_os \
@@ -36,21 +33,35 @@ RUN INSTALL_PKGS="java-1.8.0-openjdk-devel mono-devel ruby unzip" && \
         --disableplugin=subscription-manager \
         --setopt=tsflags=nodocs
 
-### Install your application here -- add all other necessary items to build your image
-ARG user=dependencycheck
+### Environment variables
+ENV user dependencycheck
+ENV OWASP_DEP_CHECK_VERSION 5.2.4
+
+### Fetch dependency bundle
+
+RUN mkdir /root/tmp
+RUN cd /root/tmp && \
+    curl -k -fu ${NEXUS_USERNAME}:${NEXUS_PASSWORD} https://${NEXUS_SERVER}/repository/dsop/solutions-delivery-platform/dependency-check/owasp-dep-check-dependencies-$OWASP_DEP_CHECK_VERSION.tar.gz -O 
 
-RUN gem install "rubygems-update:<3.0.0" --no-document                      && \
-    update_rubygems                                                         && \
-    gem install bundle-audit                                                && \
+### Install mono-devel
+RUN cd /root/tmp && tar -xzf owasp-dep-check-dependencies-$OWASP_DEP_CHECK_VERSION.tar.gz &&  rpm -ivh --replacepkgs --replacefiles /root/tmp/dependencies/mono-devel/*.rpm && rm /root/tmp/owasp-dep-check-dependencies-$OWASP_DEP_CHECK_VERSION.tar.gz
+
+### Install ruby dependencies
+RUN cd /root/tmp && \
+    gem install --force --local /root/tmp/dependencies/rubygems-update/*.gem && \
+    update_rubygems && \
+    gem install --force --local /root/tmp/dependencies/bundle-audit/*.gem && \
     gem cleanup
 
-RUN file="owaspdepchk-${OWASP_DEP_CHK_VERSION}"                             && \
-    curl -LOJkfu ${NEXUS_USERNAME}:${NEXUS_PASSWORD} \
-        https://${NEXUS_SERVER}/repository/dsop/solutions-delivery-platform/dependency-check/${file} -O && \
-    unzip ${file}                                                           && \
-    rm ${file}                                                              && \
+### Install OWASP Dependency Check binaries
+RUN cd /root/tmp/dependencies/owasp && \
+    unzip dependency-check-${OWASP_DEP_CHK_VERSION}-release.zip    && \
+    rm dependency-check-${OWASP_DEP_CHK_VERSION}-release.zip       && \
     mv dependency-check /usr/share/                                         && \
-    useradd -ms /bin/bash ${user}                                           && \
+    rm -rf /root/tmp/dependencies
+
+# Add user, create required directories  and cleanup
+RUN useradd -ms /bin/bash ${user}                                           && \
     chown -R ${user}:${user} /usr/share/dependency-check                    && \
     mkdir /report                                                           && \
     chown -R ${user}:${user} /report                                        && \
@@ -59,8 +70,11 @@ RUN file="owaspdepchk-${OWASP_DEP_CHK_VERSION}"                             && \
 USER ${user}
 
 VOLUME ["/src" "/usr/share/dependency-check/data" "/report"]
-
 WORKDIR /src
 
 CMD ["--help"]
-ENTRYPOINT ["/usr/share/dependency-check/bin/dependency-check.sh"]
+ENTRYPOINT ["/usr/share/dependency-check/bin/dependency-check.sh"]
\ No newline at end of file
+
+
+
+

5.2.4/scripts/BAH-public.key

+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQINBF4worQBEACsIaK9upBTpLrZUKQdGsYMwFs62iFQ2LFpe20X+cWDzHyjAs6C
+c0b+QJK/WFEh61rWkSu74IUfAgLrbAzZV6dYwcNYaa/FNR9NLFBpn/7HK4lE2M7A
+MqdujCKAELS74JHpJ8+bjLbgV59MkPfQSTHn0BOo02JiWuqxpFKSlVTTtdiymhXQ
+USiqZ8FSgrVH9GiibRdCBloT1HFrrxs2LMnRsgCN6FXtyPF7jQSipklBfASCe0lS
+i4UNyx+d5G1lpXqZiwYxVYMw79Z5b9l/ZcYAar10o5EQpnr76rxMCIf2vlEZp/Yj
+aZVIHpTTtA4g9lsrIhDoJ8hABnOsNfz5M1zLMXbZaIrwQi+1ZhHlKSGxYlXgy2ay
++zOWzjz4ub5t7yxI3MPLlEIcJTrJwC9LMUzGhqLDnOi0m5vdrXksUvIQ9JQHqHOd
+iQdtTqJErVQl7rBMepLUBdNSJ1PqjR5AZRljGOCdZPedb5/U+5n/pxv23xbWWs2/
+pad31FISlY8y3eEhaA1Y2GcP+Y4LAtNm4LyM4Uk/nvniG+rI0TBzxERn1Y6Pax8x
+JhTUcgcBLGHbwFAQ/gTDRkg+9DnR0m8ZCKuJ8bPx1qmM1iR39Ks44AbtZsgrkZF+
+DrHXaiaIxtEHyRw7JLQ4auNhZb3FQfy7YrENqnF3eEhyg4cx0LEJJcl+wwARAQAB
+tDBiYWxhbi1rYXJwYWdhbSA8YmFsYW4ta2FycGFnYW1AdXNlcnMuZ2l0aHViLmNv
+bT6JAj8EEwECACkFAl4worQCGwMFCRLMAwAHCwkIBwMCAQYVCAIJCgsEFgIDAQIe
+AQIXgAAKCRCRo0uHmCFZ3ECvD/9Ix0fSV4zOwnJ5KQZEp5tEnOGPJBPcBZ6hBJQc
+9/R7DcmcN2LsOm6weMvax12/7Jo7Dbpl2rH11vwqrMrPmnm4BO6YcdmxmfE5ikyu
+2EU4pzYgAFOGrahNaaSzEXFnMvDAKHLPT6xOJ35Re/RYxQOoiW+dmxPaceZv+lf4
+Jpfm8AtreMqpWLwl1+EN6zJzMF0yJjxUNxsZzaf4G6IxqZ+xwh9Auh2R6ga7UUz5
+0sNDIMdFUNE0aQNsd8UX5pJQApwd63xE9MrnqnCPs3y39b1V+gSwYWv3sMTGDpyE
+rlDazVIJgSdBytpjAqoC0+wlm/fSgMI5YL6sJnhAfKUKp5u+5Dsr3xPFfq8s62cs
+TD14tQ0ees62I3yysStfo2w8lRUE+7fXLhgPaeYoN56/XsIheO0cXIbiNgLdS6kl
+MH+RtdyvwOBLdUgH1N5V/ctqeXbs38w4i4jPeyt/z6XYRli7Xkh7g3m1JpL4Hn6Q
+tqvuvx0FwdfXjcbuHIAHrY4kAkvKNi+dDsJ3tP8CYotmI/RlNCKjweMcOKN7qXAz
+/3qOUNXP546eObg3obOn0g0npyfQ9hojwFCl2KqNzHcr45y1Jw4peFXjthBq8B7Z
+cn6mKauJ+0K3H+fjlKR3W2TUD/p3FKqILbbw10J3sFulRppTDqzhRetUs0dQgtuK
+DpivCLkCDQReMKK0ARAA0sOzOfKuinhmzybri25NkXvyp9SbNcg8pZAmOkXsJ0Hy
+S5VK4a6aHoRs1pGsikaBYNdxJ2gwA3CeiaAJW54od8gA1RVzETfyKWjYsO7AB4I0
+LRmZSEYisnVjfTxzfpbTqjem3yyq2KG2pv4FEsv6jF9dGrdQ9EgZHf/ZebI55JS/
+TPVVau/EW3urVPFLlz+2TOzks5ysHtdCZl5A7+it70lPnaqg2LO5Kp9OnmUpIpLF
+piorHnNYXv6kUoCYblj65djCmvnRoN1rKfrh12vhIupXfRfyO/hovIMnEHFhXhBY
+yJAdusapk6A+mkbjS3g0E2igV5g0lW1XR/vN6ElGs3JfCLLmFYJCWyIg5ykrHj3I
+S8cf1uaMfSQcArIBewc8RZdN1YZUc6WCH3BImBKI1di8QdNACfUnZSkNdMrN4Dmn
+MLD38ACsSTe/D68MHxr5ee5tH7iFxTWBn8l5bZQot5qsL9glDxTT4bNiK9HzZJZN
+ks4r3kg8mUcNb8LTi4Fn9ITEv0COzPMOs7ibIMeFv+r5LGK2DHo/o+oLgSzNcx2W
+PAzhFscXtCRFZHWjN1wLAjT1mPjkF8WRKfNwp3azU1VdZ4V7uR2FlsjwaL8QZs5g
+ZpyeyZLMEsN47LoIaMvmTCc6HzsZoJAtz9GNwBlFmQoxodIkGYiwNRGWD/eNPEEA
+EQEAAYkCJQQYAQIADwUCXjCitAIbDAUJEswDAAAKCRCRo0uHmCFZ3CyYEACN5wsX
+vH+jNxYxQ+2FvObZyHT/LjD1DgFGCxE+dMqtaR84OgVgpHxhka8fbSaNlwey0J9h
+jo7dgcx9pc4TpxmIiRFqKRUbMMEVfeksy1wC4T5UZHaL3QNy6I/vnpGmPkUmEK1F
+RKERbpK/lCj4LDZpZr5hBnQ+5IcuSGR5JJ28vm58UMuiwwbE84hgbu0XcBqNkEcM
+sg9jVVJJ7ZgV6TKjEa/335LwT8gQRBKBuef/ENWps8XOxY7tYD6XvHI4Hgxk5W3g
+XuaaXs5SXR/bTgUgIYSqfSnjwbKVQJh8fXivs2N1kgFzZBA80O6oecB3+5sTmEMJ
+SzBpX01+B0WQZ+AY/FAYTZhqG0eD0pn8MHdVr4emoZYAgkW9iCjrnN9+TS8Lpb0I
+L3SxTyU07NCJKXZajCaSFuSm2OAM4E979HIZUargYKmA06v6bFXh/TdQKaONN+Eh
+qR9E5AM1N12ekN0ORxSARRQuOXUMFZ+beco+MMGhkbtu4Q4dSJviF26gxgvdPDq9
+5uMF/MKyo4Th6g1Yf3Y+UNaP9i+XHqvmExoDf6VN08Pto7sYIPHS1yqcEqJxPIw0
+Q3R1n6FGi9YcfTSVpgLQa97FSzmzh5qT3Ef0puJsCzB916Itmwax1aeduZjURp3H
+TWKZU0fI5Q5MLqyVTV3podyo7oDD4WySM3BYlQ==
+=MD6X
+-----END PGP PUBLIC KEY BLOCK-----

5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sha256

+4e885b2cf44aa7a27dd16727e8e3e01011498ab9b5fca2e27dc1fc6935b0d3f3

5.2.4/scripts/prebuild.sh

@@ -5,6 +5,8 @@ set -e
 
 ### Environment Variables ###
 OWASP_DEP_CHK_VERSION=5.2.4
+SDP_DCAR_OWASP_DEP_CHK_VERSION=dcar-0.3
+
 VENDOR=BAH
 
 # DSOP Nexus repo
@@ -14,25 +16,15 @@ NEXUS_PASSWORD=${NEXUS_PASSWORD}
 
 ### Download files/dependencies ###
 # temporarily place binaries locally in /tmp/${VENDOR}/
-curl -LO --create-dirs https://dl.bintray.com/jeremy-long/owasp/dependency-check-${OWASP_DEP_CHK_VERSION}-release.zip \
-    -o /tmp/${VENDOR}/owaspdepchk-${OWASP_DEP_CHK_VERSION}
-
-### SHA256 Verification ###
-# Verifying the files with the SHA256 is a requirement for all files
-# Make sure to not download the SHA256 from the internet, but create it, check it and upload it to the Nexus repo
-cd /tmp/${VENDOR}
-for file in owaspdepchk-${OWASP_DEP_CHK_VERSION}
-do
-    sha256sum ${file} | awk '{print $1}' > ${file}.sha256 \
-    && echo "$(cat ${file}.sha256) ${file}" | sha256sum --check --status \
-    && if [ $? == '0' ]; then printf "\nSHA256 check for ${file} succeeded\n\n"; \
-    else printf "SHA256 check for ${file} failed\n\n"; fi
-done
-
-### Nexus Repo Upload ###
-for package in owaspdepchk-${OWASP_DEP_CHK_VERSION} owaspdepchk-${OWASP_DEP_CHK_VERSION}.sha256
-do
-    curl -k -fu ${NEXUS_USERNAME}:${NEXUS_PASSWORD} -T /tmp/${VENDOR}/${package} https://${NEXUS_SERVER}/repository/dsop/solutions-delivery-platform/dependency-check/${package}
-done
-
-cd -
+curl --create-dirs -sSLo /tmp/${VENDOR}/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz https://github.com/boozallen/sdp-images/releases/download/$SDP_DCAR_OWASP_DEP_CHK_VERSION/owasp-dep-check-dependencies-$SDP_DCAR_OWASP_DEP_CHK_VERSION.tar.gz
+
+### Verify downloaded dependency bundle
+gpg --import BAH-public.key
+gpg --verify owasp-dep-check-dependencies-$SDP_DCAR_OWASP_DEP_CHK_VERSION.sig  /tmp/${VENDOR}/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz
+
+echo "$(cat owasp-dep-check-dependencies-$SDP_DCAR_OWASP_DEP_CHK_VERSION.sha256) /tmp/${VENDOR}/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz" | sha256sum --check --status
+
+### Upload dependency bundle to Nexus
+curl -k -fu ${NEXUS_USERNAME}:${NEXUS_PASSWORD} -T /tmp/${VENDOR}/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz https://${NEXUS_SERVER}/repository/dsop/solutions-delivery-platform/dependency-check/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz
+
+