From b7a40ebc25508d06413517073d4d760d3fa18b88 Mon Sep 17 00:00:00 2001 From: jeason Date: Wed, 14 Oct 2020 16:07:37 -0600 Subject: [PATCH 01/18] Project template: file templates --- .gitlab/CODEOWNERS | 6 +++ .gitlab/issue_templates/Access Request.md | 16 ++++++++ .../issue_templates/Application - Archive.md | 21 +++++++++++ .../issue_templates/Application - Initial.md | 32 ++++++++++++++++ .../issue_templates/Application - Update.md | 35 ++++++++++++++++++ .gitlab/issue_templates/Bug.md | 37 +++++++++++++++++++ .gitlab/issue_templates/Feature Request.md | 32 ++++++++++++++++ .../issue_templates/Leadership Question.md | 7 ++++ .gitlab/issue_templates/New Findings.md | 20 ++++++++++ .../issue_templates/Onboarding Question.md | 7 ++++ .gitlab/issue_templates/Pipeline Failure.md | 31 ++++++++++++++++ 11 files changed, 244 insertions(+) create mode 100644 .gitlab/CODEOWNERS create mode 100644 .gitlab/issue_templates/Access Request.md create mode 100644 .gitlab/issue_templates/Application - Archive.md create mode 100644 .gitlab/issue_templates/Application - Initial.md create mode 100644 .gitlab/issue_templates/Application - Update.md create mode 100644 .gitlab/issue_templates/Bug.md create mode 100644 .gitlab/issue_templates/Feature Request.md create mode 100644 .gitlab/issue_templates/Leadership Question.md create mode 100644 .gitlab/issue_templates/New Findings.md create mode 100644 .gitlab/issue_templates/Onboarding Question.md create mode 100644 .gitlab/issue_templates/Pipeline Failure.md diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS new file mode 100644 index 0000000..64a2c68 --- /dev/null +++ b/.gitlab/CODEOWNERS @@ -0,0 +1,6 @@ +[Pipelines] +.gitlab-ci.yml @ironbank-notifications/cht +.gitlab-ci.yaml @ironbank-notifications/cht + +[Gitlab Configuration Files] +.gitlab/* @ironbank-notifications/cht diff --git a/.gitlab/issue_templates/Access Request.md b/.gitlab/issue_templates/Access Request.md new file mode 100644 index 0000000..1a7b224 --- /dev/null +++ b/.gitlab/issue_templates/Access Request.md @@ -0,0 +1,16 @@ +## Summary + +The following individuals are requesting access to this project (one per line): +(List or tag all individuals here) + + +The access level should be: +- [ ] Developer access +- [ ] Remove access + + +## Definition of Done +- [ ] All accounts have been provided the necessary accesses + + +/label ~"Access" ~"To Do" \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Archive.md b/.gitlab/issue_templates/Application - Archive.md new file mode 100644 index 0000000..9f3b5fe --- /dev/null +++ b/.gitlab/issue_templates/Application - Archive.md @@ -0,0 +1,21 @@ +## Summary + +Requesting this application be archived due to one of the following reasons: +- [ ] Version is no longer supported by vendor +- [ ] Application is End-Of-Life +- [ ] License violation. +- [ ] Other. See below. + +## Detailed Description + +(Please provide a detailed description of why this application should be archived) + + +## Definition of Done +- [ ] Application has been reviewed for archival +- [ ] Project is officially marked as stale +- [ ] Iron Bank frontend no longer lists application as available or approved + + +/label ~"Container::Archive" +/cc @ironbank-notifications/archive \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Initial.md b/.gitlab/issue_templates/Application - Initial.md new file mode 100644 index 0000000..6594a05 --- /dev/null +++ b/.gitlab/issue_templates/Application - Initial.md @@ -0,0 +1,32 @@ +## Summary + +Requesting application to be hardened. This is only for initial hardening of a container. + + +## Version Information + +Current version: (State the current version of the application as you see it) + +Under support: (Is the updated version within the same major version of the application or is this a new major version?) + + +## Definition of Done +Hardening: +- [ ] Container builds successfully +- [ ] Greylist file has been created (requires a member from container hardening) +- [ ] Branch has been merged into `development` + +Justifications: +- [ ] All findings have been justified per the above documentation +- [ ] Justifications have been provided to the container hardening team + +Approval Process (container hardening team processes): +- [ ] Peer review from Container Hardening Team +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::Initial" +/cc @ironbank-notifications/cht \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Update.md b/.gitlab/issue_templates/Application - Update.md new file mode 100644 index 0000000..caebb3e --- /dev/null +++ b/.gitlab/issue_templates/Application - Update.md @@ -0,0 +1,35 @@ +## Summary + +Requesting application be updated to a newer version. + + + +## Version Information + +Current version: (State the current version of the application as you see it) + +Updated version: (State the version you would like the application updated to) + +Under support: (Is the updated version within the same major version of the application or is this a new major version?) + + +## Definition of Done +Hardening: +- [ ] Container builds successfully +- [ ] Container version has been updated in greylist file +- [ ] Branch has been merged into `development` + +Justifications: +- [ ] All findings have been justified per the above documentation +- [ ] Justifications have been provided to the container hardening team + +Approval Process: +- [ ] Peer review from Container Hardening Team +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::Update" +/cc @ironbank-notifications/updates \ No newline at end of file diff --git a/.gitlab/issue_templates/Bug.md b/.gitlab/issue_templates/Bug.md new file mode 100644 index 0000000..1427a0c --- /dev/null +++ b/.gitlab/issue_templates/Bug.md @@ -0,0 +1,37 @@ +## Summary + +(Summarize the bug encountered concisely) + + +## Steps to reproduce + +(How one can reproduce the issue - this is very important) + + +## What is the current bug behavior? + +(What actually happens) + + +## What is the expected correct behavior? + +(What you should see instead) + + +## Relevant logs and/or screenshots + +(Paste any relevant logs - please use code blocks (```) to format console output, +logs, and code as it's very hard to read otherwise.) + + +## Possible fixes + +(If you can, link to the line of code that might be responsible for the problem) + + +## Defintion of Done +- [ ] Bug has been identified and corrected within the container + + +/label ~Bug +/cc @ironbank-notifications/bug \ No newline at end of file diff --git a/.gitlab/issue_templates/Feature Request.md b/.gitlab/issue_templates/Feature Request.md new file mode 100644 index 0000000..a0e2f19 --- /dev/null +++ b/.gitlab/issue_templates/Feature Request.md @@ -0,0 +1,32 @@ +## Feature description + +(Detailed description of the feature being requested) + + +## Use cases + + +(Detailed description of the use case for this feature) + + +## Benefits + +(How does this benefit others) + + +## Requirements + +(Any requirements for this feature to be enabled?) + + +## Links / references + +(List of links or references that support this feature) + + +## Definition of Done +- [ ] Feature has been implemented + + +/label ~Feature +/cc @ironbank-notifications/feature \ No newline at end of file diff --git a/.gitlab/issue_templates/Leadership Question.md b/.gitlab/issue_templates/Leadership Question.md new file mode 100644 index 0000000..4674f82 --- /dev/null +++ b/.gitlab/issue_templates/Leadership Question.md @@ -0,0 +1,7 @@ +## Leadership question + +(Detailed description of the question you'd like to ask the leadership team) + + +/label ~"Question::Leadership" ~"To Do" +/cc @ironbank-notifications/leadership \ No newline at end of file diff --git a/.gitlab/issue_templates/New Findings.md b/.gitlab/issue_templates/New Findings.md new file mode 100644 index 0000000..068d029 --- /dev/null +++ b/.gitlab/issue_templates/New Findings.md @@ -0,0 +1,20 @@ +## Summary + +Container has new findings discovered during continuous monitoring. + + + +## Definition of Done +Justifications: +- [ ] All findings have been justified +- [ ] Justifications have been provided to the container hardening team + +Approval Process: +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::New Findings" +/cc @ironbank-notifications/security \ No newline at end of file diff --git a/.gitlab/issue_templates/Onboarding Question.md b/.gitlab/issue_templates/Onboarding Question.md new file mode 100644 index 0000000..77dea11 --- /dev/null +++ b/.gitlab/issue_templates/Onboarding Question.md @@ -0,0 +1,7 @@ +## Onboarding question + +(Detailed description of the question you'd like to ask the onboarding team) + + +/label ~"Question::Onboarding" ~"To Do" +/cc @ironbank-notifications/onboarding \ No newline at end of file diff --git a/.gitlab/issue_templates/Pipeline Failure.md b/.gitlab/issue_templates/Pipeline Failure.md new file mode 100644 index 0000000..28b82a9 --- /dev/null +++ b/.gitlab/issue_templates/Pipeline Failure.md @@ -0,0 +1,31 @@ +## Summary + +(Summarize the pipeline issue encountered concisely) + + +## Link to failed pipeline + +(Link to the failed pipeline) + + +## What is the current bug behavior? + +(What actually happens) + + +## What is the expected correct behavior? + +(What you should see instead) + + +## Possible fixes + +(If you can, link to the line of code that might be responsible for the problem) + + +## Definition of Done +- [ ] Pipeline failure has been resolved + + +/label ~Pipeline +/cc @ironbank-notifications/pipelines \ No newline at end of file -- GitLab From cf4b1313e1c0db8854b6ad6bd44491c1e8dd15af Mon Sep 17 00:00:00 2001 From: CSpicer-BAH Date: Mon, 2 Nov 2020 16:45:54 -0500 Subject: [PATCH 02/18] added healthcheck and temporary directory --- Dockerfile | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 9b4fb27..0307adf 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,8 @@ ARG BASE_REGISTRY=registry.access.redhat.com ARG BASE_IMAGE=ubi8/ubi ARG BASE_TAG=8.2 -FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} +#FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} +FROM registry.access.redhat.com/ubi8/ubi:8.2 ### Required Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels LABEL name="Solutions Delivery Platform: OWASP Dependency Check" \ @@ -63,13 +64,20 @@ RUN useradd -ms /bin/bash ${user} && \ chown -R ${user}:${user} /usr/share/dependency-check && \ mkdir /report && \ chown -R ${user}:${user} /report && \ + mkdir /tempdir && \ + chown -R ${user}:${user} /tempdir && \ yum -y -v clean all && \ [ ! -d /var/cache/yum ] || rm -rf /var/cache/yum USER ${user} +ENV URL=https://google.com +ARG JAVA_OPTS +ENV JAVA ${JAVA_OPTS:- '-Djava.io.tmp=/tempdir'} + VOLUME ["/src" "/usr/share/dependency-check/data" "/report"] WORKDIR /src CMD [] ENTRYPOINT [ "/bin/sh", "/usr/share/dependency-check/bin/container-entrypoint.sh" ] +HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD curl $URL -- GitLab From 6568f749d85bed2f0b9ac533d6a359f7d9716511 Mon Sep 17 00:00:00 2001 From: CSpicer-BAH Date: Mon, 2 Nov 2020 16:58:36 -0500 Subject: [PATCH 03/18] corrected FROM statement --- Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0307adf..f513bcf 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,7 @@ ARG BASE_REGISTRY=registry.access.redhat.com ARG BASE_IMAGE=ubi8/ubi ARG BASE_TAG=8.2 -#FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} -FROM registry.access.redhat.com/ubi8/ubi:8.2 +FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} ### Required Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels LABEL name="Solutions Delivery Platform: OWASP Dependency Check" \ -- GitLab From af525c777621c289ff2ffc6cf527ddfa9086c470 Mon Sep 17 00:00:00 2001 From: CSpicer-BAH Date: Tue, 3 Nov 2020 13:13:57 -0500 Subject: [PATCH 04/18] removed healthcheck --- Dockerfile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index f513bcf..c2d481a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -69,8 +69,7 @@ RUN useradd -ms /bin/bash ${user} && \ [ ! -d /var/cache/yum ] || rm -rf /var/cache/yum USER ${user} - -ENV URL=https://google.com +#Point java to use a dedicated directory for ephemeral use ARG JAVA_OPTS ENV JAVA ${JAVA_OPTS:- '-Djava.io.tmp=/tempdir'} @@ -79,4 +78,3 @@ WORKDIR /src CMD [] ENTRYPOINT [ "/bin/sh", "/usr/share/dependency-check/bin/container-entrypoint.sh" ] -HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD curl $URL -- GitLab From 6fe3d07fee763f193fc9c130b506d63b44b2c32f Mon Sep 17 00:00:00 2001 From: Al Fontaine Date: Tue, 17 Nov 2020 15:22:39 +0000 Subject: [PATCH 05/18] Update Dockerfile --- Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index c2d481a..c4c61ab 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ -ARG BASE_REGISTRY=registry.access.redhat.com -ARG BASE_IMAGE=ubi8/ubi -ARG BASE_TAG=8.2 +ARG BASE_REGISTRY=registry1.dsop.io +ARG BASE_IMAGE=redhat/ubi/ubi8 +ARG BASE_TAG=8.3 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} ### Required Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels -- GitLab From 3fc410c08a3f46b1381c0428dc73df5de7087ebd Mon Sep 17 00:00:00 2001 From: cspicer Date: Fri, 4 Dec 2020 13:34:48 -0500 Subject: [PATCH 06/18] rebased to openjdk8:1.8.0 image, updated application to version 6.0.3 --- Dockerfile | 17 ++++++++++------- Jenkinsfile | 2 +- README.md | 4 ++-- download.yaml | 6 +++--- 4 files changed, 16 insertions(+), 13 deletions(-) diff --git a/Dockerfile b/Dockerfile index c4c61ab..db9399e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,22 +1,25 @@ ARG BASE_REGISTRY=registry1.dsop.io -ARG BASE_IMAGE=redhat/ubi/ubi8 -ARG BASE_TAG=8.3 +ARG BASE_IMAGE=redhat/openjdk/openjdk8 +ARG BASE_TAG=1.8.0 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} + ### Required Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels LABEL name="Solutions Delivery Platform: OWASP Dependency Check" \ maintainer="terrana_steven@bah.com" \ vendor="Booz Allen Hamilton" \ - version="5.3.2" \ - release="5.3.2" \ + version="6.0.3" \ + release="6.0.3" \ summary="OWASP Dependency Check container" \ description="The OWASP Dependency Check container image for the Solutions Delivery Platform" +USER root + ### add licenses to this directory COPY LICENSE /licenses ### Install packages from ubi base repo -RUN INSTALL_PKGS="java-1.8.0-openjdk ruby unzip" && \ +RUN INSTALL_PKGS="ruby unzip" && \ yum clean metadata && \ yum -y update --setopt=tsflags=nodocs && \ yum -y install --setopt=tsflags=nodocs ${INSTALL_PKGS} && \ @@ -27,8 +30,8 @@ RUN INSTALL_PKGS="java-1.8.0-openjdk ruby unzip" && \ ### Arguments and Environment variables ENV user dependencycheck -ARG SDP_BUILD_DEPENDENCY_VERSION="dcar-1.1" -ENV OWASP_DEP_CHK_VERSION 5.3.2 +ARG SDP_BUILD_DEPENDENCY_VERSION="dcar-1.7" +ENV OWASP_DEP_CHK_VERSION 6.0.3 ### Fetch dependency bundle RUN mkdir /root/tmp diff --git a/Jenkinsfile b/Jenkinsfile index 9490995..bc0fefd 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,2 +1,2 @@ @Library('DCCSCR@master') _ -dccscrPipeline(version: "5.3.2") +dccscrPipeline(version: "6.0.3") diff --git a/README.md b/README.md index 0378ce5..f32785c 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# OWASP Dependency Check Container Version 5.3.2 +# OWASP Dependency Check Container Version 6.0.3 ## Introduction @@ -11,7 +11,7 @@ The following is a list of variables: ARG BASE_REGISTRY = defines the registry portion of the OS image to be used in the FROM command. ARG BASE_IMAGE = defines the image portion of the OS image to be used in the FROM command. ARG BASE_TAG = defines the tag portion of the OS image to be used in the FROM command. -ARG SDP_BUILD_DEPENDENCY_VERSION = defines the release in https://github.com/boozallen/sdp-images/releases that the dependency bundle should be pulled from - default dcar-0.9 +ARG SDP_BUILD_DEPENDENCY_VERSION = defines the release in https://github.com/boozallen/sdp-images/releases that the dependency bundle should be pulled from - default dcar-1.7 ``` Recommended resources for the image: diff --git a/download.yaml b/download.yaml index f8e13bd..68b3941 100644 --- a/download.yaml +++ b/download.yaml @@ -1,6 +1,6 @@ resources: - - url: "https://github.com/boozallen/sdp-images/releases/download/dcar-1.1/owasp-dep-check-dependencies-dcar-1.1.tar.gz" - filename: "owasp-dep-check-dependencies-dcar-1.1.tar.gz" + - url: "https://github.com/boozallen/sdp-images/releases/download/dcar-1.7/owasp-dep-check-dependencies-dcar-1.7.tar.gz" + filename: "owasp-dep-check-dependencies-dcar-1.7.tar.gz" validation: type: "sha256" - value: "650c054fba0881434aa50d099fbdf1f0d7bbca7add3eb2aaf6e672158997e448" + value: "5149b91bbb24ea18da7e692e15aa1cd0c61262072125830d263ccc1be43f54ad" -- GitLab From 71bb559d3c862ebef67d7d9cf67a5cededf68a68 Mon Sep 17 00:00:00 2001 From: ironbank-bot Date: Thu, 10 Dec 2020 01:24:45 +0000 Subject: [PATCH 07/18] Migrate to hardening_manifest.yaml --- Dockerfile | 7 ----- Jenkinsfile | 2 -- download.yaml | 6 ----- hardening_manifest.yaml | 58 +++++++++++++++++++++++++++++++++++++++++ 4 files changed, 58 insertions(+), 15 deletions(-) delete mode 100644 Jenkinsfile delete mode 100644 download.yaml create mode 100644 hardening_manifest.yaml diff --git a/Dockerfile b/Dockerfile index db9399e..47750b7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,13 +5,6 @@ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} ### Required Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels -LABEL name="Solutions Delivery Platform: OWASP Dependency Check" \ - maintainer="terrana_steven@bah.com" \ - vendor="Booz Allen Hamilton" \ - version="6.0.3" \ - release="6.0.3" \ - summary="OWASP Dependency Check container" \ - description="The OWASP Dependency Check container image for the Solutions Delivery Platform" USER root diff --git a/Jenkinsfile b/Jenkinsfile deleted file mode 100644 index bc0fefd..0000000 --- a/Jenkinsfile +++ /dev/null @@ -1,2 +0,0 @@ -@Library('DCCSCR@master') _ -dccscrPipeline(version: "6.0.3") diff --git a/download.yaml b/download.yaml deleted file mode 100644 index 68b3941..0000000 --- a/download.yaml +++ /dev/null @@ -1,6 +0,0 @@ -resources: - - url: "https://github.com/boozallen/sdp-images/releases/download/dcar-1.7/owasp-dep-check-dependencies-dcar-1.7.tar.gz" - filename: "owasp-dep-check-dependencies-dcar-1.7.tar.gz" - validation: - type: "sha256" - value: "5149b91bbb24ea18da7e692e15aa1cd0c61262072125830d263ccc1be43f54ad" diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml new file mode 100644 index 0000000..69cd941 --- /dev/null +++ b/hardening_manifest.yaml @@ -0,0 +1,58 @@ +--- +apiVersion: v1 + +# The repository name in registry1, excluding /ironbank/ +name: "solutions-delivery-platform/dependency-check/dependency-check" + +# List of tags to push for the repository in registry1 +# The most specific version should be the first tag and will be shown +# on ironbank.dsop.io +tags: +- "6.0.3" +- "latest" + +# Build args passed to Dockerfile ARGs +args: + BASE_IMAGE: "redhat/ubi/ubi8" + BASE_TAG: "8.3" + +# Docker image labels +labels: + org.opencontainers.image.title: "dependency-check" + ## Human-readable description of the software packaged in the image + # org.opencontainers.image.description: "FIXME" + ## License(s) under which contained software is distributed + # org.opencontainers.image.licenses: "FIXME" + ## URL to find more information on the image + # org.opencontainers.image.url: "FIXME" + ## Name of the distributing entity, organization or individual + # org.opencontainers.image.vendor: "FIXME" + org.opencontainers.image.version: "6.0.3" + ## Keywords to help with search (ex. "cicd,gitops,golang") + # mil.dso.ironbank.image.keywords: "FIXME" + ## This value can be "opensource" or "commercial" + # mil.dso.ironbank.image.type: "FIXME" + ## Product the image belongs to for grouping multiple images + # mil.dso.ironbank.product.name: "FIXME" + +# List of resources to make available to the offline build context +resources: +- filename: owasp-dep-check-dependencies-dcar-1.7.tar.gz + url: https://github.com/boozallen/sdp-images/releases/download/dcar-1.7/owasp-dep-check-dependencies-dcar-1.7.tar.gz + validation: + type: sha256 + value: 5149b91bbb24ea18da7e692e15aa1cd0c61262072125830d263ccc1be43f54ad + +# List of project maintainers +# FIXME: Fill in the following details for the current container owner in the whitelist +# FIXME: Include any other vendor information if applicable +maintainers: +- email: "hojeda@redhat.com" +# # The name of the current container owner +# name: "FIXME" +# # The gitlab username of the current container owner +# username: "FIXME" +# cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT +# - name: "FIXME" +# username: "FIXME" +# email: "FIXME" -- GitLab From 2f11021ce092d6ca5df7b73c18756774f1946474 Mon Sep 17 00:00:00 2001 From: Al Fontaine Date: Fri, 11 Dec 2020 17:58:42 +0000 Subject: [PATCH 08/18] Update hardening_manifest.yaml --- hardening_manifest.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 69cd941..2e68eb3 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -47,12 +47,12 @@ resources: # FIXME: Fill in the following details for the current container owner in the whitelist # FIXME: Include any other vendor information if applicable maintainers: -- email: "hojeda@redhat.com" +- email: "spicer_casey@bah.com" # # The name of the current container owner -# name: "FIXME" + name: "Casey Spicer" # # The gitlab username of the current container owner -# username: "FIXME" + username: "cspicer" # cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT -# - name: "FIXME" -# username: "FIXME" -# email: "FIXME" +- name: "Al Fontaine" + username: "alfontaine" + email: "alan.fontaine@centauricorp.com" -- GitLab From cdbddff27c6ae073bd6764089ccc2fa70967b526 Mon Sep 17 00:00:00 2001 From: Al Fontaine Date: Fri, 11 Dec 2020 17:59:02 +0000 Subject: [PATCH 09/18] Update hardening_manifest.yaml --- hardening_manifest.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 2e68eb3..295a1bb 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -20,13 +20,13 @@ args: labels: org.opencontainers.image.title: "dependency-check" ## Human-readable description of the software packaged in the image - # org.opencontainers.image.description: "FIXME" + org.opencontainers.image.description: "FIXME" ## License(s) under which contained software is distributed - # org.opencontainers.image.licenses: "FIXME" + org.opencontainers.image.licenses: "FIXME" ## URL to find more information on the image # org.opencontainers.image.url: "FIXME" ## Name of the distributing entity, organization or individual - # org.opencontainers.image.vendor: "FIXME" + org.opencontainers.image.vendor: "FIXME" org.opencontainers.image.version: "6.0.3" ## Keywords to help with search (ex. "cicd,gitops,golang") # mil.dso.ironbank.image.keywords: "FIXME" -- GitLab From 53ad5b8e24a71e75f296d2da98a640592e732bc0 Mon Sep 17 00:00:00 2001 From: cspicer Date: Mon, 11 Jan 2021 17:00:23 -0500 Subject: [PATCH 10/18] updated hardening_manifest.yaml --- hardening_manifest.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 295a1bb..c581575 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -13,20 +13,20 @@ tags: # Build args passed to Dockerfile ARGs args: - BASE_IMAGE: "redhat/ubi/ubi8" - BASE_TAG: "8.3" + BASE_IMAGE: "redhat/openjdk/openjdk8" + BASE_TAG: "1.8.0" # Docker image labels labels: org.opencontainers.image.title: "dependency-check" ## Human-readable description of the software packaged in the image - org.opencontainers.image.description: "FIXME" + org.opencontainers.image.description: "OWASP Dependency Check for vulnerability scanning code dependency files" ## License(s) under which contained software is distributed - org.opencontainers.image.licenses: "FIXME" + org.opencontainers.image.licenses: "https://github.com/boozallen/sdp-images/blob/master/LICENSE.md" ## URL to find more information on the image # org.opencontainers.image.url: "FIXME" ## Name of the distributing entity, organization or individual - org.opencontainers.image.vendor: "FIXME" + org.opencontainers.image.vendor: "Booz Allen Hamilton" org.opencontainers.image.version: "6.0.3" ## Keywords to help with search (ex. "cicd,gitops,golang") # mil.dso.ironbank.image.keywords: "FIXME" -- GitLab From 8d2dd6874b31ffe57869cce3c6fba83b37afc724 Mon Sep 17 00:00:00 2001 From: cspicer Date: Mon, 25 Jan 2021 14:58:02 -0500 Subject: [PATCH 11/18] updated hardening_manifest.yaml --- hardening_manifest.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index c581575..5744d64 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -24,16 +24,16 @@ labels: ## License(s) under which contained software is distributed org.opencontainers.image.licenses: "https://github.com/boozallen/sdp-images/blob/master/LICENSE.md" ## URL to find more information on the image - # org.opencontainers.image.url: "FIXME" + org.opencontainers.image.url: "https://github.com/boozallen/sdp-images" ## Name of the distributing entity, organization or individual org.opencontainers.image.vendor: "Booz Allen Hamilton" org.opencontainers.image.version: "6.0.3" ## Keywords to help with search (ex. "cicd,gitops,golang") - # mil.dso.ironbank.image.keywords: "FIXME" + mil.dso.ironbank.image.keywords: "OWASP, dependency, check, dependency-check, SDP, cve, scanner, scan" ## This value can be "opensource" or "commercial" - # mil.dso.ironbank.image.type: "FIXME" + mil.dso.ironbank.image.type: "opensource" ## Product the image belongs to for grouping multiple images - # mil.dso.ironbank.product.name: "FIXME" + mil.dso.ironbank.product.name: "Solutions Delivery Platform" # List of resources to make available to the offline build context resources: -- GitLab From e9058675ba345c3285bc2165c1798b9bd0291986 Mon Sep 17 00:00:00 2001 From: cspicer Date: Mon, 25 Jan 2021 15:12:35 -0500 Subject: [PATCH 12/18] corrected license in manifest --- hardening_manifest.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 5744d64..1b478c4 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -22,7 +22,7 @@ labels: ## Human-readable description of the software packaged in the image org.opencontainers.image.description: "OWASP Dependency Check for vulnerability scanning code dependency files" ## License(s) under which contained software is distributed - org.opencontainers.image.licenses: "https://github.com/boozallen/sdp-images/blob/master/LICENSE.md" + org.opencontainers.image.licenses: "Booz Allen Public License v1.0" ## URL to find more information on the image org.opencontainers.image.url: "https://github.com/boozallen/sdp-images" ## Name of the distributing entity, organization or individual -- GitLab From 207cf26a27bffe14a0c70396cebd39f70bfda43a Mon Sep 17 00:00:00 2001 From: Jeffrey Weatherford Date: Mon, 1 Feb 2021 17:17:29 +0000 Subject: [PATCH 13/18] Update Dockerfile to remove the comment line that was causing the pre-flight to throw a warning. --- Dockerfile | 2 -- 1 file changed, 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 47750b7..18e7754 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,8 +4,6 @@ ARG BASE_TAG=1.8.0 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} -### Required Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels - USER root ### add licenses to this directory -- GitLab From 22c282b9945675b8ee1a9f9696f5fd79386d217d Mon Sep 17 00:00:00 2001 From: Casey Spicer Date: Mon, 15 Mar 2021 15:47:29 +0000 Subject: [PATCH 14/18] 6.1.1 --- Dockerfile | 8 ++------ README.md | 4 ++-- hardening_manifest.yaml | 10 +++++----- 3 files changed, 9 insertions(+), 13 deletions(-) diff --git a/Dockerfile b/Dockerfile index 18e7754..21c901e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,8 +2,6 @@ ARG BASE_REGISTRY=registry1.dsop.io ARG BASE_IMAGE=redhat/openjdk/openjdk8 ARG BASE_TAG=1.8.0 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} - - USER root ### add licenses to this directory @@ -17,12 +15,10 @@ RUN INSTALL_PKGS="ruby unzip" && \ yum -y -v clean all && \ [ ! -d /var/cache/yum ] || rm -rf /var/cache/yum - - ### Arguments and Environment variables ENV user dependencycheck -ARG SDP_BUILD_DEPENDENCY_VERSION="dcar-1.7" -ENV OWASP_DEP_CHK_VERSION 6.0.3 +ARG SDP_BUILD_DEPENDENCY_VERSION="dcar-1.8" +ENV OWASP_DEP_CHK_VERSION 6.1.1 ### Fetch dependency bundle RUN mkdir /root/tmp diff --git a/README.md b/README.md index f32785c..7bfb7b5 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# OWASP Dependency Check Container Version 6.0.3 +# OWASP Dependency Check Container Version 6.1.1 ## Introduction @@ -11,7 +11,7 @@ The following is a list of variables: ARG BASE_REGISTRY = defines the registry portion of the OS image to be used in the FROM command. ARG BASE_IMAGE = defines the image portion of the OS image to be used in the FROM command. ARG BASE_TAG = defines the tag portion of the OS image to be used in the FROM command. -ARG SDP_BUILD_DEPENDENCY_VERSION = defines the release in https://github.com/boozallen/sdp-images/releases that the dependency bundle should be pulled from - default dcar-1.7 +ARG SDP_BUILD_DEPENDENCY_VERSION = defines the release in https://github.com/boozallen/sdp-images/releases that the dependency bundle should be pulled from - default dcar-1.8 ``` Recommended resources for the image: diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 1b478c4..21aa9e6 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -8,7 +8,7 @@ name: "solutions-delivery-platform/dependency-check/dependency-check" # The most specific version should be the first tag and will be shown # on ironbank.dsop.io tags: -- "6.0.3" +- "6.1.1" - "latest" # Build args passed to Dockerfile ARGs @@ -27,7 +27,7 @@ labels: org.opencontainers.image.url: "https://github.com/boozallen/sdp-images" ## Name of the distributing entity, organization or individual org.opencontainers.image.vendor: "Booz Allen Hamilton" - org.opencontainers.image.version: "6.0.3" + org.opencontainers.image.version: "6.1.1" ## Keywords to help with search (ex. "cicd,gitops,golang") mil.dso.ironbank.image.keywords: "OWASP, dependency, check, dependency-check, SDP, cve, scanner, scan" ## This value can be "opensource" or "commercial" @@ -37,11 +37,11 @@ labels: # List of resources to make available to the offline build context resources: -- filename: owasp-dep-check-dependencies-dcar-1.7.tar.gz - url: https://github.com/boozallen/sdp-images/releases/download/dcar-1.7/owasp-dep-check-dependencies-dcar-1.7.tar.gz +- filename: owasp-dep-check-dependencies-dcar-1.8.tar.gz + url: https://github.com/boozallen/sdp-images/releases/download/dcar-1.8/owasp-dep-check-dependencies-dcar-1.8.tar.gz validation: type: sha256 - value: 5149b91bbb24ea18da7e692e15aa1cd0c61262072125830d263ccc1be43f54ad + value: 70031abeaf417204a50333269c2c6cd51926bb4734c4fef9d62bcd4f4808c40d # List of project maintainers # FIXME: Fill in the following details for the current container owner in the whitelist -- GitLab From dfb1052a99cfd16dc6f8e7bb6f08a1259f3ea81f Mon Sep 17 00:00:00 2001 From: Michael Desantis Date: Wed, 19 May 2021 21:44:09 +0000 Subject: [PATCH 15/18] Updated to version 6.1.6 --- Dockerfile | 4 ++-- README.md | 4 ++-- hardening_manifest.yaml | 10 +++++----- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index 21c901e..b4955b6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,8 +17,8 @@ RUN INSTALL_PKGS="ruby unzip" && \ ### Arguments and Environment variables ENV user dependencycheck -ARG SDP_BUILD_DEPENDENCY_VERSION="dcar-1.8" -ENV OWASP_DEP_CHK_VERSION 6.1.1 +ARG SDP_BUILD_DEPENDENCY_VERSION="dcar-2.0" +ENV OWASP_DEP_CHK_VERSION 6.1.6 ### Fetch dependency bundle RUN mkdir /root/tmp diff --git a/README.md b/README.md index 7bfb7b5..75df5ed 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# OWASP Dependency Check Container Version 6.1.1 +# OWASP Dependency Check Container Version 6.1.6 ## Introduction @@ -11,7 +11,7 @@ The following is a list of variables: ARG BASE_REGISTRY = defines the registry portion of the OS image to be used in the FROM command. ARG BASE_IMAGE = defines the image portion of the OS image to be used in the FROM command. ARG BASE_TAG = defines the tag portion of the OS image to be used in the FROM command. -ARG SDP_BUILD_DEPENDENCY_VERSION = defines the release in https://github.com/boozallen/sdp-images/releases that the dependency bundle should be pulled from - default dcar-1.8 +ARG SDP_BUILD_DEPENDENCY_VERSION = defines the release in https://github.com/boozallen/sdp-images/releases that the dependency bundle should be pulled from - default dcar-2.0 ``` Recommended resources for the image: diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 21aa9e6..fdcde91 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -8,7 +8,7 @@ name: "solutions-delivery-platform/dependency-check/dependency-check" # The most specific version should be the first tag and will be shown # on ironbank.dsop.io tags: -- "6.1.1" +- "6.1.6" - "latest" # Build args passed to Dockerfile ARGs @@ -27,7 +27,7 @@ labels: org.opencontainers.image.url: "https://github.com/boozallen/sdp-images" ## Name of the distributing entity, organization or individual org.opencontainers.image.vendor: "Booz Allen Hamilton" - org.opencontainers.image.version: "6.1.1" + org.opencontainers.image.version: "6.1.6" ## Keywords to help with search (ex. "cicd,gitops,golang") mil.dso.ironbank.image.keywords: "OWASP, dependency, check, dependency-check, SDP, cve, scanner, scan" ## This value can be "opensource" or "commercial" @@ -37,11 +37,11 @@ labels: # List of resources to make available to the offline build context resources: -- filename: owasp-dep-check-dependencies-dcar-1.8.tar.gz - url: https://github.com/boozallen/sdp-images/releases/download/dcar-1.8/owasp-dep-check-dependencies-dcar-1.8.tar.gz +- filename: owasp-dep-check-dependencies-dcar-2.0.tar.gz + url: https://github.com/boozallen/sdp-images/releases/download/dcar-2.0/owasp-dep-check-dependencies-dcar-2.0.tar.gz validation: type: sha256 - value: 70031abeaf417204a50333269c2c6cd51926bb4734c4fef9d62bcd4f4808c40d + value: d7b63bd74d7e916f0dd43d297dc393138452d2a0cef458ae4a4109093979e86d # List of project maintainers # FIXME: Fill in the following details for the current container owner in the whitelist -- GitLab From 3f21d16098ffab9d8f0325d9c017147e0510f947 Mon Sep 17 00:00:00 2001 From: Michael Desantis Date: Thu, 20 May 2021 19:08:00 +0000 Subject: [PATCH 16/18] Updating dependency tar file --- hardening_manifest.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index fdcde91..0a2e699 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -41,7 +41,7 @@ resources: url: https://github.com/boozallen/sdp-images/releases/download/dcar-2.0/owasp-dep-check-dependencies-dcar-2.0.tar.gz validation: type: sha256 - value: d7b63bd74d7e916f0dd43d297dc393138452d2a0cef458ae4a4109093979e86d + value: bd913f06fe82cc09cb9dc882397fdc921a04caf4ebc8479ec5772f2ff932c444 # List of project maintainers # FIXME: Fill in the following details for the current container owner in the whitelist -- GitLab From 20e2d6537d3420751d039dd3c8b4cafb1cd13266 Mon Sep 17 00:00:00 2001 From: Michael Desantis Date: Thu, 27 May 2021 17:10:22 +0000 Subject: [PATCH 17/18] updated rdoc to latest version for CVE-2021-31799 --- Dockerfile | 4 +++- hardening_manifest.yaml | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index b4955b6..10a3667 100644 --- a/Dockerfile +++ b/Dockerfile @@ -30,10 +30,12 @@ RUN cd /root/tmp && \ rpm -ivh --replacepkgs --replacefiles --force /root/tmp/dependencies/mono-complete/*.rpm && \ rm /root/tmp/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz -### Install ruby dependencies +### Install ruby dependencies and update rdoc RUN cd /root/tmp && \ gem install --force --local /root/tmp/dependencies/bundle-audit/*.gem --no-document --no-rdoc --no-ri && \ + gem install rdoc && \ gem cleanup + ### Install OWASP Dependency Check binaries RUN cd /root/tmp/dependencies/owasp && \ diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 0a2e699..46f2c60 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -41,7 +41,7 @@ resources: url: https://github.com/boozallen/sdp-images/releases/download/dcar-2.0/owasp-dep-check-dependencies-dcar-2.0.tar.gz validation: type: sha256 - value: bd913f06fe82cc09cb9dc882397fdc921a04caf4ebc8479ec5772f2ff932c444 + value: 0bfbeedf54fea7b3633103a9e9fdc20ab1427b1a0f48921d88551717316647ec # List of project maintainers # FIXME: Fill in the following details for the current container owner in the whitelist -- GitLab From e978cc1c42ec6d5873981ac387f6abc66f01bba4 Mon Sep 17 00:00:00 2001 From: Michael Desantis Date: Thu, 27 May 2021 17:26:29 +0000 Subject: [PATCH 18/18] fix issue in dockerfile --- Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 10a3667..38292ac 100644 --- a/Dockerfile +++ b/Dockerfile @@ -33,7 +33,6 @@ RUN cd /root/tmp && \ ### Install ruby dependencies and update rdoc RUN cd /root/tmp && \ gem install --force --local /root/tmp/dependencies/bundle-audit/*.gem --no-document --no-rdoc --no-ri && \ - gem install rdoc && \ gem cleanup -- GitLab