diff --git a/5.2.4/Dockerfile b/5.2.4/Dockerfile
index 5a0d6c01de168ebe3a0b97e4c768d16716e91271..c2de20dc27c6a453d8a343dce2e4a28ec48ef01a 100644
--- a/5.2.4/Dockerfile
+++ b/5.2.4/Dockerfile
@@ -3,23 +3,20 @@ ARG BASE_IMAGE=ubi7/ubi
 ARG BASE_TAG=7.8
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 
-MAINTAINER terrana_steven@bah.com
-
 ### Required Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels
-ARG OWASP_DEP_CHK_VERSION=5.2.4
-LABEL name="Solutions Delivery Platform: OWASP Dependency Checker" \
+LABEL name="Solutions Delivery Platform: OWASP Dependency Check" \
       maintainer="terrana_steven@bah.com" \
       vendor="Booz Allen Hamilton" \
-      version="${OWASP_DEP_CHK_VERSION}" \
-      release="${OWASP_DEP_CHK_VERSION}" \
-      summary="An OWASP Dependency Checker container" \
+      version="5.2.4" \
+      release="5.2.4" \
+      summary="OWASP Dependency Check container" \
       description="The OWASP Dependency Check container image for the Solutions Delivery Platform"
 
 ### add licenses to this directory
 COPY LICENSE /licenses
 
-### Add necessary Red Hat repos and packages here
-RUN INSTALL_PKGS="java-1.8.0-openjdk-devel mono-devel ruby unzip" && \
+### Install packages from ubi base repo
+RUN INSTALL_PKGS="java-1.8.0-openjdk-devel ruby unzip" && \
     yum update -y \
         --nogpgcheck \
         --disablerepo=unified_platform_ubi8_os \
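Review bot: Dropping `ARG OWASP_DEP_CHK_VERSION=5.2.4` leaves the `unzip dependency-check-${OWASP_DEP_CHK_VERSION}-release.zip` and `rm dependency-check-${OWASP_DEP_CHK_VERSION}-release.zip` lines in the next hunk referring to a variable that is no longer declared anywhere in view (that hunk introduces `OWASP_DEP_CHECK_VERSION`, a differently spelled name), so the unzip step would look for `dependency-check--release.zip` and the build would fail, unless the old name is still declared in the two lines above this hunk. The smallest fix is to change those two references to `${OWASP_DEP_CHECK_VERSION}`; alternatively keep the `ARG` here. Whichever is chosen, the file should use a single spelling of the version variable, since the same hunk already mixes `$OWASP_DEP_CHECK_VERSION` and `${OWASP_DEP_CHK_VERSION}` within a few lines of each other.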
@@ -36,21 +33,35 @@ RUN INSTALL_PKGS="java-1.8.0-openjdk-devel mono-devel ruby unzip" && \
         --disableplugin=subscription-manager \
         --setopt=tsflags=nodocs
 
-### Install your application here -- add all other necessary items to build your image
-ARG user=dependencycheck
+### Environment variables
+ENV user dependencycheck
+ENV OWASP_DEP_CHECK_VERSION 5.2.4
+
+### Fetch dependency bundle
+
+RUN mkdir /root/tmp
+RUN cd /root/tmp && \
+    curl -k -fu ${NEXUS_USERNAME}:${NEXUS_PASSWORD} https://${NEXUS_SERVER}/repository/dsop/solutions-delivery-platform/dependency-check/owasp-dep-check-dependencies-$OWASP_DEP_CHECK_VERSION.tar.gz -O
 
-RUN gem install "rubygems-update:<3.0.0" --no-document && \
-    update_rubygems && \
-    gem install bundle-audit && \
+### Install mono-devel
+RUN cd /root/tmp && tar -xzf owasp-dep-check-dependencies-$OWASP_DEP_CHECK_VERSION.tar.gz && rpm -ivh --replacepkgs --replacefiles /root/tmp/dependencies/mono-devel/*.rpm && rm /root/tmp/owasp-dep-check-dependencies-$OWASP_DEP_CHECK_VERSION.tar.gz
+
+### Install ruby dependencies
+RUN cd /root/tmp && \
+    gem install --force --local /root/tmp/dependencies/rubygems-update/*.gem && \
+    update_rubygems && \
+    gem install --force --local /root/tmp/dependencies/bundle-audit/*.gem && \
     gem cleanup
 
-RUN file="owaspdepchk-${OWASP_DEP_CHK_VERSION}" && \
-    curl -LOJkfu ${NEXUS_USERNAME}:${NEXUS_PASSWORD} \
-    https://${NEXUS_SERVER}/repository/dsop/solutions-delivery-platform/dependency-check/${file} -O && \
-    unzip ${file} && \
-    rm ${file} && \
+### Install OWASP Dependency Check binaries
+RUN cd /root/tmp/dependencies/owasp && \
+    unzip dependency-check-${OWASP_DEP_CHK_VERSION}-release.zip && \
+    rm dependency-check-${OWASP_DEP_CHK_VERSION}-release.zip && \
     mv dependency-check /usr/share/ && \
-    useradd -ms /bin/bash ${user} && \
+    rm -rf /root/tmp/dependencies
+
+# Add user, create required directories and cleanup
+RUN useradd -ms /bin/bash ${user} && \
     chown -R ${user}:${user} /usr/share/dependency-check && \
     mkdir /report && \
     chown -R ${user}:${user} /report && \
@@ -59,8 +70,11 @@ RUN file="owaspdepchk-${OWASP_DEP_CHK_VERSION}" && \
 USER ${user}
 
 VOLUME ["/src" "/usr/share/dependency-check/data" "/report"]
-
 
 WORKDIR /src
 CMD ["--help"]
-ENTRYPOINT ["/usr/share/dependency-check/bin/dependency-check.sh"]
\ No newline at end of file
+ENTRYPOINT ["/usr/share/dependency-check/bin/dependency-check.sh"]
+
+
+
+
diff --git a/5.2.4/scripts/BAH-public.key b/5.2.4/scripts/BAH-public.key
new file mode 100644
index 0000000000000000000000000000000000000000..c5185e5065f7c70f3c5676e39d7221c2e01c3c46
--- /dev/null
+++ b/5.2.4/scripts/BAH-public.key
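Review bot: The bundle fetched with `curl -k -fu ${NEXUS_USERNAME}:${NEXUS_PASSWORD} … -O` is unpacked and installed as root by `rpm -ivh --replacepkgs --replacefiles` and `gem install --force --local` with no integrity check inside the build, and `-k` switches off certificate verification toward `${NEXUS_SERVER}`, so the signature and sha256 checks this commit adds to `prebuild.sh` protect only the upload, not what the image actually installs. Since `scripts/owasp-dep-check-dependencies-dcar-0.3.sha256` is now in the tree, `COPY` it into `/root/tmp` (assuming the build context is `5.2.4/`, as `COPY LICENSE /licenses` suggests) and run `echo "$(cat owasp-dep-check-dependencies-dcar-0.3.sha256)  owasp-dep-check-dependencies-$OWASP_DEP_CHECK_VERSION.tar.gz" | sha256sum --check` before `tar -xzf`, and drop `-k` in favour of trusting the Nexus CA. `ENV user dependencycheck` and `ENV OWASP_DEP_CHECK_VERSION 5.2.4` use the deprecated space-separated form and turn the former `ARG user` into a runtime variable of the final image; `ENV user=dependencycheck` (or keeping it an `ARG`) is the intended form. `rm -rf /root/tmp/dependencies` runs in a later layer than the `tar -xzf`, so the extracted RPMs, gems and release zip stay in the image history; extracting and installing in one `RUN`, or in a separate build stage, would keep them out. The closing `RUN useradd …` continues past the end of the hunk.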
@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQINBF4worQBEACsIaK9upBTpLrZUKQdGsYMwFs62iFQ2LFpe20X+cWDzHyjAs6C
+c0b+QJK/WFEh61rWkSu74IUfAgLrbAzZV6dYwcNYaa/FNR9NLFBpn/7HK4lE2M7A
+MqdujCKAELS74JHpJ8+bjLbgV59MkPfQSTHn0BOo02JiWuqxpFKSlVTTtdiymhXQ
+USiqZ8FSgrVH9GiibRdCBloT1HFrrxs2LMnRsgCN6FXtyPF7jQSipklBfASCe0lS
+i4UNyx+d5G1lpXqZiwYxVYMw79Z5b9l/ZcYAar10o5EQpnr76rxMCIf2vlEZp/Yj
+aZVIHpTTtA4g9lsrIhDoJ8hABnOsNfz5M1zLMXbZaIrwQi+1ZhHlKSGxYlXgy2ay
++zOWzjz4ub5t7yxI3MPLlEIcJTrJwC9LMUzGhqLDnOi0m5vdrXksUvIQ9JQHqHOd
+iQdtTqJErVQl7rBMepLUBdNSJ1PqjR5AZRljGOCdZPedb5/U+5n/pxv23xbWWs2/
+pad31FISlY8y3eEhaA1Y2GcP+Y4LAtNm4LyM4Uk/nvniG+rI0TBzxERn1Y6Pax8x
+JhTUcgcBLGHbwFAQ/gTDRkg+9DnR0m8ZCKuJ8bPx1qmM1iR39Ks44AbtZsgrkZF+
+DrHXaiaIxtEHyRw7JLQ4auNhZb3FQfy7YrENqnF3eEhyg4cx0LEJJcl+wwARAQAB
+tDBiYWxhbi1rYXJwYWdhbSA8YmFsYW4ta2FycGFnYW1AdXNlcnMuZ2l0aHViLmNv
+bT6JAj8EEwECACkFAl4worQCGwMFCRLMAwAHCwkIBwMCAQYVCAIJCgsEFgIDAQIe
+AQIXgAAKCRCRo0uHmCFZ3ECvD/9Ix0fSV4zOwnJ5KQZEp5tEnOGPJBPcBZ6hBJQc
+9/R7DcmcN2LsOm6weMvax12/7Jo7Dbpl2rH11vwqrMrPmnm4BO6YcdmxmfE5ikyu
+2EU4pzYgAFOGrahNaaSzEXFnMvDAKHLPT6xOJ35Re/RYxQOoiW+dmxPaceZv+lf4
+Jpfm8AtreMqpWLwl1+EN6zJzMF0yJjxUNxsZzaf4G6IxqZ+xwh9Auh2R6ga7UUz5
+0sNDIMdFUNE0aQNsd8UX5pJQApwd63xE9MrnqnCPs3y39b1V+gSwYWv3sMTGDpyE
+rlDazVIJgSdBytpjAqoC0+wlm/fSgMI5YL6sJnhAfKUKp5u+5Dsr3xPFfq8s62cs
+TD14tQ0ees62I3yysStfo2w8lRUE+7fXLhgPaeYoN56/XsIheO0cXIbiNgLdS6kl
+MH+RtdyvwOBLdUgH1N5V/ctqeXbs38w4i4jPeyt/z6XYRli7Xkh7g3m1JpL4Hn6Q
+tqvuvx0FwdfXjcbuHIAHrY4kAkvKNi+dDsJ3tP8CYotmI/RlNCKjweMcOKN7qXAz
+/3qOUNXP546eObg3obOn0g0npyfQ9hojwFCl2KqNzHcr45y1Jw4peFXjthBq8B7Z
+cn6mKauJ+0K3H+fjlKR3W2TUD/p3FKqILbbw10J3sFulRppTDqzhRetUs0dQgtuK
+DpivCLkCDQReMKK0ARAA0sOzOfKuinhmzybri25NkXvyp9SbNcg8pZAmOkXsJ0Hy
+S5VK4a6aHoRs1pGsikaBYNdxJ2gwA3CeiaAJW54od8gA1RVzETfyKWjYsO7AB4I0
+LRmZSEYisnVjfTxzfpbTqjem3yyq2KG2pv4FEsv6jF9dGrdQ9EgZHf/ZebI55JS/
+TPVVau/EW3urVPFLlz+2TOzks5ysHtdCZl5A7+it70lPnaqg2LO5Kp9OnmUpIpLF
+piorHnNYXv6kUoCYblj65djCmvnRoN1rKfrh12vhIupXfRfyO/hovIMnEHFhXhBY
+yJAdusapk6A+mkbjS3g0E2igV5g0lW1XR/vN6ElGs3JfCLLmFYJCWyIg5ykrHj3I
+S8cf1uaMfSQcArIBewc8RZdN1YZUc6WCH3BImBKI1di8QdNACfUnZSkNdMrN4Dmn
+MLD38ACsSTe/D68MHxr5ee5tH7iFxTWBn8l5bZQot5qsL9glDxTT4bNiK9HzZJZN
+ks4r3kg8mUcNb8LTi4Fn9ITEv0COzPMOs7ibIMeFv+r5LGK2DHo/o+oLgSzNcx2W
+PAzhFscXtCRFZHWjN1wLAjT1mPjkF8WRKfNwp3azU1VdZ4V7uR2FlsjwaL8QZs5g
+ZpyeyZLMEsN47LoIaMvmTCc6HzsZoJAtz9GNwBlFmQoxodIkGYiwNRGWD/eNPEEA
+EQEAAYkCJQQYAQIADwUCXjCitAIbDAUJEswDAAAKCRCRo0uHmCFZ3CyYEACN5wsX
+vH+jNxYxQ+2FvObZyHT/LjD1DgFGCxE+dMqtaR84OgVgpHxhka8fbSaNlwey0J9h
+jo7dgcx9pc4TpxmIiRFqKRUbMMEVfeksy1wC4T5UZHaL3QNy6I/vnpGmPkUmEK1F
+RKERbpK/lCj4LDZpZr5hBnQ+5IcuSGR5JJ28vm58UMuiwwbE84hgbu0XcBqNkEcM
+sg9jVVJJ7ZgV6TKjEa/335LwT8gQRBKBuef/ENWps8XOxY7tYD6XvHI4Hgxk5W3g
+XuaaXs5SXR/bTgUgIYSqfSnjwbKVQJh8fXivs2N1kgFzZBA80O6oecB3+5sTmEMJ
+SzBpX01+B0WQZ+AY/FAYTZhqG0eD0pn8MHdVr4emoZYAgkW9iCjrnN9+TS8Lpb0I
+L3SxTyU07NCJKXZajCaSFuSm2OAM4E979HIZUargYKmA06v6bFXh/TdQKaONN+Eh
+qR9E5AM1N12ekN0ORxSARRQuOXUMFZ+beco+MMGhkbtu4Q4dSJviF26gxgvdPDq9
+5uMF/MKyo4Th6g1Yf3Y+UNaP9i+XHqvmExoDf6VN08Pto7sYIPHS1yqcEqJxPIw0
+Q3R1n6FGi9YcfTSVpgLQa97FSzmzh5qT3Ef0puJsCzB916Itmwax1aeduZjURp3H
+TWKZU0fI5Q5MLqyVTV3podyo7oDD4WySM3BYlQ==
+=MD6X
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sha256 b/5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sha256
new file mode 100644
index 0000000000000000000000000000000000000000..0ea0fd10a45c990a1ba2f8b9dac4a49c67b492b4
--- /dev/null
+++ b/5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sha256
@@ -0,0 +1 @@
+4e885b2cf44aa7a27dd16727e8e3e01011498ab9b5fca2e27dc1fc6935b0d3f3
diff --git a/5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sig b/5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sig
new file mode 100644
index 0000000000000000000000000000000000000000..6d17d929d4ced21a9dd2696cf72fc5e91846aac3
Binary files /dev/null and b/5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sig differ
diff --git a/5.2.4/scripts/prebuild.sh b/5.2.4/scripts/prebuild.sh
old mode 100644
new mode 100755
index 83ccc4d0d5b49c27d802ed6d262f01317ffa5d0b..76be70b9b8de5828896690e1f283c9237c350e83
--- a/5.2.4/scripts/prebuild.sh
+++ b/5.2.4/scripts/prebuild.sh
@@ -5,6 +5,8 @@ set -e
 
 ### Environment Variables ###
 OWASP_DEP_CHK_VERSION=5.2.4
+SDP_DCAR_OWASP_DEP_CHK_VERSION=dcar-0.3
+
 VENDOR=BAH
 
 # DSOP Nexus repo
@@ -14,25 +16,15 @@ NEXUS_PASSWORD=${NEXUS_PASSWORD}
 
 ### Download files/dependencies ###
 # temporarily place binaries locally in /tmp/${VENDOR}/
-curl -LO --create-dirs https://dl.bintray.com/jeremy-long/owasp/dependency-check-${OWASP_DEP_CHK_VERSION}-release.zip \
-    -o /tmp/${VENDOR}/owaspdepchk-${OWASP_DEP_CHK_VERSION}
-
-### SHA256 Verification ###
-# Verifying the files with the SHA256 is a requirement for all files
-# Make sure to not download the SHA256 from the internet, but create it, check it and upload it to the Nexus repo
-cd /tmp/${VENDOR}
-for file in owaspdepchk-${OWASP_DEP_CHK_VERSION}
-do
-    sha256sum ${file} | awk '{print $1}' > ${file}.sha256 \
-    && echo "$(cat ${file}.sha256) ${file}" | sha256sum --check --status \
-    && if [ $? == '0' ]; then printf "\nSHA256 check for ${file} succeeded\n\n"; \
-    else printf "SHA256 check for ${file} failed\n\n"; fi
-done
-
-### Nexus Repo Upload ###
-for package in owaspdepchk-${OWASP_DEP_CHK_VERSION} owaspdepchk-${OWASP_DEP_CHK_VERSION}.sha256
-do
-    curl -k -fu ${NEXUS_USERNAME}:${NEXUS_PASSWORD} -T /tmp/${VENDOR}/${package} https://${NEXUS_SERVER}/repository/dsop/solutions-delivery-platform/dependency-check/${package}
-done
-
-cd -
+curl --create-dirs -sSLo /tmp/${VENDOR}/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz https://github.com/boozallen/sdp-images/releases/download/$SDP_DCAR_OWASP_DEP_CHK_VERSION/owasp-dep-check-dependencies-$SDP_DCAR_OWASP_DEP_CHK_VERSION.tar.gz
+
+### Verify downloaded dependency bundle
+gpg --import BAH-public.key
+gpg --verify owasp-dep-check-dependencies-$SDP_DCAR_OWASP_DEP_CHK_VERSION.sig /tmp/${VENDOR}/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz
+
+echo "$(cat owasp-dep-check-dependencies-$SDP_DCAR_OWASP_DEP_CHK_VERSION.sha256) /tmp/${VENDOR}/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz" | sha256sum --check --status
+
+### Upload dependency bundle to Nexus
+curl -k -fu ${NEXUS_USERNAME}:${NEXUS_PASSWORD} -T /tmp/${VENDOR}/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz https://${NEXUS_SERVER}/repository/dsop/solutions-delivery-platform/dependency-check/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz
+
+
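Review bot: `gpg --import BAH-public.key` followed by the plain `gpg --verify …` accepts a signature from any key already in the caller's default keyring, not only the key just imported, so on a shared build host the check pins nothing; point both commands at a dedicated keyring, `gpg --no-default-keyring --keyring ./bah-keyring.gpg --import BAH-public.key` and the same two options on the `--verify` line, or compare the signer fingerprint from `--status-fd` output against the expected one. `BAH-public.key`, the `.sig` and the `.sha256` are referenced relative to the current directory while the bundle itself is addressed absolutely under `/tmp/${VENDOR}`, and the removed `cd /tmp/${VENDOR}` / `cd -` pair was the only directory handling in view, so the script now appears to work only when invoked from `5.2.4/scripts/`; a `cd "$(dirname "$0")"` before the verification, or prefixing the three sidecar files with the script's own directory, would make it location-independent. The GitHub download runs `curl` without `-f`, so an HTTP error leaves the error page on disk as the tarball and the failure surfaces only later as a bad signature; `-fsSLo` fails fast with the real cause. With `--status` on `sha256sum` a mismatch produces no output and is visible only through `set -e` aborting, so dropping `--status` gives the build log the reason.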