From 0f258526e78445d7cf694ecc21dab5196bc002f8 Mon Sep 17 00:00:00 2001 From: Karpagam Balan Date: Tue, 18 Feb 2020 17:21:45 -0500 Subject: [PATCH 1/2] Fixed build to be based on UBI7 7.8 --- 5.2.4/Dockerfile | 47 +++++++++++++++++++---------------------------- 1 file changed, 19 insertions(+), 28 deletions(-) diff --git a/5.2.4/Dockerfile b/5.2.4/Dockerfile index 5a0d6c0..a7c1479 100644 --- a/5.2.4/Dockerfile +++ b/5.2.4/Dockerfile 
@@ -3,50 +3,40 @@ ARG BASE_IMAGE=ubi7/ubi ARG BASE_TAG=7.8 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} -MAINTAINER terrana_steven@bah.com - ### Required Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels -ARG OWASP_DEP_CHK_VERSION=5.2.4 -LABEL name="Solutions Delivery Platform: OWASP Dependency Checker" \ +LABEL name="Solutions Delivery Platform: Jenkins Master" \ maintainer="terrana_steven@bah.com" \ vendor="Booz Allen Hamilton" \ - version="${OWASP_DEP_CHK_VERSION}" \ - release="${OWASP_DEP_CHK_VERSION}" \ - summary="An OWASP Dependency Checker container" \ + version="1.0" \ + release="1.0" \ + summary="A Jenkins Master container" \ description="The OWASP Dependency Check container image for the Solutions Delivery Platform" ### add licenses to this directory COPY LICENSE /licenses ### Add necessary Red Hat repos and packages here -RUN INSTALL_PKGS="java-1.8.0-openjdk-devel mono-devel ruby unzip" && \ - yum update -y \ - --nogpgcheck \ - --disablerepo=unified_platform_ubi8_os \ - --disablerepo=unified_platform_ubi8_appstream \ - --disableplugin=subscription-manager \ - --setopt=tsflags=nodocs \ - --security \ - --sec-severity=Important \ - --sec-severity=Critical && \ - yum install ${INSTALL_PKGS} -y \ - --nogpgcheck \ - --disablerepo=unified_platform_ubi8_os \ - --disablerepo=unified_platform_ubi8_appstream \ - --disableplugin=subscription-manager \ - --setopt=tsflags=nodocs +RUN echo -e "[centos] \nname=CentOS-7\nbaseurl=http://mirror.vcu.edu/pub/gnu_linux/centos/7/os/x86_64/\nenabled=1\ngpgcheck=1\ngpgkey=http://mirror.vcu.edu/pub/gnu_linux/centos/7/os/x86_64/RPM-GPG-KEY-CentOS-7" > /etc/yum.repos.d/centos.repo +RUN INSTALL_PKGS="java-1.8.0-openjdk-devel mono-devel ruby unzip wget" && \ + rpmkeys --import "http://pool.sks-keyservers.net/pks/lookup?op=get&search=0x3fa7e0328081bff6a14da29aa6a19b38d3d831ef" && \ + su -c 'curl https://download.mono-project.com/repo/centos7-stable.repo | tee 
/etc/yum.repos.d/mono-centos7-stable.repo' && \ + yum --nogpgcheck --disablerepo unified_platform_ubi8_appstream --disablerepo unified_platform_ubi8_os --disableplugin=subscription-manager -y update --setopt=tsflags=nodocs \ + --security --sec-severity=Important --sec-severity=Critical && \ + yum --nogpgcheck --disablerepo unified_platform_ubi8_appstream --disablerepo unified_platform_ubi8_os --disableplugin=subscription-manager -y install --setopt=tsflags=nodocs ${INSTALL_PKGS} ### Install your application here -- add all other necessary items to build your image -ARG user=dependencycheck + +ENV user=dependencycheck +ENV version=5.2.4 +ENV download_url=https://dl.bintray.com/jeremy-long/owasp RUN gem install "rubygems-update:<3.0.0" --no-document && \ update_rubygems && \ gem install bundle-audit && \ gem cleanup -RUN file="owaspdepchk-${OWASP_DEP_CHK_VERSION}" && \ - curl -LOJkfu ${NEXUS_USERNAME}:${NEXUS_PASSWORD} \ - https://${NEXUS_SERVER}/repository/dsop/solutions-delivery-platform/dependency-check/${file} -O && \ +RUN file="dependency-check-${version}-release.zip" && \ + wget "$download_url/$file" && \ unzip ${file} && \ rm ${file} && \ mv dependency-check /usr/share/ && \ @@ -63,4 +53,5 @@ VOLUME ["/src" "/usr/share/dependency-check/data" "/report"] WORKDIR /src CMD ["--help"] -ENTRYPOINT ["/usr/share/dependency-check/bin/dependency-check.sh"] \ No newline at end of file +ENTRYPOINT ["/usr/share/dependency-check/bin/dependency-check.sh"] + -- GitLab From 917ecad39d6006edd5270fec3632eeb474b5ad6f Mon Sep 17 00:00:00 2001 
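Review bot: `wget "$download_url/$file"` fetches `dependency-check-${version}-release.zip` from dl.bintray.com and the next lines unzip it straight into /usr/share with no checksum or signature check, so whatever that URL serves on a given day becomes the scanner binary in the image. Pinning the release digest next to the download closes that, e.g. `echo "<sha256 of dependency-check-5.2.4-release.zip>  ${file}" | sha256sum -c - && \` inserted between the `wget` and `unzip` lines. The `--nogpgcheck` on both `yum … update` and `yum … install` also means the key imported by `rpmkeys --import` and the CentOS `gpgkey=` (both fetched over plain http) are never consulted, and `su -c 'curl https://download.mono-project.com/… | tee …'` runs without `-f` or pipefail (and as root `su -c` adds nothing), so a failed download writes the error body into the .repo file and the build carries on. Dropping `--nogpgcheck` and writing the repo file with `curl -fsSL … -o /etc/yum.repos.d/mono-centos7-stable.repo` would make both checks real. The `RUN file=…` instruction continues past the end of the hunk.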
From: Karpagam Balan Date: Thu, 27 Feb 2020 15:56:47 -0500 Subject: [PATCH 2/2] Restructured files to build from pre-assembled dependency bundle --- 5.2.4/Dockerfile | 73 ++++++++++++------ 5.2.4/scripts/BAH-public.key | 52 +++++++++++++ ...asp-dep-check-dependencies-dcar-0.3.sha256 | 1 + .../owasp-dep-check-dependencies-dcar-0.3.sig | Bin 0 -> 543 bytes 5.2.4/scripts/prebuild.sh | 36 ++++----- 5 files changed, 115 insertions(+), 47 deletions(-) create mode 100644 5.2.4/scripts/BAH-public.key create mode 100644 5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sha256 create mode 100644 5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sig mode change 100644 => 100755 5.2.4/scripts/prebuild.sh diff --git a/5.2.4/Dockerfile b/5.2.4/Dockerfile index a7c1479..c2de20d 100644 --- a/5.2.4/Dockerfile +++ b/5.2.4/Dockerfile 
@@ -4,43 +4,64 @@ ARG BASE_TAG=7.8 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} ### Required Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels -LABEL name="Solutions Delivery Platform: Jenkins Master" \ +LABEL name="Solutions Delivery Platform: OWASP Dependency Check" \ maintainer="terrana_steven@bah.com" \ vendor="Booz Allen Hamilton" \ - version="1.0" \ - release="1.0" \ - summary="A Jenkins Master container" \ + version="5.2.4" \ + release="5.2.4" \ + summary="OWASP Dependency Check container" \ description="The OWASP Dependency Check container image for the Solutions Delivery Platform" ### add licenses to this directory COPY LICENSE /licenses -### Add necessary Red Hat repos and packages here -RUN echo -e "[centos] \nname=CentOS-7\nbaseurl=http://mirror.vcu.edu/pub/gnu_linux/centos/7/os/x86_64/\nenabled=1\ngpgcheck=1\ngpgkey=http://mirror.vcu.edu/pub/gnu_linux/centos/7/os/x86_64/RPM-GPG-KEY-CentOS-7" > /etc/yum.repos.d/centos.repo -RUN INSTALL_PKGS="java-1.8.0-openjdk-devel mono-devel ruby unzip wget" && \ - rpmkeys --import "http://pool.sks-keyservers.net/pks/lookup?op=get&search=0x3fa7e0328081bff6a14da29aa6a19b38d3d831ef" && \ - su -c 'curl https://download.mono-project.com/repo/centos7-stable.repo | tee /etc/yum.repos.d/mono-centos7-stable.repo' && \ - yum --nogpgcheck --disablerepo unified_platform_ubi8_appstream --disablerepo unified_platform_ubi8_os --disableplugin=subscription-manager -y update --setopt=tsflags=nodocs \ - --security --sec-severity=Important --sec-severity=Critical && \ - yum --nogpgcheck --disablerepo unified_platform_ubi8_appstream --disablerepo unified_platform_ubi8_os --disableplugin=subscription-manager -y install --setopt=tsflags=nodocs ${INSTALL_PKGS} +### Install packages from ubi base repo +RUN INSTALL_PKGS="java-1.8.0-openjdk-devel ruby unzip" && \ + yum update -y \ + --nogpgcheck \ + --disablerepo=unified_platform_ubi8_os \ + --disablerepo=unified_platform_ubi8_appstream \ + 
--disableplugin=subscription-manager \ + --setopt=tsflags=nodocs \ + --security \ + --sec-severity=Important \ + --sec-severity=Critical && \ + yum install ${INSTALL_PKGS} -y \ + --nogpgcheck \ + --disablerepo=unified_platform_ubi8_os \ + --disablerepo=unified_platform_ubi8_appstream \ + --disableplugin=subscription-manager \ + --setopt=tsflags=nodocs -### Install your application here -- add all other necessary items to build your image +### Environment variables +ENV user dependencycheck +ENV OWASP_DEP_CHECK_VERSION 5.2.4 -ENV user=dependencycheck -ENV version=5.2.4 -ENV download_url=https://dl.bintray.com/jeremy-long/owasp +### Fetch dependency bundle -RUN gem install "rubygems-update:<3.0.0" --no-document && \ - update_rubygems && \ - gem install bundle-audit && \ +RUN mkdir /root/tmp +RUN cd /root/tmp && \ + curl -k -fu ${NEXUS_USERNAME}:${NEXUS_PASSWORD} https://${NEXUS_SERVER}/repository/dsop/solutions-delivery-platform/dependency-check/owasp-dep-check-dependencies-$OWASP_DEP_CHECK_VERSION.tar.gz -O + +### Install mono-devel +RUN cd /root/tmp && tar -xzf owasp-dep-check-dependencies-$OWASP_DEP_CHECK_VERSION.tar.gz && rpm -ivh --replacepkgs --replacefiles /root/tmp/dependencies/mono-devel/*.rpm && rm /root/tmp/owasp-dep-check-dependencies-$OWASP_DEP_CHECK_VERSION.tar.gz + +### Install ruby dependencies +RUN cd /root/tmp && \ + gem install --force --local /root/tmp/dependencies/rubygems-update/*.gem && \ + update_rubygems && \ + gem install --force --local /root/tmp/dependencies/bundle-audit/*.gem && \ gem cleanup -RUN file="dependency-check-${version}-release.zip" && \ - wget "$download_url/$file" && \ - unzip ${file} && \ - rm ${file} && \ +### Install OWASP Dependency Check binaries +RUN cd /root/tmp/dependencies/owasp && \ + unzip dependency-check-${OWASP_DEP_CHK_VERSION}-release.zip && \ + rm dependency-check-${OWASP_DEP_CHK_VERSION}-release.zip && \ mv dependency-check /usr/share/ && \ - useradd -ms /bin/bash ${user} && \ + rm -rf /root/tmp/dependencies 
+ +# Add user, create required directories and cleanup +RUN useradd -ms /bin/bash ${user} && \ chown -R ${user}:${user} /usr/share/dependency-check && \ mkdir /report && \ chown -R ${user}:${user} /report && \ @@ -49,9 +70,11 @@ RUN file="dependency-check-${version}-release.zip" && \ USER ${user} VOLUME ["/src" "/usr/share/dependency-check/data" "/report"] - WORKDIR /src CMD ["--help"] ENTRYPOINT ["/usr/share/dependency-check/bin/dependency-check.sh"] + + + diff --git a/5.2.4/scripts/BAH-public.key b/5.2.4/scripts/BAH-public.key new file mode 100644 index 0000000..c5185e5 --- /dev/null +++ b/5.2.4/scripts/BAH-public.key 
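Review bot: `unzip dependency-check-${OWASP_DEP_CHK_VERSION}-release.zip` and the `rm` below it reference `OWASP_DEP_CHK_VERSION`, but the variable this hunk defines is `ENV OWASP_DEP_CHECK_VERSION 5.2.4` (the old `ARG OWASP_DEP_CHK_VERSION` was removed in the previous commit), so unless it is declared above the hunk the name expands to empty and unzip is asked for `dependency-check--release.zip`; both lines should read `${OWASP_DEP_CHECK_VERSION}`. The bundle fetched with `curl -k -fu ${NEXUS_USERNAME}:${NEXUS_PASSWORD}` is never checksummed or signature-checked inside the image build — the `.sha256`/`.sig` this commit adds are only consulted by prebuild.sh before upload — and `-k` turns off certificate verification, so the Nexus credentials are sent to whatever answers for `${NEXUS_SERVER}`; copying the `.sha256` into the build context and running `sha256sum -c` before `tar -xzf`, and trusting the Nexus CA instead of `-k`, would give the image the same assurance the upload step has. The extracted `/root/tmp/dependencies` tree (RPMs, gems, zip) is created in the `tar -xzf` `RUN` and only deleted in a later `RUN`, so it stays in the intermediate layers and ships with the image; doing extract, install and `rm -rf` in one `RUN` (or a builder stage) avoids that. `ENV user dependencycheck` / `ENV OWASP_DEP_CHECK_VERSION 5.2.4` use the deprecated space-separated form and persist build-only values into the runtime environment; `ENV user=dependencycheck` and `ARG OWASP_DEP_CHECK_VERSION=5.2.4` are the conventional spellings. The final `RUN useradd …` continues past the end of the hunk.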
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.22 (GNU/Linux) + +mQINBF4worQBEACsIaK9upBTpLrZUKQdGsYMwFs62iFQ2LFpe20X+cWDzHyjAs6C +c0b+QJK/WFEh61rWkSu74IUfAgLrbAzZV6dYwcNYaa/FNR9NLFBpn/7HK4lE2M7A +MqdujCKAELS74JHpJ8+bjLbgV59MkPfQSTHn0BOo02JiWuqxpFKSlVTTtdiymhXQ +USiqZ8FSgrVH9GiibRdCBloT1HFrrxs2LMnRsgCN6FXtyPF7jQSipklBfASCe0lS +i4UNyx+d5G1lpXqZiwYxVYMw79Z5b9l/ZcYAar10o5EQpnr76rxMCIf2vlEZp/Yj +aZVIHpTTtA4g9lsrIhDoJ8hABnOsNfz5M1zLMXbZaIrwQi+1ZhHlKSGxYlXgy2ay ++zOWzjz4ub5t7yxI3MPLlEIcJTrJwC9LMUzGhqLDnOi0m5vdrXksUvIQ9JQHqHOd +iQdtTqJErVQl7rBMepLUBdNSJ1PqjR5AZRljGOCdZPedb5/U+5n/pxv23xbWWs2/ +pad31FISlY8y3eEhaA1Y2GcP+Y4LAtNm4LyM4Uk/nvniG+rI0TBzxERn1Y6Pax8x +JhTUcgcBLGHbwFAQ/gTDRkg+9DnR0m8ZCKuJ8bPx1qmM1iR39Ks44AbtZsgrkZF+ +DrHXaiaIxtEHyRw7JLQ4auNhZb3FQfy7YrENqnF3eEhyg4cx0LEJJcl+wwARAQAB +tDBiYWxhbi1rYXJwYWdhbSA8YmFsYW4ta2FycGFnYW1AdXNlcnMuZ2l0aHViLmNv +bT6JAj8EEwECACkFAl4worQCGwMFCRLMAwAHCwkIBwMCAQYVCAIJCgsEFgIDAQIe +AQIXgAAKCRCRo0uHmCFZ3ECvD/9Ix0fSV4zOwnJ5KQZEp5tEnOGPJBPcBZ6hBJQc +9/R7DcmcN2LsOm6weMvax12/7Jo7Dbpl2rH11vwqrMrPmnm4BO6YcdmxmfE5ikyu +2EU4pzYgAFOGrahNaaSzEXFnMvDAKHLPT6xOJ35Re/RYxQOoiW+dmxPaceZv+lf4 +Jpfm8AtreMqpWLwl1+EN6zJzMF0yJjxUNxsZzaf4G6IxqZ+xwh9Auh2R6ga7UUz5 +0sNDIMdFUNE0aQNsd8UX5pJQApwd63xE9MrnqnCPs3y39b1V+gSwYWv3sMTGDpyE +rlDazVIJgSdBytpjAqoC0+wlm/fSgMI5YL6sJnhAfKUKp5u+5Dsr3xPFfq8s62cs +TD14tQ0ees62I3yysStfo2w8lRUE+7fXLhgPaeYoN56/XsIheO0cXIbiNgLdS6kl +MH+RtdyvwOBLdUgH1N5V/ctqeXbs38w4i4jPeyt/z6XYRli7Xkh7g3m1JpL4Hn6Q +tqvuvx0FwdfXjcbuHIAHrY4kAkvKNi+dDsJ3tP8CYotmI/RlNCKjweMcOKN7qXAz +/3qOUNXP546eObg3obOn0g0npyfQ9hojwFCl2KqNzHcr45y1Jw4peFXjthBq8B7Z +cn6mKauJ+0K3H+fjlKR3W2TUD/p3FKqILbbw10J3sFulRppTDqzhRetUs0dQgtuK +DpivCLkCDQReMKK0ARAA0sOzOfKuinhmzybri25NkXvyp9SbNcg8pZAmOkXsJ0Hy +S5VK4a6aHoRs1pGsikaBYNdxJ2gwA3CeiaAJW54od8gA1RVzETfyKWjYsO7AB4I0 +LRmZSEYisnVjfTxzfpbTqjem3yyq2KG2pv4FEsv6jF9dGrdQ9EgZHf/ZebI55JS/ +TPVVau/EW3urVPFLlz+2TOzks5ysHtdCZl5A7+it70lPnaqg2LO5Kp9OnmUpIpLF 
+piorHnNYXv6kUoCYblj65djCmvnRoN1rKfrh12vhIupXfRfyO/hovIMnEHFhXhBY +yJAdusapk6A+mkbjS3g0E2igV5g0lW1XR/vN6ElGs3JfCLLmFYJCWyIg5ykrHj3I +S8cf1uaMfSQcArIBewc8RZdN1YZUc6WCH3BImBKI1di8QdNACfUnZSkNdMrN4Dmn +MLD38ACsSTe/D68MHxr5ee5tH7iFxTWBn8l5bZQot5qsL9glDxTT4bNiK9HzZJZN +ks4r3kg8mUcNb8LTi4Fn9ITEv0COzPMOs7ibIMeFv+r5LGK2DHo/o+oLgSzNcx2W +PAzhFscXtCRFZHWjN1wLAjT1mPjkF8WRKfNwp3azU1VdZ4V7uR2FlsjwaL8QZs5g +ZpyeyZLMEsN47LoIaMvmTCc6HzsZoJAtz9GNwBlFmQoxodIkGYiwNRGWD/eNPEEA +EQEAAYkCJQQYAQIADwUCXjCitAIbDAUJEswDAAAKCRCRo0uHmCFZ3CyYEACN5wsX +vH+jNxYxQ+2FvObZyHT/LjD1DgFGCxE+dMqtaR84OgVgpHxhka8fbSaNlwey0J9h +jo7dgcx9pc4TpxmIiRFqKRUbMMEVfeksy1wC4T5UZHaL3QNy6I/vnpGmPkUmEK1F +RKERbpK/lCj4LDZpZr5hBnQ+5IcuSGR5JJ28vm58UMuiwwbE84hgbu0XcBqNkEcM +sg9jVVJJ7ZgV6TKjEa/335LwT8gQRBKBuef/ENWps8XOxY7tYD6XvHI4Hgxk5W3g +XuaaXs5SXR/bTgUgIYSqfSnjwbKVQJh8fXivs2N1kgFzZBA80O6oecB3+5sTmEMJ +SzBpX01+B0WQZ+AY/FAYTZhqG0eD0pn8MHdVr4emoZYAgkW9iCjrnN9+TS8Lpb0I +L3SxTyU07NCJKXZajCaSFuSm2OAM4E979HIZUargYKmA06v6bFXh/TdQKaONN+Eh +qR9E5AM1N12ekN0ORxSARRQuOXUMFZ+beco+MMGhkbtu4Q4dSJviF26gxgvdPDq9 +5uMF/MKyo4Th6g1Yf3Y+UNaP9i+XHqvmExoDf6VN08Pto7sYIPHS1yqcEqJxPIw0 +Q3R1n6FGi9YcfTSVpgLQa97FSzmzh5qT3Ef0puJsCzB916Itmwax1aeduZjURp3H +TWKZU0fI5Q5MLqyVTV3podyo7oDD4WySM3BYlQ== +=MD6X +-----END PGP PUBLIC KEY BLOCK----- diff --git a/5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sha256 b/5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sha256 new file mode 100644 index 0000000..0ea0fd1 --- /dev/null +++ b/5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sha256 @@ -0,0 +1 @@ +4e885b2cf44aa7a27dd16727e8e3e01011498ab9b5fca2e27dc1fc6935b0d3f3 
diff --git a/5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sig b/5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sig new file mode 100644 index 0000000000000000000000000000000000000000..6d17d929d4ced21a9dd2696cf72fc5e91846aac3 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;1JAte9`2@sK^ONW>tS=mWX$5^Szz`Ewng&cdHW|2eAd8IR8NJ9~iP=Cxo z$gPYEwS#K@=RYiweJ{&*C%m43@9!Kn-;C3vPmY&4yy7m^ zX5*$Ikg43^wZ@G-n718N7_XG0CH)(y&`kVu+u}zucr0qq& zGpn6hWLMRc3S`~yX(zfbshVw4!QCmWTCO%wsbk(>U}Fr{Dmb3JO7G9I@Qu<7+>MNo zR?kHL@~c4Q{L}FqnB=E*=Kw)!A)eq=!v1^>5?qwp0|~1GEUiZ}e#0Jd8x~-_0w@Bf z(L?rz*R5UA$p~ERM^~Pp6Hol@##th4E_}XQ{O^IA2fbVM9YRYEgb{@~-?mmpR128; zMSm-13alQTh7SfJc%mge*UTPgq!}(+h=- literal 0 HcmV?d00001 diff --git a/5.2.4/scripts/prebuild.sh b/5.2.4/scripts/prebuild.sh old mode 100644 new mode 100755 index 83ccc4d..76be70b --- a/5.2.4/scripts/prebuild.sh +++ b/5.2.4/scripts/prebuild.sh @@ -5,6 +5,8 @@ set -e ### Environment Variables ### OWASP_DEP_CHK_VERSION=5.2.4 +SDP_DCAR_OWASP_DEP_CHK_VERSION=dcar-0.3 + VENDOR=BAH # DSOP Nexus repo 
@@ -14,25 +16,15 @@ NEXUS_PASSWORD=${NEXUS_PASSWORD} ### Download files/dependencies ### # temporarily place binaries locally in /tmp/${VENDOR}/ -curl -LO --create-dirs https://dl.bintray.com/jeremy-long/owasp/dependency-check-${OWASP_DEP_CHK_VERSION}-release.zip \ - -o /tmp/${VENDOR}/owaspdepchk-${OWASP_DEP_CHK_VERSION} - -### SHA256 Verification ### -# Verifying the files with the SHA256 is a requirement for all files -# Make sure to not download the SHA256 from the internet, but create it, check it and upload it to the Nexus repo -cd /tmp/${VENDOR} -for file in owaspdepchk-${OWASP_DEP_CHK_VERSION} -do - sha256sum ${file} | awk '{print $1}' > ${file}.sha256 \ - && echo "$(cat ${file}.sha256) ${file}" | sha256sum --check --status \ - && if [ $? == '0' ]; then printf "\nSHA256 check for ${file} succeeded\n\n"; \ - else printf "SHA256 check for ${file} failed\n\n"; fi -done - -### Nexus Repo Upload ### -for package in owaspdepchk-${OWASP_DEP_CHK_VERSION} owaspdepchk-${OWASP_DEP_CHK_VERSION}.sha256 -do - curl -k -fu ${NEXUS_USERNAME}:${NEXUS_PASSWORD} -T /tmp/${VENDOR}/${package} https://${NEXUS_SERVER}/repository/dsop/solutions-delivery-platform/dependency-check/${package} -done - -cd - +curl --create-dirs -sSLo /tmp/${VENDOR}/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz https://github.com/boozallen/sdp-images/releases/download/$SDP_DCAR_OWASP_DEP_CHK_VERSION/owasp-dep-check-dependencies-$SDP_DCAR_OWASP_DEP_CHK_VERSION.tar.gz + +### Verify downloaded dependency bundle +gpg --import BAH-public.key +gpg --verify owasp-dep-check-dependencies-$SDP_DCAR_OWASP_DEP_CHK_VERSION.sig /tmp/${VENDOR}/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz + +echo "$(cat owasp-dep-check-dependencies-$SDP_DCAR_OWASP_DEP_CHK_VERSION.sha256) /tmp/${VENDOR}/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz" | sha256sum --check --status + +### Upload dependency bundle to Nexus +curl -k -fu ${NEXUS_USERNAME}:${NEXUS_PASSWORD} -T 
/tmp/${VENDOR}/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz https://${NEXUS_SERVER}/repository/dsop/solutions-delivery-platform/dependency-check/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz + + -- GitLab
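Review bot: With `cd /tmp/${VENDOR}` removed, `gpg --import BAH-public.key`, `gpg --verify owasp-dep-check-dependencies-$SDP_DCAR_OWASP_DEP_CHK_VERSION.sig …` and the `cat …sha256` are resolved against the caller's working directory rather than `5.2.4/scripts/` where this commit adds those files, so the script only works when invoked from inside that directory; anchoring the three paths on the script's own location (below) fixes that. `sha256sum --check --status` suppresses the mismatch message, so under `set -e` a bad hash aborts the run with no indication of why — dropping `--status` costs nothing. Since the key and the signature both come from this repository, `gpg --verify` only shows that whoever committed BAH-public.key also produced the .sig; documenting the key's fingerprint somewhere outside the repo is what makes the check meaningful. The bundle is downloaded as `$SDP_DCAR_OWASP_DEP_CHK_VERSION` (dcar-0.3) but stored and uploaded as `…-$OWASP_DEP_CHK_VERSION.tar.gz` (5.2.4), so the Nexus artifact name no longer records which bundle revision was verified, and `curl -k` on the upload skips certificate verification for the Nexus credentials.
```shell
# … unchanged: curl download into /tmp/${VENDOR} …
script_dir="$(cd "$(dirname "$0")" && pwd)"
gpg --import "${script_dir}/BAH-public.key"
gpg --verify "${script_dir}/owasp-dep-check-dependencies-$SDP_DCAR_OWASP_DEP_CHK_VERSION.sig" /tmp/${VENDOR}/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz
echo "$(cat "${script_dir}/owasp-dep-check-dependencies-$SDP_DCAR_OWASP_DEP_CHK_VERSION.sha256") /tmp/${VENDOR}/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz" | sha256sum --check
# … unchanged: Nexus upload …
```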