diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS new file mode 100644 index 0000000000000000000000000000000000000000..64a2c68c3ababda8d526d6cd995f02cd36f837ab --- /dev/null +++ b/.gitlab/CODEOWNERS @@ -0,0 +1,6 @@ +[Pipelines] +.gitlab-ci.yml @ironbank-notifications/cht +.gitlab-ci.yaml @ironbank-notifications/cht + +[Gitlab Configuration Files] +.gitlab/* @ironbank-notifications/cht diff --git a/.gitlab/issue_templates/Access Request.md b/.gitlab/issue_templates/Access Request.md new file mode 100644 index 0000000000000000000000000000000000000000..1a7b224d6ccdad95fef69b5c8be1ce2b543f338e --- /dev/null +++ b/.gitlab/issue_templates/Access Request.md @@ -0,0 +1,16 @@ +## Summary + +The following individuals are requesting access to this project (one per line): +(List or tag all individuals here) + + +The access level should be: +- [ ] Developer access +- [ ] Remove access + + +## Definition of Done +- [ ] All accounts have been provided the necessary accesses + + +/label ~"Access" ~"To Do" \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Archive.md b/.gitlab/issue_templates/Application - Archive.md new file mode 100644 index 0000000000000000000000000000000000000000..9f3b5fe4d8d43ae9f82411a391b200d4b43f2668 --- /dev/null +++ b/.gitlab/issue_templates/Application - Archive.md @@ -0,0 +1,21 @@ +## Summary + +Requesting this application be archived due to one of the following reasons: +- [ ] Version is no longer supported by vendor +- [ ] Application is End-Of-Life +- [ ] License violation. +- [ ] Other. See below. + +## Detailed Description + +(Please provide a detailed description of why this application should be archived) + + +## Definition of Done +- [ ] Application has been reviewed for archival +- [ ] Project is officially marked as stale +- [ ] Iron Bank frontend no longer lists application as available or approved + + +/label ~"Container::Archive" +/cc @ironbank-notifications/archive \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Initial.md b/.gitlab/issue_templates/Application - Initial.md new file mode 100644 index 0000000000000000000000000000000000000000..6594a0580b941815c0c7c6264cdfc42e28231f57 --- /dev/null +++ b/.gitlab/issue_templates/Application - Initial.md @@ -0,0 +1,32 @@ +## Summary + +Requesting application to be hardened. This is only for initial hardening of a container. + + +## Version Information + +Current version: (State the current version of the application as you see it) + +Under support: (Is the updated version within the same major version of the application or is this a new major version?) + + +## Definition of Done +Hardening: +- [ ] Container builds successfully +- [ ] Greylist file has been created (requires a member from container hardening) +- [ ] Branch has been merged into `development` + +Justifications: +- [ ] All findings have been justified per the above documentation +- [ ] Justifications have been provided to the container hardening team + +Approval Process (container hardening team processes): +- [ ] Peer review from Container Hardening Team +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::Initial" +/cc @ironbank-notifications/cht \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Update.md b/.gitlab/issue_templates/Application - Update.md new file mode 100644 index 0000000000000000000000000000000000000000..caebb3e9aab279c7f109ec0fbfa246b8add6d972 --- /dev/null +++ b/.gitlab/issue_templates/Application - Update.md @@ -0,0 +1,35 @@ +## Summary + +Requesting application be updated to a newer version. + + + +## Version Information + +Current version: (State the current version of the application as you see it) + +Updated version: (State the version you would like the application updated to) + +Under support: (Is the updated version within the same major version of the application or is this a new major version?) + + +## Definition of Done +Hardening: +- [ ] Container builds successfully +- [ ] Container version has been updated in greylist file +- [ ] Branch has been merged into `development` + +Justifications: +- [ ] All findings have been justified per the above documentation +- [ ] Justifications have been provided to the container hardening team + +Approval Process: +- [ ] Peer review from Container Hardening Team +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::Update" +/cc @ironbank-notifications/updates \ No newline at end of file diff --git a/.gitlab/issue_templates/Bug.md b/.gitlab/issue_templates/Bug.md new file mode 100644 index 0000000000000000000000000000000000000000..1427a0caed1833bccd3b1e5f8c5f6eafde05266c --- /dev/null +++ b/.gitlab/issue_templates/Bug.md @@ -0,0 +1,37 @@ +## Summary + +(Summarize the bug encountered concisely) + + +## Steps to reproduce + +(How one can reproduce the issue - this is very important) + + +## What is the current bug behavior? + +(What actually happens) + + +## What is the expected correct behavior? + +(What you should see instead) + + +## Relevant logs and/or screenshots + +(Paste any relevant logs - please use code blocks (```) to format console output, +logs, and code as it's very hard to read otherwise.) + + +## Possible fixes + +(If you can, link to the line of code that might be responsible for the problem) + + +## Defintion of Done +- [ ] Bug has been identified and corrected within the container + + +/label ~Bug +/cc @ironbank-notifications/bug \ No newline at end of file diff --git a/.gitlab/issue_templates/Feature Request.md b/.gitlab/issue_templates/Feature Request.md new file mode 100644 index 0000000000000000000000000000000000000000..a0e2f195dc66e4187264381c5e96e8aa96db8a09 --- /dev/null +++ b/.gitlab/issue_templates/Feature Request.md @@ -0,0 +1,32 @@ +## Feature description + +(Detailed description of the feature being requested) + + +## Use cases + + +(Detailed description of the use case for this feature) + + +## Benefits + +(How does this benefit others) + + +## Requirements + +(Any requirements for this feature to be enabled?) + + +## Links / references + +(List of links or references that support this feature) + + +## Definition of Done +- [ ] Feature has been implemented + + +/label ~Feature +/cc @ironbank-notifications/feature \ No newline at end of file diff --git a/.gitlab/issue_templates/Leadership Question.md b/.gitlab/issue_templates/Leadership Question.md new file mode 100644 index 0000000000000000000000000000000000000000..4674f82f930085f34f51b4ecbb4d396519f53192 --- /dev/null +++ b/.gitlab/issue_templates/Leadership Question.md @@ -0,0 +1,7 @@ +## Leadership question + +(Detailed description of the question you'd like to ask the leadership team) + + +/label ~"Question::Leadership" ~"To Do" +/cc @ironbank-notifications/leadership \ No newline at end of file diff --git a/.gitlab/issue_templates/New Findings.md b/.gitlab/issue_templates/New Findings.md new file mode 100644 index 0000000000000000000000000000000000000000..068d029d89cb62dd4d4da5e03924c608172d97d6 --- /dev/null +++ b/.gitlab/issue_templates/New Findings.md @@ -0,0 +1,20 @@ +## Summary + +Container has new findings discovered during continuous monitoring. + + + +## Definition of Done +Justifications: +- [ ] All findings have been justified +- [ ] Justifications have been provided to the container hardening team + +Approval Process: +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::New Findings" +/cc @ironbank-notifications/security \ No newline at end of file diff --git a/.gitlab/issue_templates/Onboarding Question.md b/.gitlab/issue_templates/Onboarding Question.md new file mode 100644 index 0000000000000000000000000000000000000000..77dea11e56c87d3fb65a1cf2ce7901621058f970 --- /dev/null +++ b/.gitlab/issue_templates/Onboarding Question.md @@ -0,0 +1,7 @@ +## Onboarding question + +(Detailed description of the question you'd like to ask the onboarding team) + + +/label ~"Question::Onboarding" ~"To Do" +/cc @ironbank-notifications/onboarding \ No newline at end of file diff --git a/.gitlab/issue_templates/Pipeline Failure.md b/.gitlab/issue_templates/Pipeline Failure.md new file mode 100644 index 0000000000000000000000000000000000000000..28b82a9454358a542efaa4b9c1c99542e3487fd6 --- /dev/null +++ b/.gitlab/issue_templates/Pipeline Failure.md @@ -0,0 +1,31 @@ +## Summary + +(Summarize the pipeline issue encountered concisely) + + +## Link to failed pipeline + +(Link to the failed pipeline) + + +## What is the current bug behavior? + +(What actually happens) + + +## What is the expected correct behavior? + +(What you should see instead) + + +## Possible fixes + +(If you can, link to the line of code that might be responsible for the problem) + + +## Definition of Done +- [ ] Pipeline failure has been resolved + + +/label ~Pipeline +/cc @ironbank-notifications/pipelines \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 9b4fb272b25b35503d47afee90d4e11723e43233..38292aca28d13611d54f1832b631a56853d25b65 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,34 +1,24 @@ -ARG BASE_REGISTRY=registry.access.redhat.com -ARG BASE_IMAGE=ubi8/ubi -ARG BASE_TAG=8.2 +ARG BASE_REGISTRY=registry1.dsop.io +ARG BASE_IMAGE=redhat/openjdk/openjdk8 +ARG BASE_TAG=1.8.0 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} - -### Required Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels -LABEL name="Solutions Delivery Platform: OWASP Dependency Check" \ - maintainer="terrana_steven@bah.com" \ - vendor="Booz Allen Hamilton" \ - version="5.3.2" \ - release="5.3.2" \ - summary="OWASP Dependency Check container" \ - description="The OWASP Dependency Check container image for the Solutions Delivery Platform" +USER root ### add licenses to this directory COPY LICENSE /licenses ### Install packages from ubi base repo -RUN INSTALL_PKGS="java-1.8.0-openjdk ruby unzip" && \ +RUN INSTALL_PKGS="ruby unzip" && \ yum clean metadata && \ yum -y update --setopt=tsflags=nodocs && \ yum -y install --setopt=tsflags=nodocs ${INSTALL_PKGS} && \ yum -y -v clean all && \ [ ! -d /var/cache/yum ] || rm -rf /var/cache/yum - - ### Arguments and Environment variables ENV user dependencycheck -ARG SDP_BUILD_DEPENDENCY_VERSION="dcar-1.1" -ENV OWASP_DEP_CHK_VERSION 5.3.2 +ARG SDP_BUILD_DEPENDENCY_VERSION="dcar-2.0" +ENV OWASP_DEP_CHK_VERSION 6.1.6 ### Fetch dependency bundle RUN mkdir /root/tmp @@ -40,10 +30,11 @@ RUN cd /root/tmp && \ rpm -ivh --replacepkgs --replacefiles --force /root/tmp/dependencies/mono-complete/*.rpm && \ rm /root/tmp/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz -### Install ruby dependencies +### Install ruby dependencies and update rdoc RUN cd /root/tmp && \ gem install --force --local /root/tmp/dependencies/bundle-audit/*.gem --no-document --no-rdoc --no-ri && \ gem cleanup + ### Install OWASP Dependency Check binaries RUN cd /root/tmp/dependencies/owasp && \ @@ -63,10 +54,15 @@ RUN useradd -ms /bin/bash ${user} && \ chown -R ${user}:${user} /usr/share/dependency-check && \ mkdir /report && \ chown -R ${user}:${user} /report && \ + mkdir /tempdir && \ + chown -R ${user}:${user} /tempdir && \ yum -y -v clean all && \ [ ! -d /var/cache/yum ] || rm -rf /var/cache/yum USER ${user} +#Point java to use a dedicated directory for ephemeral use +ARG JAVA_OPTS +ENV JAVA ${JAVA_OPTS:- '-Djava.io.tmp=/tempdir'} VOLUME ["/src" "/usr/share/dependency-check/data" "/report"] WORKDIR /src diff --git a/Jenkinsfile b/Jenkinsfile deleted file mode 100644 index 949099586546d6db0e414ca3f27d6c9b91d97321..0000000000000000000000000000000000000000 --- a/Jenkinsfile +++ /dev/null @@ -1,2 +0,0 @@ -@Library('DCCSCR@master') _ -dccscrPipeline(version: "5.3.2") diff --git a/README.md b/README.md index 0378ce539aebdaf109089a6a36bd0414959dbb1f..75df5ed403016f0230afc03b9dab5d82bf041fbf 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# OWASP Dependency Check Container Version 5.3.2 +# OWASP Dependency Check Container Version 6.1.6 ## Introduction @@ -11,7 +11,7 @@ The following is a list of variables: ARG BASE_REGISTRY = defines the registry portion of the OS image to be used in the FROM command. ARG BASE_IMAGE = defines the image portion of the OS image to be used in the FROM command. ARG BASE_TAG = defines the tag portion of the OS image to be used in the FROM command. -ARG SDP_BUILD_DEPENDENCY_VERSION = defines the release in https://github.com/boozallen/sdp-images/releases that the dependency bundle should be pulled from - default dcar-0.9 +ARG SDP_BUILD_DEPENDENCY_VERSION = defines the release in https://github.com/boozallen/sdp-images/releases that the dependency bundle should be pulled from - default dcar-2.0 ``` Recommended resources for the image: diff --git a/download.yaml b/download.yaml deleted file mode 100644 index f8e13bd5e9b5e2c744337a8ec949f78f399f3ad5..0000000000000000000000000000000000000000 --- a/download.yaml +++ /dev/null @@ -1,6 +0,0 @@ -resources: - - url: "https://github.com/boozallen/sdp-images/releases/download/dcar-1.1/owasp-dep-check-dependencies-dcar-1.1.tar.gz" - filename: "owasp-dep-check-dependencies-dcar-1.1.tar.gz" - validation: - type: "sha256" - value: "650c054fba0881434aa50d099fbdf1f0d7bbca7add3eb2aaf6e672158997e448" diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml new file mode 100644 index 0000000000000000000000000000000000000000..46f2c60b93ca69b04d63b55c6991dad131c7ab11 --- /dev/null +++ b/hardening_manifest.yaml @@ -0,0 +1,58 @@ +--- +apiVersion: v1 + +# The repository name in registry1, excluding /ironbank/ +name: "solutions-delivery-platform/dependency-check/dependency-check" + +# List of tags to push for the repository in registry1 +# The most specific version should be the first tag and will be shown +# on ironbank.dsop.io +tags: +- "6.1.6" +- "latest" + +# Build args passed to Dockerfile ARGs +args: + BASE_IMAGE: "redhat/openjdk/openjdk8" + BASE_TAG: "1.8.0" + +# Docker image labels +labels: + org.opencontainers.image.title: "dependency-check" + ## Human-readable description of the software packaged in the image + org.opencontainers.image.description: "OWASP Dependency Check for vulnerability scanning code dependency files" + ## License(s) under which contained software is distributed + org.opencontainers.image.licenses: "Booz Allen Public License v1.0" + ## URL to find more information on the image + org.opencontainers.image.url: "https://github.com/boozallen/sdp-images" + ## Name of the distributing entity, organization or individual + org.opencontainers.image.vendor: "Booz Allen Hamilton" + org.opencontainers.image.version: "6.1.6" + ## Keywords to help with search (ex. "cicd,gitops,golang") + mil.dso.ironbank.image.keywords: "OWASP, dependency, check, dependency-check, SDP, cve, scanner, scan" + ## This value can be "opensource" or "commercial" + mil.dso.ironbank.image.type: "opensource" + ## Product the image belongs to for grouping multiple images + mil.dso.ironbank.product.name: "Solutions Delivery Platform" + +# List of resources to make available to the offline build context +resources: +- filename: owasp-dep-check-dependencies-dcar-2.0.tar.gz + url: https://github.com/boozallen/sdp-images/releases/download/dcar-2.0/owasp-dep-check-dependencies-dcar-2.0.tar.gz + validation: + type: sha256 + value: 0bfbeedf54fea7b3633103a9e9fdc20ab1427b1a0f48921d88551717316647ec + +# List of project maintainers +# FIXME: Fill in the following details for the current container owner in the whitelist +# FIXME: Include any other vendor information if applicable +maintainers: +- email: "spicer_casey@bah.com" +# # The name of the current container owner + name: "Casey Spicer" +# # The gitlab username of the current container owner + username: "cspicer" +# cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT +- name: "Al Fontaine" + username: "alfontaine" + email: "alan.fontaine@centauricorp.com"