diff --git a/5.2.4/Dockerfile b/5.2.4/Dockerfile
index c2de20dc27c6a453d8a343dce2e4a28ec48ef01a..5bf4d4525a2484d75a649275356c56133e638a41 100644
--- a/5.2.4/Dockerfile
+++ b/5.2.4/Dockerfile
@@ -33,15 +33,15 @@ RUN INSTALL_PKGS="java-1.8.0-openjdk-devel ruby unzip" && \
 --disableplugin=subscription-manager \
 --setopt=tsflags=nodocs
-### Environment variables
+### Arguments and Environment variables
 ENV user dependencycheck
+ARG SDP_BUILD_DEPENDENCY_VERSION dcar-0.4
 ENV OWASP_DEP_CHECK_VERSION 5.2.4
 ### Fetch dependency bundle
 RUN mkdir /root/tmp
-RUN cd /root/tmp && \
- curl -k -fu ${NEXUS_USERNAME}:${NEXUS_PASSWORD} https://${NEXUS_SERVER}/repository/dsop/solutions-delivery-platform/dependency-check/owasp-dep-check-dependencies-$OWASP_DEP_CHECK_VERSION.tar.gz -O
+COPY owasp-dep-check-dependencies-$SDP_BUILD_DEPENDENCY_VERSION.tar.gz /root/tmp/owasp-dep-check-dependencies-$OWASP_DEP_CHECK_VERSION.tar.gz
 ### Install mono-devel
 RUN cd /root/tmp && tar -xzf owasp-dep-check-dependencies-$OWASP_DEP_CHECK_VERSION.tar.gz && rpm -ivh --replacepkgs --replacefiles /root/tmp/dependencies/mono-devel/*.rpm && rm /root/tmp/owasp-dep-check-dependencies-$OWASP_DEP_CHECK_VERSION.tar.gz
@@ -73,6 +73,7 @@ VOLUME ["/src" "/usr/share/dependency-check/data" "/report"]
 WORKDIR /src
 CMD ["--help"]
+HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD stat /usr/share/dependency-check/bin/dependency-check.sh
 ENTRYPOINT ["/usr/share/dependency-check/bin/dependency-check.sh"]
diff --git a/5.2.4/README.md b/5.2.4/README.md
index 0200ed376c5aa1b7bc02a87fdd1657e3f5769b4f..8957c330766603d45c82f9fe8b7e754e2e970a4f 100644
--- a/5.2.4/README.md
+++ b/5.2.4/README.md
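Review bot: The added `ARG SDP_BUILD_DEPENDENCY_VERSION dcar-0.4` does not set a default: ARG takes `NAME=value` (the space-separated form is only accepted for ENV), so Docker either rejects the instruction or reads `dcar-0.4` as a second, unrelated argument name, and the COPY two lines below expands to `owasp-dep-check-dependencies-.tar.gz` unless `--build-arg` is supplied; it should read `ARG SDP_BUILD_DEPENDENCY_VERSION=dcar-0.4`. Even with that fixed, the only bundle this commit pins by hash (download.json) is dcar-0.3, so a default build would COPY a dcar-0.4 file that nothing downloads. Separately, the removed curl/prebuild path verified a detached GPG signature and a sha256 before the bundle was used, whereas the new COPY feeds the tarball straight into `tar -xzf` and `rpm -ivh --replacepkgs --replacefiles` with no check inside the Dockerfile; if the intent is that the download.json consumer enforces the sha256, say so in a comment above the COPY, otherwise add `RUN echo '4e885b2cf44aa7a27dd16727e8e3e01011498ab9b5fca2e27dc1fc6935b0d3f3  /root/tmp/owasp-dep-check-dependencies-$OWASP_DEP_CHECK_VERSION.tar.gz' | sha256sum -c` before the extract step so a swapped bundle cannot reach rpm with --replacefiles.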
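Review bot: The HEALTHCHECK added before ENTRYPOINT only `stat`s a file baked into the image layer, so it can never report unhealthy and schedules a probe every 30s for what is a one-shot CLI container (`ENTRYPOINT dependency-check.sh`, `CMD --help`). If the line exists to satisfy an image-hardening policy that requires a HEALTHCHECK, a comment should say so, e.g. `# HEALTHCHECK required by image policy; the tool is a one-shot CLI, so this is a presence check only`, so the next reader does not take it for a real liveness probe; otherwise `HEALTHCHECK NONE` or dropping the line is more honest. As an aside, the pre-existing `VOLUME ["/src" "/usr/share/dependency-check/data" "/report"]` in the hunk context is not valid JSON (missing commas) and is likely being parsed as a shell-form list of literal strings; it is outside this change but worth fixing in the same file.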
@@ -1,2 +1,19 @@
-# dependency-check
+# OWASP Dependency Check Container
+## Introduction
+
+This container hosts the OWASP Dependency Check application to be used as part of the Solution Delivery Platform.
+
+## Container Variables
+
+The following is a list of variables:
+```
+ARG BASE_REGISTRY = defines the registry portion of the OS image to be used in the FROM command.
+ARG BASE_IMAGE = defines the image portion of the OS image to be used in the FROM command.
+ARG BASE_TAG = defines the tag portion of the OS image to be used in the FROM command.
+ARG SDP_BUILD_DEPENDENCY_VERSION = defines the release in https://github.com/boozallen/sdp-images/releases that the dependency bundle should be pulled form - default dcar-0.4
+```
+
+Recommended resources for the image:
+
+The Jenkins agent on the Solutions Delivery Platform will run this container as pasrt of thebuild pipeline. All resources are inherited at runtime from the Jenkins Agent container.
diff --git a/5.2.4/download.json b/5.2.4/download.json
new file mode 100644
index 0000000000000000000000000000000000000000..19bfd1f942b4e8a3ef3dfc420f4889537e4ce5ca
--- /dev/null
+++ b/5.2.4/download.json
@@ -0,0 +1,9 @@
+{ "resources":
+ [
+ { "url" : "https://github.com/boozallen/sdp-images/releases/download/dcar-0.3/owasp-dep-check-dependencies-dcar-0.3.tar.gz",
+ "filename": "owasp-dep-check-dependencies-dcar-0.3.tar.gz",
+ "sha256": "4e885b2cf44aa7a27dd16727e8e3e01011498ab9b5fca2e27dc1fc6935b0d3f3"
+ }
+] }
+
+
diff --git a/5.2.4/scripts/BAH-public.key b/5.2.4/scripts/BAH-public.key
deleted file mode 100644
index c5185e5065f7c70f3c5676e39d7221c2e01c3c46..0000000000000000000000000000000000000000
--- a/5.2.4/scripts/BAH-public.key
+++ /dev/null
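Review bot: The new download.json pins only the dcar-0.3 bundle, while the README added in the same commit documents `dcar-0.4` as the default for SDP_BUILD_DEPENDENCY_VERSION and the Dockerfile COPYs a file named from that ARG, so the hash-pinned artifact and the default build input disagree. Either add a dcar-0.4 entry with its own sha256 or change the documented and declared default to dcar-0.3 so the pinned hash is the one actually consumed. The sha256 here matches the deleted `owasp-dep-check-dependencies-dcar-0.3.sha256` byte-for-byte, but the detached `.sig` and `BAH-public.key` were removed with no replacement, so authenticity of the bundle now rests solely on the GitHub release URL plus this hash; if that is the accepted trust model it is worth stating in the README's variables section.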
@@ -1,52 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2.0.22 (GNU/Linux) - -mQINBF4worQBEACsIaK9upBTpLrZUKQdGsYMwFs62iFQ2LFpe20X+cWDzHyjAs6C -c0b+QJK/WFEh61rWkSu74IUfAgLrbAzZV6dYwcNYaa/FNR9NLFBpn/7HK4lE2M7A -MqdujCKAELS74JHpJ8+bjLbgV59MkPfQSTHn0BOo02JiWuqxpFKSlVTTtdiymhXQ -USiqZ8FSgrVH9GiibRdCBloT1HFrrxs2LMnRsgCN6FXtyPF7jQSipklBfASCe0lS -i4UNyx+d5G1lpXqZiwYxVYMw79Z5b9l/ZcYAar10o5EQpnr76rxMCIf2vlEZp/Yj -aZVIHpTTtA4g9lsrIhDoJ8hABnOsNfz5M1zLMXbZaIrwQi+1ZhHlKSGxYlXgy2ay -+zOWzjz4ub5t7yxI3MPLlEIcJTrJwC9LMUzGhqLDnOi0m5vdrXksUvIQ9JQHqHOd -iQdtTqJErVQl7rBMepLUBdNSJ1PqjR5AZRljGOCdZPedb5/U+5n/pxv23xbWWs2/ -pad31FISlY8y3eEhaA1Y2GcP+Y4LAtNm4LyM4Uk/nvniG+rI0TBzxERn1Y6Pax8x -JhTUcgcBLGHbwFAQ/gTDRkg+9DnR0m8ZCKuJ8bPx1qmM1iR39Ks44AbtZsgrkZF+ -DrHXaiaIxtEHyRw7JLQ4auNhZb3FQfy7YrENqnF3eEhyg4cx0LEJJcl+wwARAQAB -tDBiYWxhbi1rYXJwYWdhbSA8YmFsYW4ta2FycGFnYW1AdXNlcnMuZ2l0aHViLmNv -bT6JAj8EEwECACkFAl4worQCGwMFCRLMAwAHCwkIBwMCAQYVCAIJCgsEFgIDAQIe -AQIXgAAKCRCRo0uHmCFZ3ECvD/9Ix0fSV4zOwnJ5KQZEp5tEnOGPJBPcBZ6hBJQc -9/R7DcmcN2LsOm6weMvax12/7Jo7Dbpl2rH11vwqrMrPmnm4BO6YcdmxmfE5ikyu -2EU4pzYgAFOGrahNaaSzEXFnMvDAKHLPT6xOJ35Re/RYxQOoiW+dmxPaceZv+lf4 -Jpfm8AtreMqpWLwl1+EN6zJzMF0yJjxUNxsZzaf4G6IxqZ+xwh9Auh2R6ga7UUz5 -0sNDIMdFUNE0aQNsd8UX5pJQApwd63xE9MrnqnCPs3y39b1V+gSwYWv3sMTGDpyE -rlDazVIJgSdBytpjAqoC0+wlm/fSgMI5YL6sJnhAfKUKp5u+5Dsr3xPFfq8s62cs -TD14tQ0ees62I3yysStfo2w8lRUE+7fXLhgPaeYoN56/XsIheO0cXIbiNgLdS6kl -MH+RtdyvwOBLdUgH1N5V/ctqeXbs38w4i4jPeyt/z6XYRli7Xkh7g3m1JpL4Hn6Q -tqvuvx0FwdfXjcbuHIAHrY4kAkvKNi+dDsJ3tP8CYotmI/RlNCKjweMcOKN7qXAz -/3qOUNXP546eObg3obOn0g0npyfQ9hojwFCl2KqNzHcr45y1Jw4peFXjthBq8B7Z -cn6mKauJ+0K3H+fjlKR3W2TUD/p3FKqILbbw10J3sFulRppTDqzhRetUs0dQgtuK -DpivCLkCDQReMKK0ARAA0sOzOfKuinhmzybri25NkXvyp9SbNcg8pZAmOkXsJ0Hy -S5VK4a6aHoRs1pGsikaBYNdxJ2gwA3CeiaAJW54od8gA1RVzETfyKWjYsO7AB4I0 -LRmZSEYisnVjfTxzfpbTqjem3yyq2KG2pv4FEsv6jF9dGrdQ9EgZHf/ZebI55JS/ -TPVVau/EW3urVPFLlz+2TOzks5ysHtdCZl5A7+it70lPnaqg2LO5Kp9OnmUpIpLF 
-piorHnNYXv6kUoCYblj65djCmvnRoN1rKfrh12vhIupXfRfyO/hovIMnEHFhXhBY -yJAdusapk6A+mkbjS3g0E2igV5g0lW1XR/vN6ElGs3JfCLLmFYJCWyIg5ykrHj3I -S8cf1uaMfSQcArIBewc8RZdN1YZUc6WCH3BImBKI1di8QdNACfUnZSkNdMrN4Dmn -MLD38ACsSTe/D68MHxr5ee5tH7iFxTWBn8l5bZQot5qsL9glDxTT4bNiK9HzZJZN -ks4r3kg8mUcNb8LTi4Fn9ITEv0COzPMOs7ibIMeFv+r5LGK2DHo/o+oLgSzNcx2W -PAzhFscXtCRFZHWjN1wLAjT1mPjkF8WRKfNwp3azU1VdZ4V7uR2FlsjwaL8QZs5g -ZpyeyZLMEsN47LoIaMvmTCc6HzsZoJAtz9GNwBlFmQoxodIkGYiwNRGWD/eNPEEA -EQEAAYkCJQQYAQIADwUCXjCitAIbDAUJEswDAAAKCRCRo0uHmCFZ3CyYEACN5wsX -vH+jNxYxQ+2FvObZyHT/LjD1DgFGCxE+dMqtaR84OgVgpHxhka8fbSaNlwey0J9h -jo7dgcx9pc4TpxmIiRFqKRUbMMEVfeksy1wC4T5UZHaL3QNy6I/vnpGmPkUmEK1F -RKERbpK/lCj4LDZpZr5hBnQ+5IcuSGR5JJ28vm58UMuiwwbE84hgbu0XcBqNkEcM -sg9jVVJJ7ZgV6TKjEa/335LwT8gQRBKBuef/ENWps8XOxY7tYD6XvHI4Hgxk5W3g -XuaaXs5SXR/bTgUgIYSqfSnjwbKVQJh8fXivs2N1kgFzZBA80O6oecB3+5sTmEMJ -SzBpX01+B0WQZ+AY/FAYTZhqG0eD0pn8MHdVr4emoZYAgkW9iCjrnN9+TS8Lpb0I -L3SxTyU07NCJKXZajCaSFuSm2OAM4E979HIZUargYKmA06v6bFXh/TdQKaONN+Eh -qR9E5AM1N12ekN0ORxSARRQuOXUMFZ+beco+MMGhkbtu4Q4dSJviF26gxgvdPDq9 -5uMF/MKyo4Th6g1Yf3Y+UNaP9i+XHqvmExoDf6VN08Pto7sYIPHS1yqcEqJxPIw0 -Q3R1n6FGi9YcfTSVpgLQa97FSzmzh5qT3Ef0puJsCzB916Itmwax1aeduZjURp3H -TWKZU0fI5Q5MLqyVTV3podyo7oDD4WySM3BYlQ== -=MD6X ------END PGP PUBLIC KEY BLOCK----- diff --git a/5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sha256 b/5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sha256 deleted file mode 100644 index 0ea0fd10a45c990a1ba2f8b9dac4a49c67b492b4..0000000000000000000000000000000000000000 --- a/5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sha256 +++ /dev/null @@ -1 +0,0 @@ -4e885b2cf44aa7a27dd16727e8e3e01011498ab9b5fca2e27dc1fc6935b0d3f3 
diff --git a/5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sig b/5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sig
deleted file mode 100644
index 6d17d929d4ced21a9dd2696cf72fc5e91846aac3..0000000000000000000000000000000000000000
Binary files a/5.2.4/scripts/owasp-dep-check-dependencies-dcar-0.3.sig and /dev/null differ
diff --git a/5.2.4/scripts/prebuild.sh b/5.2.4/scripts/prebuild.sh
deleted file mode 100755
index 76be70b9b8de5828896690e1f283c9237c350e83..0000000000000000000000000000000000000000
--- a/5.2.4/scripts/prebuild.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-
-#OWASP Dependency Checker prebuild script
-set -e
-
-### Environment Variables ###
-OWASP_DEP_CHK_VERSION=5.2.4
-SDP_DCAR_OWASP_DEP_CHK_VERSION=dcar-0.3
-
-VENDOR=BAH
-
-# DSOP Nexus repo
-NEXUS_SERVER=${NEXUS_SERVER}
-NEXUS_USERNAME=${NEXUS_USERNAME}
-NEXUS_PASSWORD=${NEXUS_PASSWORD}
-
-### Download files/dependencies ###
-# temporarily place binaries locally in /tmp/${VENDOR}/
-curl --create-dirs -sSLo /tmp/${VENDOR}/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz https://github.com/boozallen/sdp-images/releases/download/$SDP_DCAR_OWASP_DEP_CHK_VERSION/owasp-dep-check-dependencies-$SDP_DCAR_OWASP_DEP_CHK_VERSION.tar.gz
-
-### Verify downloaded dependency bundle
-gpg --import BAH-public.key
-gpg --verify owasp-dep-check-dependencies-$SDP_DCAR_OWASP_DEP_CHK_VERSION.sig /tmp/${VENDOR}/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz
-
-echo "$(cat owasp-dep-check-dependencies-$SDP_DCAR_OWASP_DEP_CHK_VERSION.sha256) /tmp/${VENDOR}/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz" | sha256sum --check --status
-
-### Upload dependency bundle to Nexus
-curl -k -fu ${NEXUS_USERNAME}:${NEXUS_PASSWORD} -T /tmp/${VENDOR}/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz https://${NEXUS_SERVER}/repository/dsop/solutions-delivery-platform/dependency-check/owasp-dep-check-dependencies-$OWASP_DEP_CHK_VERSION.tar.gz
-
-