From df36b363719917d2542a69d8cd350e123e5bf9d1 Mon Sep 17 00:00:00 2001 From: renovate Date: Thu, 10 Dec 2020 01:09:12 +0000 Subject: [PATCH 1/4] Update dependency SonarSource/docker-sonarqube to v8.6 --- Kptfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Kptfile b/Kptfile index 41f2d4b..a559843 100644 --- a/Kptfile +++ b/Kptfile @@ -9,5 +9,5 @@ dependencies: git: repo: https://github.com/SonarSource/docker-sonarqube directory: /8/enterprise - ref: 8.5.1 + ref: 8.6 updateStrategy: resource-merge -- GitLab From 2bb6a3ef524f5d2805c5a89d7e51d3bf75f133ab Mon Sep 17 00:00:00 2001 From: ironbank-bot Date: Thu, 10 Dec 2020 01:10:41 +0000 Subject: [PATCH 2/4] Migrate to hardening_manifest.yaml --- Dockerfile | 5 ---- Jenkinsfile | 2 -- download.yaml | 4 --- hardening_manifest.yaml | 55 +++++++++++++++++++++++++++++++++++++++++ renovate.json | 55 ++++++++++++++++++++++++++++++----------- 5 files changed, 96 insertions(+), 25 deletions(-) delete mode 100644 Jenkinsfile delete mode 100644 download.yaml create mode 100644 hardening_manifest.yaml diff --git a/Dockerfile b/Dockerfile index 9ff41cb..5c0abc5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,11 +6,6 @@ FROM sonarqube:8.5-enterprise AS build FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} -LABEL org.opencontainers.image.title="SonarQube" \ - org.opencontainers.image.description="SonarQube is an automatic code review tool to detect bugs, vulnerabilities and code smells in your code." \ - org.opencontainers.image.licenses="All rights reserved" \ - org.opencontainers.image.version="8.5-enterprise" \ - maintainer="SonarSource" ARG SONARQUBE_VERSION="8.5-enterprise" ENV SONAR_VERSION="${SONARQUBE_VERSION}" \ diff --git a/Jenkinsfile b/Jenkinsfile deleted file mode 100644 index a1186ab..0000000 --- a/Jenkinsfile +++ /dev/null @@ -1,2 +0,0 @@ -@Library('DCCSCR@master') _ -dccscrPipeline(version: "8.5-enterprise") diff --git a/download.yaml b/download.yaml deleted file mode 100644 index 2360c98..0000000 --- a/download.yaml +++ /dev/null @@ -1,4 +0,0 @@ ---- -resources: - - url: "docker://docker.io/library/sonarqube@sha256:a06e03b30d68ed4ffcc3a9f2b4192e804f5ec83ffe00a93a57a8ef46416411c0" - tag: "sonarqube:8.5-enterprise" diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml new file mode 100644 index 0000000..15971a8 --- /dev/null +++ b/hardening_manifest.yaml @@ -0,0 +1,55 @@ +--- +apiVersion: v1 + +# The repository name in registry1, excluding /ironbank/ +name: "sonarsource/sonarqube/sonarqube8-enterprise" + +# List of tags to push for the repository in registry1 +# The most specific version should be the first tag and will be shown +# on ironbank.dsop.io +tags: +- "8.5-enterprise" +- "latest" + +# Build args passed to Dockerfile ARGs +args: + BASE_IMAGE: "redhat/openjdk/openjdk11" + BASE_TAG: "1.11" + +# Docker image labels +labels: + org.opencontainers.image.title: "sonarqube8-enterprise" + ## Human-readable description of the software packaged in the image + # org.opencontainers.image.description: "FIXME" + ## License(s) under which contained software is distributed + # org.opencontainers.image.licenses: "FIXME" + ## URL to find more information on the image + # org.opencontainers.image.url: "FIXME" + ## Name of the distributing entity, organization or individual + # org.opencontainers.image.vendor: "FIXME" + org.opencontainers.image.version: "8.5-enterprise" + ## Keywords to help with search (ex. "cicd,gitops,golang") + # mil.dso.ironbank.image.keywords: "FIXME" + ## This value can be "opensource" or "commercial" + # mil.dso.ironbank.image.type: "FIXME" + ## Product the image belongs to for grouping multiple images + # mil.dso.ironbank.product.name: "FIXME" + +# List of resources to make available to the offline build context +resources: +- tag: sonarqube:8.5-enterprise + url: docker://docker.io/library/sonarqube@sha256:a06e03b30d68ed4ffcc3a9f2b4192e804f5ec83ffe00a93a57a8ef46416411c0 + +# List of project maintainers +# FIXME: Fill in the following details for the current container owner in the whitelist +# FIXME: Include any other vendor information if applicable +maintainers: +- email: "melissari_sean@bah.com" +# # The name of the current container owner +# name: "FIXME" +# # The gitlab username of the current container owner +# username: "FIXME" +# cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT +# - name: "FIXME" +# username: "FIXME" +# email: "FIXME" diff --git a/renovate.json b/renovate.json index 69654f7..1ff40b9 100644 --- a/renovate.json +++ b/renovate.json @@ -1,13 +1,23 @@ { - "assignees": ["@sean.melissari"], - "baseBranches": ["development"], + "assignees": [ + "@sean.melissari" + ], + "baseBranches": [ + "development" + ], "postUpgradeTasks": { - "commands": ["kpt pkg sync ."], - "fileFilters": ["scripts/*"] + "commands": [ + "kpt pkg sync ." + ], + "fileFilters": [ + "scripts/*" + ] }, "regexManagers": [ { - "fileMatch": ["^Dockerfile$"], + "fileMatch": [ + "^Dockerfile$" + ], "matchStrings": [ "version=\"(?.*?)\"" ], @@ -16,7 +26,9 @@ "versioningTemplate": "docker" }, { - "fileMatch": ["^Dockerfile$"], + "fileMatch": [ + "^Dockerfile$" + ], "matchStrings": [ "SONARQUBE_VERSION=\"(?.*?)\"" ], @@ -25,22 +37,37 @@ "versioningTemplate": "docker" }, { - "fileMatch": ["^Jenkinsfile$"], + "fileMatch": [ + "^Kptfile$" + ], + "matchStrings": [ + "\\s+ref:\\s+(?.*?)\n" + ], + "depNameTemplate": "SonarSource/docker-sonarqube", + "datasourceTemplate": "github-tags", + "versioningTemplate": "loose" + }, + { + "fileMatch": [ + "^hardening_manifest.yaml$" + ], "matchStrings": [ - "version:\\s+\"(?.*?)\"" + "org\\.opencontainers\\.image\\.version:\\s+\"(?.+?)\"" ], "depNameTemplate": "sonarqube", "datasourceTemplate": "docker", "versioningTemplate": "docker" }, { - "fileMatch": ["^Kptfile$"], + "fileMatch": [ + "^hardening_manifest.yaml$" + ], "matchStrings": [ - "\\s+ref:\\s+(?.*?)\n" + "tags:\\s+-\\s+\"(?.+?)\"" ], - "depNameTemplate": "SonarSource/docker-sonarqube", - "datasourceTemplate": "github-tags", - "versioningTemplate": "loose" + "depNameTemplate": "sonarqube", + "datasourceTemplate": "docker", + "versioningTemplate": "docker" } ] -} +} \ No newline at end of file -- GitLab From 3861b875521d2c376f2ab724e8af853eb5ca94b9 Mon Sep 17 00:00:00 2001 From: tobias-trabelsi-sonarsource Date: Thu, 10 Dec 2020 08:39:37 +0100 Subject: [PATCH 3/4] adressed FIXME annotations in hardening manifest --- hardening_manifest.yaml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 15971a8..02a155d 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -20,20 +20,20 @@ args: labels: org.opencontainers.image.title: "sonarqube8-enterprise" ## Human-readable description of the software packaged in the image - # org.opencontainers.image.description: "FIXME" + org.opencontainers.image.description: "SonarQube is an automatic code review tool to detect bugs, vulnerabilities and code smells in your code." ## License(s) under which contained software is distributed - # org.opencontainers.image.licenses: "FIXME" + org.opencontainers.image.licenses: "All rights reserved" ## URL to find more information on the image - # org.opencontainers.image.url: "FIXME" + org.opencontainers.image.url: "https://docs.sonarqube.org/latest/" ## Name of the distributing entity, organization or individual - # org.opencontainers.image.vendor: "FIXME" + org.opencontainers.image.vendor: "SonarSource SA" org.opencontainers.image.version: "8.5-enterprise" ## Keywords to help with search (ex. "cicd,gitops,golang") - # mil.dso.ironbank.image.keywords: "FIXME" + mil.dso.ironbank.image.keywords: "cicd,devops,sast,review" ## This value can be "opensource" or "commercial" - # mil.dso.ironbank.image.type: "FIXME" + mil.dso.ironbank.image.type: "commercial" ## Product the image belongs to for grouping multiple images - # mil.dso.ironbank.product.name: "FIXME" + mil.dso.ironbank.product.name: "sonarqube" # List of resources to make available to the offline build context resources: @@ -44,12 +44,12 @@ resources: # FIXME: Fill in the following details for the current container owner in the whitelist # FIXME: Include any other vendor information if applicable maintainers: -- email: "melissari_sean@bah.com" + - email: "melissari_sean@bah.com" # # The name of the current container owner -# name: "FIXME" + name: "Sean Melissari" # # The gitlab username of the current container owner -# username: "FIXME" -# cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT -# - name: "FIXME" + username: "sean.melissari" + cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT +# - name: "FIXME" # username: "FIXME" # email: "FIXME" -- GitLab From 6809b802512b534baacc3ef84a1db05e4888e143 Mon Sep 17 00:00:00 2001 From: renovate Date: Fri, 11 Dec 2020 01:07:40 +0000 Subject: [PATCH 4/4] Update sonarqube Docker tag to v8.6 --- Dockerfile | 6 +++--- Jenkinsfile | 2 +- download.yaml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9ff41cb..cb7501d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,17 +2,17 @@ ARG BASE_REGISTRY=registry1.dsop.io ARG BASE_IMAGE=redhat/openjdk/openjdk11 ARG BASE_TAG=1.11 -FROM sonarqube:8.5-enterprise AS build +FROM sonarqube:8.6-enterprise AS build FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} LABEL org.opencontainers.image.title="SonarQube" \ org.opencontainers.image.description="SonarQube is an automatic code review tool to detect bugs, vulnerabilities and code smells in your code." \ org.opencontainers.image.licenses="All rights reserved" \ - org.opencontainers.image.version="8.5-enterprise" \ + org.opencontainers.image.version="8.6-enterprise" \ maintainer="SonarSource" -ARG SONARQUBE_VERSION="8.5-enterprise" +ARG SONARQUBE_VERSION="8.6-enterprise" ENV SONAR_VERSION="${SONARQUBE_VERSION}" \ SONARQUBE_HOME="/opt/sonarqube" \ SQ_DATA_DIR="/opt/sonarqube/data" \ diff --git a/Jenkinsfile b/Jenkinsfile index a1186ab..5ee5278 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,2 +1,2 @@ @Library('DCCSCR@master') _ -dccscrPipeline(version: "8.5-enterprise") +dccscrPipeline(version: "8.6-enterprise") diff --git a/download.yaml b/download.yaml index 2360c98..3e2c2a2 100644 --- a/download.yaml +++ b/download.yaml @@ -1,4 +1,4 @@ --- resources: - - url: "docker://docker.io/library/sonarqube@sha256:a06e03b30d68ed4ffcc3a9f2b4192e804f5ec83ffe00a93a57a8ef46416411c0" - tag: "sonarqube:8.5-enterprise" + - url: "docker://docker.io/library/sonarqube@sha256:d8d2ee0bb81584c2becbf8daafce42c9209c8dc923236e3b54f6644ac0c4fceb" + tag: "sonarqube:8.6-enterprise" -- GitLab