Docker tag sha validation (!1470) · Merge requests · Iron Bank / ironbank-pipeline · GitLab

UNCLASSIFIED - NO CUI

ATTENTION: Immediate action is required to maintain compatibility with P1 services. Please visit https://p1notifications.dso.mil and see the "DSO.MIL Certificates Renewal" announcement under the "Notifications" section for more details.

Nicolas Anderson requested to merge docker-tag-sha-validation into master Dec 18, 2024

Description

https://repo1.dso.mil/ironbank-tools/infra/ironbank-bootstrap/-/issues/2091

This MR supports https://repo1.dso.mil/ironbank-tools/infra/ironbank-bootstrap/-/issues/2091 by making a change to the validate_checksum function in the abstract_artifacts.py to get the sha from the digest of the tag based url's in the hardening manifest:

Risk

Unsure.

Rollback Plan

Can revert changes and go back to manually disabling cache on tag based manifests

Testing

https://code-ib-mario.staging.dso.mil/dsop/nicolas.anderson/boxship/-/pipelines/87856 Here's the staging pipeline I was testing my ironbank-pipeline code on (boxship is tag based)

https://code-ib-mario.staging.dso.mil/ironbank-tools/ironbank-pipeline/-/pipelines/87860 Here is the pipeline results for codechecking my code pushed to ironbank-pipeline

PASSED openjdk17-runtime-ubi9(https://code-ib-mario.staging.dso.mil/dsop/redhat/openjdk/openjdk17.x/openjdk17-runtime-ubi9-slim/-/pipelines/87878) PASSED fluent-bit(https://code-ib-mario.staging.dso.mil/dsop/opensource/fluent/fluent-bit/-/pipelines/87874) PASSED bci-base(https://code-ib-mario.staging.dso.mil/dsop/suse/bci/bci-base/-/pipelines/87877) PASSED istio-proxy(https://code-ib-mario.staging.dso.mil/dsop/opensource/istio/1.21/proxyv2/-/pipelines/87872) PASSED java21-debian(https://code-ib-mario.staging.dso.mil/dsop/opensource/debian/debian12.x/java21-debian12/-/pipelines/87881)

Edited Dec 18, 2024 by Nicolas Anderson

UNCLASSIFIED - NO CUI