diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..5567c04
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,3 @@
+# Accept the risk
+CVE-2016-1000027
+
diff --git a/Dockerfile b/Dockerfile
index f4435a3..72f22f6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,11 +6,11 @@ FROM --platform=$TARGETPLATFORM rockylinux:8.6
 # ##tomcat \
 ENV TOMCAT_MAJOR=9 \
- TOMCAT_VERSION=9.0.71 \
+ TOMCAT_VERSION=9.0.73 \
 ##shib-idp \
 VERSION=4.3.0 \
 ##TIER \
- TIERVERSION=20230118_rocky8_multiarch \
+ TIERVERSION=20230313_rocky8_multiarch \
 #################### \
 #### OTHER VARS #### \
 #################### \
diff --git a/Jenkinsfile b/Jenkinsfile
index 3ec5f8a..afb1619 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
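Review bot: The new `.trivyignore` suppresses CVE-2016-1000027 with only `# Accept the risk`, which leaves no record of why the finding does not apply to this image or who accepted it. If, as the id suggests, this is the long-standing Spring Framework remoting deserialization finding, the comment should state which library it is reported against and why the affected code path is not reachable in this IdP image, e.g. `# CVE-2016-1000027: <component> - accepted by <owner> on <date>, <reason>`. Trivy matches this file by CVE id with no expiry, so the entry persists through future base-image and library updates; if the Trivy version used by the pipeline supports it, an expiry entry such as `CVE-2016-1000027 exp:<YYYY-MM-DD>` (placeholder date) forces the acceptance to be re-reviewed. Note also that Trivy only picks this file up from its working directory unless `--ignorefile` is passed, so whether the Jenkins scans honor it depends on where they run.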
@@ -97,11 +97,11 @@ pipeline {
 // Scan container for all vulnerability levels
 echo "Scanning for all vulnerabilities..."
 sh 'mkdir -p reports'
- // 2 scans below are temp (os scan only, no lib scan), while timeout issues are worked
- // sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
- sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
- // sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64"
- sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64"
+ // 2 commented scans below are OS-only, in case timeout issues occur
+ sh "trivy image --timeout 10m --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
+ // sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
+ sh "trivy image --timeout 10m --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64"
+ // sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o 
reports/container-scan-arm.html ${imagename}_${tag}:arm64"
 publishHTML target : [
 allowMissing: true,
 alwaysLinkToLastBuild: true,
diff --git a/tests/checktomcatver.sh b/tests/checktomcatver.sh
index 3c1abd0..1ce353e 100755
--- a/tests/checktomcatver.sh
+++ b/tests/checktomcatver.sh
@@ -51,8 +51,7 @@ if [ -z "$(echo $tomcatver | xargs)" ]; then
 fi
 #check if that version of tomcat is available in the download area (return is 0 if current, non-zero if not current)
-wget -q --spider https://mirrors.gigenet.com/apache/tomcat/tomcat-9/v${tomcatver}/bin/apache-tomcat-${tomcatver}.tar.gz
-#wget -q --spider http://apache.mirrors.ionfish.org/tomcat/tomcat-9/v${tomcatver}/bin/apache-tomcat-${tomcatver}.tar.gz
+wget -q --spider https://dlcdn.apache.org/tomcat/tomcat-9/v${tomcatver}/bin/apache-tomcat-${tomcatver}.tar.gz
 if [ $? == '0' ]; then
 echo "Running Tomcat version (${tomcatver}) is current!"
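Review bot: Both new `trivy image` lines run report-only: neither passes `--exit-code`, so CRITICAL/HIGH findings are written to the HTML report but never fail the stage, and `publishHTML` then publishes whatever came out. If the scan is meant to gate the build, add `--exit-code 1` to both commands (with `--ignore-unfixed` and the `.trivyignore` added in this commit serving as the accepted-risk list); if it is intentionally advisory, a comment such as `// advisory scan: findings are reported, not enforced` would stop the next reader from assuming it blocks. Trivy also reads `.trivyignore` from its working directory, so the new ignore file only affects these scans if the `sh` step runs at the checkout root; passing `--ignorefile .trivyignore` explicitly would make that independent of cwd. The two commented-out OS-only `sh` lines now duplicate the active commands minus two flags, and git history already preserves them, so dropping them would keep the stage readable. The enclosing stage and `pipeline {}` block begin and end outside the hunk.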