diff --git a/Dockerfile b/Dockerfile
index 382e50e..90021d1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM rockylinux/rockylinux:8.4
+FROM rockylinux/rockylinux:8.6
 ########################
 ### VERSION SETTINGS ###
@@ -6,11 +6,11 @@ FROM rockylinux/rockylinux:8.4
 # ##tomcat \
 ENV TOMCAT_MAJOR=9 \
- TOMCAT_VERSION=9.0.52 \
+ TOMCAT_VERSION=9.0.65 \
 ##shib-idp \
- VERSION=4.1.4 \
+ VERSION=4.2.1 \
 ##TIER \
- TIERVERSION=20210811_rocky84 \
+ TIERVERSION=20220815_rocky8 \
 #################### \
 #### OTHER VARS #### \
 #################### \
@@ -160,9 +160,9 @@ ADD container_files/idp/idp.xml /usr/local/tomcat/conf/Catalina/idp.xml
 ADD container_files/tomcat/server.xml /usr/local/tomcat/conf/server.xml
 #use log4j for tomcat logging
-ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.jar /usr/local/tomcat/bin/
-ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.11.0/log4j-api-2.11.0.jar /usr/local/tomcat/bin/
-ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.11.0/log4j-jul-2.11.0.jar /usr/local/tomcat/bin/
+ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.18.0/log4j-core-2.18.0.jar /usr/local/tomcat/bin/
+ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.18.0/log4j-api-2.18.0.jar /usr/local/tomcat/bin/
+ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.18.0/log4j-jul-2.18.0.jar /usr/local/tomcat/bin/
 RUN cd /usr/local/tomcat/; \
 chmod +r bin/log4j-*.jar;
 ADD container_files/tomcat/log4j2.xml /usr/local/tomcat/conf/
@@ -189,6 +189,9 @@ RUN mkdir -p /etc/supervisor/conf.d && chmod +x /opt/tier/setenv.sh \
 #set cron to not require a login session
 RUN sed -i '/session required pam_loginuid.so/c\#session required pam_loginuid.so' /etc/pam.d/crond
+#upgrade pip to remove sec vuln
+RUN pip3 install --upgrade pip
+
 # Expose the port tomcat will be serving on
 EXPOSE 443
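Review bot: The three new `ADD https://repo1.maven.org/...` lines in the log4j hunk still download jars with no integrity check, so the build trusts whatever the mirror or any intermediary returns, and the image differs silently if the artifact is ever replaced. With BuildKit each line can carry the expected digest, e.g. `ADD --checksum=sha256:<log4j-core-2.18.0 sha256 from Maven Central> https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.18.0/log4j-core-2.18.0.jar /usr/local/tomcat/bin/`, with the same treatment for the `log4j-api` and `log4j-jul` lines; the digests are published next to each artifact as `.sha256` files. That also makes the `RUN cd /usr/local/tomcat/; \` / `chmod +r` context step below them a candidate for `--chmod=0644` on the same `ADD`, removing one layer and the `cd` that hadolint flags.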
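Review bot: `RUN pip3 install --upgrade pip` in the last hunk is unpinned, so every build takes whatever pip release PyPI serves that day, and the comment `#upgrade pip to remove sec vuln` does not record which advisory is being closed — two images from the same commit can differ and nobody can later tell whether the fix is still needed. Pin it, skip the wheel cache, and name the finding, e.g. `# pip <pinned version> fixes <advisory id> reported by the image scan` followed by `RUN pip3 install --no-cache-dir --upgrade 'pip==<pinned version>'`. On this base `pip3` presumably comes from the distro `python3-pip` RPM, so upgrading it with pip itself overwrites RPM-owned files while the package database keeps reporting the old version, which can confuse scanners that read rpm metadata; if nothing in the image needs pip at runtime, removing the RPM may be the cleaner fix, though that cannot be judged from the hunk.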
diff --git a/Jenkinsfile b/Jenkinsfile
index 4ac70a4..71faa38 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -73,7 +73,32 @@ node('docker') {
 sh "rm -f ./debug"
 handleError(message)
 }
-
+
+ stage('Scan') {
+ steps {
+ // Install trivy and HTML template
+ sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1'
+ sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'
+
+ // Scan container for all vulnerability levels
+ sh 'mkdir -p reports'
+ sh 'trivy image --ignore-unfixed --vuln-type os,library --no-progress --format template --template "@html.tpl" -o reports/container-scan.html ${imagename}:${tag}'
+ publishHTML target : [
+ allowMissing: true,
+ alwaysLinkToLastBuild: true,
+ keepAll: true,
+ reportDir: 'reports',
+ reportFiles: 'container-scan.html',
+ reportName: 'Security Scan',
+ reportTitles: 'Security Scan'
+ ]
+
+ // Scan again and fail on CRITICAL vulns
+ sh 'trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}:${tag}'
+
+ }
+ }
+
 stage 'Push'
 docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$previous_maintainer") {
diff --git a/container_files/idp/idp.installer.properties b/container_files/idp/idp.installer.properties
index 3f4414b..5b45554 100644
--- a/container_files/idp/idp.installer.properties
+++ b/container_files/idp/idp.installer.properties
@@ -1,4 +1,4 @@
-idp.src.dir=/tmp/shibboleth/shibboleth-identity-provider-4.1.4
+idp.src.dir=/tmp/shibboleth/shibboleth-identity-provider-4.2.1
 idp.target.dir=/opt/shibboleth-idp
 idp.host.name=idp.example.org
 idp.sealer.password=changeit
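Review bot: The new `stage('Scan')` wraps its body in `steps { ... }`, but the surrounding pipeline is scripted (`node('docker')` in the hunk header, `stage 'Push'` in the trailing context), where `steps` is a declarative-only construct and not a DSL method, so the stage is likely to abort before trivy ever runs; drop the `steps {` / `}` pair and keep the `sh` calls directly inside `stage('Scan') { ... }`. The two `sh '... ${imagename}:${tag}'` lines are single-quoted Groovy strings, so `${imagename}` and `${tag}` are left to the shell; if those are Groovy variables rather than exported environment variables the shell expands them to empty and trivy is asked to scan `:`, so they need the double-quoted form already used by `"dockerhub-$previous_maintainer"` below. Both the installer and the HTML template are fetched from the `main` branch and the installer is piped straight into `sh`, so the gate's own tooling is unpinned and unverified even though the binary is fixed at `v0.31.1`; fetching from the matching tag (`https://raw.githubusercontent.com/aquasecurity/trivy/v0.31.1/contrib/install.sh`) and comparing a recorded sha256 before executing keeps the scan reproducible. `--ignore-unfixed` on the `--exit-code 1` run means a CRITICAL finding with no upstream fix never fails the build, which is a deliberate policy worth stating in the `// Scan again and fail on CRITICAL vulns` comment. The enclosing `node('docker')` block starts and ends outside the hunk.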