bump tomcat to 9.0.83

.trivyignore

@@ -0,0 +1,3 @@
+# Accept the risk
+CVE-2016-1000027
+

Dockerfile

@@ -1,16 +1,16 @@
-FROM centos:centos7
+FROM --platform=$TARGETPLATFORM rockylinux:8.8
 
 ########################
 ### VERSION SETTINGS ###
 ########################
 #
 ##tomcat \
 ENV TOMCAT_MAJOR=9 \
-    TOMCAT_VERSION=9.0.50 \
+    TOMCAT_VERSION=9.0.83 \
 ##shib-idp \
-    VERSION=4.1.4 \
+    VERSION=4.3.1 \
 ##TIER \
-    TIERVERSION=20210802 \
+    TIERVERSION=20231128_rocky8_multiarch \
 #################### \
 #### OTHER VARS #### \
 #################### \
@@ -52,7 +52,7 @@ RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
 
 # Install base deps
 RUN rm -fr /var/cache/yum/* && yum clean all && yum -y update && yum -y install --setopt=tsflags=nodocs epel-release && \
-    yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim wget rsyslog cronie krb5-workstation openssl-devel wget supervisor fontconfig && \
+    yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim rsyslog cronie krb5-workstation openssl-devel supervisor fontconfig findutils && \
     yum -y clean all && \
     mkdir -p /opt/tier && \
 # Install Trusted Certificates
@@ -69,54 +69,12 @@ RUN update-ca-trust extract
 # To keep it commented, keep multiple comments on the following line (to prevent other scripts from processing it).
 #####     ENV TIER_BEACON_OPT_OUT True
 
-# Install Corretto Java JDK
-#Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-11-ug/downloads-list.html
-ARG CORRETTO_URL_PERM=https://corretto.aws/downloads/latest/amazon-corretto-11-x64-linux-jdk.rpm
-ARG CORRETTO_RPM=amazon-corretto-11-x64-linux-jdk.rpm
-COPY container_files/java-corretto/corretto-signing-key.pub .
-RUN curl -O -L $CORRETTO_URL_PERM \
-    && rpm --import corretto-signing-key.pub \
-    && rpm -K $CORRETTO_RPM \
-    && rpm -i $CORRETTO_RPM \
-    && rm -r corretto-signing-key.pub $CORRETTO_RPM
+# Install Corretto Java JDK (from Amazon repo, more arch independent)
+RUN rpm --import https://yum.corretto.aws/corretto.key \
+    && curl -L -o /etc/yum.repos.d/corretto.repo https://yum.corretto.aws/corretto.repo \
+    && yum install -y java-11-amazon-corretto-devel
 ENV JAVA_HOME=/usr/lib/jvm/java-11-amazon-corretto
 
-# To use Zulu Java:
-#RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems \
-#	&& curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo \
-#	&& yum -y install zulu-8 && alternatives --install /usr/bin/java java $JAVA_HOME/bin/java 200000
-#install Zulu JCE
-#RUN curl -o /tmp/ZuluJCEPolicies.zip https://cdn.azul.com/zcek/bin/ZuluJCEPolicies.zip \
-#	&& cd /tmp && unzip -oj ZuluJCEPolicies.zip ZuluJCEPolicies/local_policy.jar -d $JAVA_HOME/lib/jvm/zulu-8/jre/lib/security/ \
-#	&& unzip -oj ZuluJCEPolicies.zip ZuluJCEPolicies/US_export_policy.jar -d $JAVA_HOME/lib/jvm/zulu-8/jre/lib/security/ \
-#	&& rm -rf /tmp/ZuluJCEPolicies.zip
-#ENV JAVA_HOME=/usr \
-
-# To use Oracle java/JCE:
-#
-#ENV JAVA_VERSION=8u171 \
-#    BUILD_VERSION=b11 \
-#    JAVA_BUNDLE_ID=512cd62ec5174c3487ac17c61aaa89e8 \
-#
-# Uncomment the following commands to download the Oracle JDK to your Shibboleth IDP image.  
-#     ==> By uncommenting these next 6 lines, you agree to the Oracle Binary Code License Agreement for Java SE (http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
-# RUN wget -nv --no-cookies --no-check-certificate --header "Cookie: oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/$JAVA_VERSION-$BUILD_VERSION/$JAVA_BUNDLE_ID/jdk-$JAVA_VERSION-linux-x64.rpm" -O /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
-#     yum -y install /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
-#     rm -f /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
-#     alternatives --install /usr/bin/java jar $JAVA_HOME/bin/java 200000 && \
-#     alternatives --install /usr/bin/javaws javaws $JAVA_HOME/bin/javaws 200000 && \
-#     alternatives --install /usr/bin/javac javac $JAVA_HOME/bin/javac 200000
-
-# For Oracle Java, also uncomment the following commands to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.  
-#     ==> By uncommenting these next 7 lines, you agree to the Oracle Binary Code License Agreement for Java SE Platform Products (http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
-# RUN wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" \
-#     http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip \
-#     && echo "f3020a3922efd6626c2fff45695d527f34a8020e938a49292561f18ad1320b59  jce_policy-8.zip" | sha256sum -c - \
-#     && unzip -oj jce_policy-8.zip UnlimitedJCEPolicyJDK8/local_policy.jar -d $JAVA_HOME/jre/lib/security/ \
-#     && unzip -oj jce_policy-8.zip UnlimitedJCEPolicyJDK8/US_export_policy.jar -d $JAVA_HOME/jre/lib/security/ \
-#     && rm jce_policy-8.zip \
-#     && chmod -R 640 $JAVA_HOME/jre/lib/security/
-
 # Copy IdP installer properties file(s)
 ADD container_files/idp/idp.installer.properties container_files/idp/idp.merge.properties container_files/idp/ldap.merge.properties /tmp/
 
@@ -142,27 +100,27 @@ RUN mkdir -p /tmp/shibboleth && cd /tmp/shibboleth && \
 
 # Install tomcat
 RUN mkdir -p "$CATALINA_HOME" && set -x \
-	&& wget -q -O $CATALINA_HOME/tomcat.tar.gz "$TOMCAT_TGZ_URL" \
-	&& wget -q -O $CATALINA_HOME/tomcat.tar.gz.asc "$TOMCAT_TGZ_URL.asc" \
-	&& wget -q -O $CATALINA_HOME/KEYS "https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/KEYS" \
-    && gpg --import $CATALINA_HOME/KEYS \
-    && gpg $CATALINA_HOME/tomcat.tar.gz.asc \
+        && curl -s -o $CATALINA_HOME/tomcat.tar.gz "$TOMCAT_TGZ_URL" \
+        && curl -s -o $CATALINA_HOME/tomcat.tar.gz.asc "$TOMCAT_TGZ_URL.asc" \
+	&& curl -s -L -o $CATALINA_HOME/KEYS "https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/KEYS" \
+        && gpg --import $CATALINA_HOME/KEYS \
+        && gpg $CATALINA_HOME/tomcat.tar.gz.asc \
 	&& gpg --batch --verify $CATALINA_HOME/tomcat.tar.gz.asc $CATALINA_HOME/tomcat.tar.gz \
 	&& tar -xvf $CATALINA_HOME/tomcat.tar.gz -C $CATALINA_HOME --strip-components=1 \
 	&& rm $CATALINA_HOME/bin/*.bat \
-	&& rm $CATALINA_HOME/tomcat.tar.gz* \
-    && mkdir -p $CATALINA_HOME/conf/Catalina \
-    && curl -o /usr/local/tomcat/lib/jstl1.2.jar https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar \
+	&& rm $CATALINA_HOME/tomcat.tar.gz*
+RUN mkdir -p $CATALINA_HOME/conf/Catalina \
 	&& rm -rf /usr/local/tomcat/webapps/* \
 	&& ln -s /opt/shibboleth-idp/war/idp.war $CATALINA_HOME/webapps/idp.war
-
+
+ADD container_files/tomcat/jstl-1.2.jar /usr/local/tomcat/lib/	
 ADD container_files/idp/idp.xml /usr/local/tomcat/conf/Catalina/idp.xml
 ADD container_files/tomcat/server.xml /usr/local/tomcat/conf/server.xml
 
 #use log4j for tomcat logging
-ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.jar /usr/local/tomcat/bin/
-ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.11.0/log4j-api-2.11.0.jar /usr/local/tomcat/bin/
-ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.11.0/log4j-jul-2.11.0.jar /usr/local/tomcat/bin/
+ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.18.0/log4j-core-2.18.0.jar /usr/local/tomcat/bin/
+ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.18.0/log4j-api-2.18.0.jar /usr/local/tomcat/bin/
+ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.18.0/log4j-jul-2.18.0.jar /usr/local/tomcat/bin/
 RUN cd /usr/local/tomcat/; \
     chmod +r bin/log4j-*.jar;
 ADD container_files/tomcat/log4j2.xml /usr/local/tomcat/conf/
@@ -189,6 +147,9 @@ RUN mkdir -p /etc/supervisor/conf.d && chmod +x /opt/tier/setenv.sh \
 #set cron to not require a login session
 RUN sed -i '/session    required   pam_loginuid.so/c\#session    required   pam_loginuid.so' /etc/pam.d/crond
 
+#upgrade pip to remove sec vuln
+#RUN pip3 install --upgrade pip
+
 # Expose the port tomcat will be serving on
 EXPOSE 443