From 1683cdf605380583b06b3ecaa057387524172bc4 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Mon, 19 Aug 2019 18:56:56 +0000 Subject: [PATCH 1/4] bump tomcat and Java --- Dockerfile | 8 ++--- .../java-corretto/corretto-signing-key.pub | 32 +++++++++---------- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/Dockerfile b/Dockerfile index fdee3a5..8de23ef 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,11 +6,11 @@ FROM centos:centos7 # ##tomcat \ ENV TOMCAT_MAJOR=9 \ - TOMCAT_VERSION=9.0.22 \ + TOMCAT_VERSION=9.0.24 \ ##shib-idp \ VERSION=3.4.4 \ ##TIER \ - TIERVERSION=20190702 \ + TIERVERSION=20190801 \ ################## \ ### OTHER VARS ### \ ################## \ @@ -71,8 +71,8 @@ RUN update-ca-trust extract # Install Corretto Java JDK #Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-8-ug/downloads-list.html -ARG CORRETTO_RPM=java-1.8.0-amazon-corretto-devel-1.8.0_212.b04-2.x86_64.rpm -ARG CORRETTO_URL_BASE=https://d3pxv6yz143wms.cloudfront.net/8.212.04.2 +ARG CORRETTO_RPM=java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-1.x86_64.rpm +ARG CORRETTO_URL_BASE=https://d3pxv6yz143wms.cloudfront.net/8.222.10.1 COPY container_files/java-corretto/corretto-signing-key.pub . RUN curl -O $CORRETTO_URL_BASE/$CORRETTO_RPM \ && rpm --import corretto-signing-key.pub \ diff --git a/container_files/java-corretto/corretto-signing-key.pub b/container_files/java-corretto/corretto-signing-key.pub index d736975..b3d901d 100644 --- a/container_files/java-corretto/corretto-signing-key.pub +++ b/container_files/java-corretto/corretto-signing-key.pub 
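Review bot: The new ARG lines pin the RPM to 8.222.10.1 while the same commit replaces the whole contents of corretto-signing-key.pub, and the RUN right below does `rpm --import corretto-signing-key.pub` on whatever key is in the repo (presumably checking the RPM against it in the lines past the hunk), so the signature step only adds assurance if the replacement key was verified out of band, and nothing in the commit records that. The user ID encoded in the new key block appears to decode to "Amazon Correto 8.222.10.3 release" (worth decoding to confirm), which does not obviously match the 8.222.10.1 build being fetched. I would add above the COPY a comment such as `# Corretto release signing key; fingerprint <FPR> checked against the AWS Corretto 8 downloads page on <date>` and pin the artifact independently of the key with `&& echo "<sha256>  $CORRETTO_RPM" | sha256sum -c -` after the curl. The RUN instruction continues past the end of the hunk.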
@@ -1,20 +1,20 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
-mQENBFy7d2UBCADO3YKtB7/le47DP4R+x69bzQoAr/o/RI0YS4LRpj012VwlWdu5
-ttr4VJiS5r0d4QcOYrdHKULhkLeljvISODh+alpAW3S48k3XfTR9Fa1YugmGinkx
-Xg1aCrT6ap3UAmSGQOWPczajfPjosEYr757G+UPtDyeLho3MMTavDhTBzRcxnJWP
-0EXvXjkqeUHiKx4pc+qA3AA6hezKqGqOZvmoZxEqYWBEA2nBES2+PzY20lrDDT6j
-WWjfXJZYFyfEKBlWV5z967QPi6v70WwF3FzE9CQAzy60ATDOCC2PuTC1b/s5BVLg
-tATO6NtrcvnmhixtWPGLMGyXRDlrXi6APX7XABEBAAG0UkFtYXpvbiBTZXJ2aWNl
-cyBMTEMgKEFtYXpvbiBDb3JyZXRvIDguMjEyLjA0LjIgcmVsZWFzZSkgPGNvcnJl
-dHRvLXRlYW1AYW1hem9uLmNvbT6JAT8EEwECACkFAly7d2UCGy8FCQlmAYAHCwkI
-BwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRCl5PZH0EPoO2hYB/40AeZ4z78BKcni
-jAv/3y2Zp+n7PH2XyrTHXaJQoKEeR3EC9YKGVkwh3vLJY495Wm1uWoLv6fnhngM3
-6O5bH1pCSy14ib4xAzweIY9fRcjvpgjyXwwe4EgRhzHy41I3g07ym+SkNEE5lST3
-Oie/NJJDDmunovoE/e0a0NJe2pTYPd/DAjJIfdA1QUwcBNXD2nFWFpnrq5T5BFZu
-Cy5ih456G/PayPSmsG0JfDqSyWRRlrOGamsYy6ZaxsIrS92XGOlL8O3Y4wz6ELhP
-1sGRfI0AVZiOdcxpfuB15mNzgZOHc2rZh3HMxTKCNa13O+xkJEYm51f8cqc1RGmP
-XFjxUMQd
-=WyaZ
+mQENBF0uBDoBCACvZR8N0drCT+9XmesLbldPf8X9wGHf96dw6ZDnSBypMNVZp9o4
+u1VUJ6YKjnbs9pyWmgiA+XcxKlZUyqNzT+LIoEDJJXE47YKks1ThltQ9R7Vwjsvb
+9fUWxrITDbPpy5EbZuWOf2l2dPdHJxOkQnf1xTUnkcHob9IwycKXdvCduKW1KbT7
+ODKN7ZYEfENj63D6eFmgWG7dVV7JvVXJMl6aDHUBCPteS+VTbghx78N1YvVpb4V0
+Hnp/LQMbz1gnKLjMUKw4PcZoRrYmEmQlWOWOFPspepLnb06wWO9lWEkIsngFiA3C
+oLxDUI8Oo67tKg/0hN2RsqWFBSSKa/F6Wc11ABEBAAG0UkFtYXpvbiBTZXJ2aWNl
+cyBMTEMgKEFtYXpvbiBDb3JyZXRvIDguMjIyLjEwLjMgcmVsZWFzZSkgPGNvcnJl
+dHRvLXRlYW1AYW1hem9uLmNvbT6JAT8EEwECACkFAl0uBDoCGy8FCQlmAYAHCwkI
+BwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRC9k98GtUDWKiqjB/wMzhyE+Fm7DXU6
+koYGHyjY9AtPNDSR9uxXT1PvCjz/Gz12x/kjMz8dOjFwI3qOJhHFmYmjLX7Xb2ZR
+1di3/AyCmCWNdxh6X9JOMFBASlcRjKQk5ha69DO4CT1cg9+VSDpvYW+01ha5VC/q
+a29WFoL7G5UWWjGku0CXkn+JIRDCBboIumcldm1qoU5LUQVbYY7yqz5gsw+3nsbO
+rpEZPjpUGSlQ7IY7aWB4FB0kCQkT8d/mWbJ5/nacy3ib8ZnpIzvrVLO2v9IqBT9f
+Ul/8fdyXfYWjv9n2vE86mrYn9VtLI5umLeljgWDTWIqDV2Atn1wVD/g4M+vvQNCe
+vjspN4eD
+=q2VU
 -----END PGP PUBLIC KEY 
BLOCK----- From 05538fad65b9b5486fa7efe238c1d8dbd2414d80 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Mon, 19 Aug 2019 19:39:13 +0000 Subject: [PATCH 2/4] update clair scanner --- tests/clairscan.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/clairscan.sh b/tests/clairscan.sh index a06ea78..26c93bc 100755 --- a/tests/clairscan.sh +++ b/tests/clairscan.sh @@ -8,7 +8,7 @@ echo 'starting:' ${starttime} #ensure clair-scanner if [ ! -s ./clair-scanner ]; then echo 'downloading curl-scanner...' - curl -s -L -o ./clair-scanner https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64 + curl -s -L -o ./clair-scanner https://github.com/arminc/clair-scanner/releases/download/v12/clair-scanner_linux_amd64 chmod 755 clair-scanner else echo 'using existing clair-scanner...' @@ -34,9 +34,9 @@ if [ $? == "0" ]; then echo 'removing existing clair-scan container...' docker kill clair &>/dev/null docker rm clair &>/dev/null - docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.5 &>/dev/null + docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:latest &>/dev/null else - docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.5 &>/dev/null + docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:latest &>/dev/null fi sleep 30 From b71845e0e2558893da1a5dc1b06f6f8aadba1d87 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Thu, 22 Aug 2019 14:20:19 +0000 Subject: [PATCH 3/4] whitelist known vulnerabilities in clair scanner until next centos service release --- tests/centos7-clair-whitelist.yaml | 27 +++++++++++++++++++++++++++ tests/clairscan.sh | 3 ++- 2 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 tests/centos7-clair-whitelist.yaml diff --git a/tests/centos7-clair-whitelist.yaml b/tests/centos7-clair-whitelist.yaml new file mode 100644 index 0000000..d4d5544 --- /dev/null 
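Review bot: Both `docker run` lines in the second clairscan.sh hunk move the scanner image from the pinned `arminc/clair-local-scan:v2.0.5` to `:latest`, which makes the scan non-reproducible: the scanner code and its bundled vulnerability data now change silently between runs, and a scan that starts failing (or quietly passing) can no longer be tied to a specific image. Keep an explicit tag, ideally with a digest, e.g. `arminc/clair-local-scan:<tag>@sha256:<digest>`, and bump it deliberately together with the clair-scanner binary version changed in the first hunk. If the intent is to always pick up fresh vulnerability data, say so in a comment above the first `docker run` and pin by tag anyway so the scanner version is still known.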
+++ b/tests/centos7-clair-whitelist.yaml @@ -0,0 +1,27 @@ +generalwhitelist: + RHSA-2019:2030: python + RHSA-2019:2237: nss-softokn + RHSA-2019:2237: nss-softokn-freebl + RHSA-2019:2118: glibc-common + RHSA-2019:2030: python-libs + RHSA-2019:2237: nspr + RHSA-2019:2075: binutils + RHSA-2019:2237: nss-sysinit + RHSA-2019:2118: glibc + RHSA-2019:2136: libssh2 + RHSA-2019:2091: systemd + RHSA-2019:2189: procps-ng + RHSA-2019:2237: nss-util + RHSA-2019:2110: rsyslog + RHSA-2019:2057: bind-license + RHSA-2019:2091: systemd-libs + RHSA-2019:2304: openssl-libs + RHSA-2019:2237: nss + RHSA-2019:2237: nss-tools + RHSA-2019:2304: openssl-devel + RHSA-2019:2159: unzip + RHSA-2019:2181: libcurl + RHSA-2019:2197: elfutils-libs + RHSA-2019:2181: curl + RHSA-2019:2197: elfutils-libelf + RHSA-2019:2197: elfutils-default-yama-scope diff --git a/tests/clairscan.sh b/tests/clairscan.sh index 26c93bc..c80c285 100755 --- a/tests/clairscan.sh +++ b/tests/clairscan.sh @@ -46,7 +46,8 @@ echo 'sending ip addr' ${clairip} 'to clair-scan server...' #run scan echo 'running scan...' -./clair-scanner --ip ${clairip} $1 +./clair-scanner -w centos7-clair-whitelist.yaml --ip ${clairip} $1 +#./clair-scanner --ip ${clairip} $1 retcode=$? #eval results From c57d328d8c7b131e06c47340304349d198935e7c Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Thu, 22 Aug 2019 14:32:33 +0000 Subject: [PATCH 4/4] fix whitelist --- tests/clairscan.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/clairscan.sh b/tests/clairscan.sh index c80c285..8dbae4a 100755 --- a/tests/clairscan.sh +++ b/tests/clairscan.sh 
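Review bot: `generalwhitelist` is a YAML mapping but the new file repeats the same key many times (RHSA-2019:2237 seven times; RHSA-2019:2030, :2118, :2091, :2304, :2181 twice each; RHSA-2019:2197 three times), which strict YAML parsers reject and lenient ones collapse to the last value; since the advisory ID is the key that suppresses the finding, one line per advisory with the packages in the value is valid and equivalent, e.g. `RHSA-2019:2237: nss, nss-util, nss-tools, nss-sysinit, nss-softokn, nss-softokn-freebl, nspr`. These entries silence real openssl, curl, libssh2, glibc, systemd and nss advisories with nothing marking when they should go, so I would open the file with a comment naming the removal condition, e.g. `# Temporary: suppresses advisories centos:centos7 has not shipped fixes for yet; drop each entry once the base image carries it.`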
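Review bot: The old invocation is left behind as a commented-out line `#./clair-scanner --ip ${clairip} $1` directly under the new one, which is dead code the next reader has to reason about; git history already holds it, so delete that line. The `-w centos7-clair-whitelist.yaml` argument is resolved against the working directory, consistent with `./clair-scanner` on the same line, but worth stating with a comment such as `# whitelist path is relative to cwd; run this script from tests/` since a missing file here means findings are reported rather than suppressed.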
@@ -14,6 +14,14 @@ else echo 'using existing clair-scanner...' fi +#ensure whitelist file (temporary) +if [ ! -s ./centos7-clair-whitelist.yaml ]; then + echo 'downloading whitelist file...' + curl -s -L -o ./centos7-clair-whitelist.yaml https://github.internet2.edu/raw/docker/shib-idp/3.4.4_20190801/tests/centos7-clair-whitelist.yaml +else + echo 'using existing whitelist file...' +fi + #ensure DB container echo 'ensuring a fresh clair-db container...' docker ps | grep clair-db &>/dev/null
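Review bot: The new curl line uses `-s -L` without `-f`, so an HTTP error body (a 404 once the 3.4.4_20190801 tag moves or is deleted, or a forge login page) is written to centos7-clair-whitelist.yaml as a non-empty file; the `! -s` guard then treats it as a valid whitelist on every later run and the scan fails on YAML parsing instead of on the real cause. Use `curl -fsSL -o ./centos7-clair-whitelist.yaml <url> || { echo 'whitelist download failed' >&2; exit 1; }` so a failed fetch stops the run (the clair-scanner download earlier in this script has the same weakness). Note that this fetches the list of findings to suppress from a remote URL at scan time, so whoever can move that tag can widen the allowlist without a change to this repo; since the file is committed beside this script, prefer `$(dirname "$0")/centos7-clair-whitelist.yaml` and download only when it is absent, and replace the bare `(temporary)` in the comment with the condition under which the download goes away.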