docker · pcaskey · Sep 5, 2019 · Aug 19, 2019 · Aug 19, 2019 · Aug 22, 2019
diff --git a/Dockerfile b/Dockerfile
@@ -6,11 +6,11 @@ FROM centos:centos7
 #
 ##tomcat \
 ENV TOMCAT_MAJOR=9 \
-    TOMCAT_VERSION=9.0.22 \
+    TOMCAT_VERSION=9.0.24 \
 ##shib-idp \
     VERSION=3.4.4 \
 ##TIER \
-    TIERVERSION=20190702 \
+    TIERVERSION=20190801 \
 ################## \
 ### OTHER VARS ### \
 ################## \
@@ -71,8 +71,8 @@ RUN update-ca-trust extract
 
 # Install Corretto Java JDK
 #Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-8-ug/downloads-list.html
-ARG CORRETTO_RPM=java-1.8.0-amazon-corretto-devel-1.8.0_212.b04-2.x86_64.rpm
-ARG CORRETTO_URL_BASE=https://d3pxv6yz143wms.cloudfront.net/8.212.04.2
+ARG CORRETTO_RPM=java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-1.x86_64.rpm
+ARG CORRETTO_URL_BASE=https://d3pxv6yz143wms.cloudfront.net/8.222.10.1
 COPY container_files/java-corretto/corretto-signing-key.pub .
 RUN curl -O $CORRETTO_URL_BASE/$CORRETTO_RPM \
     && rpm --import corretto-signing-key.pub \

diff --git a/container_files/java-corretto/corretto-signing-key.pub b/container_files/java-corretto/corretto-signing-key.pub
@@ -1,20 +1,20 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
-mQENBFy7d2UBCADO3YKtB7/le47DP4R+x69bzQoAr/o/RI0YS4LRpj012VwlWdu5
-ttr4VJiS5r0d4QcOYrdHKULhkLeljvISODh+alpAW3S48k3XfTR9Fa1YugmGinkx
-Xg1aCrT6ap3UAmSGQOWPczajfPjosEYr757G+UPtDyeLho3MMTavDhTBzRcxnJWP
-0EXvXjkqeUHiKx4pc+qA3AA6hezKqGqOZvmoZxEqYWBEA2nBES2+PzY20lrDDT6j
-WWjfXJZYFyfEKBlWV5z967QPi6v70WwF3FzE9CQAzy60ATDOCC2PuTC1b/s5BVLg
-tATO6NtrcvnmhixtWPGLMGyXRDlrXi6APX7XABEBAAG0UkFtYXpvbiBTZXJ2aWNl
-cyBMTEMgKEFtYXpvbiBDb3JyZXRvIDguMjEyLjA0LjIgcmVsZWFzZSkgPGNvcnJl
-dHRvLXRlYW1AYW1hem9uLmNvbT6JAT8EEwECACkFAly7d2UCGy8FCQlmAYAHCwkI
-BwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRCl5PZH0EPoO2hYB/40AeZ4z78BKcni
-jAv/3y2Zp+n7PH2XyrTHXaJQoKEeR3EC9YKGVkwh3vLJY495Wm1uWoLv6fnhngM3
-6O5bH1pCSy14ib4xAzweIY9fRcjvpgjyXwwe4EgRhzHy41I3g07ym+SkNEE5lST3
-Oie/NJJDDmunovoE/e0a0NJe2pTYPd/DAjJIfdA1QUwcBNXD2nFWFpnrq5T5BFZu
-Cy5ih456G/PayPSmsG0JfDqSyWRRlrOGamsYy6ZaxsIrS92XGOlL8O3Y4wz6ELhP
-1sGRfI0AVZiOdcxpfuB15mNzgZOHc2rZh3HMxTKCNa13O+xkJEYm51f8cqc1RGmP
-XFjxUMQd
-=WyaZ
+mQENBF0uBDoBCACvZR8N0drCT+9XmesLbldPf8X9wGHf96dw6ZDnSBypMNVZp9o4
+u1VUJ6YKjnbs9pyWmgiA+XcxKlZUyqNzT+LIoEDJJXE47YKks1ThltQ9R7Vwjsvb
+9fUWxrITDbPpy5EbZuWOf2l2dPdHJxOkQnf1xTUnkcHob9IwycKXdvCduKW1KbT7
+ODKN7ZYEfENj63D6eFmgWG7dVV7JvVXJMl6aDHUBCPteS+VTbghx78N1YvVpb4V0
+Hnp/LQMbz1gnKLjMUKw4PcZoRrYmEmQlWOWOFPspepLnb06wWO9lWEkIsngFiA3C
+oLxDUI8Oo67tKg/0hN2RsqWFBSSKa/F6Wc11ABEBAAG0UkFtYXpvbiBTZXJ2aWNl
+cyBMTEMgKEFtYXpvbiBDb3JyZXRvIDguMjIyLjEwLjMgcmVsZWFzZSkgPGNvcnJl
+dHRvLXRlYW1AYW1hem9uLmNvbT6JAT8EEwECACkFAl0uBDoCGy8FCQlmAYAHCwkI
+BwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRC9k98GtUDWKiqjB/wMzhyE+Fm7DXU6
+koYGHyjY9AtPNDSR9uxXT1PvCjz/Gz12x/kjMz8dOjFwI3qOJhHFmYmjLX7Xb2ZR
+1di3/AyCmCWNdxh6X9JOMFBASlcRjKQk5ha69DO4CT1cg9+VSDpvYW+01ha5VC/q
+a29WFoL7G5UWWjGku0CXkn+JIRDCBboIumcldm1qoU5LUQVbYY7yqz5gsw+3nsbO
+rpEZPjpUGSlQ7IY7aWB4FB0kCQkT8d/mWbJ5/nacy3ib8ZnpIzvrVLO2v9IqBT9f
+Ul/8fdyXfYWjv9n2vE86mrYn9VtLI5umLeljgWDTWIqDV2Atn1wVD/g4M+vvQNCe
+vjspN4eD
+=q2VU
 -----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/centos7-clair-whitelist.yaml b/tests/centos7-clair-whitelist.yaml
@@ -0,0 +1,27 @@
+generalwhitelist:
+  RHSA-2019:2030: python
+  RHSA-2019:2237: nss-softokn
+  RHSA-2019:2237: nss-softokn-freebl
+  RHSA-2019:2118: glibc-common
+  RHSA-2019:2030: python-libs
+  RHSA-2019:2237: nspr
+  RHSA-2019:2075: binutils
+  RHSA-2019:2237: nss-sysinit
+  RHSA-2019:2118: glibc
+  RHSA-2019:2136: libssh2
+  RHSA-2019:2091: systemd
+  RHSA-2019:2189: procps-ng
+  RHSA-2019:2237: nss-util
+  RHSA-2019:2110: rsyslog
+  RHSA-2019:2057: bind-license
+  RHSA-2019:2091: systemd-libs
+  RHSA-2019:2304: openssl-libs
+  RHSA-2019:2237: nss
+  RHSA-2019:2237: nss-tools
+  RHSA-2019:2304: openssl-devel
+  RHSA-2019:2159: unzip
+  RHSA-2019:2181: libcurl
+  RHSA-2019:2197: elfutils-libs
+  RHSA-2019:2181: curl
+  RHSA-2019:2197: elfutils-libelf
+  RHSA-2019:2197: elfutils-default-yama-scope
diff --git a/tests/clairscan.sh b/tests/clairscan.sh
@@ -8,12 +8,20 @@ echo 'starting:' ${starttime}
 #ensure clair-scanner
 if [ ! -s ./clair-scanner ]; then
   echo 'downloading curl-scanner...'
-  curl -s -L -o ./clair-scanner https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
+  curl -s -L -o ./clair-scanner https://github.com/arminc/clair-scanner/releases/download/v12/clair-scanner_linux_amd64
   chmod 755 clair-scanner
 else
   echo 'using existing clair-scanner...'
 fi
 
+#ensure whitelist file (temporary)
+if [ ! -s ./centos7-clair-whitelist.yaml ]; then
+  echo 'downloading whitelist file...'
+  curl -s -L -o ./centos7-clair-whitelist.yaml https://github.internet2.edu/raw/docker/shib-idp/3.4.4_20190801/tests/centos7-clair-whitelist.yaml
+else
+  echo 'using existing whitelist file...'
+fi
+
 #ensure DB container
 echo 'ensuring a fresh clair-db container...'
 docker ps | grep clair-db &>/dev/null
@@ -34,9 +42,9 @@ if [ $? == "0" ]; then
   echo 'removing existing clair-scan container...'
   docker kill clair &>/dev/null
   docker rm clair &>/dev/null
-  docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.5 &>/dev/null
+  docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:latest &>/dev/null
 else
-  docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.5 &>/dev/null
+  docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:latest &>/dev/null
 fi
 sleep 30
 
@@ -46,7 +54,8 @@ echo 'sending ip addr' ${clairip} 'to clair-scan server...'
 
 #run scan
 echo 'running scan...'
-./clair-scanner --ip ${clairip} $1
+./clair-scanner -w centos7-clair-whitelist.yaml --ip ${clairip} $1
+#./clair-scanner --ip ${clairip} $1
 retcode=$?
 
 #eval results