Merge pull request #315 from vitalykorolev/MLE-17162_enhancements

vitalykorolev · web-flow · commit ecc665ade4fd · 2024-10-15T11:15:05.000-07:00
MLE-17162 security enhancements
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -110,7 +110,7 @@ void resultNotification(message) {
                  "<b>Lint Output: </b><br/>" +
                  "<pre><code>${LINT_OUTPUT}</code></pre><br/>" +
                  "<b>Vulnerabilities: </b><pre><code>${SCAN_OUTPUT}</code></pre><br/>" +
-                 "<b><a href='${env.BUILD_URL}artifact/scan/report.json'>Full scan report.</a></b><br/>" +
+                 "<b><a href='${env.BUILD_URL}artifact/scan/report-${env.dockerImageType}.json'>Full scan report.</a></b><br/>" +
                  "<b>Image Size:  <br/></b>${IMAGE_SIZE} <br/>" +
                  "<pre><code>docker pull ${dockerRegistry}/${latestTag}</code></pre><br/><br/>"
     if (params.DOCKER_TESTS) {
@@ -253,14 +253,14 @@ void lint() {
 
 void vulnerabilityScan() {
     sh """
-        make scan current_image=marklogic/marklogic-server-${dockerImageType}:${marklogicVersion}-${env.dockerImageType}-${env.dockerVersion} Jenkins=true
+        make scan current_image=marklogic/marklogic-server-${dockerImageType}:${marklogicVersion}-${env.dockerImageType}-${env.dockerVersion} docker_image_type=${dockerImageType} Jenkins=true
     """
-    SCAN_OUTPUT = sh(returnStdout: true, script: 'cat scan/report.txt')
+    SCAN_OUTPUT = sh(returnStdout: true, script: "cat scan/report-${env.dockerImageType}.txt")
     sh 'echo "SCAN_OUTPUT: ${SCAN_OUTPUT}"'
     if (SCAN_OUTPUT.size()) {
         mail charset: 'UTF-8', mimeType: 'text/html', to: "${emailSecList}", body: "<br/>Jenkins pipeline for ${env.JOB_NAME} <br/>Build Number: ${env.BUILD_NUMBER} <br/>Vulnerabilities: <pre><code>${SCAN_OUTPUT}</code></pre>", subject: "Critical or High Security Vulnerabilities Found: ${env.JOB_NAME} #${env.BUILD_NUMBER}"
     }
-    archiveArtifacts artifacts: 'scan/report.txt,scan/report.json', onlyIfSuccessful: true
+    archiveArtifacts artifacts: 'scan/*', onlyIfSuccessful: true
 }
 
 void publishToInternalRegistry() {
diff --git a/Makefile b/Makefile
@@ -108,15 +108,18 @@ lint:
 .PHONY: scan
 scan:
 ifeq ($(Jenkins),true)
-	docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v ${PWD}/scan:/scan anchore/grype:latest --output json --file /scan/report.json ${current_image}
+	docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v ${PWD}/scan:/scan anchore/grype:latest --output json --file /scan/report-${docker_image_type}.json ${current_image}
 	sudo chown -R builder.ml-eng scan
-	echo -e "Grype scan summary\n------------------" > scan/report.txt
-	jq '.matches[].vulnerability.severity' scan/report.json | sort | uniq -c >> scan/report.txt
-	echo -e "\nGrype vulnerability list sorted by severity" >> scan/report.txt
-	echo -e "PACKAGE\tVERSION\tCVE\tSEVERITY" >> scan/report.tmp
-	jq -r '[(.matches[] | [.artifact.name, .artifact.version, .vulnerability.id, .vulnerability.severity])] | .[] | @tsv' scan/report.json | sort -k4 >> scan/report.tmp
-	cat scan/report.tmp | column -t >> scan/report.txt
-	rm scan/report.tmp
+	echo -e "Grype scan summary\n------------------" > scan/report-${docker_image_type}.txt
+	jq '.matches[].vulnerability.severity' scan/report-${docker_image_type}.json | sort | uniq -c >> scan/report-${docker_image_type}.txt
+	echo -e "\nGrype vulnerability list sorted by severity.\n" >> scan/report-${docker_image_type}.txt
+	echo -e "PACKAGE\tVERSION\tCVE\tSEVERITY" >> scan/report-${docker_image_type}.tmp
+# generate txt file
+	jq -r '[(.matches[] | [.artifact.name, .artifact.version, .vulnerability.id, .vulnerability.severity])] | .[] | @tsv' scan/report-${docker_image_type}.json | sort -k4 >> scan/report-${docker_image_type}.tmp
+	cat scan/report-${docker_image_type}.tmp | column -t >> scan/report-${docker_image_type}.txt
+	rm scan/report-${docker_image_type}.tmp
+# generate csv file
+	jq -r '["ID", "Severity", "CVSS Base Score", "Link", "Package"], (.matches[] | [.vulnerability.id, .vulnerability.severity, (.vulnerability.cvss[0].metrics.baseScore // "N/A"), (.relatedVulnerabilities[]?.dataSource // .vulnerability.dataSource), .artifact.name]) | @csv' scan/report-${docker_image_type}.json > scan/report-${docker_image_type}.csv
 else
 	docker run --rm -v /var/run/docker.sock:/var/run/docker.sock anchore/grype:latest ${current_image}
 endif
@@ -133,7 +136,7 @@ else
 	unzip -p scap-security-guide-${open_scap_version}.zip scap-security-guide-${open_scap_version}/ssg-rhel8-ds.xml > scap/ssg-rhel-ds.xml
 endif
 	docker run -itd --name scap-scan -v $(PWD)/scap:/scap ${current_image}
-	docker exec -u root scap-scan /bin/bash -c "microdnf install -y openscap-scanner"
+	docker exec -u root scap-scan /bin/bash -c "microdnf update -y; microdnf install -y openscap-scanner"
 	# ensure the file is owned by root in order to avoid permission issues
 	docker exec -u root scap-scan /bin/bash -c "chown root:root /scap/ssg-rhel-ds.xml"
 	docker exec -u root scap-scan /bin/bash -c "oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --results /scap/scap_scan_results.xml --report /scap/scap_scan_report.html /scap/ssg-rhel-ds.xml > /scap/command-output.txt 2>&1" || true
diff --git a/dockerFiles/marklogic-deps-ubi9:base b/dockerFiles/marklogic-deps-ubi9:base
@@ -21,7 +21,7 @@ RUN microdnf -y update \
 ###############################################################
 # hadolint ignore=DL3006
 RUN echo "NETWORKING=yes" > /etc/sysconfig/network \
-    && microdnf -y install gdb nss libtool-ltdl cpio tzdata \
+    && microdnf -y install --setopt install_weak_deps=0 gdb nss libtool-ltdl cpio tzdata util-linux \
     && microdnf clean all
 
 
diff --git a/dockerFiles/marklogic-deps-ubi:base b/dockerFiles/marklogic-deps-ubi:base
@@ -21,7 +21,7 @@ RUN microdnf -y update \
 ###############################################################
 # hadolint ignore=DL3006
 RUN echo "NETWORKING=yes" > /etc/sysconfig/network \
-    && microdnf -y install gdb.x86_64 glibc.i686 libstdc++.i686 libgcc.i686 initscripts redhat-lsb-core.x86_64 tzdata \
+    && microdnf -y install --setopt install_weak_deps=0 gdb redhat-lsb-core initscripts tzdata \
     && microdnf clean all
 
 
diff --git a/dockerFiles/marklogic-server-ubi-rootless-hardened:base b/dockerFiles/marklogic-server-ubi-rootless-hardened:base
@@ -139,7 +139,8 @@ RUN mkdir -p ${MARKLOGIC_DATA_DIR} \
 ###############################################################
 
 COPY rhel-script-cis.sh /tmp/rhel-script-cis.sh
-RUN chmod +x /tmp/rhel-script-cis.sh \
+RUN touch /.dockerenv \
+    && chmod +x /tmp/rhel-script-cis.sh \
     && /tmp/rhel-script-cis.sh
 
 ###############################################################
@@ -149,6 +150,13 @@ WORKDIR /
 COPY ${ML_CONVERTERS} /tmp/converters.rpm
 RUN chown ${ML_USER}:users /tmp/converters.rpm
 
+###############################################################
+# Remove optional packages that have known vulnerabilities
+###############################################################
+RUN for package in vim-minimal cups-client cups-libs tar python3-pip-wheel platform-python python3-libs platform-python-setuptools avahi-libs binutils expat libarchive python3 python3-libs python-unversioned-command; \
+    do rpm -e --nodeps $package || true; \
+    done;
+
 ###############################################################
 # expose MarkLogic server ports
 ###############################################################
diff --git a/dockerFiles/marklogic-server-ubi-rootless:base b/dockerFiles/marklogic-server-ubi-rootless:base
@@ -131,6 +131,13 @@ ENV MARKLOGIC_INSTALL_DIR=/opt/MarkLogic  \
 
 RUN microdnf -y reinstall tzdata
 
+###############################################################
+# Remove optional packages that have known vulnerabilities
+###############################################################
+RUN for package in vim-minimal cups-client cups-libs tar python3-pip-wheel platform-python python3-libs platform-python-setuptools avahi-libs binutils expat libarchive python3 python3-libs python-unversioned-command; \
+    do rpm -e --nodeps $package || true; \
+    done;
+
 ################################################################
 # Set appropriate authorisation to MARKLOGIC_DATA_DIR 
 ################################################################
diff --git a/dockerFiles/marklogic-server-ubi:base b/dockerFiles/marklogic-server-ubi:base
@@ -27,7 +27,7 @@ COPY scripts/start-marklogic.sh /usr/local/bin/start-marklogic.sh
 COPY ${ML_RPM} /tmp/marklogic-server.rpm
 RUN rpm -i /tmp/marklogic-server.rpm \
     && rm /tmp/marklogic-server.rpm \
-    && microdnf -y install sudo \
+    && microdnf -y install --setopt install_weak_deps=0 sudo \
     && microdnf -y clean all \
     && rm -rf ./opt/MarkLogic/mlcmd/lib/* \
     && rm -rf ./opt/MarkLogic/mlcmd/ext/*
@@ -108,6 +108,13 @@ ENV MARKLOGIC_INSTALL_DIR=/opt/MarkLogic  \
 
 RUN microdnf -y reinstall tzdata
 
+###############################################################
+# Remove optional packages that have known vulnerabilities
+###############################################################
+RUN for package in vim-minimal cups-client cups-libs tar python3-pip-wheel platform-python python3-libs platform-python-setuptools avahi-libs binutils expat libarchive python3 python3-libs python-unversioned-command; \
+    do rpm -e --nodeps $package || true; \
+    done;
+
 ###############################################################
 # expose MarkLogic server ports
 ###############################################################
@@ -136,4 +143,4 @@ VOLUME /var/opt/MarkLogic
 ###############################################################
 # set entrypoint
 ###############################################################
-ENTRYPOINT ["/tini", "--", "/usr/local/bin/start-marklogic.sh"]
+ENTRYPOINT ["/tini", "--", "/usr/local/bin/start-marklogic.sh"]
