diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 4c79b63..d565848 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,9 +1,12 @@
-* @cyberark/community-and-integrations-team @conjurinc/community-and-integrations-team @conjurdemos/community-and-integrations-team
+* @cyberark/community-and-integrations-team
 # Changes to .trivyignore require Security Architect approval
-.trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects
+.trivyignore @cyberark/security-architects
 # Changes to .codeclimate.yml require Quality Architect approval
-.codeclimate.yml @cyberark/quality-architects @conjurinc/quality-architects @conjurdemos/quality-architects
+.codeclimate.yml @cyberark/quality-architects
 # Changes to SECURITY.md require Security Architect approval
-SECURITY.md @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects
+SECURITY.md @cyberark/security-architects
+
+# Need to make sure we don't add something that triggers CVE-2020-36327 or CVE-2021-43809
+Gemfile* @cyberark/security-architects
diff --git a/.trivyignore b/.trivyignore
index dda25c0..2f9ffd5 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,4 +1,12 @@
-## These vulnerabilities impact the kernel version of the container which
+# At the moment, we do not pull any private gems. Updating to
+# a fixed version of bundler requires updating the whole project to Ruby
+# 3.0, which breaks the tests. CONJSE-1571 is entered for this upgrade
+# process. For now, ignore the bundler CVEs since we don't trigger them
+# but we need to check it if we change the Gemfile.
+CVE-2020-36327
+CVE-2021-43809
+
+# These vulnerabilities impact the kernel version of the container which
 ## isn't used when the code is being run within Docker
 ## More info: https://docs.docker.com/engine/security/security/
 CVE-2020-12465
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index a4f8871..b37fefc 100644
--- a/CONTRIBUTING.md
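Review bot: The comment on the new `Gemfile*` rule tells the code owner only not to add "something" that triggers the two bundler CVEs, so the reviewer it is meant to direct is left without the actual criteria to check; I would state them where they will be read, e.g. `# Gemfile/Gemfile.lock changes need security review: the bundler CVEs are suppressed in .trivyignore, so verify no private gem sources or git-sourced gems are introduced`. The `Gemfile*` glob does cover Gemfile.lock as the Gemfile comment in this commit promises, which is consistent. A CODEOWNERS entry only blocks a merge when the branch protection rule requires a code-owner review, and the .trivyignore and Gemfile comments added here rely on that, so it is worth confirming the setting is enabled for this repository.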
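Review bot: The justification for suppressing both CVEs, `# At the moment, we do not pull any private gems.`, covers only CVE-2020-36327 (the private-gem source-selection issue); CVE-2021-43809, as I recall the advisory, is reached through a git-sourced gem whose branch/ref option is attacker-controlled, so the comment should record that second condition as well, e.g. `# CVE-2021-43809 requires a git-sourced gem with a hostile branch option; this Gemfile uses only rubygems.org sources.` The visible Gemfile hunk and the `remote: https://rubygems.org/` line in Gemfile.lock are consistent with that claim, but the comment is what a future Gemfile reviewer will rely on, so the Gemfile comment in this commit should name the same two conditions instead of "any gems in ways that trigger those vulnerabilities". If the Trivy version used in CI supports expiring entries, writing the suppressions as `CVE-2020-36327 exp:<DATE>` would make them lapse automatically rather than depending on CONJSE-1571 being remembered.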
+++ b/CONTRIBUTING.md
@@ -274,10 +274,10 @@ ZIP file with the release of the repository with all dependencies.
 1. Verify that `dev/manifest.txt` includes all relevant top-level directories and files. These will be copied into a temporary `pkg` directory used when zipping, to avoid including unnecessary files in our ZIP.
-1. Run the `./dev/build` script, which will run `bundle pack --all`, which
- creates a `vendor/cache/` directory with the project dependencies. It
- will also produce a ZIP file of the project which includes this directory.
-1. Attach the ZIP file to the release draft; the CI for the VMWare Tanzu Tile
+2. Run the `./dev/build` script, which will run `bundle pack` with the cache_all
+ config set to true, which creates a `vendor/cache/` directory with the project dependencies.
+ It will also produce a ZIP file of the project which includes this directory.
+3. Attach the ZIP file to the release draft; the CI for the VMWare Tanzu Tile
 will use this artifact.
 ## Contributing
diff --git a/Dockerfile b/Dockerfile
index 4e123a8..7ed4544 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,6 +24,7 @@ RUN bundle config build.nokogiri --use-system-libraries && \
 RUN bundle config set --local frozen 'true' && \
 bundle config set --local system 'true' && \
 bundle config set --local without 'development test' && \
- bundle install --no-deployment
+ bundle config set --local deployment 'false' && \
+ bundle install
 COPY . /app/
diff --git a/Dockerfile.dev b/Dockerfile.dev
index d155102..4788d04 100644
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -19,7 +19,8 @@ WORKDIR /tmp
 RUN bundle config set --local frozen 'true' && \
 bundle config set --local system 'true' && \
 bundle config set --local with 'development' && \
- bundle install --no-deployment
+ bundle config set --local deployment 'false' && \
+ bundle install
 RUN mkdir -p /app
 WORKDIR /app
diff --git a/Dockerfile.test b/Dockerfile.test
index 4f43b54..16ac155 100644
--- a/Dockerfile.test
+++ b/Dockerfile.test
@@ -31,7 +31,8 @@ RUN bundle config set --local frozen 'true' && \
 bundle config set --local system 'true' && \
 bundle config set --local with 'test' && \
 bundle config set --local without 'development' && \
- bundle install --no-deployment
+ bundle config set --local deployment 'false' && \
+ bundle install
 RUN mkdir -p /app
 WORKDIR /app
diff --git a/Gemfile b/Gemfile
index 23666f1..6889c16 100644
--- a/Gemfile
+++ b/Gemfile
@@ -11,6 +11,14 @@ end
 # Docker base image so it won't be updated with fuzzy matching.
 ruby '~> 2.7'
+# We currently use a version of Bundler with known vulnerabilities until we
+# can update this project to use Ruby 3.0. Currently, this Gemfile does not
+# include any gems in ways that trigger those vulnerabilities. However, any
+# changes to this file need to be reviewed to ensure they don't expose us
+# to CVE-2020-36327 or CVE-2021-43809. These CVEs are currently ignored in
+# our Trivy scans and will not be caught. Adding Gemfile and Gemfile.lock
+# to CODEOWNERS to ensure reviews include security personnel for this reason.
+
 gem 'conjur-api', '~> 5.3.4'
 gem 'activesupport', '~> 5.2.6'
 gem 'railties', '~> 5.2.6'
diff --git a/Gemfile.lock b/Gemfile.lock
index cfd3b19..7fd88dc 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,35 +1,35 @@ GEM remote: https://rubygems.org/ specs: - actionpack (5.2.7.1) - actionview (= 5.2.7.1) - activesupport (= 5.2.7.1) + actionpack (5.2.8.1) + actionview (= 5.2.8.1) + activesupport (= 5.2.8.1) rack (~> 2.0, >= 2.0.8) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionview (5.2.7.1) - activesupport (= 5.2.7.1) + actionview (5.2.8.1) + activesupport (= 5.2.8.1) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.3) - activesupport (5.2.7.1) + activesupport (5.2.8.1) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 0.7, < 2) minitest (~> 5.1) tzinfo (~> 1.1) - addressable (2.8.0) - public_suffix (>= 2.0.2, < 5.0) - aruba (2.0.0) + addressable (2.8.1) + public_suffix (>= 2.0.2, < 6.0) + aruba (2.1.0) bundler (>= 1.17, < 3.0) childprocess (>= 2.0, < 5.0) contracts (>= 0.16.0, < 0.18.0) - cucumber (>= 4.0, < 8.0) + cucumber (>= 4.0, < 9.0) rspec-expectations (~> 3.4) thor (~> 1.0) builder (3.2.4) - bundler-audit (0.9.0.1) + bundler-audit (0.9.1) bundler (>= 1.2.0, < 3) thor (~> 1.0) byebug (11.1.3) @@ -40,7 +40,7 @@ GEM ci_reporter (~> 2.0) rspec (>= 2.14, < 4) coderay (1.1.3) - concurrent-ruby (1.1.9) + concurrent-ruby (1.1.10) conjur-api (5.3.7) activesupport (>= 4.2) addressable (~> 2.0) @@ -60,10 +60,10 @@ GEM mime-types (~> 3.3, >= 3.3.1) multi_test (~> 0.1, >= 0.1.2) sys-uname (~> 1.2, >= 1.2.2) - cucumber-core (10.1.0) + cucumber-core (10.1.1) cucumber-gherkin (~> 22.0, >= 22.0.0) cucumber-messages (~> 17.1, >= 17.1.1) - cucumber-tag-expressions (~> 4.0, >= 4.0.2) + cucumber-tag-expressions (~> 4.1, >= 4.1.0) cucumber-create-meta (6.0.4) cucumber-messages (~> 17.1, >= 17.1.1) sys-uname (~> 1.2, >= 1.2.2) 
@@ -74,37 +74,36 @@ GEM cucumber-messages (~> 17.1, >= 17.1.0) cucumber-messages (17.1.1) cucumber-tag-expressions (4.1.0) - cucumber-wire (6.2.0) + cucumber-wire (6.2.1) cucumber-core (~> 10.1, >= 10.1.0) cucumber-cucumber-expressions (~> 14.0, >= 14.0.0) - cucumber-messages (~> 17.1, >= 17.1.1) diff-lcs (1.5.0) domain_name (0.5.20190701) unf (>= 0.0.5, < 1.0.0) - erubi (1.10.0) + erubi (1.11.0) ffi (1.15.5) http-accept (1.7.0) - http-cookie (1.0.4) + http-cookie (1.0.5) domain_name (~> 0.5) - i18n (1.10.0) + i18n (1.12.0) concurrent-ruby (~> 1.0) json-schema (2.8.0) addressable (>= 2.4) json_spec (1.1.5) multi_json (~> 1.0) rspec (>= 2.0, < 4.0) - license_finder (6.15.0) + license_finder (7.0.1) bundler rubyzip (>= 1, < 3) - thor (~> 1.0.1) + thor (~> 1.2) tomlrb (>= 1.3, < 2.1) with_env (= 1.1.0) - xml-simple (~> 1.1.5) + xml-simple (~> 1.1.9) listen (3.1.5) rb-fsevent (~> 0.9, >= 0.9.4) rb-inotify (~> 0.9, >= 0.9.7) ruby_dep (~> 1.2) - loofah (2.18.0) + loofah (2.19.0) crass (~> 1.0.2) nokogiri (>= 1.5.9) method_source (1.0.0) @@ -112,7 +111,7 @@ GEM mime-types-data (~> 3.2015) mime-types-data (3.2022.0105) mini_portile2 (2.8.0) - minitest (5.15.0) + minitest (5.16.3) multi_json (1.15.0) multi_test (0.1.2) netrc (0.11.0) 
@@ -120,32 +119,32 @@ GEM nokogiri (1.13.9) mini_portile2 (~> 2.8.0) racc (~> 1.4) - pry (0.13.1) + pry (0.14.1) coderay (~> 1.1) method_source (~> 1.0) - pry-byebug (3.9.0) + pry-byebug (3.10.1) byebug (~> 11.0) - pry (~> 0.13.0) - public_suffix (4.0.6) + pry (>= 0.13, < 0.15) + public_suffix (5.0.0) puma (5.6.4) nio4r (~> 2.0) racc (1.6.0) - rack (2.2.3.1) - rack-test (1.1.0) - rack (>= 1.0, < 3) + rack (2.2.4) + rack-test (2.0.2) + rack (>= 1.3) rails-dom-testing (2.0.3) activesupport (>= 4.2.0) nokogiri (>= 1.6) rails-html-sanitizer (1.4.3) loofah (~> 2.3) - railties (5.2.7.1) - actionpack (= 5.2.7.1) - activesupport (= 5.2.7.1) + railties (5.2.8.1) + actionpack (= 5.2.8.1) + activesupport (= 5.2.8.1) method_source rake (>= 0.8.7) thor (>= 0.19.0, < 2.0) rake (13.0.6) - rb-fsevent (0.11.1) + rb-fsevent (0.11.2) rb-inotify (0.10.1) ffi (~> 1.0) rest-client (2.1.0) @@ -175,7 +174,7 @@ GEM rspec-mocks (~> 3.9.0) rspec-support (~> 3.9.0) rspec-support (3.9.4) - rspec_junit_formatter (0.5.1) + rspec_junit_formatter (0.6.0) rspec-core (>= 2, < 4, != 2.12.0) ruby_dep (1.5.0) rubyzip (2.3.2) @@ -185,14 +184,14 @@ GEM spring (>= 1.2, < 3.0) sys-uname (1.2.2) ffi (~> 1.1) - thor (1.0.1) + thor (1.2.1) thread_safe (0.3.6) - tomlrb (2.0.1) + tomlrb (2.0.3) tzinfo (1.2.10) thread_safe (~> 0.1) unf (0.1.4) unf_ext - unf_ext (0.0.8) + unf_ext (0.0.8.2) with_env (1.1.0) xml-simple (1.1.9) rexml